Objective
To set up first name, last name, and group mappings when provisioning users with Ping Identity.
If you have not yet set up your Ping Identity SSO integration, please refer to our documentation here for SaaS customers and here for On-Premises.
Process
Create groups in Contrast to be mapped to Ping Identity
Ping Identity can send group affiliations in SAML assertions based on search strings.
1) Within the Contrast UI, as an Admin: Select your profile in the top right and click on Organization settings.
2) Proceed to Groups and add the following group names:
- contrast_admin (with admin access to all applications)
- contrast_edit (with edit access to all applications)
- contrast_view (with view access to all applications)
- Additionally, you can create a project-specific group like contrast_acme_proj
For more help on Contrast groups, see our documentation.
Create Ping Identity groups for Contrast users
1) Within Ping Identity, under Directory -> Groups, select the option to add a group.
2) Create groups with the following names:
name | description |
contrast_admin | Has admin access to applications within Contrast UI |
contrast_edit | Has edit access to applications within Contrast UI |
contrast_view | Has view access to applications within Contrast UI |
contrast_acme_proj | Has edit access to the Acme project applications developers are working on |
3) Add users into these groups and assign them to the Contrast application you have created for SSO authentication.
Add Attribute Mappings for users and groups
Within Ping Identity, navigate to the application configuration screen for the Contrast application.
1) Select the Attribute Mappings tab.
2) To map NameID to the user's Email Address (required for SSO Integration to function), create the following mapping:
Attributes | Ping One Mappings |
saml_subject | Email Address |
3) To map each user's first and last name (optional, but recommended), create the following mapping:
Attributes | Ping One Mappings |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Family Name |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Given Name |
4) To map only those Ping Identity groups that match a specified filter (in this example, group names starting with "contrast"), add the following:
Attributes | Ping One Mappings |
contrast_groups | user.memberOfGroupNames.?[#string.startsWith(#this, 'contrast')] |
6) Save the configuration.
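The filter in step 4 is a prefix match, so every Ping Identity group whose name starts with "contrast" is sent in contrast_groups, whether or not a group of that name was created in Contrast. The following is an added example, not code from Contrast or Ping Identity: a Python check that reads a SAML assertion captured during a test login and reports mappings that differ from the ones configured above. The function names and the sample assertion (including the group contrast_legacy) are constructed for illustration, and it assumes the attributes arrive in a standard SAML 2.0 assertion.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Groups created in Contrast in the steps above (names from this page).
CONTRAST_GROUPS = {"contrast_admin", "contrast_edit", "contrast_view", "contrast_acme_proj"}

# Constructed sample assertion (not captured from a real tenant).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="contrast_groups">
      <saml:AttributeValue>contrast_edit</saml:AttributeValue>
      <saml:AttributeValue>contrast_acme_proj</saml:AttributeValue>
      <saml:AttributeValue>contrast_legacy</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def read_attributes(assertion_xml):
    """Return (name_id, {attribute name: [values]}) from a SAML assertion."""
    # Reads attributes only; it does not verify the assertion's signature.
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext(".//saml:NameID", default="", namespaces=NS).strip()
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return name_id, attrs

def check_mappings(assertion_xml, known_groups=CONTRAST_GROUPS):
    """List findings for the mappings configured on this page."""
    name_id, attrs = read_attributes(assertion_xml)
    findings = []
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id):
        findings.append(f"NameID is not an email address: {name_id!r}")
    for claim in ("surname", "givenname"):
        if not any(attrs.get(CLAIMS + claim, [])):
            findings.append(f"optional attribute missing: {claim}")
    groups = attrs.get("contrast_groups", [])
    if not groups:
        findings.append("no contrast_groups values in the assertion")
    findings += [f"no matching Contrast group for: {g}" for g in groups if g not in known_groups]
    return findings

if __name__ == "__main__":
    print("\n".join(check_mappings(SAMPLE)))
```

An empty result means the assertion carries an email NameID, both name claims, and only group names that exist in Contrast.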
Turn on group mappings in Contrast SSO settings
To finalize the setup and enable the mappings for newly on-boarded users, proceed to the Contrast UI.
1) Go to Organizational Settings --> Single Sign-On.
2) Select Edit and check "Enable user provisioning" and "Add users to their Contrast groups upon SSO login". Additionally, you can create a no-access group for users who are on-boarded to Contrast but have no group affiliations in Ping Identity.
3) Save the settings.
The mappings are complete at this point, and newly on-boarded users should automatically be provisioned according to their group associations within Ping Identity.