# PingIdentity Configuration

## Steps to follow

* [Create a new Application](#create-a-new-application)
* [Set up Single Sign-On](#set-up-single-sign-on)
  * [Configure Attributes](#configure-attributes)
* [Enter PingIdentity's metadata into Sleuth](#enter-pingidentitys-metadata-into-sleuth)
  * Option 1: Link to metadata file
  * Option 2: Input metadata manually
* [Assign Groups to the Application](#assign-groups-to-the-application)

## Create a new Application

Sign in to **PingIdentity** as an administrator. In the left-hand menu, expand the "**Applications**" section and click "**Applications**":

<figure><img src="/files/UZejTeDTmMwQIMbS9U6U" alt=""><figcaption></figcaption></figure>

On the "**Applications**" page, click the ➕ icon to add a new Application. In the "**Add Application**" pane, provide an "**Application Name**" (*e.g., Sleuth*), a "**Description**" and an "**Icon**" for the Application, select "**SAML Application**" as the "**Application Type**", and click "**Configure**":

<figure><img src="/files/dbbT4D2rzz8pOmxUNqIo" alt=""><figcaption></figcaption></figure>

## Set up Single Sign-On

You have the choice between **Importing Metadata** (*from a file you downloaded from Sleuth*), **Importing from URL**, or **Manually Entering** the metadata into PingIdentity.

{% tabs %}
{% tab title="Import Metadata" %}
On the "**SAML Configuration**" page, select "**Import Metadata**", and click "**Select a file**" to find and select the metadata file on your computer (*click* [*here*](https://help.sleuth.io/settings/organization/signup/saml#gather-sleuth-service-provider-metadata) *to find out how to download the file*):

<figure><img src="/files/VCuUmgxE6wzDsKl5ZPZw" alt=""><figcaption></figcaption></figure>

The "**ACS URLs**" and "**Entity ID**" fields will populate automatically. Click "**Save**".
{% endtab %}

{% tab title="Import From URL" %}
On the "**SAML Configuration**" page, select "**Import From URL**", **paste the following URL** into the "**Import URL**" field, and click "**Import**":

```url
https://app.sleuth.io/saml/metadata/
```

<figure><img src="/files/ZYRuP2p7hjrgh0neiA8y" alt=""><figcaption></figcaption></figure>

The "**ACS URLs**" and "**Entity ID**" fields will populate automatically. Click "**Save**".
{% endtab %}

{% tab title="Manually Enter" %}
On the "**SAML Configuration**" page, select "**Manually Enter**", and **fill in the necessary metadata** (*found in Sleuth*), using the following reference:

| PINGIDENTITY  | SLEUTH                     | EXAMPLE                                |
| ------------- | -------------------------- | -------------------------------------- |
| **ACS URLs**  | Assertion Consumer Service | `https://app.sleuth.io/complete/saml/` |
| **Entity ID** | SAML Entity ID             | `https://app.sleuth.io/saml/metadata/` |

Click "**Save**".
{% endtab %}
{% endtabs %}

On the Application, switch to the "**Configuration**" tab, and click the **pencil icon** to enter edit mode:

<figure><img src="/files/FcKbHmBxQTzVpH9G8Cbj" alt=""><figcaption></figcaption></figure>

**Fill in any missing metadata** (*found in Sleuth*), using the following reference:

| PINGIDENTITY                 | SLEUTH                     | EXAMPLE                                                                                |
| ---------------------------- | -------------------------- | -------------------------------------------------------------------------------------- |
| **ACS URLS**                 | Assertion Consumer Service | `https://app.sleuth.io/complete/saml/`                                                 |
| **ENTITY ID**                | SAML Entity ID             | `https://app.sleuth.io/saml/metadata/`                                                 |
| **SLO ENDPOINT**             | Single Logout Service      | `https://app.sleuth.io/saml/sls/`                                                      |
| **SUBJECT NAMEID FORMAT**    | n/a                        | `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`                               |
| **TARGET APPLICATION URL**   | Default Relay State        | (unique to each Sleuth org, usually your `orgSlug`)                                    |
| **VERIFICATION CERTIFICATE** | Sleuth x509 Certificate    | if not already filled in, can be found in Sleuth (*needs to be saved as a `crt` file*) |

Leave other settings as they are and click "**Save**".

### Configure Attributes

Once again on the Application, switch to the "**Attribute Mappings**" tab, and click the **pencil icon** to enter edit mode:

<figure><img src="/files/o3iVwSLSx19ZPavY4Td8" alt=""><figcaption></figcaption></figure>

Edit the default Attribute `saml_subject` from `User ID` to `Email Address`, click the `...` to reveal the contextual menu, and click `Update NameFormat`:

<figure><img src="/files/Hld4jr8FasLVWGoaAr2t" alt=""><figcaption></figcaption></figure>

Select `urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified` from the list of options and click "**Update**":

<figure><img src="/files/MoLXkK0CRUsNwDCTo4bz" alt=""><figcaption></figcaption></figure>

Add the remaining required Attributes using the following reference and click "**Save**" when done:

| Attributes   | PingOne Mappings | NameFormat                                          |
| ------------ | ---------------- | --------------------------------------------------- |
| `first_name` | Given Name       | `urn:oasis:names:tc:SAML:2.0:attrname-format:basic` |
| `last_name`  | Family Name      | `urn:oasis:names:tc:SAML:2.0:attrname-format:basic` |
| `email`      | Email Address    | `urn:oasis:names:tc:SAML:2.0:attrname-format:basic` |

{% hint style="info" %}
Don't forget to **enable your Application** by flipping the toggle!
{% endhint %}

<figure><img src="/files/bsmGwx90srRYNkzopMxE" alt=""><figcaption></figcaption></figure>

## Enter PingIdentity's metadata into Sleuth

You can choose between **pointing Sleuth to a URL** where the IdP's metadata is now available, or **entering the metadata into Sleuth manually**.

{% tabs %}
{% tab title="Option 1: Link to metadata file" %}
In PingIdentity on the "**Configuration**" tab on your Application, click the **clipboard icon** next to the "**IDP Metadata URL**" to copy the URL:

<figure><img src="/files/48NwpUNYwiP8gFofqUGf" alt=""><figcaption></figcaption></figure>

In Sleuth, click the "**point Sleuth to metadata file URL**" link to trigger the input modal and **paste the copied URL** into the field, then click "**Save**":

<figure><img src="/files/qQEGQYUPVDcqKGyrmqdf" alt=""><figcaption></figcaption></figure>

The remaining fields in Sleuth are **populated automatically**; just click "**Test Metadata and Save**":

<figure><img src="/files/F6onYQQRtaA5DrVW6d6i" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Sleuth defaults all of the Advanced configuration to the most commonly used values, but depending on your IdP configuration you might need to adjust "**Advanced settings**".
{% endhint %}
{% endtab %}

{% tab title="Option 2: Input metadata manually" %}
You'll find the data needed for this in PingIdentity on the "**Configuration**" tab on your Application under "**Connection Details**":

<figure><img src="/files/ziZmu2KEi9sVIrYrXBMZ" alt=""><figcaption></figcaption></figure>

**Fill in the necessary metadata**, using the following reference, and click "**Test Metadata and Save**":

| SLEUTH          | PINGIDENTITY                 | EXAMPLE                                                                                                         |
| --------------- | ---------------------------- | --------------------------------------------------------------------------------------------------------------- |
| **Entity ID**   | Issuer ID                    | `https://auth.pingone.eu/<...>`                                                                                 |
| **SSO URL**     | Single Signon Service        | `https://auth.pingone.eu/<...>/saml20/idp/sso`                                                                  |
| **SLO URL**     | Single Logout Service        | `https://auth.pingone.eu/<...>/saml20/idp/slo`                                                                  |
| **Certificate** | Download Signing Certificate | <p><code>-----BEGIN CERTIFICATE-----</code><br><code><...></code><br><code>-----END CERTIFICATE-----</code></p> |

<figure><img src="/files/F6onYQQRtaA5DrVW6d6i" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Sleuth defaults all of the Advanced configuration to the most commonly used values, but depending on your IdP configuration you might need to adjust "**Advanced settings**".
{% endhint %}
{% endtab %}
{% endtabs %}
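Whichever option you use, the values Sleuth ends up with can be cross-checked against the IdP metadata document itself. The following added example (not Sleuth's or PingIdentity's code) maps a metadata file onto the Sleuth field names from the Option 2 table and computes a SHA-256 fingerprint of the signing certificate for comparison with the one downloaded from PingIdentity. The host name and certificate bytes in the sample are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # for metadata you do not control, parse with defusedxml instead

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: fictitious host, and placeholder bytes instead of a real certificate.
FAKE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/env">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.test/env/saml20/idp/slo"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/env/saml20/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def sleuth_fields(metadata_xml):
    """Map IdP metadata onto the Sleuth field names used in the Option 2 table."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    fields = {"Entity ID": root.get("entityID")}
    for label, tag in (("SSO URL", "SingleSignOnService"), ("SLO URL", "SingleLogoutService")):
        el = idp.find(f"md:{tag}", NS)
        fields[label] = el.get("Location") if el is not None else None
        if fields[label] and not fields[label].startswith("https://"):
            raise ValueError(f"{label} is not an https URL: {fields[label]}")
    # A KeyDescriptor without a "use" attribute serves both signing and encryption.
    for key in idp.iterfind("md:KeyDescriptor", NS):
        cert = key.find(".//ds:X509Certificate", NS)
        if key.get("use") in (None, "signing") and cert is not None:
            der = base64.b64decode("".join((cert.text or "").split()))
            fields["Certificate SHA-256"] = fingerprint(der)
            break
    return fields
```
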

## Assign Groups to the Application

On the Application, switch to the "**Access**" tab, click the **pencil icon** to enter edit mode, select the Group which should have access to this Application, and click "**Save**":

<figure><img src="/files/rXtWUWSRucaLO6VFZgjd" alt=""><figcaption></figcaption></figure>


