Configure Ping Identity with Password Safe

  1. Log in to the Ping Identity admin portal.

Screen Capture of Ping Identity New SAML Application Option

  2. Click the Add Application button, and then select New SAML Application from the menu.

 

Screen Capture of Ping Identity Application Details Screen for New SAML Application

  1. Fill in Application Name and Description.
  2. Set Category to Other, and then click Continue to Next Step.

 

Screen Capture of SAML Configuration Window for Ping Identity

  1. Set the following:
    • Set Assertion Consumer Service (ACS) to https://<ServerURL>/eEye.RetinaCSSAML/saml/AssertionConsumerService.aspx

    • Set Entity ID to https://<ServerURL>/eEye.RetinaCSSAML/.
    • Set Single Logout Binding Type to Redirect.
    • Upload Primary Verification Certificate (use SP Public Certificate.cer from \WebSiteSAML\Certificates). The certificate is automatically generated when the BI SAML configuration is saved.
    • Click Continue to Next Step.

 

Service provider settings for SAML configuration

When setting up SAML configuration through the web console, the administrator needs to download the certificate from the web console.

 

Screen Capture of Ping Identity SSO Attribute Mapping

  1. Add the following attributes, and then click Save & Publish:
    • Group: Check the As Literal box. This must match the group created in BeyondInsight.
    • Name (required).
    • Email (optional).
    • Surname (optional).
    • GivenName (optional).

     

 

The following is applicable only to BI version 6.3.1. It is not required for 6.4.4 or later releases. In 6.4.4 and later releases, the user is automatically logged in to Password Safe, and can then navigate to BeyondInsight, if they have the proper permissions.

To create an application that goes to Password Safe when IdP-initiated login is used, add a new attribute called Website. When the value of Website is set to Password Safe, the user is logged in to Password Safe. If the attribute is not present or is set to anything other than Password Safe, the user will be directed to BeyondInsight.

 

  1. Download the Signing Certificate.
  2. Download SAML Metadata.

 

  1. Click Finish.

Configure SAML in Password Safe

  1. Go to the Dashboard or Menu and click Configuration, then, under Authentication Management, click SAML Configuration.

Screenshot of SAML Configuration information fields, with Ping values entered.

  1. For Identifier, enter the Okta value Identity Provider Issuer.
  2. For Single Sign-on Service URL, enter the Okta value Identity Provider Single Sign-On URL.
  3. If available, set Single Logout Service URL to the Okta value Identity Provider Single Logout URL.
  4. Click HTTP POST Protocol Binding for SSO and SLO.

 

Screenshot of SAML Configuration details of Service Provider certificate and update button.

  1. Under Encryption and Signing Configuration, check the applicable boxes. A typical configuration is shown; however, depending on your Ping settings, some selections may be different.

 

Screenshot of SAML Configuration Service Provider settings, and Save button.

  1. Upload Ping X.509 certificate.
  2. Enter the service provider Entity ID.
  3. Click SAVE SAML CONFIGURATION.
  4. Once the SAML configuration is saved, a public SP certificate is available to download. It can be uploaded to the IdP if required.

 

Disable Forms Login

In environments where SAML, smart card, or claims-aware is configured, we recommend enabling the Disable Forms Login authentication option to disallow users from using the standard login form in BeyondInsight.

To disable forms login for existing users, enable this option directly on a user account as follows:

  1. Click the vertical ellipsis for the user account, and then click Edit User Details.

Screenshot of Disable Forms Login option on a User account.

  1. Under Authentication Options, toggle Disable Forms Login to enable the option.

Please contact support for assistance if you need to bulk-apply this setting to existing accounts.

 

To configure login forms to automatically be disabled for newly created users:

Screenshot of the Forms Login Options

  1. Navigate to Configuration > Authentication Management > Authentication Options.
  2. Under Forms Login Options, enable one or both options as applicable:
    • Disable Forms Login for new directory accounts
    • Disable Forms Login for new local accounts