Configuring PingOne Authentication

PingOne is a cloud-based identity management system that provides secure authentication and integrated single sign-on (SSO) for the Echo360 active learning platform.

Before You Begin

The PingOne integration offers the following single sign-on methods for customers:

Echo360 recommends that you select which option to implement in advance of performing the procedures on this page. To use Active Directory, understand that it requires software installation as noted above, and that the system must reside outside the firewall.

IMPORTANT: Echo360 does not yet allow for single sign-on authentication for the Windows PowerPoint ribbon add-on. Using this application requires users to establish a direct login to Echo360. Echo360 does support SSO for the Mobile App, Personal Capture (PCAP) or Classroom Capture (for instructors logging in to generate an ad-hoc recording).
The user email remains the same as that used by the SSO authentication mechanism (typically the institution or .edu email address) but they establish a password within Echo360. This can be the same password as used for the SSO system or a different one.

Workflow

The following workflow, and the instructions on this page, identify the steps necessary to set PingOne up to provide SSO services to Echo360 through your network. For information on the subsequent steps needed to add and configure users to access Echo360 content, see Configuring Authentication.

  1. Register for a PingOne account.
  2. Register the Echo360 configuration with PingOne.
  3. Select the desired authentication method.
  4. Configure the authentication method in PingOne, and exchange the required metadata with the authentication source.
  5. Create or import the desired user accounts into Echo360.

Email addresses must match! Echo360 uses email addresses as user identifiers; when creating users in Echo360, be SURE the email address for each user is the same as it is in the system through which they are being authenticated.
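A pre-import check for the rule above, as an added example that is not Echo360 or PingOne code: it compares the addresses you plan to load into Echo360 with an export from the authentication source and separates exact matches from near misses (case or stray whitespace), missing accounts and duplicates. The CSV layout, the `email` column name and the sample addresses are assumptions constructed for illustration.

```python
import csv
import io
import unicodedata

def norm(addr):
    # Comparison key only. Assumption: case, padding and Unicode-form
    # differences are data-entry errors, not distinct users.
    return unicodedata.normalize("NFKC", addr).strip().casefold()

def emails(csv_text, column):
    return [row[column] for row in csv.DictReader(io.StringIO(csv_text))]

def reconcile(echo_csv, idp_csv, column="email"):
    """Classify each address in the Echo360 list against the IdP export."""
    idp = emails(idp_csv, column)
    idp_exact = set(idp)
    idp_by_key = {}
    for addr in idp:
        idp_by_key.setdefault(norm(addr), addr)
    report = {"ok": [], "near_miss": [], "missing": [], "duplicate": []}
    seen = set()
    for addr in emails(echo_csv, column):
        key = norm(addr)
        if key in seen:              # two rows that collapse to one identity
            report["duplicate"].append(addr)
        elif addr in idp_exact:      # byte-for-byte identical at the IdP
            report["ok"].append(addr)
        elif key in idp_by_key:      # same person, different spelling: fix first
            report["near_miss"].append((addr, idp_by_key[key]))
        else:                        # no such account at the IdP
            report["missing"].append(addr)
        seen.add(key)
    return report

# Constructed sample data; the "email" column name is hypothetical.
ECHO_USERS = ("email\n" "alice@example.edu\n" "Bob@Example.edu\n"
              "carol@example.edu \n" "dave@example.edu\n" "alice@example.edu\n")
IDP_USERS = ("email\n" "alice@example.edu\n" "bob@example.edu\n"
             "carol@example.edu\n" "erin@example.edu\n")

if __name__ == "__main__":
    for category, rows in reconcile(ECHO_USERS, IDP_USERS).items():
        print(category, rows)
```

Correct every `near_miss` and `missing` entry before importing users, since those accounts would not line up with the identity the authentication source asserts.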

When a user selects to open Echo360, the authentication request is sent through PingOne to the selected authentication system, then back to Echo360 for access.

Creating PingOne account credentials

You must register in PingOne first and create your account credentials, then enable PingOne in Echo360.

To register with PingOne

  1. Go to https://admin.pingone.com/web-portal/register.
  2. Under Account Type, select PingOne for Enterprise.
  3. Under Profile setup, complete all details.

    NOTE: Your email address will become your username.

  4. In the Registration key field, enter PingForEcho360_FP.
  5. Enter and confirm your account password.
  6. Click Register.

After registering, you receive a confirmation email at the address entered on the form. Click the link in the email to complete the account registration process.

Configure authentication method in PingOne

PingOne needs to know which authentication method you want to use, and then you must configure that authentication method through PingOne.

NOTE: The procedures below are provided as guidelines to the PingOne authentication setup process. Refer to the PingOne documentation for additional details, or contact PingOne support if you need further assistance.

Configuring SAML authentication

Configuring SAML authentication involves sharing identity key and certification information between PingOne and a SAML identity provider (IdP), allowing the two to communicate securely and provide appropriate user authentication.

To configure SAML authentication

  1. Log in to PingOne.
  2. Select the Setup tab.
  3. Select the appropriate SAML identity bridge.
  4. Click View/Edit.
  5. Select Download to get the PingOne metadata to exchange with your identity provider (IdP). PingOne generates all of the necessary field parameters and then produces a downloadable file for you to upload into the IdP.
  6. Once you have uploaded the PingOne metadata and configured the IdP, you must enter the provider's configuration information back into PingOne. You have the following choices:
  7. When finished, click Save Configuration.
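A check to run on a SAML metadata file before uploading it in the exchange described above, as an added example that is not Echo360 or PingOne code: it lists the SHA-256 fingerprint of each published certificate for comparison with a value obtained out of band, and flags endpoints not served over HTTPS. The sample document, its URLs and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def audit_metadata(xml_bytes):
    """Return (summary, findings) for one SAML 2.0 EntityDescriptor document."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration found; refusing to parse")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    findings, certs = [], []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        node = kd.find(".//ds:X509Certificate", NS)
        if node is None or not (node.text or "").strip():
            findings.append("KeyDescriptor without an X509Certificate")
            continue
        der = base64.b64decode("".join(node.text.split()))
        # No "use" attribute means the key serves both signing and encryption.
        certs.append((kd.get("use", "signing+encryption"), hashlib.sha256(der).hexdigest()))
    if not any("signing" in use for use, _ in certs):
        findings.append("no signing certificate published")
    endpoints = [el.get("Location") for el in root.iter() if el.get("Location")]
    for loc in endpoints:
        if urlparse(loc).scheme != "https":
            findings.append("endpoint not served over HTTPS: " + loc)
    for sp in root.iterfind("md:SPSSODescriptor", NS):
        if sp.get("WantAssertionsSigned") != "true":
            findings.append("SPSSODescriptor does not request signed assertions")
    return {"entityID": root.get("entityID"), "certs": certs, "endpoints": endpoints}, findings

# Constructed sample: placeholder bytes stand in for a DER certificate; URLs are hypothetical.
SAMPLE_DER = b"constructed bytes standing in for a DER certificate"
SAMPLE = ("""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" Location="http://sp.example.test/acs"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % base64.b64encode(SAMPLE_DER).decode()).encode()

if __name__ == "__main__":
    print(audit_metadata(SAMPLE))
```

The same function can be pointed at the metadata your IdP gives you before you enter its configuration back into PingOne.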

Configuring active directory (AD) authentication

Using Active Directory authentication with PingOne requires that you have IIS installed and configured and AD Connect installed and configured.

PingOne provides a download of the AD Connect installer to users if needed. AD Connect requirements include:

To install and configure IIS

NOTE: The installation instructions linked below are for Windows 2008 server with IIS 7.0. If you are using a different operating system version, please find the TechNet articles that relate to your specific supported environment.

  1. Install and Configure IIS: http://technet.microsoft.com/en-us/library/cc771209(WS.10).aspx
  2. Create a Certificate Request: http://technet.microsoft.com/en-us/library/cc732906(v=ws.10).aspx
  3. Complete the Certificate Request: http://technet.microsoft.com/en-us/library/cc771816(v=ws.10).aspx
  4. Import an existing certificate: http://technet.microsoft.com/en-us/library/cc732785(v=ws.10).aspx
  5. Add HTTPS protocol and port 443 binding to IIS: By default, IIS may not be configured to support the HTTPS protocol. To implement HTTPS on 443, follow these instructions to create the binding: http://technet.microsoft.com/en-us/library/cc771438(v=ws.10).aspx

To install and configure AD Connect

  1. Log on to your PingOne account.
  2. Download the AD Connect software.
  3. Extract the zipped file and launch the installation package by double-clicking the “run-as-administrator.cmd” file in the extracted folder.
  4. Click Next to proceed with the installation.
  5. Select Full with IIS to install the full AD Connect package in IIS.
  6. Click Next. The AD Connect installer checks that the prerequisites are in place. If all prerequisites are in place, the installation proceeds to the activation tab.
  7. The installer checks whether the .NET 4.0 framework is installed. If the .NET 4.0 framework isn't installed, you can install it using the .NET 4.0 distribution located in the AD Connect installation directory. When the .NET 4.0 framework installation is complete, return to this AD Connect screen, and click Verify Install.
  8. Click Next. The installer then checks whether the IIS Server role is installed. If it isn't, install this role service using Windows Server Manager, return to this dialog and click Verify Install to proceed.
  9. Click Next. The installer then checks whether the Windows Authentication role is installed for IIS. If it isn't, install this role service for IIS using Windows Server Manager, then return to this screen and click Verify Install to proceed.
  10. Click Next. The AD Connect activation screen appears. The Organization ID and the Product Key values are on the setup screen in PingOne.
  11. In the AD Connect activation screen, enter the Organization ID and Product Key, then click Activate and Next.

    NOTE: If the product is activated properly, you will see the following acknowledgement: “AD Connect has been activated”

  12. Select the IIS web site that you want the AD Connect software installed to.
  13. Enter the installation location for the AD Connect software and click Next.
  14. Click Install to complete the installation process of AD Connect.
  15. Click Finish to complete the installation process.

Enabling PingOne authentication in Echo360

To enable PingOne

  1. Log on as administrator.
  2. Select the Settings icon in the upper-right of the screen.
  3. From the Settings menu, select Configurations.
  4. From the left panel, select PingOne configuration.
  5. In the Identity Provider ID field, enter a descriptive value for your identity provider.
  6. Click CONNECT TO PINGONE.
  7. A pop-up box appears on the screen with a checkbox. Select this Enable Single-Sign on checkbox.
  8. A link to PingOne appears below the checkbox. Click this link.
  9. Log in to PingOne.
  10. Complete the PingOne application configuration by adding the proper identity bridge attribute for the application.
  11. Continue to Next Step, then add your institution Logo, Icon, Name and Description as needed.
  12. When finished, click Save and Publish.

Once PingOne is configured for Echo360, users can select to Log in with their school ID. See Configuring Authentication for the process steps needed to allow users to access Echo360 content through their institutional login.