Objective
Configuration of PingOne (also known as Ping Identity) and 8x8 Admin Console for SAML 2.0 SSO user login.
At this time, PingOne active user sync (SCIM) to 8x8 is not supported.
Applies To
- PingOne identity management
- 8x8 Admin Console
- SAML 2.0 SSO
Procedure
You'll need to perform the following as an admin of both PingOne and 8x8 Admin Console:
- Add the 8x8 Application to PingOne
- Set Up Identity Management in 8x8 Admin Console
- Configure a User in 8x8 Admin Console for SSO Login
- 8x8 Work Desktop SSO Login Process
Add the 8x8 Application to PingOne
To begin, you'll need to add the 8x8 application to your PingOne configuration.
- From Applications > My Applications, make sure the SAML tab is selected.
- Click on Add Application and select Search Application Catalog.
- In Application Catalog, search for 8x8 if needed.
- Click on the arrow at the far right of the 8x8 app to expand the app details.
- Click Setup.
- Click Download from Signing Certificate to download the .crt certificate file. You'll need this file later, when you configure SSO in your 8x8 Admin Console account.
- If you have more than one certificate type available, select an option that will provide a PEM formatted certificate, which is the required type for 8x8 SSO authentication.
- Copy the URLs from the following fields (or return to this window later). You’ll need these later, as well.
- Issuer
- Initiate Single Sign-On (SSO) URL
- Scroll down and click Continue to Next Step.
- In section 2. Connection Configuration, verify that the ACS URL and Entity ID fields both contain the following URL: https://sso.8x8.com/saml2
- Scroll down and click Continue to Next Step.
- In section 3. Attribute Matching, nothing is required to be changed from the default settings. Click Continue to Next Step.
- In section 4. PingOne App Customization - 8x8, nothing is required to be changed from the default settings. Click Continue to Next Step.
- In section 5. Group Access, click Add for any user groups that should have access to 8x8 application authentication. Then click Continue to Next Step.
- In section 6. Review Setup, review your configuration information compiled from all of the previous steps.
- Scroll down and click Finish.
- You'll be returned to the Application Catalog, where the 8x8 application should now be marked as Installed. Continue with steps for configuring 8x8 Admin Console, below.
Set Up Identity Management in 8x8 Admin Console
Next, you'll configure your 8x8 account to allow the use of your PingOne SSO service.
- From https://vo-cm.8x8.com, log into your 8x8 Admin Console account.
- From Home, click on Identity Management.
- Click the check box for Single Sign-On (SSO) to enable it.
- Note that 8x8 supports only one ID management app per account.
- Un-check the 8x8 Username and Password check box only if you want to prevent users from authenticating with 8x8 Work credentials.
- Doing this will allow only the SAML SSO identity provider credentials to be used.
- Keep the 8x8 Username and Password check box checked if users should be allowed to use both authentication methods.
- Select Other SAML SSO Provider. The screen will expand with more configuration options.
Now you simply need to fill in the blanks with the information you collected earlier, and upload your PingOne certificate.
- In SAML SSO Provider Information > SAML SSO Provider Name, enter a label you want for this SSO provider.
- Match the 8x8 fields with the PingOne URL information you collected earlier, and add the PingOne URLs into the appropriate fields in SAML Settings.
8x8 field > PingOne field
IDP Login URL > Initiate Single Sign-On (SSO) URL
IDP Issuer URL/URN > Issuer URL
- In Certificate in use, click on Click to attach a certificate file and choose the PingOne certificate you downloaded earlier. The file name of the certificate will appear in the field.
- Finally, click Save at the bottom of the page. You should see a green confirmation banner for a few seconds at the top of the screen.
- Continue with the next steps below to make the necessary changes to your 8x8 users in Admin Console.
Important: If after saving you find that you’ve made a mistake with the certificate, just un-check the Single Sign-On (SSO) check box and click Save to clear out the SSO information. Then follow the above process again with the correct information. The URLs can be edited without clearing the entire SSO configuration.
Configure a User in 8x8 Admin Console for SSO Login
This is a very quick process for an 8x8 user's login configuration.
- In 8x8 Admin Console, click on Home > Users.
- Search for the user you’re configuring, and click the pencil icon to edit the user.
- Scroll down to Single Sign-On (SSO) and add the user’s PingOne Username to the Federation ID field. Note: This field only appears after an identity provider is configured in Identity Management.
- Click Save.
- You should then see a green confirmation banner at the top of the screen for a few seconds.
This completes the 8x8 Admin Console configuration of PingOne. Your configured users should now be able to log into 8x8 applications such as 8x8 Work Desktop. A brief example of the 8x8 Work login process is shown below.
8x8 Work Desktop SSO Login Process
This login process may vary, depending on the PingOne administrator’s configuration of that service.
- First, launch 8x8 Work Desktop on your PC.
- Enter the PingOne Username of the assigned user into the 8x8 Username or Email field and click Continue.
- Click Log in using SSO.
- On the PingOne Sign On page, enter the user’s Username and associated Password.
- Click Sign On.
- This will complete the user's login to 8x8 Work Desktop.
Other login options and login persistence may be available depending on the PingOne administrator’s configuration of that service.
Login Issues
Invalid SAML Profile
If users receive the error Invalid SAML profile error: No valid certificate found when attempting to log in to an 8x8 app, the PingOne certificate was probably not added to the 8x8 Admin Console account.
Note: 8x8 uses only PEM-formatted certificates. If you've already applied a certificate to Admin Console, you should confirm that the certificate you are using is the PingOne certificate supplied for the 8x8 application. In this case, you would need to clear the Admin Console Identity Management information, and re-apply the correct certificate and URL data.
- In PingOne, navigate to Applications and click on the arrow to expand the 8x8 application info.
- Scroll down to Signing Certificate and click Download to download and save the certificate, as needed.
- Using the configuration steps above, add the certificate to your 8x8 Admin Console Identity Management setup, and click Save.
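Before re-uploading, it helps to confirm that the downloaded file really is PEM and that it is the same certificate PingOne shows for the 8x8 application. The following is an added example, not 8x8 or PingOne tooling: the function names are hypothetical, and SAMPLE_DER is constructed placeholder data standing in for the contents of your .crt file.

```python
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed placeholder bytes shaped like DER (SEQUENCE tag 0x30, length 256).
# This is NOT a real certificate; substitute the contents of your downloaded .crt.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def cert_to_der(data):
    """Return (detected_format, der_bytes) for the contents of a certificate file."""
    match = PEM_BLOCK.search(data)
    if match:
        body = b"".join(match.group(1).split())  # drop line breaks in the base64
        try:
            return "pem", base64.b64decode(body, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError("PEM markers found but the body is not base64") from exc
    if data[:1] == b"\x30":  # binary DER X.509 starts with an ASN.1 SEQUENCE tag
        return "der", data
    raise ValueError("not a PEM or DER certificate")


def ensure_pem(data):
    """Return the certificate as PEM text, converting from DER if necessary."""
    _, der = cert_to_der(data)
    return ssl.DER_cert_to_PEM_cert(der)


def sha256_fingerprint(data):
    """SHA-256 over the DER bytes, so PEM and DER copies of one cert match."""
    _, der = cert_to_der(data)
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


if __name__ == "__main__":
    fmt, _ = cert_to_der(SAMPLE_DER)
    print("detected format:", fmt)
    print("fingerprint:", sha256_fingerprint(SAMPLE_DER))
    print(ensure_pem(SAMPLE_DER))
```

Read the file with `open(path, "rb").read()` and pass the bytes in; if the fingerprint of the file you uploaded differs from that of a fresh download from PingOne, the wrong certificate is attached.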
We could not verify your SSO account
If users see this error when attempting to log in, the configuration in either PingOne or 8x8 Admin Console could be incorrect, and should be reviewed and corrected as needed.
If the applications are correctly configured, then the 8x8 user profile in Admin Console is not configured correctly.
- We could not verify your SSO account. Please contact your 8x8 administrator.
To correct the user configuration issue, verify that the Admin Console user profile in Home > Users has the correct PingOne Username applied to the Single Sign-On > Federation ID field.