PingOne SAML Setup

Create a new SAML configuration in Kasm

  1. Log into the Kasm UI as an administrator.

  2. Select Access Management -> Authentication -> SAML -> Add Configuration

  3. The SAML 2.0 Configuration page will auto-generate the Entity ID, Single Sign On Service, Single Logout Service, and Relay State values.

  4. Check Enable and enter a Display Name (e.g. PingOne).

  5. Enter memberOf in Group Member Attribute

  6. Enter emailAddress in NameID Attribute

Figure: Kasm SAML Configurations

  1. Leave this page open and continue to the next steps.

Create a new SAML Application in PingOne

  1. In the PingOne Admin portal, click Applications -> My Applications -> Add Application -> New SAML Application

Figure: Add SAML Application

  1. Give the application a Name, Description, Category and optionally an icon. Click Continue to Next Step.

Figure: New SAML Application

  1. Copy the Service Provider entries from the Kasm SAML Configurations started in the previous section into the Basic SAML configurations and click.

Kasm Property Name     | PingOne Property Name
Entity ID              | Entity ID
Single Sign On Service | Assertion Consumer Service (ACS)
Single Logout Service  | <Server URL> (e.g. https://kasm.server)
Relay State            | Application URL

  1. Select Redirect for Single Logout Binding Type

  2. Select RSA_SHA1 for Signing Algorithm

  3. Select Continue to Next Step

  4. At the SSO Attribute Mapping page click Continue to Next Step

  5. At the Group Access page, enable the desired groups. In this example we will add both the built-in Domain Administrators@directory and Users@directory groups.

Figure: Group Access Selections

  1. Select Continue to Next Step. The Review Setup page is shown.

Figure: Review Setup

  1. Click Download next to Signing Certificate. Open this file with a text editor. This will be used as the Signing Certificate in the next section.

  2. Click Download next to SAML Metadata. Open the file with a text editor.

    1. Identify the Location of the md:SingleLogoutService element with Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect". This will be used as the Single Logout Service property in the next section.

    2. Identify the Location of the md:SingleSignOnService element with Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect". This will be used as the Single Sign On Service property in the next section.

Figure: Group Access Selections
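The metadata lookup in the two sub-steps above can be scripted. The following is an added example, not part of the Kasm or PingOne documentation. It goes slightly beyond the steps by rejecting non-HTTPS endpoints and by computing a SHA-256 fingerprint of the certificate embedded in the metadata, for comparison with the downloaded Signing Certificate. The function names, the idp.example.test host and the placeholder certificate bytes are assumptions made for this example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: placeholder host and placeholder bytes, not a real certificate.
PLACEHOLDER_DER = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{base64.b64encode(PLACEHOLDER_DER).decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="{POST}" Location="https://idp.example.test/slo/post"/>
  <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.test/slo/redirect"/>
  <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.test/sso/post"/>
  <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/sso/redirect"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def redirect_location(idp, tag):
    """Location of the md:<tag> endpoint that uses the HTTP-Redirect binding."""
    for el in idp.findall(f"md:{tag}", NS):
        if el.get("Binding") == REDIRECT:
            loc = el.get("Location", "")
            if not loc.startswith("https://"):  # added check: reject cleartext endpoints
                raise ValueError(f"{tag} Location is not HTTPS: {loc!r}")
            return loc
    raise ValueError(f"metadata has no HTTP-Redirect {tag}")


def kasm_idp_values(metadata_xml):
    """Endpoint values for Kasm plus the SHA-256 of the embedded signing certificate."""
    idp = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no md:IDPSSODescriptor")
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("metadata has no signing certificate")
    der = base64.b64decode("".join(cert.text.split()))
    return {
        "Single Sign On Service": redirect_location(idp, "SingleSignOnService"),
        "Single Logout Service": redirect_location(idp, "SingleLogoutService"),
        "signing_cert_sha256": hashlib.sha256(der).hexdigest(),
    }
```

Call kasm_idp_values() with the text of the downloaded SAML Metadata file. A ValueError means the metadata lacks an HTTP-Redirect endpoint or a signing certificate, or lists a non-HTTPS Location.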

Complete SAML configuration in Kasm

  1. Back in the Kasm UI SAML configuration page update the Identity Provider selections

Kasm Property Name                   | PingOne Property Name
Entity ID                            | Issuer
Single Sign On Service               | Single Sign On Service
Single Logout Service / SLO Endpoint | Single Logout Service
X509 Certificate                     | Signing Certificate

  1. In the Advanced Settings, check Want Assertion Signed and click Save.

Figure: Group Access Selections

Mapping Users

PingOne is not set up to pass along the user’s group membership during the SAML assertion. These groups can be mapped to groups within the Kasm Application. In the previous step we gave application login permissions to both the Domain Administrators@directory and Users@directory groups in PingOne. The following steps will now map the PingOne Domain Administrators@directory group to the Administrators group in Kasm.

  1. In the PingOne Admin portal, click Users -> User Groups

  2. Inspect the Domain Administrators@directory group.

Figure: PingOne User Groups

  1. Log into the Kasm UI as an administrator.

  2. Select Access Management -> Groups, then using the arrow menu click Edit next to the Administrators Group

  3. Navigate to the SSO Group Mappings tab and select Add SSO Mapping.

  4. Select the SAML IDP that was created above “SAML - PingOne” for the SSO Provider.

  5. Enter Domain Administrators@directory into the Group Attributes field.

Figure: Add SSO Group Mapping

Testing Access

  1. Log out of the Kasm UI if already logged in.

  2. Navigate to the Kasm UI login page.

Figure: Kasm Login

  1. Click PingOne to initiate the SAML SSO process.

Figure: PingOne Login

  1. Log in as a member of the Domain Administrators@directory group.