Ping Identity
To configure Appsmith to use Ping Identity as a SAML provider, follow the steps below:
Prerequisites
-
A self-hosted Appsmith instance. See the installation guides for installing Appsmith.
-
Before setting up Single Sign-On (SSO), ensure that you have already configured a custom domain for your instance.
-
In Appsmith, go to Admin Settings > Authentication and click Enable on SAML 2.0.
-
Copy the Redirect URL and Entity ID from the SAML 2.0 configuration page to add them later in the Ping Identity settings.
Create application on Ping Identity
-
Log into your PingOne account. On the homepage, click Add Environment from the top right corner.
-
On the Create Environment screen, select Build your own solution.
a. Click PingOne SSO from Cloud Services under the Select solution(s) for your Environment section. Click Next
b. Enter the environment name and description. Click Finish.
-
Open the newly created environment and click on Manage Environment.
-
On the environment homepage, click on Application from the sidebar, then click the + icon to create a new application.
a. Enter the application name and description.
b. Select the Application Type as SAML Application. Click Configure.
c. On the SAML Configuration panel, select Manually Enter.
d. Add the Redirect URL in the ACS URLs field.
e. Add the Entity ID in the Entity ID field.
f. Click Save.
- If you are only interested in simple authentication via SAML, you can skip this step. However, if you want to configure custom claims, follow the steps below:
Open your application, go to the Attribute Mapping tab, click on the Edit ✏️ icon, and add your custom claims:
-
Attributes: Enter the attribute name in the desired format (e.g.,
userName
,email
). Copy the claim name to add it later in the Appsmith SAML configurations. -
PingOne Mappings: Select the appropriate value from the dropdown menu. This mapping connects the attribute in your application to the corresponding value in PingOne.
-
Open your application, go to the Configurations tab, and copy the IDP Metadata URL to add it later in the SAML configurations in Appsmith.
-
On your application panel, switch the toggle button at the top right corner to enable user access to the application.
Register Ping Identity in Appsmith
To complete the SAML configuration, you must register the identity provider on Appsmith. Appsmith provides three options to register the identity provider, as mentioned below:
- Metadata URL (recommended)
- Metadata XML
- IdP data
To register Ping Identity as the identity provider on Appsmith, follow the steps below:
- If you are running Appsmith on Google Cloud Run, AWS ECS, or Azure Container Instances, make sure to configure the service before setting up SSO. For more information, see:
-
Go to the SAML 2.0 configuration page in Appsmith, and navigate to Register Identity Provider section.
-
Add the copied IDP Metadata URL in the Metadata URL field under the Register Identity Provider section.
-
To configure custom SAML claims (if added in the Ping Identity's User Attribute) in Appsmith, Click the Advanced section.
a. For each custom claim, enter a name in the Key field that references the custom SAML claim within Appsmith.
b. In the Value field, enter the exact Attributes name that you copied from the Attribute Mapping section.
To set up SAML using the raw Metadata XML file, follow the steps below:
- If you are running Appsmith on Google Cloud Run, AWS ECS, or Azure Container Instances, make sure to configure the service before setting up SSO. For more information, see:
-
Open your Ping identity application, go to Configurations, and click Download Metadata.
-
Open the downloaded Metadata file in a browser and copy the XML content.
-
Navigate to Appsmith and add the raw XML in the Metadata XML field under the Register Identity Provider section in the SAML 2.0 configuration page.
-
To configure custom SAML claims (if added in the Ping Identity's User Attribute) in Appsmith, Click the Advanced section.
a. For each custom claim, enter a name in the Key field that references the custom SAML claim within Appsmith.
b. In the Value field, enter the exact Attributes name that you copied from the Attribute Mapping section.
If you have Identity provider data like X509 Public Certificate, Email, you can choose this option to configure SAML.
- If you are running Appsmith on Google Cloud Run, AWS ECS, or Azure Container Instances, make sure to configure the service before setting up SSO. For more information, see:
-
Open your Ping identity application, go to Configurations, and click Download Metadata.
-
Open the downloaded Metadata file in a browser.
-
Add the following values from XML tags in IdP Data under the Register Identity Provider section in the Appsmith SAML 2.0 configuration page:
IdP Data Field | Metadata XML Tag |
---|---|
Entity ID | Enter the value of the entityID attribute specified in the <EntityDescriptor> tag. |
Single Sign-On URL | Enter the value of location attribute specified in the <SingleSignOnService> tag. |
X509 Public Certificate | Enter the value specified in the <X509Certificate> tag. |
Enter the value specified in the <NameIDFormat> tag. |
- To configure custom SAML claims (if added in the Ping Identity's User Attribute) in Appsmith, Click the Advanced section.
a. For each custom claim, enter a name in the Key field that references the custom SAML claim within Appsmith.
b. In the Value field, enter the exact Attributes name that you copied from the Attribute Mapping section.
Once you have added the details, click the SAVE & RESTART button to save the configuration and restart the instance.
If you're running Appsmith on a Kubernetes cluster with an HA configuration, after completing the setup, run the following command to ensure the new authentication settings are properly applied:
kubectl rollout restart deployment/appsmith -n
After the Appsmith instance restarts, try logging in again to your account. You'll see a login screen with the SIGN IN WITH SAML SSO button.
Troubleshooting
If you are facing issues contact the support team using the chat widget at the bottom right of this page.