Safeguard.sh Documentation Center
SSO AuthenticationSAML 2.0

Ping Identity

Configure PingOne / Ping Identity as a SAML 2.0 identity provider for Safeguard.

Ping Identity

  1. In PingOne, go to Connections → Applications → +, and choose SAML.
  2. Set ACS URL to the ACS URL Safeguard shows after Save and SP Entity ID to the SP Entity ID Safeguard shows after Save.
  3. Set the Subject NameID format to Email Address, mapped to the user's Email Address attribute.
  4. Under Attribute Mappings, add an outgoing attribute named email sourced from the user's Email Address — separate from the Subject NameID mapping above.
  5. On the Configuration tab, download the Signing Certificate and copy the Issuer ID and SSO endpoint URL.
  6. In Safeguard, click Add Provider → SAML 2.0 → Ping Identity, and enter those three values.
  7. Assign the groups/users who should have access under the app's Access tab, then enable the connection.
  8. Click Test in Safeguard to confirm.

Common errors: sign-on succeeds at PingOne but the user is rejected at Safeguard — check that the Subject NameID mapping is set to Email Address, not Username, in the SAML assertion configuration.

On this page