PingOne Authentication (SAML)

1. In the Ivanti Neurons Platform, navigate to Admin > Authentication.
   The Authentication page appears.

2. In the External Authentication (SSO) section, click Configure & Enable.
   The Enable External Authentication (SSO) page appears.

3. From the Provider drop-down, select PingOne.

4. From the Sign-In Method drop-down, select Saml 2.0.

   PingOne Saml 2.0 Configuration Settings appears. It is recommended to leave this tab open for future reference when configuring the details in PingOne Admin console.

1. Log in to PingOneAdmin console.

2. Navigate to Applications > Applications.

3. Click , to add a new application.
   The Add Application screen appears.

4. In Application Name, enter a name for the SAML app.

5. Select SAML Application and click Configure.

6. In SAML Configuration, select Manually Enter.

7. Enter the values in the following fields from the Ivanti Neurons tab that was open:

   1. ACS URLs: Assertion Consumer Service URL.

   2. Entity ID: EntityId.

8. Click SAVE.

9. Select Attribute Mappings tab and click .

10. In Attribute Mapping, click Add.

11. Update the Attributes and PingOne Mappings as follows:
    

    1. email: Email Address. Select Required > Add.

    2. given_name: Given Name. Select Required.

    3. family_name: Family Name. Select Required > Add.

12. Click SAVE.
    The application is now created in PingOne.

13. Click the button near the application name to enable the application.

14. Select Configuration tab, copy the IDP Metadata URL, and paste it into the Identity Provider Metadata Endpoint URL field in the Neurons Platform that was open.

15. Click Continue.

You must connect with your PingOne credentials to validate your connection settings.

1. On the Validate Connection Settings page, click Validate Settings.

   The validation takes place automatically. You will receive a confirmation screen if login is successful.

2. Return to the Validate Connection Settings page and select the check box to confirm login success.

   PingOne is now configured, but it is not enabled. To enable, you need to convert your Ivanti Neurons Platform accounts to PingOne.

3. Click Continue to proceed to the Convert your Ivanti Neurons platform account page.

• E2018 Authentication failed: User failed to authenticate with PingOne. Check that the
  username and password are correct, and that the user has permission on the PingOne Application Registration.

• E2019 Missing optional claims: Validation step failed because the additional optional claims were not present in the token returned to Ivanti Neurons Platform from PingOne.

• E2020 Unable to link to Neurons Platform user account: The PingOne user login does not match with the Ivanti Neurons Platform user. The Ivanti Neurons Platform user account email address must match the email address used to login into PingOne.

1. On the Convert your Ivanti Neurons platform account page, click Sign Out & Enable. Ivanti Neurons is signed-out.

2. Click Sign in with PingOne to complete the process.

3. You can now view PingOne application in Admin > Authentication with an Enabled status.

4. Click Sign out from the Neurons platform.
   Now, when you sign back in, you are routed to PingOne to choose the account and sign in with PingOne credentials.

1. In Ivanti Neurons Platform navigate to Setup > Authentication.
   The Authentication Method page appears.

2. In the External Authentication section, click Actions and select Enable auto provisioning.

3. From the Default roles drop-down, select the access control role that you want to be assigned to all new members.
   To set up Roles, go to Ivanti Neurons > Admin> Roles.

4. Click Enable Auto Provisioning to confirm the role selection and enable auto provisioning for all new members.