ADMIN PRIVILEGES REQUIRED
This documentation is for Stack Overflow for Teams Enterprise. Free, Basic, and Business plans have their own documentation; check which plan you are on before following these steps.
Overview
The following instructions describe how to integrate your Stack Overflow for Teams Enterprise (SOE) instance with Ping Identity. Once configured, your users can sign in to your site through Ping Identity using SAML (Security Assertion Markup Language) single sign-on (SSO).
NOTE: As you work through these steps, it's helpful to have your SOE Authentication admin settings page open in one browser tab and the Ping Identity admin page open in another.
Create the Stack Overflow Application in Ping Identity
From the "Your Environments" dashboard in Ping Identity, click Administrators.
Click Connections, then Applications.
Click the (+) button.
Create the application profile by entering the following:
Application name: A unique identifier for the application (for example, Stack Overflow).
Description (optional): A brief description of the application.
Icon (optional): A graphic representation of the application. The image file can be .jpg, .jpeg, .gif, or .png format, up to 1MB in size.
Choose SAML Application as the Application Type.
Click Configure.
Select Manually Enter.
Enter the ACS URL (the "Assertion consumer service URL" value shown on your SOE Authentication page).
Enter the Entity ID (the "Issuer" or "Audience Restriction" value shown on your SOE Authentication page). Copy both values exactly, including the scheme and any trailing slash: Ping places them in the Destination and Audience of every SAML response it sends, and they must match what SOE expects.
Click Save.
Ping Identity creates new applications in a disabled state. Click the toggle button to the right of your application to enable it.
Set up SOE
Copy the Single Signon Service URL from the Ping Identity "Configuration" tab. Paste the URL into the SSO Service URL field on the SOE Authentication page.
NOTE: PingOne for Enterprise doesn't provide the Single Signon Service URL. Instead, Ping provides instructions for how to manually create an SSO Service URL.
On the SOE Authentication settings page, uncheck Use Subject/NameID as user identifier and enter "saml_subject" as the User identifier assertion. Ping Identity requires this setting. Whatever value arrives in that assertion is the key SOE uses to match a login to an account, so it must be unique per user and stable across logins.
Add the required assertions for the user's display name and email address. We recommend naming them "displayName" and "emailAddress" respectively.
Optional items
Job title and department user assertions
You can use the same process to add the optional Job Title and Department assertions. If Stack Overflow for Teams detects these assertions in the SAML data on login, it automatically updates the corresponding user data fields. Adding these two optional assertions also allows you to use Stack Overflow for Teams' Connectivity reporting feature.
Automatic certificate updates
SAML signing certificates expire and are rotated, and if SOE still trusts only the old certificate when Ping starts signing with a new one, every login fails until an admin pastes in the replacement. SOE can instead fetch the current certificate itself from Ping's federation metadata, which removes that outage and the manual work. To enable this optional automated update, select and copy the IDP Metadata URL under the Configuration tab in Ping Identity. (You can also click the two-pieces-of-paper button to copy the URL to your clipboard.)
Paste the Ping IDP Metadata URL into the Update certificates from federation metadata field on the SOE Authentication page. If your SOE site can reach the IDP Metadata URL, it will automatically update the signing certificates it trusts. Because whatever that URL serves decides which assertion signatures SOE accepts, use only the HTTPS URL copied from the Ping console, and make sure your SOE instance has outbound HTTPS access to it.
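As an added example (not Stack Overflow's or Ping's code), the following Python script shows what a consumer of that metadata URL does: it parses a SAML 2.0 IdP federation metadata document, pulls out the entityID, the HTTP-Redirect Single Signon Service URL that the "Set up SOE" step asks you to copy, and the certificates marked for signing, then compares them with the certificates currently configured so a rotation can be spotted. It uses only the standard library, so the certificate check is structural (valid base64 that decodes to one complete DER SEQUENCE, the same failure class as SOE's "Could not parse certificate" alert) rather than a full X.509 parse. The hostname, paths and certificate blobs in SAMPLE_METADATA are constructed placeholders standing in for the document you would fetch over HTTPS from the Ping URL.

```python
"""Read a SAML 2.0 IdP federation metadata document (what the Ping IDP Metadata
URL serves) and extract what SOE needs: entityID, HTTP-Redirect SSO URL and
the current signing certificate(s). Standard library only."""
import base64
import binascii
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata. Hostname, paths and both X509Certificate blobs
# are placeholders (the blobs are tiny valid DER SEQUENCEs, not real certs).
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://auth.pingone.example/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MAMCAQE=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MAMCAQI=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.pingone.example/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://auth.pingone.example/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _is_one_der_sequence(der: bytes) -> bool:
    """True if der is exactly one complete DER SEQUENCE (the outer shape of an
    X.509 certificate); catches truncated or doubled-up pastes."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def to_pem(x509_b64: str) -> str:
    """Normalise a metadata X509Certificate value into a PEM block, raising
    ValueError for what SOE would report as "Could not parse certificate"."""
    compact = "".join(x509_b64.split())
    try:
        der = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if not _is_one_der_sequence(der):
        raise ValueError("not a single well-formed DER SEQUENCE")
    body = "\n".join(textwrap.wrap(compact, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_bytes: bytes) -> dict:
    """Return the entityID, the HTTP-Redirect SSO URL and PEM signing certs."""
    root = ET.fromstring(xml_bytes)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == REDIRECT_BINDING:
            sso_url = svc.get("Location")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # Keys marked use="encryption" must never validate signatures;
        # a KeyDescriptor with no use attribute is valid for both purposes.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append(to_pem(cert.text or ""))
    return {"entity_id": root.get("entityID"), "sso_url": sso_url,
            "signing_certs": certs}


def certificate_rotation(configured_pems, metadata_pems):
    """(certs to add, certs to retire) relative to what SOE currently trusts."""
    return (sorted(set(metadata_pems) - set(configured_pems)),
            sorted(set(configured_pems) - set(metadata_pems)))


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP entityID    :", info["entity_id"])
    print("SSO Service URL :", info["sso_url"])
    added, retired = certificate_rotation([], info["signing_certs"])
    print(f"signing certs: {len(info['signing_certs'])} "
          f"(add {len(added)}, retire {len(retired)})")
```

The fetch itself is deliberately left out: whoever can serve content at that URL decides which assertion signatures are trusted, so a real fetch must use the exact HTTPS URL copied from the Ping console with certificate verification left on, and the keys marked use="encryption" are skipped because they must never be used to validate signatures.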
Set up SOE (continued)
On the Ping Identity page, click Download Signing Certificate.
On the SOE Authentication page, click Add another certificate. Paste the signing certificate into the Identity provider certificates field.
Click Validate Certificate. If successful, a green notification will appear with information about the certificate.
If your certificate is not valid, SOE will display a red alert: "Could not parse certificate".
Map SAML attributes
Return to Ping Identity and open the "Attribute Mappings" tab. Click the blue pencil to edit the mappings. Add one name attribute and one email attribute in the PingOne column (for example, Given Name and Email Address), and set the matching Stack Overflow values to the assertion names you entered on the SOE Authentication page (displayName and emailAddress if you followed the recommendation above). The names must match exactly; if they don't, SOE won't find the attribute, and the SAML troubleshooting page described below shows which attribute names actually arrived.
If you're using the optional Job Title and Department assertions, set those here as well.
Complete and test setup
On the SOE Authentication page, click Authenticate and enable. A green "SSO successfully enabled" alert appears at the top of the page.
To confirm the setup, keep your admin session open in the current browser and try signing in to your SOE site from a new incognito tab (or a different browser). If the login works, your SSO setup is complete. If it doesn't, you still have an authenticated admin session in the first tab from which to correct the configuration.
Troubleshooting
SOE has a SAML troubleshooting page that contains helpful info if you experience problems with your SAML setup. To enable this page, check the Enable SAML login troubleshooting page checkbox under the "Additional Options" heading. This reveals the Test currently saved SAML configuration button.
Click Test currently saved SAML configuration to see the SAML troubleshooting page. You can also click the /enterprise/support/saml-login link under the Enable SAML login troubleshooting page option.
If the SAML connection fails, the troubleshooting page will allow you to inspect the SAML response for issues with attribute mapping (or other problems). Here's an example of the SAML login troubleshooting page report:
Trying to get the User Identifier from NameID
!!! Unrecognized or missing NameID Format. !!!
!!! Please make sure that the NameID is stable across logins. !!!
NameID Value: 01234567-89ab-cdef-0123-456789abcdef
AttributeValue for 'displayname': Jim Berry
AttributeValue for 'emailaddress': [email protected]
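As an added example that is not part of SOE's troubleshooting page or Ping's tooling, the following Python script performs the same inspection on a captured SAML Response: it checks the Destination against the ACS URL, the Audience against the Entity ID, whether the NameID Format is one that stays stable across logins, which attributes arrived, and what SOE would end up using as the user identifier under the settings from this page. SOE_CONFIG (including the ACS path and hostname) is an assumed configuration, and SAMPLE_RESPONSE is a constructed response that reproduces the situation in the report above (a transient NameID and no saml_subject attribute). It does not verify the XML signature, so it is for reading responses you have already captured, never for deciding whether to accept one.

```python
"""Inspect a captured SAML Response the way SOE's troubleshooting page does:
Destination vs ACS URL, Audience vs Entity ID, NameID stability, and the
attributes SOE is configured to read. Diagnostics only: the XML signature is
NOT verified, so never use this to decide whether to accept a login."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# NameID formats that identify the same user on every login.
STABLE_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}

# Assumed SOE settings mirroring the Authentication page fields. Hostname and
# ACS path are placeholders; the assertion names are the ones this page recommends.
SOE_CONFIG = {
    "acs_url": "https://soe.example.com/enterprise/saml-consume",
    "entity_id": "https://soe.example.com",
    "user_id_attr": "saml_subject",          # None means "use Subject/NameID"
    "required_attrs": ["saml_subject", "displayName", "emailAddress"],
}

# Constructed response reproducing the report above: a transient NameID and
# no saml_subject attribute. All names and values are made up.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://soe.example.com/enterprise/saml-consume">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
        01234567-89ab-cdef-0123-456789abcdef</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>https://soe.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="displayName"><saml:AttributeValue>Jim Berry</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="emailAddress"><saml:AttributeValue>jim.berry@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def inspect_response(xml_bytes: bytes, cfg: dict) -> dict:
    """Return {"issues": [...], "attributes": {...}, "nameid": (value, format),
    "user_identifier": the value SOE would key the account on}."""
    root = ET.fromstring(xml_bytes)
    issues = []

    dest = root.get("Destination")
    if dest != cfg["acs_url"]:
        issues.append(f"Destination {dest!r} does not match ACS URL {cfg['acs_url']!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        issues.append("no plaintext Assertion (missing or encrypted)")
        return {"issues": issues, "attributes": {}, "nameid": None, "user_identifier": None}

    audiences = [a.text.strip() for a in assertion.findall(".//saml:Audience", NS) if a.text]
    if cfg["entity_id"] not in audiences:
        issues.append(f"Audience {audiences!r} does not include Entity ID {cfg['entity_id']!r}")

    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    nameid_value = nameid.text.strip() if nameid is not None and nameid.text else None
    nameid_format = nameid.get("Format") if nameid is not None else None
    if nameid_format not in STABLE_FORMATS:
        issues.append(f"NameID Format {nameid_format!r} is unrecognized or not stable "
                      "across logins; key users on an attribute instead")

    attributes = {}
    for attr in assertion.findall(".//saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attributes[attr.get("Name")] = values[0] if len(values) == 1 else values
    # Names are matched case-insensitively here (an assumption; the report
    # above prints attribute names in lower case).
    by_lower = {k.lower(): v for k, v in attributes.items() if k}
    for name in cfg["required_attrs"]:
        if name.lower() not in by_lower:
            issues.append(f"required attribute {name!r} is missing from the AttributeStatement")

    if cfg["user_id_attr"]:
        user_id = by_lower.get(cfg["user_id_attr"].lower())
    else:
        user_id = nameid_value
    return {"issues": issues, "attributes": attributes,
            "nameid": (nameid_value, nameid_format), "user_identifier": user_id}


if __name__ == "__main__":
    report = inspect_response(SAMPLE_RESPONSE, SOE_CONFIG)
    print("NameID:", report["nameid"])
    for name, value in report["attributes"].items():
        print(f"AttributeValue for {name!r}: {value}")
    print("User identifier SOE would use:", report["user_identifier"])
    for issue in report["issues"]:
        print("!!!", issue)
```

Run against the sample it reports two problems: the transient NameID, and that saml_subject never arrived, so the configured user identifier resolves to nothing. Flipping user_id_attr to None (the "Use Subject/NameID" setting) makes the NameID the identifier, which is exactly the unstable situation the report warns about.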