# Single Sign-On with PingOne **PingOne** is a service providing single sign-on (SSO) for web and mobile applications. As a CodeScan administrator, you can implement **Security Assertion Markup Language (SAML) 2.0 SSO** when your company uses PingOne. Users can then log in to CodeScan without providing their authentication credentials since their identity was previously validated when logging in to their PingOne session. This enables orgs to restrict login IPs via SSO. This procedure involves the following steps: 1. Enabling Single Sign-On in CodeScan 2. Adding CodeScan as an App in PingOne 3. Entering PingOne- Identity Provider Data in CodeScan 4. Adding Attribute Mappings in PingOne 5. Testing the Single Sign-On Configuration ### Step 1: Enabling Single Sign-On in CodeScan Before configuring SSO in PingOne, you must enable SSO in CodeScan. 1. In **CodeScan**, click on the **`Profile`** icon on the right corner of the screen and select your organization (under **`My Organizations`**).

Profile

2. Go to **`Administration > SAML Connections`**.

SAML Connections

3. Click on **`Create Connection`**.

Create Connection

4. In the **`Connection name`** field, enter the *identity provider* name as you want to appear (use only Latin characters without spaces and any special characters).\ **Example-** `PingOne-SAML` 5. Enter a valid domain name of the organization in the **`Corporate domain`** field that can be authenticated in the Identity Provider. ***This property cannot be updated after SAML Connection creation.***\ **Example**- *In case of `abc@autorabit.com`, the **corporate domain** will be `autorabit.com`*. 6. Keep the **`Enforce SSO`** checkbox unchecked for now. You can enable Enforce SSO later when your domain has been confirmed. Once enabled, only SSO authentication will be allowed for email addresses of your corporate domain. {% hint style="info" %} **Point to Note:** 1. Enforcing SSO affects both login and signup. Existing *Auth0* users won't be able to login. 2. Signup with email domain same as corporate domain won't be allowed. 3. If the **`Enforce SSO`** is enabled prematurely, it will prevent all **users in their organisation** from accessing CodeScan. Consider enforcing SSO only after admins have logged in to CodeScan using SSO. 4. Keep the **`SAML Connection status`** checkbox as **`Enabled`** and click on **`Create`** button. ![](https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FYE2v5XjdCJbemYlpWOS6%2Fimage.png?alt=media\&token=0745f1ae-3c89-4a3f-9039-0ee51e563193) 5. You will be able to see the **`Metadata URL`** generated for your SSO configuration. Keep the current page open while you continue to add the CodeScan app to PingOne. {% endhint %} ### Step 2: Adding CodeScan as an App in PingOne Set up the PingOne application to provide necessary configuration information for CodeScan. 1. Log in to your [PingOne Administrator](https://admin.pingone.com/web-portal/login) account. 2. Select the **`Environment`**. 3. Go to the **`Connections`** tab and select **`Applications`** as a sub-tab.
4. Click on the![](https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FbxSXWWQuv6F0i2SE2TLb%2Fimage.png?alt=media\&token=0d5bccc2-aa48-4f21-8074-80b165d418fc)icon besides **`Applications`** to add a new app. 5. In the **`Add Application`** section, * Enter **`CodeScan`** for the application name and give a short description. * Choose **`Application Type`** as **`SAML Application`**.
6. Click **`Configure`**. 7. In the **`SAML Configuration`** section, select the **`Import From URL`** option. 8. Enter the same **`Metadata URL`** which you have generated inside CodeScan.
9. Click on the **`Import`** button. The metadata should be successfully imported, and you should see the parsed metadata values.
10. Click **`Save`**. ### Step 3: Entering Identity Provider Data in CodeScan Once the application is created, you will need to enter the identity provider data from PingOne into CodeScan. 1. In **CodeScan**, on the **`SAML`** page, go to **`Actions`** and click on **`Edit`**.
2. You will need to paste the *mandatory/optional* details below into CodeScan from PingOne Identity Provider. * **Mandatory Settings**: 1. Provider Entity ID 2. Sign In URL 3. X509 Signing Certificate 4. SAML user email attribute 5. SAML user name attribute * **Optional Settings**: 1. SAML user login attribute 2. SAML group attribute
3. In **PingOne**, go to the **`Configuration`** tab. 4. Copy the following values: * **`Issuer ID`**: Copy **Issuer ID** value and paste it into **`Provider Entity Id`** inside Codescan. * **`Single Signon Service`**: Copy **Single Signon Service** value and paste it into **`Sign In URL`** inside Codescan.
5. Click on the **`Edit`** icon in the top-right corner.
6. Click on **`Download Signing Certificate`** in **X509 PEM (.crt)** format and copy the content of the file (certificate) into the **`X509 Signing Certificate`** field of Codescan SAML connection.
7. Click **`Update`** on the CodeScan page. 8. The next step is to confirm your corporate domain to get the SSO working. You can confirm domain via raising a request to [Codescan Support](https://mailto:support@autorabit.com/). ### Step 4: Adding Attribute Mappings in PingOne It’s necessary to sync attributes of IDP users with properties of CodeScan users. 1. In **PingOne**, go to the **`Attribute Mappings`** tab of your SAML Application and click on the **`Edit`** icon. 2. Add these attributes and map to corresponding PingOne properties:
CodeScan AttributePingOne AttributeRequiredDescription
saml_subjectUser IDYesUser ID is a default required in PingOne
saml_usernameUsernameYesPingOne username will be used for newly created CodeScan users
saml_emailEmail AddressYesPingOne email will be copied to user profile in CodeScan
saml_nameFormattedOptionalPingOne formatted name will be copied to user profile in CodeScan
saml_groupsGroup NamesOptionalPingOne user groups will be automatically created in CodeScan Organization, and user will be added to these groups
3. Click **`Save`**. 4. Enable the **`CodeScan`** app.
### Step 5: Testing the Single Sign-On Configuration 1. Log out of the CodeScan Console, and then log back in using the **`Log in with SAML2`** option.\ ![](https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FYp5RMCmQh4Tb73NpvN23%2Fimage.png?alt=media\&token=ae46637c-7ec6-412d-954b-8b6cd897ae79) 2. Enter the domain name of your organization in the **`Your Company email`** field. **For example**- *autorabit.com*. 3. You should successfully redirect to the CodeScan **`Organization`** page after authentication.