1. Good Grants Help Centre
  2. Getting started
  3. 03. Registration and authentication

Configuring SAML with Ping Identity

Alex Bon Ami
Updated

These instructions explain how to configure your Good Grants account for SAML single sign-on (SSO) using Ping Identity as the identity provider. You’ll need an active Ping Identity account as well as a Good Grants account.

Step 1: create a new application in Ping Identity

  1. Log in to your Ping Identity account
  2. In the main menu, go to Applications > Applications
  3. Click the + icon at the top to create a new application
  4. Enter a Name for the application
  5. Select SAML Application from the list of application types, then click Save

Step 2: enter application metadata

  1. Select Manually enter for the application metadata
  2. Complete the input fields as follows, replacing {YOUR GOOD GRANTS URL} with your program’s Good Grants URL:
    • ACS URLs: https://{YOUR GOOD GRANTS URL}/saml/callback
    • Entity ID: https://{YOUR GOOD GRANTS URL}/saml/metadata
      Add application ACS URLs and Entity ID example
  3. Click Save

Step 3: copy SSO details to Good Grants

In the 'Overview' section of Ping Identity, download the certificate and locate the Issuer and Single sign-on URL values. You’ll need these for Good Grants.

  1. Log in to Good Grants
  2. In the Manage workspace, go to Settings > Users > Registration
  3. Copy the following details from Ping Identity into the corresponding fields in Good Grants
    • Issuer
    • SSO service URL
    • Certificate

Step 4: configure NameID settings

  1. Return to Ping Identity:
  2. Go to Configuration and click the edit icon.
  3. Under Subject NameID format, select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    Format persistent option in Subject NameID Format drop-down
  4. Select the persistent NameID option
  5. Click Save

Step 5: add attribute mappings

  1. In Ping Identity, go to Attribute mappings
  2. Add the following mappings exactly as shown:
Attribute name Mapped to
email Email address
firstName Given name
lastName Family name

The attribute names—email, firstName, and lastName—must match exactly, including capitalisation. These values are sent to Good Grants to validate each user’s identity.

Step 6: enable the application

Finally, switch the toggle on in Ping Identity to enable your SAML application.

Good to know

  • Only one SAML SSO provider can be active in Good Grants at a time.
  • Ensure that your certificate in Good Grants remains current—expired certificates will prevent user authentication.
  • Test your SSO setup with a single user before rolling it out to all users.
Was this article helpful?
0 out of 0 found this helpful

Articles in this section

See more