Configuring user and group provisioning with Ping Identity

  • Updated


To set up First name, Last Name and group mappings when provisioning users with Ping Identity. 

If you have not yet set up your Ping Identity SSO integration, please refer to our documentation here for SaaS customers and here for On-Premises.


Create groups in Contrast to be mapped to Ping Identity

Ping Identity can send group affiliations in SAML assertions based on search strings.

For this example, we will be using groups with names that make the search string simple.  Other names or more advanced regex searches can be used instead.

1) Within the Contrast UI, as an Admin: Select your profile in the top right and click on Organization settings.

2) Proceed to Groups and add the following group names:

  • contrast_admin (with admin access to all applications)
  • contrast_edit (with edit access to all applications)
  • contrast_view (with view access to all applications)
  • Additionally, you can create a project-specific group like contrast_acme_proj


For more help on Contrast groups see our documentation.


Create Ping Identity groups for Contrast users

1) Within Ping Identity: Under Directory -> Groups. Select the to add a group

2) Create groups with the following names.

name description
contrast_admin Has admin access to applications within Contrast UI
contrast_edit Has edit access to applications within Contrast UI
contrast_view Has view access to applications within Contrast UI
contrast_acme_proj Has edit access to the Acme project applications developers are working on

3) Add users into these groups and assign them to the Contrast application you have created for SSO authentication.

Add Attribute Mappings for users and groups

Within Ping Identity, navigate to the application configuration screen for the Contrast application. 

1) Select the Attribute Mappings tab.

2) To map NameID to the user's Email Address (required for SSO Integration to function), create the following mapping:

Attributes Ping One Mappings
saml_subject Email Address

3) To map each user's first and last name (optional, but recommended), create the following mapping:

Attributes Ping One Mappings Family Name Given Name

4) To map only those Ping Identity groups that match a specified filter (in this example, starting with "contrast") add the following:

Attributes Ping One Mappings
contrast_groups user.memberOfGroupNames.?[#string.startsWith(#this, 'contrast')]

 For example:

6) Save the configuration.


Turn on group mappings in Contrast SSO settings

To finalize the setup and enable the mappings for newly on-boarded users proceed to the Contrast UI.

1) Under Organizational Settings --> Single Sign-On

2) Select Edit and check off "Enable user provisioning" and "Add users to their Contrast groups upon SSO login".   Additionally you can create a no access group for users on-boarded to Contrast but containing no group affiliations in Ping Identity. 



3) Save the settings.

The mappings are complete at this point and newly on-boarded users should automatically be provisioned to the groups associations within Ping Identity. 

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request