Configure Ping Identity with Password Safe

  1. Log in to the Ping Identity admin portal.
  2. Click the Add Application button, and then select New SAML Application from the menu.

Screen Capture of Ping Identity New SAML Application Option


Screen Capture of Ping Identity Application Details Screen for New SAML Application

  1. Fill in Application Name and Description.
  2. Set Category to Other, and then click Continue to Next Step.


Screen Capture of SAML Configuration Window for Ping Identity

  1. Set the following:
    • Set Assertion Consumer Service (ACS) to


    • Set Entity ID to https://<ServerURL>/eEye.RetinaCSSAML.
    • Set Single Logout Binding Type to Redirect.
    • Upload Primary Verification Certificate (use SP Public Certificate.cer from \WebSiteSAML\Certificates). The certificate is automatically generated when the BI SAML configuration is saved.
    • Click Continue to Next Step.


Screen Capture of Ping Identity SSO Attribute Mapping

  1. Add the following attributes, and then click Save & Publish:
    • Group: Check the As Literal box. This must match the group created in BeyondInsight.
    • Name (required).
    • Email (optional).
    • Surname (optional).
    • GivenName (optional).


The following is applicable only to BI version 6.3.1. It is not required for 6.4.4 or later releases. In 6.4.4 and later releases, the user is automatically logged in to Password Safe, and can then navigate to BeyondInsight, if they have the proper permissions.

To create an application that goes to Password Safe when IdP-initiated login is used, add a new attribute called Website. When the value of Website is set to Password Safe, the user is logged in to Password Safe. If the attribute is not present or is set to anything other than Password Safe, the user will be directed to BeyondInsight.

  1. Download the Signing Certificate.
  2. Download SAML Metadata.
  3. Click Finish.

Configure SAML in Password Safe

  1. Go to the Dashboard or Menu and click Configuration, then, under Multi-Factor Authentication, click SAML Configuration.

Screenshot of SAML Configuration information fields, with Ping values entered.

  1. For Entity ID, enter the Okta value Identity Provider Issuer.
  2. For Single Sign-on Service URL, enter the Okta value Identity Provider Single Sign-On URL.
  3. If available, set Single Logout Service URL to Okta value Identity Provider Single Logout URL.
  4. Click HTTP POST Protocol Binding for SSO and SLO.


Screenshot of SAML Configuration details of Service Provider certificate and update button.

  1. Under Encryption and Signing Configuration, check the applicable boxes. A typical configuration is shown; however, depending on your Ping settings, some selections may be different.


Screenshot of SAML Configuration Service Provider settings, and Save button.

  1. Upload Ping X.509 certificate.
  2. Enter the service provider Entity ID.
  4. Once the SAML configuration is saved, a public SP certificate is available to download. It can be uploaded to the IdP if required.
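
The Password Safe form asks for the IdP Entity ID, the Single Sign-on and Single Logout Service URLs for the HTTP POST binding, and the IdP X.509 certificate, all of which are carried in the SAML Metadata file downloaded from Ping. The following Python sketch is an added example, not part of the product documentation: it reads those values from a metadata document so they can be checked before being entered. It assumes standard SAML 2.0 metadata; the function names, the returned dictionary keys, the host names and the certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: host names and certificate bytes are placeholders.
SAMPLE_DER = b"constructed-placeholder-certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.test/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{POST}" Location="https://idp.example.test/slo"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(der):
    """SHA-256 fingerprint to compare with the downloaded Signing Certificate."""
    return hashlib.sha256(der).hexdigest()


def endpoint(idp, tag, binding):
    """Location of the first <tag> endpoint that uses the given binding."""
    return next((e.get("Location") for e in idp.findall(f"md:{tag}", NS)
                 if e.get("Binding") == binding), None)


def idp_settings(metadata_xml, binding=POST):
    """Extract the IdP values the Password Safe SAML form asks for."""
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DTD or entity declarations do not belong in SAML metadata")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    certs = [fingerprint(base64.b64decode("".join(c.text.split())))
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"  # no 'use' = signing too
             for c in kd.findall(".//ds:X509Certificate", NS)]
    sso = endpoint(idp, "SingleSignOnService", binding)
    if not certs or not sso or not sso.startswith("https://"):
        raise ValueError("need a signing certificate and an HTTPS SSO endpoint")
    return {"entity_id": root.get("entityID"), "sso_url": sso,
            "slo_url": endpoint(idp, "SingleLogoutService", binding), "certs": certs}
```

Comparing the returned fingerprint with that of the separately downloaded Signing Certificate confirms that the certificate uploaded to Password Safe is the one the IdP signs with.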