---
myst:
  html_meta:
    "description lang=en": "PingOne SAML setup guide for Workspaces authentication."
    "keywords": "Kasm, Ping, Federate, SAML"
    "property=og:locale": "en_US"
---

```{title} PingOne SAML Setup
```

## PingOne SAML Setup

### Create a new SAML configuration in Kasm

1. Log into the Kasm UI as an administrator.
2. Select **Access Management** -> **Authentication** -> **SAML** -> **Add Configuration**.
3. The **SAML 2.0 Configuration** page will auto-generate the **Entity ID**, **Single Sign On Service**, **Single Logout Service**, and **Relay State** values.
4. Check **Enable** and enter a **Display Name**, e.g. PingOne.
5. Enter `memberOf` in **Group Member Attribute**.
6. Enter `emailAddress` in **NameID Attribute**.

```{figure} /images/saml/pingone/kasm_saml_configurations.webp
:align: center

**Kasm SAML Configurations**
```

7. Leave this page open and continue to the next steps.

### Create a new SAML Application in PingOne

01. In the PingOne Admin portal, click **Applications** -> **My Applications** -> **Add Application** -> **New SAML Application**.

```{figure} /images/saml/pingone/add_application.png
:align: center

**Add SAML Application**
```

02. Give the application a Name, Description, Category and optionally an icon. Click **Continue to Next Step**.

```{figure} /images/saml/pingone/new_application.png
:align: center

**New SAML Application**
```

03. Copy the **Service Provider** entries from the Kasm SAML configuration started in the previous section into the Basic SAML configuration and click.
```{eval-rst}
+------------------------+--------------------------------------------+
| **Kasm Property Name** | **PingOne Property Name**                  |
+------------------------+--------------------------------------------+
| Entity ID              | Entity ID                                  |
+------------------------+--------------------------------------------+
| Single Sign On Service | Assertion Consumer Service (ACS)           |
+------------------------+--------------------------------------------+
| Single Logout Service  | (e.g https://kasm.server)                  |
+------------------------+--------------------------------------------+
| Relay State            | Application URL                            |
+------------------------+--------------------------------------------+
```

04. Select **Redirect** for **Single Logout Binding Type**.
05. Select **RSA_SHA1** for **Signing Algorithm**.
06. Select **Continue to Next Step**.
07. At the **SSO Attribute Mapping** page click **Continue to Next Step**.
08. At the **Group Access** page enable the groups desired. In this example we will add both the built-in **Domain Administrators@directory** and **Users@directory** groups.

```{figure} /images/saml/pingone/group_access.png
:align: center

**Group Access Selections**
```

09. Select **Continue to Next Step**. The **Review Setup** page is shown.

```{figure} /images/saml/pingone/review.png
:align: center

**Review Setup**
```

10. Click **Download** next to **Signing Certificate**. Open this file with a text editor. This will be used as the **Signing Certificate** in the next section.
11. Click **Download** next to **SAML Metadata**. Open the file with a text editor.
    1. Identify the **Location** for the `md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"` property. This will be used as the **Single Logout Service** property in the next section.
    2. Identify the **Location** for the `md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"` property. This will be used as the **Single Sign On Service** property in the next section.
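Locating the two `HTTP-Redirect` endpoints and the signing certificate by eye in a long metadata file is error-prone. The following script is an added example (it is not part of the Kasm documentation or of PingOne) that reads the IdP metadata downloaded in step 11 and prints exactly the values the next section asks for: the `entityID` (Issuer), the `HTTP-Redirect` locations of `SingleSignOnService` and `SingleLogoutService`, and the signing certificate re-wrapped as PEM. The embedded metadata is a constructed sample with placeholder hostnames and a placeholder certificate body; the host name, entity ID and certificate of a real PingOne file will differ. It uses only the Python standard library and performs no signature validation of the metadata itself.

```python
"""Extract the Identity Provider values Kasm needs from SAML IdP metadata.

Added example, not Kasm or PingOne code. Run with the downloaded metadata
file as the only argument; with no argument it uses the constructed sample.
"""
import base64
import sys
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: placeholder hostnames and a placeholder certificate body.
SAMPLE_CERT_B64 = base64.b64encode(b"PLACEHOLDER CERTIFICATE BODY").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.invalid/idp/EXAMPLEENTITY">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/idp/SLO.saml2"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/idp/SLO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(b64_text):
    """Re-wrap the base64 certificate body from the metadata as a PEM block."""
    raw = "".join(b64_text.split())
    base64.b64decode(raw, validate=True)  # binascii.Error on a corrupted paste
    body = "\n".join(textwrap.wrap(raw, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text):
    """Return issuer, HTTP-Redirect SSO/SLO locations and signing certs."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    def redirect_location(tag):
        # Kasm was configured with the Redirect binding (step 04), so only
        # the HTTP-Redirect endpoint is wanted; other bindings are skipped.
        for svc in idp.findall(tag, NS):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        return None

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute covers signing as well.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                certs.append(to_pem(cert.text))
    return {
        "issuer": root.get("entityID"),
        "sso_redirect": redirect_location("md:SingleSignOnService"),
        "slo_redirect": redirect_location("md:SingleLogoutService"),
        "signing_certs": certs,
    }


def check(values):
    """List anything that would make the Kasm configuration incomplete."""
    problems = []
    for key in ("issuer", "sso_redirect", "slo_redirect"):
        if not values[key]:
            problems.append(f"missing {key}")
        elif not values[key].startswith("https://"):
            problems.append(f"{key} is not https")
    if not values["signing_certs"]:
        problems.append("no signing certificate")
    return problems


if __name__ == "__main__":
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    values = parse_idp_metadata(text)
    print("Entity ID (Issuer):      ", values["issuer"])
    print("Single Sign On Service:  ", values["sso_redirect"])
    print("Single Logout Service:   ", values["slo_redirect"])
    for pem in values["signing_certs"]:
        print("X509 Certificate:\n" + pem)
    for problem in check(values):
        print("WARNING:", problem)
```

The `check` function flags a metadata file that offers no `HTTP-Redirect` endpoint or no signing certificate, which are the two cases where copying a value from the wrong `Binding` or leaving the certificate field empty would otherwise only surface as a failed login later.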
```{figure} /images/saml/pingone/metadata.png
:align: center

**Group Access Selections**
```

### Complete SAML configuration in Kasm

1. Back in the Kasm UI SAML configuration page, update the **Identity Provider** selections.

```{eval-rst}
+--------------------------------------------+---------------------------+
| **Kasm Property Name**                     | **PingOne Property Name** |
+--------------------------------------------+---------------------------+
| Entity ID                                  | Issuer                    |
+--------------------------------------------+---------------------------+
| Single Sign On Service                     | Single Sign On Service    |
+--------------------------------------------+---------------------------+
| Single Logout Service / SLO Endpoint       | Single Logout Service     |
+--------------------------------------------+---------------------------+
| X509 Certificate                           | Signing Certificate       |
+--------------------------------------------+---------------------------+
```

2. In the **Advanced Settings**, check **Want Assertion Signed** and click **Save**.

```{figure} /images/saml/pingone/kasm_saml_configurations_2.webp
:align: center

**Group Access Selections**
```

### Mapping Users

PingOne is now set up to pass along the user's group membership in the SAML assertion. These groups can be mapped to groups within the Kasm application. In the previous step we gave application login permissions to both the **Domain Administrators@directory** and **Users@directory** groups in PingOne. The following steps map the PingOne **Domain Administrators@directory** group to the **Administrators** group in Kasm.

1. In the PingOne Admin portal, click **Users** -> **User Groups**.
2. Inspect the **Domain Administrators@directory** group.

```{figure} /images/saml/pingone/user_groups.png
:align: center

**PingOne User Groups**
```

3. Log into the Kasm UI as an administrator.
4. Select **Access Management** -> **Groups**, then using the arrow menu click **Edit** next to the **Administrators** group.
5. Navigate to the **SSO Group Mappings** tab and select **Add SSO Mapping**.
6. Select the SAML IdP that was created above ("SAML - PingOne") for the **SSO Provider**.
7. Enter **Domain Administrators@directory** into the **Group Attributes** field.

```{figure} /images/saml/pingone/group_settings.webp
:align: center

**Add SSO Group Mapping**
```

### Testing Access

1. Log out of the Kasm UI if already logged in.
2. Navigate to the Kasm UI login page.

```{figure} /images/saml/pingone/kasm_login.webp
:align: center

**Kasm Login**
```

3. Click PingOne to initiate the SAML SSO process.

```{figure} /images/saml/pingone/pingone_login.png
:align: center

**PingOne Login**
```

4. Log in as a member of the **Domain Administrators@directory** group.
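To make the **Mapping Users** section concrete, here is an added example (not Kasm's code and not a description of Kasm's internals) of how the two attribute names configured in the first section and the SSO Group Mapping fit together at the assertion level: the value of the `emailAddress` attribute is taken as the user identifier, and each value of the multi-valued `memberOf` attribute is compared against the **Group Attributes** entries to produce the Kasm groups the user lands in. The assertion below is a constructed sample with placeholder identifiers, and the comparison is an exact string match, which is an assumption of this example rather than something the page states about Kasm. It operates on an assertion whose signature has already been verified by the service provider (that is what **Want Assertion Signed** enforces); attribute values from an unverified assertion must not be trusted.

```python
"""Map memberOf values from a (verified) SAML assertion to Kasm groups.

Added example, not Kasm code. Only run this on an assertion whose signature
the service provider has already checked; it does no verification itself.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

GROUP_MEMBER_ATTRIBUTE = "memberOf"      # Kasm "Group Member Attribute" (step 5)
NAMEID_ATTRIBUTE = "emailAddress"        # Kasm "NameID Attribute" (step 6)

# The SSO Group Mapping from the Mapping Users section: PingOne group
# (as entered in "Group Attributes") -> Kasm group.
SSO_GROUP_MAPPINGS = {
    "Domain Administrators@directory": "Administrators",
}

# Constructed sample assertion; identifiers and hostnames are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-sample" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid/idp/EXAMPLEENTITY</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="emailAddress">
      <saml:AttributeValue>jdoe@example.invalid</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Users@directory</saml:AttributeValue>
      <saml:AttributeValue>Domain Administrators@directory</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def attribute_values(assertion, name):
    """Return every AttributeValue text of the Attribute called `name`."""
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            return [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    return []


def resolve_user(assertion_xml, mappings=SSO_GROUP_MAPPINGS):
    """Derive the user identifier and Kasm groups from the assertion."""
    assertion = ET.fromstring(assertion_xml)
    ids = attribute_values(assertion, NAMEID_ATTRIBUTE)
    # Exactly one non-empty identifier is required; anything else is rejected
    # rather than guessed at, since it decides which account is logged in.
    if len(ids) != 1 or not ids[0]:
        raise ValueError(f"expected exactly one {NAMEID_ATTRIBUTE} value, got {ids!r}")
    idp_groups = attribute_values(assertion, GROUP_MEMBER_ATTRIBUTE)
    kasm_groups = sorted({mappings[g] for g in idp_groups if g in mappings})
    unmapped = [g for g in idp_groups if g not in mappings]
    return {
        "user": ids[0],
        "idp_groups": idp_groups,
        "kasm_groups": kasm_groups,   # groups granted by SSO Group Mappings
        "unmapped": unmapped,         # IdP groups with no Kasm mapping (ignored)
    }


if __name__ == "__main__":
    result = resolve_user(SAMPLE_ASSERTION)
    print("user:        ", result["user"])
    print("IdP groups:  ", result["idp_groups"])
    print("Kasm groups: ", result["kasm_groups"])
    print("unmapped:    ", result["unmapped"])
```

Running it on the sample gives `Administrators` as the only Kasm group, with `Users@directory` reported as unmapped, which is the outcome the Mapping Users steps set up: only the PingOne group entered under **Group Attributes** grants a Kasm group, and other `memberOf` values are carried in the assertion but have no effect.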