
Configuring PingOne as an External IdP

This guide describes how to configure PingOne as the OpenID Provider (OP) for ZIdentity, which provides single sign-on (SSO) to the Zscaler services used for admin access management.

Zscaler and Ping Identity are technology partners. To learn more about integrating Zscaler and Ping Identity, see the Zscaler and Ping Identity Deployment Guide.

Prerequisites

Ensure that you have:

  • A subscription to PingOne
  • An existing user directory in PingOne
  • A ZIdentity account with an admin role that allows you to add an IdP configuration

Configuring PingOne as OP for ZIdentity

Complete the following steps to set up PingOne as an OP for ZIdentity:

    1. Log in to the PingOne admin console.
    2. Go to Applications > Applications.
    3. Click the Add Application icon.

    4. In the Add Application drawer:

      1. Application Name: Enter a name for the application.
      2. Description: (Optional) Enter a description for the application.
      3. Icon: (Optional) Upload an icon for the application.
      4. Application Type: Select the OIDC Web App option.
      5. Click Save.

      The OIDC web application is created.

    5. In the application drawer, click the Configuration tab, and do the following:
      1. Under the General section, copy the Client ID and Client Secret values. The Client Secret is the credential for the ZIdentity client: paste it only into the ZIdentity IdP configuration and do not keep a copy in tickets, chat, or documentation.

      2. Under the URLs section, copy the OIDC Discovery Endpoint value.

    6. Go to the Resources tab and click the Edit icon.

      The Edit Resources page appears within the application drawer.

    7. In the Edit Resources page:

      1. Under the Scopes tab, select email and profile to include them as allowed scopes.
      2. Click Save.

    8. Click the toggle at the top right to enable the application.


Adding PingOne as an IdP in ZIdentity

Complete the following steps to add PingOne as an IdP in the ZIdentity Admin Portal and to register the resulting Redirect URI in PingOne:

    1. Log in to the Admin Portal.
    2. Go to Administration > Identity > ZIdentity > External Identities.
    3. Click Add Primary IdP (or Add Secondary IdP).
      The Add Primary Identity Provider or Add Secondary Identity Provider window appears.
    4. On the Basic tab:
      1. Under the General section:

        1. Name: Enter a name for the IdP.
        2. Identity Vendor: Select PingOne from the drop-down menu.
        3. Domain: Select the domain whose users this IdP authenticates. The Zscaler service uses this domain to display the correct IdP to an incoming user.
        4. Protocol: Select OIDC.
        5. Status: Select Enabled.
        6. Login ID Attribute: Enter the ID token claim to map to the Login ID attribute. You can use any claim whose value is in email-address format, e.g., <user_name>@domain.com. However, Zscaler recommends using preferred_username as the Login ID attribute.

          • If you use email as the Login ID attribute, ensure that the email domain matches one of the domains added to ZIdentity for the Primary Email attribute.
          • If you use any attribute other than email as the source for the Login ID attribute, the primary email can use any email domain.
          • Ensure that the attribute you enter in the Login ID field matches the claim name in the ID tokens exactly; claim names are case-sensitive.

      2. Under the OIDC Configuration section:

        1. Paste the Client ID and Client Secret values copied from the PingOne admin console into the respective fields.
        2. Paste the OIDC Discovery Endpoint value copied from the PingOne admin console into the Metadata URL field and click Fetch.
        3. Copy the Redirect URI value. You paste this value into the PingOne application configuration in the following steps.
        4. Under the Requested Scopes section, add profile and email scopes.

    5. In the PingOne admin console, go to Applications > Applications and click the OIDC web application created in the previous step.
    6. Go to the Configuration tab, and click the Edit icon.

      The Edit Configuration page appears within the application drawer.

    7. In the Edit Configuration page:

      1. Paste the Redirect URI value copied from the Admin Portal into the Redirect URIs field. The entry must match the value shown in the Admin Portal exactly; do not add a broader or wildcard URI, because every URI listed here is a valid destination for authorization codes issued to this client.
      2. Click Save.


Configuring Provisioning in ZIdentity

Complete the following steps to enable just-in-time (JIT) and SCIM provisioning for the PingOne IdP:

      1. In the Admin Portal, go to Administration > Identity > ZIdentity > External Identities.
      2. Locate the IdP entry created for PingOne under the Primary Identity Provider (or Secondary Identity Providers) tab and click the Edit icon.
      3. In the Edit Primary IdP (or Edit Secondary IdP) window:
        1. Select the Provisioning tab.
        2. Select Enable Just-in-time (JIT) Provisioning.
        3. Map ZIdentity user attributes to the appropriate PingOne attributes as necessary. Mapping the Primary Email attribute is mandatory because it is required for password resets and multi-factor authentication. By default, the following claims in the ID token are mapped to the corresponding user attributes in ZIdentity:

          Attribute in ID Tokens    Default ZIdentity User Attribute
          given_name                First Name
          family_name               Last Name
          name                      Display Name

          If the external IdP is configured to send different attributes for First Name, Last Name, or Display Name, then you must map those attributes. For example, if the ID token from the external IdP includes Surname instead of family_name, then you must map it with the Last Name user attribute in ZIdentity.

        4. Select Enable SCIM Provisioning.
        5. Copy the SCIM Endpoint URL. This value is used in a subsequent step.

          The SCIM Endpoint URL field appears only if the configurations for the IdP on the Basic tab are completed and saved.


        6. Click Generate Token and copy the Bearer Token value. This value is used in a subsequent step. The token authorizes PingOne to create and update users and groups in ZIdentity over SCIM, so handle it like a password.
        7. (Optional) Map the SCIM attribute (e.g., addresses) with the corresponding ZIdentity user attribute. This mapping is required only for attributes that need to be mapped to a custom user attribute in ZIdentity. To learn more about the SCIM attributes that require custom attribute mapping, see Understanding SCIM.

        8. Click Update.
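The Login ID attribute rules on the Basic tab and the default claim-to-attribute mapping on the Provisioning tab can be checked offline against an ID token from PingOne before users are sent through the flow. The following Python script is an added example and not Zscaler or Ping Identity code; the token, issuer, client ID and domains in it are constructed placeholders, and it does not verify the token signature, which ZIdentity does itself.

```python
"""Offline checks of a PingOne ID token against the ZIdentity IdP settings.

Added example, not Zscaler or Ping Identity code. The token, client ID,
issuer and domains below are constructed placeholders. Signature validation
is performed by ZIdentity; these helpers only inspect the claims that the
IdP configuration depends on.
"""
import base64
import json
import re
import time

# Default mapping from ID-token claims to ZIdentity user attributes
# (the defaults shown on the Provisioning tab).
DEFAULT_ATTRIBUTE_MAP = {
    "given_name": "First Name",
    "family_name": "Last Name",
    "name": "Display Name",
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_claims(id_token: str) -> dict:
    """Return the payload of a compact JWS. No signature check here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_standard_claims(claims, issuer, client_id, now=None) -> list:
    """Findings for iss/aud/exp; the issuer comes from the discovery document."""
    now = time.time() if now is None else now
    findings = []
    if claims.get("iss") != issuer:
        findings.append(f"iss {claims.get('iss')!r} != discovery issuer {issuer!r}")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        findings.append("aud does not contain the ZIdentity client ID")
    if claims.get("exp", 0) <= now:
        findings.append("token expired")
    return findings


def check_login_id(claims, login_id_attribute, idp_domains) -> list:
    """Findings for the Login ID Attribute rules on the Basic tab."""
    value = claims.get(login_id_attribute)
    if value is None:
        return [f"claim {login_id_attribute!r} is not in the ID token; "
                "the Login ID attribute must match the claim name exactly"]
    if not isinstance(value, str) or not EMAIL_RE.match(value):
        return [f"{login_id_attribute}={value!r} is not in user@domain form"]
    domain = value.rsplit("@", 1)[1].lower()
    if domain not in {d.lower() for d in idp_domains}:
        # Assumption: the Domain selected for the IdP is what routes a user
        # to this IdP, so the Login ID's domain must be one of those domains.
        return [f"domain {domain!r} is not configured for this IdP"]
    return []


def check_primary_email(claims, login_id_attribute, zidentity_domains) -> list:
    """The email domain is constrained only when email is also the Login ID."""
    email = claims.get("email")
    if email is None:
        return ["email claim missing; the Primary Email mapping is mandatory"]
    if login_id_attribute != "email":
        return []  # any email domain is acceptable in this case
    domain = email.rsplit("@", 1)[1].lower()
    if domain not in {d.lower() for d in zidentity_domains}:
        return [f"email domain {domain!r} is not added to ZIdentity for Primary Email"]
    return []


def unmapped_name_attributes(claims, attribute_map=DEFAULT_ATTRIBUTE_MAP) -> list:
    """ZIdentity attributes whose default claim is absent and must be remapped."""
    return [zattr for claim, zattr in attribute_map.items() if claim not in claims]


# Constructed sample: a PingOne-style ID token with a placeholder signature.
# 'Surname' stands in for family_name to show the remapping case.
SAMPLE_ISSUER = "https://auth.pingone.com/ENVIRONMENT_ID/as"
SAMPLE_CLIENT_ID = "zidentity-client-id"
SAMPLE_CLAIMS = {
    "iss": SAMPLE_ISSUER,
    "aud": SAMPLE_CLIENT_ID,
    "exp": 4102444800,
    "preferred_username": "jdoe@example.com",
    "email": "jdoe@example.com",
    "given_name": "Jane",
    "Surname": "Doe",
    "name": "Jane Doe",
}
SAMPLE_ID_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "placeholder-signature",
])

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_ID_TOKEN)
    print(check_standard_claims(claims, SAMPLE_ISSUER, SAMPLE_CLIENT_ID))
    print(check_login_id(claims, "preferred_username", ["example.com"]))
    print(check_primary_email(claims, "preferred_username", ["corp.example"]))
    print(unmapped_name_attributes(claims))  # -> ['Last Name']
```

Run it with a real ID token captured from a PingOne test login (replace SAMPLE_ID_TOKEN, the issuer from the discovery document, and your own domains): an empty findings list for the Login ID attribute you configured, and an empty unmapped list, means the Basic and Provisioning tabs agree with what PingOne actually sends.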

Configuring Provisioning in PingOne

Complete the following steps to map attributes and set up SCIM outbound provisioning in the PingOne admin console:

      1. In the PingOne admin console, go to Applications > Applications.
      2. Locate and click the application created for ZIdentity.
      3. In the application drawer that appears, select the Attributes Mapping tab, and click the Edit icon in the Custom Attributes section.

        The Edit Attribute Mappings page appears within the application drawer.

      4. In the Edit Attribute Mappings page:
        1. Click Add and map the necessary attributes configured in the Admin Portal.

          To map an expression to an attribute, locate the attribute, click the Advanced Expressions icon, and configure the expression. For example, the name attribute sent to ZIdentity can be built by combining the Given Name and Family Name attributes in PingOne.

        2. Click Save.

      5. In the left-side navigation, go to Integration > Provisioning.
      6. Click the Add icon and add a new connection.

      7. In the Create a new connection drawer:
        1. Select Identity Store as the connection type.

        2. Search for scim; the SCIM Outbound app appears.
        3. Select the SCIM Outbound app and click Next.

        4. Enter a name for the connection and click Next.

        5. Paste the SCIM Endpoint URL copied from the Admin Portal to the SCIM Base URL field.
        6. Select OAuth 2 Bearer Token from the Authentication Method drop-down menu and paste the Bearer Token copied from the Admin Portal into the OAuth Access Token field.
        7. Click Test Connection to ensure the connection is successful and click Next.

        8. Click Save.

          A new SCIM Outbound connection is created.

        9. Enable the toggle.

      8. Click the Add icon and select New Rule.

        The Create New Rule drawer appears.

      9. In the Create New Rule drawer:
        1. Name: Enter a name for the rule.
        2. Description: Enter a description for the rule.

        3. Click Create Rule.

          The rule is created, and the rule configuration drawer opens with the Configuration tab selected.

      10. In the rule configuration drawer:
        1. Select the SCIM Outbound app connection created for ZIdentity as the target.

        2. Click Save.

          The connection is saved, and the options to apply a user filter, attribute mapping, and group provisioning appear.

        3. In the User Filter section, click the Edit icon.

          The Edit User Filter page appears.

        4. In the Edit User Filter page, configure the necessary conditions for user filter. For example, you can filter users based on specific Group Names.

        5. Click Save.
        6. Go to Attribute Mapping and modify the attributes if necessary.

        7. Go to Group Provisioning, and in the Group Provisioning section, click the Edit icon or click Add Groups.

          The Edit Group Provisioning page appears within the rule configuration drawer.

        8. In the Edit Group Provisioning page:
          1. Select the groups that you want to be provisioned for ZIdentity.

          2. Click Save.
          3. Confirm the overwrite for any matching groups.

            The selected groups are added for group provisioning.

        9. Enable the toggle.


Configuring Step-Up Authentication

You can configure step-up authentication to extend the existing authentication process by requiring multi-factor authentication (MFA) when needed, so that access to high-risk or sensitive data is protected.

Before configuring step-up authentication, make sure you have configured authentication levels and access policies. To learn more, see Understanding Step-Up Authentication.

To enable step-up authentication:

    1. In the Admin Portal, go to Administration > Identity > ZIdentity > External Identities.
    2. Locate the IdP entry created for PingOne under the Primary Identity Provider (or Secondary Identity Providers) tab and click the Edit icon.
    3. In the Edit Primary IdP (or Edit Secondary IdP) window:
      1. Go to the Advanced tab.
      2. Under the Levels to Authentication context mapping section, enter the ACR Claim value for each authentication level. To learn more about the ACR claim values that PingOne supports, refer to the PingOne technical documentation.

        Map the ACR claims to the levels according to their hierarchy: the highest authentication level must be mapped to the ACR value for the strongest authentication context, and each level should use a distinct ACR value so that the mapping is unambiguous. A level mapped to the ACR value of a weaker context would be granted after that weaker authentication.

    4. Click Update.
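The following Python helper shows how a Levels to Authentication context mapping is consumed: which level a session has reached according to the acr claim in its ID token, whether a step-up is needed for a required level, and how the step-up request asks PingOne for that context. It is an added example, not Zscaler or Ping Identity code; the level names, ACR values, authorization endpoint, client ID and redirect URI are constructed placeholders, and the values you enter must be the ones PingOne actually issues for your authentication policies.

```python
"""Step-up decision helper for a Levels-to-ACR mapping.

Added example, not Zscaler or Ping Identity code. Level names, ACR values,
endpoint, client ID and redirect URI are constructed placeholders.
"""
from urllib.parse import urlencode

# Constructed mapping as entered on the Advanced tab, ordered weakest to
# strongest: the highest level is mapped to the strongest context.
SAMPLE_MAPPING = {
    "Level 1": "Single_Factor",
    "Level 2": "Multi_Factor",
}


def validate_mapping(mapping: dict) -> list:
    """Findings that would make the level hierarchy ambiguous."""
    findings = []
    seen = {}
    for level, acr in mapping.items():
        if not acr:
            findings.append(f"{level} has no ACR value")
        elif acr in seen:
            findings.append(f"{level} and {seen[acr]} share ACR value {acr!r}")
        seen.setdefault(acr, level)
    return findings


def level_from_acr(mapping: dict, acr):
    """Level reached by a session, from the acr claim of its ID token."""
    for level, value in mapping.items():
        if value == acr:
            return level
    return None  # an absent or unmapped acr maps to no level


def needs_step_up(mapping: dict, current_acr, required_level: str) -> bool:
    """True when the session must re-authenticate to reach required_level.
    Levels are compared by their position in the mapping (weakest first)."""
    order = list(mapping)
    if required_level not in order:
        raise KeyError(f"unknown level {required_level!r}")
    current = level_from_acr(mapping, current_acr)
    if current is None:
        return True
    return order.index(current) < order.index(required_level)


def step_up_authorization_url(mapping, authorization_endpoint, client_id,
                              redirect_uri, required_level, state, nonce):
    """Authorization request asking the OP for the required context via
    acr_values (OIDC Core 3.1.2.1). acr_values is only a request: the acr
    claim of the returned ID token must be checked with needs_step_up()
    before the higher level is granted. prompt=login forces a fresh
    authentication instead of reusing the existing PingOne session."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "acr_values": mapping[required_level],
        "prompt": "login",
        "state": state,
        "nonce": nonce,
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


if __name__ == "__main__":
    print(validate_mapping(SAMPLE_MAPPING))  # -> []
    print(needs_step_up(SAMPLE_MAPPING, "Single_Factor", "Level 2"))  # -> True
    print(step_up_authorization_url(
        SAMPLE_MAPPING, "https://auth.pingone.com/ENVIRONMENT_ID/as/authorize",
        "zidentity-client-id", "https://zidentity.example/oidc/callback",
        "Level 2", state="constructed-state", nonce="constructed-nonce"))
```

The point a practitioner should take from the last function is that acr_values only expresses a preference; the acr claim that comes back is the evidence, so a session is promoted to a level only after the returned claim maps to that level or a stronger one.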