Configuring PingOne Authentication
PingOne is a cloud-based identity management system that provides secure authentication and integrated single sign-on (SSO) for the Echo360 active learning platform.
Before You Begin
The PingOne integration offers the following single sign-on methods for customers:
- Active Directory (requires IIS and AD Connect software from PingOne)
- SAML Identity Providers
Echo360 recommends that you decide which option to implement before performing the procedures on this page. To use Active Directory, be aware that it requires the software installation noted above on a Windows Server host, and that PingOne must be able to reach that host over HTTPS from outside your firewall.
IMPORTANT: Echo360 does not yet allow for single sign-on authentication for the Windows PowerPoint ribbon add-on. The PPT Ribbon requires users to establish a direct login to Echo360. The user email remains the same (typically the institution or .edu email address) but users must establish a password within Echo360. This can be the same password as used for the SSO system or a different one.
Echo360 does support SSO for the Mobile App, Personal Capture (PCAP) and Classroom Capture (for instructors logging in to generate an ad-hoc recording). For these applications, users are directed through the SSO authentication process with their institution email address and password.
The following workflow, and the instructions on this page, identify the steps necessary to set PingOne up to provide SSO services to Echo360 through your network. For information on the subsequent steps needed to add and configure users to access Echo360 content, see Configuring Authentication.
- Register for a PingOne account.
- Register the Echo360 configuration with PingOne.
- Select the desired authentication method.
- Configure the authentication method in PingOne, and exchange the required metadata with the authentication source.
- Create or import the desired user accounts into Echo360.
Email addresses must match! Echo360 uses email addresses as user identifiers; when creating users in Echo360, be SURE the email address for each user is the same as it is in the system through which they are being authenticated.
When a user selects to open Echo360, the authentication request is sent through PingOne to the selected authentication system, then back to Echo360 for access.
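The email-matching requirement above is easy to check before the import rather than after the first failed login. The following script is an added example (not Echo360's or PingOne's code) that compares the addresses in an Echo360 user import against the addresses the identity provider asserts. Both inputs are constructed samples, the CSV columns are assumed rather than Echo360's real import format, and the script assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the Echo360 page: check that the addresses you will
# load into Echo360 match the addresses the identity provider (IdP) asserts.
# Both inputs are constructed samples. In production, read the Echo360 user
# import CSV and pull the IdP side from its directory (for Active Directory:
#   Get-ADUser -Filter * -Properties mail | Select-Object -ExpandProperty mail).

function ConvertTo-CanonicalEmail {
    # Echo360 keys users on e-mail; compare trimmed, lower-cased forms so that
    # stray whitespace or capitalisation does not hide a real mismatch.
    param([string]$Address)
    return ([string]$Address).Trim().ToLowerInvariant()
}

function Compare-SsoEmails {
    param([string[]]$Echo360Emails, [string[]]$IdpEmails)

    $idp = @{}
    foreach ($e in $IdpEmails) { $idp[(ConvertTo-CanonicalEmail $e)] = $e }

    $echo = @{}
    foreach ($e in $Echo360Emails) {
        $key = ConvertTo-CanonicalEmail $e
        if ($echo.ContainsKey($key)) {
            # Two import rows collapse to one identity: fix the CSV first.
            [pscustomobject]@{ Email = $e; Problem = "duplicate of '$($echo[$key])' in the Echo360 import" }
        }
        $echo[$key] = $e
    }

    foreach ($key in $echo.Keys) {
        if (-not $idp.ContainsKey($key)) {
            [pscustomobject]@{ Email = $echo[$key]; Problem = 'not known to the IdP: this user will fail SSO' }
        } elseif ($idp[$key] -cne $echo[$key]) {
            [pscustomobject]@{ Email = $echo[$key]; Problem = "differs only in case or whitespace from IdP value '$($idp[$key])'; import the IdP form" }
        }
    }
    foreach ($key in $idp.Keys) {
        if (-not $echo.ContainsKey($key)) {
            [pscustomobject]@{ Email = $idp[$key]; Problem = 'asserted by the IdP but missing from the Echo360 import' }
        }
    }
}

# Constructed sample Echo360 import (column names are assumed, not Echo360's real format).
$echoCsv = @'
FirstName,LastName,Email
Ada,Lovelace,ada.lovelace@example.edu
Alan,Turing,Alan.Turing@example.edu
Grace,Hopper,grace.hopper@example.edu
Grace,Hopper,GRACE.HOPPER@example.edu
Linus,Torvalds,linus@example.edu
'@
$echoEmails = ($echoCsv | ConvertFrom-Csv).Email

# Constructed sample of what the IdP asserts as each user's e-mail address.
$idpEmails = @('ada.lovelace@example.edu', 'alan.turing@example.edu',
               'grace.hopper@example.edu', 'edsger.dijkstra@example.edu')

Compare-SsoEmails -Echo360Emails $echoEmails -IdpEmails $idpEmails | Format-Table -AutoSize
```

On the sample data the report lists the duplicate Hopper row, the two case-only mismatches, the Echo360 user the IdP does not know, and the IdP user missing from the import. Whether Echo360 treats case differences as a mismatch is not stated on this page, so the safe course is to import exactly the form the IdP asserts.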
Creating PingOne account credentials
You must register in PingOne first and create your account credentials, then enable PingOne in Echo360.
To register PingOne
- Go to https://admin.pingone.com/web-portal/register.
- Under Account Type, select PingOne for Enterprise.
- Under Profile setup, complete all details.
NOTE: Your email address will become your username.
- In the Registration key field, enter PingForEcho360_FP.
- Enter and confirm your account password.
- Click Register.
After registering, you receive a confirmation email at the address entered on the form. Click the link in the email to complete the account registration process.
Configure authentication method in PingOne
PingOne needs to know which authentication method you want to use, and then you must configure that authentication method through PingOne.
NOTE: The procedures below are provided as guidelines to the PingOne authentication setup process. Refer to the PingOne documentation for additional details, or contact PingOne support if you need further assistance.
Configuring SAML authentication
Configuring SAML authentication involves exchanging metadata (entity IDs, endpoint URLs and signing certificates) between PingOne and a SAML identity provider (IdP), so that each side can verify the other's messages and PingOne can authenticate your users.
To configure SAML authentication
- Log in to PingOne.
- Select the Setup tab.
- Select the appropriate SAML identity bridge.
- Click View/Edit.
- Select Download to obtain the PingOne metadata to exchange with your identity provider (IdP). PingOne generates all of the necessary field parameters and produces a downloadable file for you to upload into the IdP.
- Once you have uploaded the PingOne metadata and configured the IdP, you must enter the provider's configuration information back into PingOne. You have the following choices:
- Upload a metadata file obtained from your identity provider into PingOne. This populates the PingOne configuration with the proper information from the provider.
- Manually enter the appropriate field information. You may have received this data from the identity provider, or you may need to copy it from the identity provider's configuration into the corresponding PingOne fields.
- When finished, click Save Configuration.
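If you take the manual-entry route, it pays to read the IdP metadata with a script rather than by eye. The following is an added example (not Echo360's or PingOne's code) that extracts the entity ID, SSO endpoints and signing certificate from an IdP metadata file and flags the two mistakes that most often break the exchange: a signing certificate that is expired or about to expire, and an SSO endpoint that is not HTTPS. The metadata is a constructed sample, the IdP name and URLs are assumed, and a throwaway self-signed certificate stands in for the IdP signing certificate (New-SelfSignedCertificate with -Subject and -NotAfter needs Windows 10 or Server 2016 or later).

```powershell
# Added example, not from the Echo360 page or PingOne: inspect a SAML IdP
# metadata file before typing its values into PingOne by hand.

function Get-IdpMetadataSummary {
    param([Parameter(Mandatory)][string]$Path)

    [xml]$doc = Get-Content -Path $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entity = $doc.SelectSingleNode('/md:EntityDescriptor', $ns)
    if (-not $entity) { throw 'Root element is not md:EntityDescriptor' }
    $idp = $entity.SelectSingleNode('md:IDPSSODescriptor', $ns)
    if (-not $idp) { throw 'No IDPSSODescriptor: this looks like SP metadata, not IdP metadata' }

    # A KeyDescriptor without a use attribute is valid for both signing and encryption.
    $certs = foreach ($kd in $idp.SelectNodes("md:KeyDescriptor[not(@use) or @use='signing']", $ns)) {
        $b64 = $kd.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns).InnerText -replace '\s', ''
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[Convert]::FromBase64String($b64))
    }
    $endpoints = foreach ($s in $idp.SelectNodes('md:SingleSignOnService', $ns)) {
        [pscustomobject]@{ Binding = $s.GetAttribute('Binding'); Location = $s.GetAttribute('Location') }
    }

    [pscustomobject]@{
        EntityId            = $entity.GetAttribute('entityID')
        SsoEndpoints        = $endpoints
        SigningCertificates = $certs
    }
}

function Test-IdpMetadata {
    # Emits one line per problem; no output means nothing obvious is wrong.
    param($Summary, [int]$WarnDays = 30)
    $now = Get-Date
    if (-not $Summary.SigningCertificates) { 'no signing certificate: PingOne could not verify assertions' }
    foreach ($c in $Summary.SigningCertificates) {
        if ($c.NotAfter -lt $now) { "signing certificate $($c.Thumbprint) expired on $($c.NotAfter)" }
        elseif ($c.NotAfter -lt $now.AddDays($WarnDays)) { "signing certificate $($c.Thumbprint) expires on $($c.NotAfter); plan the rollover now" }
    }
    foreach ($e in $Summary.SsoEndpoints) {
        if ($e.Location -notmatch '^https://') { "SSO endpoint $($e.Location) is not HTTPS" }
    }
}

# Constructed sample: a throwaway self-signed certificate plays the IdP signing cert.
$tmpCert = New-SelfSignedCertificate -Subject 'CN=idp.example.edu' -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddDays(20)
$certB64 = [Convert]::ToBase64String($tmpCert.RawData)
$sampleXml = @"
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>$certB64</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"@
$path = Join-Path $env:TEMP 'idp-metadata.xml'
Set-Content -Path $path -Value $sampleXml
try {
    $summary = Get-IdpMetadataSummary -Path $path
    $summary | Format-List EntityId, SsoEndpoints, @{ n = 'SigningCert'; e = { $_.SigningCertificates.Subject } }
    Test-IdpMetadata -Summary $summary   # on the sample: 20-day expiry warning and the http:// POST endpoint
} finally {
    Remove-Item $path -ErrorAction SilentlyContinue
    Remove-Item "Cert:\CurrentUser\My\$($tmpCert.Thumbprint)" -ErrorAction SilentlyContinue
}
```

The same certificate-expiry check is worth repeating on whatever schedule your IdP rotates its signing key: PingOne will keep the certificate you entered until you replace it, and an expired or rotated IdP certificate is the usual cause of SSO failing for every user at once.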
Configuring Active Directory (AD) authentication
Using Active Directory authentication with PingOne requires IIS and AD Connect, both installed and configured, on a Windows Server host.
PingOne provides a download of the AD Connect installer to users if needed. AD Connect requirements include:
- One of the following platforms:
- Microsoft Windows Server® 2012 with IIS 8.0 (32-bit/64-bit)
- Microsoft Windows Server 2008 R2 with IIS 7.5 (32-bit/64-bit)
- Microsoft Windows Server 2008 with IIS 7.0 (32-bit/64-bit)
- Administrator privileges on the Windows Server IIS host.
- The Windows Server IIS host must reside in an Active Directory domain but, for security reasons, must not be a domain controller (DC): the host accepts inbound connections from the internet, and a compromised DC is a compromised domain.
- Inbound port 443 (HTTPS) to the IIS host must be open from the internet so that PingOne can reach AD Connect.
- Time synchronization must be set up on the Windows Server IIS host.
- Microsoft .NET Framework 4.0 installed. The framework installation file is packaged with the AD Connect distribution.
- IIS Server role service installed.
- Windows Authentication role service installed for IIS.
To install and configure IIS
NOTE: The installation instructions linked below are for Windows Server 2008 with IIS 7.0. If you are using a different supported operating system version, find the TechNet articles that relate to your specific environment.
- Install and Configure IIS: http://technet.microsoft.com/en-us/library/cc771209(WS.10).aspx
- Create a Certificate Request: http://technet.microsoft.com/en-us/library/cc732906(v=ws.10).aspx
- Complete the Certificate Request: http://technet.microsoft.com/en-us/library/cc771816(v=ws.10).aspx
- Import an existing certificate: http://technet.microsoft.com/en-us/library/cc732785(v=ws.10).aspx
- Add HTTPS protocol and port 443 binding to IIS: By default, IIS may not be configured to support the HTTPS protocol. To implement HTTPS on 443, follow these instructions to create the binding: http://technet.microsoft.com/en-us/library/cc771438(v=ws.10).aspx
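The installer checks several of the prerequisites above one at a time and stops on each failure. The following script is an added example (not Echo360's or PingOne's code) that checks them all up front on the IIS host and then creates the port 443 HTTPS binding that IIS does not create by default, finishing with a real TLS handshake against the host. It assumes an elevated Windows PowerShell 3.0 or later session, the WebAdministration module (IIS 7.5 or later), and a server certificate with its private key already in Cert:\LocalMachine\My whose subject CN is the host name PingOne will call; the host name and site name are placeholders.

```powershell
# Added example, not Echo360's or PingOne's code: pre-flight for the AD Connect
# IIS host plus the HTTPS binding. Run from an elevated PowerShell on the host.
param(
    [string]$HostName = 'adconnect.example.edu',   # assumed public DNS name of this host
    [string]$SiteName = 'Default Web Site'
)

function Test-AdConnectPrerequisites {
    $r = [ordered]@{}

    # .NET Framework 4.x (Full profile) registers this key.
    $r['.NET Framework 4.x'] = Test-Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'

    # IIS Web Server role and the Windows Authentication role service.
    Import-Module ServerManager -ErrorAction SilentlyContinue
    $r['IIS Web-Server role']        = [bool](Get-WindowsFeature Web-Server).Installed
    $r['IIS Windows Authentication'] = [bool](Get-WindowsFeature Web-Windows-Auth).Installed

    # Domain-joined, but not a DC (DomainRole 4 or 5 = domain controller): a DC
    # reachable from the internet on 443 would expose the domain itself.
    $cs = Get-WmiObject Win32_ComputerSystem
    $r['Domain-joined']           = [bool]$cs.PartOfDomain
    $r['Not a domain controller'] = ($cs.DomainRole -lt 4)

    # Time sync: Kerberos (behind Windows Authentication) tolerates only minutes of
    # skew, so the host must follow a real time source, not its local clock.
    $source = (w32tm /query /source 2>$null) -join ' '
    $r['Time source configured'] = ($LASTEXITCODE -eq 0 -and $source -notmatch 'Local CMOS Clock|Free-running')

    return $r
}

function Add-HttpsBinding {
    param([string]$SiteName, [string]$HostName)
    Import-Module WebAdministration

    # Newest unexpired certificate with a private key whose subject CN matches the host name.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                       $_.Subject -match "CN=$([regex]::Escape($HostName))(,|$)" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No usable certificate for $HostName in Cert:\LocalMachine\My; complete the certificate request first" }

    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
    }
    # Attach the certificate to the 0.0.0.0:443 listener (the IIS: drive exposes it as an item).
    $ssl = 'IIS:\SslBindings\0.0.0.0!443'
    if (Test-Path $ssl) { Remove-Item $ssl }
    $cert | New-Item $ssl | Out-Null
    return (Get-WebBinding -Name $SiteName -Protocol https)
}

function Test-HttpsListener {
    # Confirms a TLS handshake from this host. Repeat from outside the perimeter
    # (e.g. Test-NetConnection -Port 443) because the host firewall is not the only one.
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $stream = $client.GetStream()
        $tls = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false
        $tls.AuthenticateAsClient($HostName)   # validates chain and name; a self-signed cert fails here
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $tls.RemoteCertificate
        [pscustomobject]@{ Listening = $true; Protocol = $tls.SslProtocol; Subject = $remote.Subject; Expires = $remote.NotAfter; Error = $null }
    } catch {
        [pscustomobject]@{ Listening = $false; Protocol = $null; Subject = $null; Expires = $null; Error = $_.Exception.Message }
    } finally { $client.Close() }
}

$checks = Test-AdConnectPrerequisites
foreach ($c in $checks.GetEnumerator()) { '{0,-28} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' }) }
if ($checks.GetEnumerator() | Where-Object { -not $_.Value }) {
    Write-Warning 'Resolve the MISSING items first; the AD Connect installer stops on each of them.'
}
Add-HttpsBinding -SiteName $SiteName -HostName $HostName
Test-HttpsListener -HostName $HostName
```

A handshake that succeeds from the host but fails from outside points at the perimeter firewall or DNS rather than IIS; a handshake that fails on certificate validation means PingOne will refuse the connection too, so fix the chain before running the AD Connect installer.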
To install and configure AD Connect
- Log on to your PingOne account.
- Download the AD Connect software.
- Extract the zipped file and launch the installation package by double-clicking the “run-as-administrator.cmd” file in the extracted folder.
- Click Next to proceed with the installation.
- Select Full with IIS to install the full AD Connect package in IIS.
- Click Next. The AD Connect installer checks that the prerequisites are in place. If all prerequisites are in place, the installation proceeds to the activation tab.
- The installer checks whether the .NET Framework 4.0 is installed. If it isn't, you can install it using the .NET 4.0 distribution located in the AD Connect installation directory. When the .NET Framework installation is complete, return to this AD Connect screen and click Verify Install.
- Click Next. The installer then checks whether the IIS Server role is installed. If it isn't, install this role service using Windows Server Manager, return to this dialog and click Verify Install to proceed.
- Click Next. The installer then checks whether the Windows Authentication role is installed for IIS. If it isn't, install this role service for IIS using Windows Server Manager, then return to this screen and click Verify Install to proceed.
- Click Next. The AD Connect activation screen appears. The Organization ID and the Product Key values are on the setup screen in PingOne.
- In the AD Connect activation screen, enter the Organization ID and Product Key, then click Activate and Next.
NOTE: If the product is activated properly, you will see the following acknowledgement: “AD Connect has been activated”
- Select the IIS web site that you want the AD Connect software installed to.
- Enter the installation location for the AD Connect software and click Next.
- Click Install to complete the installation process of AD Connect.
- Click Finish to complete the installation process.
Enabling PingOne authentication in Echo360
To enable PingOne
- Log on as administrator.
- Select the Settings icon in upper-right of the screen.
- From the Settings menu, select Configurations.
- From the left panel, select PingOne configuration.
- In the Identity Provider ID field, enter a value that is unique to your institution, such as your institution name or, preferably, the institution domain used for your identity provider (for example, institutionName.edu).
Use a unique IDPID value. While the Identity Provider ID (IDPID) field can be any value you want, if another PingOne client institution that also uses Echo360 has the same value, neither institution will be able to access Echo360. Furthermore, this value is very difficult to change once established. Using a unique value at setup avoids having to address any conflict later.
- Click CONNECT TO PINGONE.
- A pop-up box appears on the screen with a checkbox. Select the Enable Single Sign-on checkbox.
- A link to PingOne appears below the checkbox. Click this link.
- Log in to PingOne.
- Complete the PingOne application configuration by adding the proper identity bridge attribute for the application.
- Continue to Next Step, then add your institution Logo, Icon, Name and Description as needed.
- When finished click Save and Publish.
Once PingOne is configured for Echo360, users can select to Log in with their school ID. See Configuring Authentication for the process steps needed to allow users to access Echo360 content through their institutional login.