Ping Identity Authentication


Ping Identity authentication lets you use single sign-on (SSO) through the Ping Identity SAML 2.0 identity provider.


The first step to setting up SSO with Ping Identity is to create a new application icon in Ping Identity named Pacific Timesheet. Log in as an administrator to Ping Identity, click the Add Application button, and search the catalog for Pacific Timesheet. Use that to create a new application, leaving all values at their default except for ACS URL and SP entityId. For these two properties make sure to replace the ${Customer's subdomain} expression with your Pacific Timesheet subdomain. For example, if your Pacific Timesheet URL is https://xyz.pacifictimesheet.com, then your subdomain is 'xyz' and the values would be:


ACS URL     -> https://xyz.pacifictimesheet.com/timesheet/home.do

SP entityId -> https://xyz.pacifictimesheet.com/timesheet/home.do


Once you have created the Pacific Timesheet application icon in Ping Identity you must then configure the security settings in Pacific Timesheet. First, find the values you need to enter into Pacific Timesheet by going to the Ping Identity Admin > Applications page. Locate and click the Pacific Timesheet application you created above to load the configuration parameters. Enter the following values into Pacific Timesheet:


| Property | Description |
|---|---|
| Name | This is the name used in the login button on the Pacific Timesheet login page. |
| Initiate SSO URL | The value from Ping Identity, for example: https://sso.connect.pingidentity.com/sso/sp/initsso?saasid=b04a3a23-0ccf-b8a5-b4d2f7f4f086 |
| SSO Relay State | The value from Ping Identity, for example: https://pingone.com/1.0/b04a3a23-0ccf-b8a5-b4d2f7f4f086 |
| Certificate | The Ping Identity X.509 security certificate. You can specify a primary certificate and, optionally, a secondary certificate. When a login request is authenticated the primary certificate is used first, and if that fails then the secondary certificate will be used. You would typically provide a secondary certificate a few days or weeks before the primary one expires to ensure there is no loss of access to the application when the primary certificate expires. Once the primary certificate is fully expired you can replace it with the secondary certificate at your earliest convenience, then clear the secondary certificate field. Note that the X.509 certificate should be in PEM format, meaning it should start with the header line -----BEGIN CERTIFICATE----- and end with the footer line -----END CERTIFICATE----- |
| Logging | Check this option to help troubleshoot authentication failures. Errors are logged to the System Event Log, and can be viewed with the Reports > System Event Log report. For self-hosted systems you can also view detailed information in the log files located in the <PacificTimesheet>/tomcat/logs directory. |


When you use an identity provider to connect to Pacific Timesheet, you will need a corresponding employee account in Pacific Timesheet. The identity provider's account information (be it email address, login, etc.) will be used to find a corresponding Pacific Timesheet account. The match will be made against the Pacific Timesheet account's login name, employee ID or email address, in that order.
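Because one incoming value is tried against three fields in turn, it is worth checking an employee export for values that would resolve to a different account than the one holding them. The following is an added example, not Pacific Timesheet code: the field names, the case-insensitive comparison, and the "first account in list order wins" tie-break are assumptions, and the sample data is constructed.

```python
# Added example: audit an employee export for identifiers that collide across
# the fields the page says are matched (login name, employee ID, email).
MATCH_ORDER = ("login", "employee_id", "email")  # order stated on the page


def norm(value):
    # Assumption: comparison is case-insensitive and ignores surrounding spaces.
    return (value or "").strip().lower()


def resolve(identifier, accounts):
    """Return the first account matched in the documented field order, or None."""
    wanted = norm(identifier)
    if not wanted:
        return None
    for field in MATCH_ORDER:
        for acct in accounts:  # assumption: first account in list order wins
            if norm(acct.get(field)) == wanted:
                return acct
    return None


def find_ambiguous(accounts):
    """Report (value, field, holder login, matched login) where they differ."""
    findings = []
    for acct in accounts:
        for field in MATCH_ORDER:
            value = norm(acct.get(field))
            if not value:
                continue
            hit = resolve(value, accounts)
            if hit is not acct:
                findings.append((value, field, acct["login"], hit["login"]))
    return findings


# Constructed sample export (not real data).
ACCOUNTS = [
    {"login": "jsmith", "employee_id": "1001", "email": "jsmith@example.com"},
    {"login": "1001", "employee_id": "2044", "email": "temp@example.com"},
    {"login": "admin", "employee_id": "", "email": "ops@example.com"},
    {"login": "mlee", "employee_id": "3010", "email": "ops@example.com"},
]

if __name__ == "__main__":
    for value, field, holder, matched in find_ambiguous(ACCOUNTS):
        print(f"{value!r} ({field} of {holder}) resolves to account {matched}")
```

Any row reported should be cleaned up before SSO is enabled, so that each identifier the identity provider can send maps to exactly one account.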


Note: Even if SSO is enabled you can allow some employees to log in using Pacific Timesheet's standard authentication (user name and password). On the login page the employee can choose either to log in with the standard user name and password, or use the configured identity provider's SSO option. This means that Pacific Timesheet accounts that do not use the configured identity provider, such as the 'admin' account or client approver accounts, can still log in with a user name and password.