Skip to main content
All CollectionsEnterpriseTechnical SetupAuthentication
Configure Single Sign-on (SSO) with Ping Identity
Configure Single Sign-on (SSO) with Ping Identity

How to set up SAML SSO authentication with the Ping Identity application.

Joel Bradley avatar
Written by Joel Bradley
Updated over a week ago
PDF VERSION

Tags | Authentication | SAML | SSO | Ping |

Applies to: Enterprise

ADMIN PRIVILEGES REQUIRED

This documentation is for Stack Overflow for Teams Enterprise. Free, Basic, and Business users can access their documentation here. Find your plan.

Overview

The following instructions describe how to integrate your Stack Overflow for Teams Enterprise (SOE) instance and the Ping Identity application. Once configured, your users will be able to use Ping Identity's Security Assertion Markup Language (SAML) for Single Sign-on (SSO) authentication into your site.

NOTE: As you work through these steps, it's helpful to have your SOE Authentication admin settings page open in one browser tab and the Ping Identity admin page open in another.

Create the Stack Overflow Application in Ping Identity

  1. From the "Your Environments" dashboard in Ping Identity, click Administrators.

  2. Click Connections, then Applications.

  3. Click the (+) button.

  4. Create the application profile by entering the following:

    • Application name A unique identifier for the application (Stack Overflow).

    • Description (optional) A brief description of the application.

    • Icon (optional) A graphic representation of the application. The image file can be .jpg, .jpeg, .gif, or .png format, up to 1MB in size.

  5. Choose SAML Application as the Application Type.

  6. Click Configure.

  7. Select Manually Enter.

  8. Enter the ACS URL (the "Assertion consumer service URL" value found on your SOE Authentication page).

  9. Enter the Entity ID (the "Issuer" or "Audience Restriction" value found on your SOE Authentication page).

  10. Click Save.

  11. Ping Identity creates new applications in a disabled state. Click the toggle button to the right of your application to enable it.

Set up SOE

  1. Copy the Single Signon Service URL from the Ping Identity "Configuration" tab. Paste the URL into the SSO Service URL field on the SOE Authentication page.

NOTE: PingOne for Enterprise doesn't provide the Single Signon Service URL. Instead, Ping provides instructions for how to manually create an SSO Service URL.

  1. On the SOE authentication settings page, uncheck Use Subject/NameID as user identifier. Insert "saml_subject" as the User identifier assertion. This is a required field for Ping Identity.

  2. Add required assertions for the user display name and the user email. We recommend "displayName" and "emailAddress" respectively.

Optional items

Job title and department user assertions

You can use the same process to add the optional Job Title and Department assertions. If Stack Overflow for Teams detects these assertions in the SAML data on login, it automatically updates the corresponding user data fields. Adding these two optional assertions also allows you to use Stack Overflow for Teams' Connectivity reporting feature.

Automatic certificate updates

To maintain security, certificates must be updated regularly. Automating this task increases site security, reduces technical workload, and eliminates downtime caused by expired certificates. To enable optional automated certificate updates, select and copy the IDP Metadata URL on Ping Identity under the Configuration tab. (You can also click the two pieces of paper button to copy the URL to your clipboard.)

Paste the Ping IDP Metadata URL into the Update certificates from federation metadata field on the SOE Authentication page. If your SOE site can successfully access the IDP Metadata URL, it will automatically update security certificates.

Set up SOE (continued)

  1. On the Ping Identity page, click Download Signing Certificate.

  2. On the SOE Authentication page, click Add another certificate. Paste the signing certificate into the Identity provider certificates field.

  3. Click Validate Certificate. If successful, a green notification will appear with information about the certificate.

If your certificate is not valid, SOE will display a red alert: "Could not parse certificate".

Map SAML attributes

  1. Return to Ping Identity, and go to the "Attribute Mappings" tab. Edit the mappings by clicking the blue pencil. Add one name attribute and one email attribute to the PingOne column (for example: Given Name and Email Address). Set the Stack Overflow values to match those on the SOE Authentication page.

    If you're using the optional Job Title and Department assertions, set those here as well.

Complete and test setup

  1. On the SOE Authentication page, click Authenticate and enable. A green "SSO successfully enabled" alert will appear at the top of the page.

To confirm successful SSO setup, try signing into your SOE site by opening the site URL in a new incognito tab (or a different browser). If the login works, your SSO setup is complete.

Troubleshooting

SOE has a SAML troubleshooting page that contains helpful info if you experience problems with your SAML setup. To enable this page, check the Enable SAML login troubleshooting page checkbox under the "Additional Options" heading. This reveals the Test currently saved SAML configuration button.

Click Test currently saved SAML configuration to see the SAML troubleshooting page. You can also click the /enterprise/support/saml-login link under the Enable SAML login troubleshooting page option.

If the SAML connection fails, the troubleshooting page will allow you to inspect the SAML response for issues with attribute mapping (or other problems). Here's an example of the SAML login troubleshooting page report:

Trying to get the User Identifier from NameID
!!! Unrecognized or missing NameID Format. !!!
!!! Please make sure that the NameID is stable across logins. !!!
NameID Value: 01234567-89ab-cdef-0123-456789abcdef
AttributeValue for 'displayname': Jim Berry
AttributeValue for 'emailaddress': [email protected]
Did this answer your question?