SSO with PingOne
With Cyral, you can authenticate database users against your PingOne Cloud Platform solution.
In Cyral management console, create a SAML integration
Create a new SAML integration: Log in to your Cyral control plane UI, navigate to the Integrations section, find the SAML integration tile, and click Configure.
Create a new SAML connection:
Specify a Display Name. This display name is used to identify the IdP to the user when they log in.
In Attribute Names in SAML Assertion section, enter the IdP field name for each required attribute (first and last name, email, SSO groups) or accept the defaults. This determines how the Cyral SP expects to receive user attributes:
caution
These attributes cannot be modified once the integration has been saved in Cyral. When you configure your IdP, be sure to use the attributes you've specified here.
Enable IdP-initiated login checkbox: When you add any IdP integration in Cyral, your users can log in using the Cyral Access Portal. If selected, this checkbox gives your users a second way to log in: from your IdP portal.
Set IdP-initiated login to
ON
to give users the added option of logging in from your IdP-based portal (for example, an Okta portal).tip
Enabling IdP-initiated login requires a second ACS URL in your SAML app.
Set IdP-initiated login to
OFF
to disable IdP-initiated login. Do this if login is not supported by your IdP, or if you don't want to let users log in from your IdP portal.
Click Continue
On the next screen, download the SP metadata file. You'll need this in the next step to set up your IdP. You are free to close the page. Your SAML Integration will save as a draft, and you will be able to return to it at a later time to finish entering the required configuration values.
Create SAML IdP app in PingOne
Perform the following steps in PingOne.
Open the PingOne and navigate to Connections ➡️ Applications. Select the + icon. Give your application and name, and optionally add a description and an icon that end users will see upon logging in. Choose SAML Application as the Applications Type. Click save.
Select Import Metadata, and import the SP Metadata document that was downloaded from the Cyral management console while creating a SAML integration. Click save.
On the Attribute Mappings edit view, and specify the user attributes will be sent to Cyral in the SAML Assertion. Add the following attributes, and mark each one as required:
Email: Enter
email
as the 'Attribute' and selectEmail Address
from the 'PingOne Mappings' drop-down list.First Name: Enter
firstName
as the 'Attribute' and selectGiven Name
from the 'PingOne Mappings' drop-down list.Last Name: Enter
lastName
as the 'Attribute' and selectFamily Name
from the 'PingOne Mappings' drop-down list.Group Names: Enter
memberOf
as the 'Attribute' and selectGroup Names
from the 'PingOne Mappings' drop-down list.Click save.
Navigate to the Configure view. Click Download Metadata and save the downloaded file. You'll upload it later in the Cyral control plane UI.
On the Applications page, click the slider on the right to enable the application for all users.
In Cyral management console, complete the SAML integration
In this final step, you will supply the IdP Metadata you downloaded from PingOne to the Cyral management console.
Return to your SAML integration in the Cyral management console. Upload the IdP Metadata XML file you retrieved from PingOne.
Click Save.
Your SAML Integration is complete. You can verify it by logging into your CP using the new G Suite integration.
Next step
See Set up SSO authentication for users for the steps to activate SSO authentication on each repository that will use it.