# PingIdentity Configuration

## Steps to follow

* [Create a new Application](#create-a-new-application)
* [Set up Single Sign-On](#set-up-single-sign-on)
  * [Configure Attributes](#configure-attributes)
* [Enter PingIdentity's metadata into Sleuth](#enter-pingidentitys-metadata-into-sleuth)
  * Option 1: Link to metadata file
  * Option 2: Input metadata manually
* [Assign Groups to the Application](#assign-groups-to-the-application)

## Create a new Application

Sign in to **PingIdentity** as an administrator. In the left-hand menu, expand the "**Applications**" section and click "**Applications**":

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2FGz8NwBn0Vs0JqklznYWN%2Fimage.png?alt=media&#x26;token=ac27d652-d62e-4957-83a9-e961a3f619ed" alt=""><figcaption></figcaption></figure>

On the "**Applications**" page, click the :heavy\_plus\_sign: icon to add a new Application. In the "**Add Application**" pane provide an "**Application Name**" (*e.g., Sleuth*), a "**Description**" and an "**Icon**" for the Application, select "**SAML Application**" as the "**Application Type**", and click "**Configure**":

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2Fxd7EArIjEJEhKy4q6tW6%2Fimage.png?alt=media&#x26;token=13c23918-eacc-4438-9689-72358f4ec18e" alt=""><figcaption></figcaption></figure>

## Set up Single Sign-On

You have the choice between **Importing Metadata** (*from a file you downloaded from Sleuth*), **Importing from URL**, or **Manually Entering** the metadata into PingIdentity.

{% tabs %}
{% tab title="Import Metadata" %}
On the "**SAML Configuration**" page, select "**Import Metadata**", and click "**Select a file**" to find and select the metadata file on your computer (*click* [*here*](https://help.sleuth.io/settings/organization/signup/saml#gather-sleuth-service-provider-metadata) *to find out how to download the file*):

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2FHs2yTEjoGTTFUehPuYw1%2Fimage.png?alt=media&#x26;token=8ba54e9c-db68-4059-81a9-8f2bb2b200f0" alt=""><figcaption></figcaption></figure>

The "**ACS URLs**" and "**Entity ID**" fields will populate automatically. Click "**Save**".
{% endtab %}

{% tab title="Import From URL" %}
On the "**SAML Configuration**" page, select "**Import From URL**", **paste the following URL** into the "**Import URL**" field, and click "**Import**":

```url
https://app.sleuth.io/saml/metadata/
```

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2FUDhiTFx5zxtDL7gHlMn2%2Fimage.png?alt=media&#x26;token=93f15bbe-88fd-4408-ba7c-1117df1210a8" alt=""><figcaption></figcaption></figure>

The "**ACS URLs**" and "**Entity ID**" fields will populate automatically. Click "**Save**".
{% endtab %}

{% tab title="Manually Enter" %}
On the "**SAML Configuration**" page, select "**Manually Enter**", and **fill in the necessary metadata** (*found in Sleuth*), using the following reference:

| PINGIDENTITY  | SLEUTH                     | EXAMPLE                                |
| ------------- | -------------------------- | -------------------------------------- |
| **ACS URLs**  | Assertion Consumer Service | `https://app.sleuth.io/complete/saml/` |
| **Entity ID** | SAML Entity ID             | `https://app.sleuth.io/saml/metadata/` |

Click "**Save**".
{% endtab %}
{% endtabs %}

On the Application, switch to the "**Configuration**" tab, and click the **pencil icon** to enter edit mode:

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2Fx4yKF5c2yv5X9b0YKz04%2Fimage.png?alt=media&#x26;token=4af62f04-94c8-4448-8f8f-fd3b2800cbd3" alt=""><figcaption></figcaption></figure>

**Fill in any missing metadata** (*found in Sleuth*), using the following reference:

| PINGIDENTITY                 | SLEUTH                     | EXAMPLE                                                                                |
| ---------------------------- | -------------------------- | -------------------------------------------------------------------------------------- |
| **ACS URLS**                 | Assertion Consumer Service | `https://app.sleuth.io/complete/saml/`                                                 |
| **ENTITY ID**                | SAML Entity ID             | `https://app.sleuth.io/saml/metadata/`                                                 |
| **SLO ENDPOINT**             | Single Logout Service      | `https://app.sleuth.io/saml/sls/`                                                      |
| **SUBJECT NAMEID FORMAT**    | n/a                        | `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`                               |
| **TARGET APPLICATION URL**   | Default Relay State        | (unique to each Sleuth org, usually your `orgSlug`)                                    |
| **VERIFICATION CERTIFICATE** | Sleuth x509 Certificate    | if not already filled in, can be found in Sleuth (*needs to be saved as a `crt` file*) |

Leave other settings as they are and click "**Save**".

### Configure Attributes

Once again on the Application, switch to the "**Attribute Mappings**" tab, and click the **pencil icon** to enter edit mode:

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2FgkiForKZiEw024Xld5tE%2Fimage.png?alt=media&#x26;token=2117ce50-f2c5-4c7f-a67d-d915f302e9a2" alt=""><figcaption></figcaption></figure>

Edit the default Attribute `saml_subject` from `User ID` to `Email Address`, click the `...` to reveal the contextual menu, and click `Update NameFormat`:

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2FNFIVtYkdNLIzB2gThQZu%2Fimage.png?alt=media&#x26;token=3eb3168c-80b7-4c02-82b7-226b43734f9f" alt=""><figcaption></figcaption></figure>

Select `urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified` from the list of options and click "**Update**":

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2FkIUJR5kzNrguAR0RmUeu%2Fimage.png?alt=media&#x26;token=3337b15b-f85a-4c91-8969-23b336aaee00" alt=""><figcaption></figcaption></figure>

Add the remaining required Attributes using the following reference and click "**Save**" when done:

| Attributes   | PingOne Mappings | NameFormat                                          |
| ------------ | ---------------- | --------------------------------------------------- |
| `first_name` | Given Name       | `urn:oasis:names:tc:SAML:2.0:attrname-format:basic` |
| `last_name`  | Family Name      | `urn:oasis:names:tc:SAML:2.0:attrname-format:basic` |
| `email`      | Email Address    | `urn:oasis:names:tc:SAML:2.0:attrname-format:basic` |

{% hint style="info" %}
Don't forget to **enable your Application** by flipping the toggle!
{% endhint %}

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2FLbUNo1jxLtwcy6vLpnn6%2Fimage.png?alt=media&#x26;token=0c1ad185-9b65-4219-b033-a56dd7eb802c" alt=""><figcaption></figcaption></figure>

## Enter PingIdentity's metadata into Sleuth

You can choose between **pointing Sleuth to a URL** where the IdP's metadata is now available, or **entering the metadata into Sleuth manually**.

{% tabs %}
{% tab title="Option 1: Link to metadata file" %}
In PingIdentity on the "**Configuration**" tab on your Application, click the **clipboard icon** next to the "**IDP Metadata URL**" to copy the URL:

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2Fci2hKyCqYMVz2FjGxuhk%2Fimage.png?alt=media&#x26;token=14a1e3b1-f07b-4073-b19e-e02c87a724a7" alt=""><figcaption></figcaption></figure>

In Sleuth, click the "**point Sleuth to metadata file URL**" link to trigger the input modal and **paste the copied URL** into the field, then click "**Save**":

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2FAxfT0SbWdK5mjkXsWdwC%2Fimage.png?alt=media&#x26;token=4bae5556-7734-4e24-a425-480d1b48960f" alt=""><figcaption></figcaption></figure>

The remaining fields in Sleuth will be **populated automatically**; just click "**Test Metadata and Save**":

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2FvBJMz38DQ6iJq50SjmqX%2Fimage.png?alt=media&#x26;token=e066bed2-e82a-462e-aad8-7041909ab091" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Sleuth defaults all of the Advanced configuration to the most commonly used values, but depending on your IdP configuration you might need to adjust "**Advanced settings**".
{% endhint %}
{% endtab %}

{% tab title="Option 2: Input metadata manually" %}
You'll find the data needed for this in PingIdentity on the "**Configuration**" tab on your Application under "**Connection Details**":

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2FHOnRuDOhXJpFHrw0InuT%2Fimage.png?alt=media&#x26;token=83e5e20f-99eb-4d53-a210-30bb5b9b36ba" alt=""><figcaption></figcaption></figure>

**Fill in the necessary metadata**, using the following reference, and click "**Test Metadata and Save**":

| SLEUTH          | PINGIDENTITY                 | EXAMPLE                                                                                                         |
| --------------- | ---------------------------- | --------------------------------------------------------------------------------------------------------------- |
| **Entity ID**   | Issuer ID                    | `https://auth.pingone.eu/<...>`                                                                                 |
| **SSO URL**     | Single Signon Service        | `https://auth.pingone.eu/<...>/saml20/idp/sso`                                                                  |
| **SLO URL**     | Single Logout Service        | `https://auth.pingone.eu/<...>/saml20/idp/slo`                                                                  |
| **Certificate** | Download Signing Certificate | <p><code>-----BEGIN CERTIFICATE-----</code><br><code><...></code><br><code>-----END CERTIFICATE-----</code></p> |

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2FSliMTAg8sH2oJjwEm8Jn%2Fimage.png?alt=media&#x26;token=ca4b942f-35f2-415d-a777-7f4fc7eab439" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Sleuth defaults all of the Advanced configuration to the most commonly used values, but depending on your IdP configuration you might need to adjust "**Advanced settings**".
{% endhint %}
{% endtab %}
{% endtabs %}

## Assign Groups to the Application

On the Application, switch to the "**Access**" tab and click the **pencil icon** to enter edit mode. Select the Groups that should have access to this Application, then click "**Save**":

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2FLdfcCmQCiNTReFmbmc05%2Fimage.png?alt=media&#x26;token=59a5477d-192e-4e11-a82a-02b22c1f3019" alt=""><figcaption></figcaption></figure>
