SSO AuthenticationSAML 2.0
Ping Identity
Configure PingOne / Ping Identity as a SAML 2.0 identity provider for Safeguard.
Ping Identity
- In PingOne, go to Connections → Applications → +, and choose SAML.
- Set ACS URL to the ACS URL Safeguard shows after Save and SP Entity ID to the SP Entity ID Safeguard shows after Save.
- Set the Subject NameID format to Email Address, mapped to the user's Email Address attribute.
- Under Attribute Mappings, add an outgoing attribute named
emailsourced from the user's Email Address — separate from the Subject NameID mapping above. - On the Configuration tab, download the Signing Certificate and copy the Issuer ID and SSO endpoint URL.
- In Safeguard, click Add Provider → SAML 2.0 → Ping Identity, and enter those three values.
- Assign the groups/users who should have access under the app's Access tab, then enable the connection.
- Click Test in Safeguard to confirm.
Common errors: sign-on succeeds at PingOne but the user is rejected at Safeguard — check that the Subject NameID mapping is set to Email Address, not Username, in the SAML assertion configuration.