PingOne SAML Setup

Create a new SAML configuration in Kasm

1. Log into the Kasm UI as an administrator.

2. Select Authentication -> SAML -> Create New Configuration

3. The SAML 2.0 Configuration page will auto-generate the Entity ID, Single Sign On Service, Single Logout Server, and Relay State values.

4. Check Enable and enter a Display Name. e.g (PingOne)

5. Enter memberOf in Group Member Attribute

6. Enter emailAddress in NameID Attribute

   

   Kasm SAML Configurations

7. Leave this page open and continue to the next steps.

Create a new SAML Application in PingOne

1. In the PingOne Admin portal, click Applications -> My Applications -> Add Application -> New SAML Application

   

   Add SAML Application

2. Give the application a Name, Description , Category and optionally an icon. Click Continue to Next Step

   

   New SAML Application

3. Copy the Service Provider entries from the Kasm SAML Configurations started in the previous section into the Basic SAML configurations and click.

   Kasm Property Name	PingOne Property Name
   Entity ID	Entity ID
   Single Sign On Service	Assertion Consumer Service (ACS)
   Single Logout Service	<Server URL> (e.g https://kasm.server)
   Relay State	Application URL

4. Select Redirect for Single Logout Binding Type

5. Select RSA_SHA1 for Signing Algorithm

6. Select Continue to Next Step

7. At the SSO Attribute Mapping page click Continue to Next Step

8. At the Group Access page enabled the groups desired. In this example we will add both the built in Domain Administrators@directory and Users@directory groups.

   

   Group Access Selections

9. Select Continue to Next Step. The Review Setup page is shown.

   

10. Click Download next to Signing Certificate. Open this file with a text editor. This will be used as the Singing Certificate in the next section.

11. Click Download next to SAML Metadata. Open the file with a text editor.

    1. Identify the Location for the md:SingleLogoutService Binding=”urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect property. This will be used as the Single Logout Service property in the next section.

    2. Identify the Location for the md:SingleSignOnService Binding=”urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect property. This will be used as the Single Sign On Service property in the next section.

    

    Group Access Selections

Complete SAML configuration in Kasm

1. Back in the Kasm UI SAML configuration page update the Identity Provider selections

   Kasm Property Name	Azure Property Name
   Entity ID	Issuer
   Single Sign On Service	Single Sign On Service
   Single Logout Service / SLO Endpoint	Single Logout Service
   X509 Certificate	Signing Certificate

2. In the Advanced Settings of check Want Assertion Signed and click Submit

   

   Group Access Selections

4. In the Advanced Settings of check Want Assertion Signed and click Submit

Mapping Users

PingOne is not set up to pass along the user’s group membership during the SAML assertion. These groups can be mapped to groups within the Kasm Application. In the previous step we gave application login permissions to both the Domain Administrators@directory and Users@directory groups in PingOne. The following steps will now map the PingOne Domain Administrators@directory group to the Administrators group in Kasm.

1. In the PingOne Admin portal, click Users -> User Groups

2. Inspect the Domain Administrators@directory group.

   

   PingOne User Groups

3. Log into the Kasm UI as an administrator.

4. Select Groups, then click Edit next to the Administrators Group

5. Check SAML Group and enter the Object Id for the desired Azure AD Security group previously configured.

   

   Update Kasm Group

Testing Access

1. Log out of the Kasm UI if already logged in.

2. Navigate to the Kasm UI login page.

   

   Kasm Login

3. Click PingOne to initiate the SAML SSO process.

   

   PingOne Login

4. Login as a member of the Domain Administrators@directory group.