Configuring PingOne Authentication
PingOne is a cloud-based identity management system
that provides secure authentication and integrated single sign-on (SSO)
for the Echo360 active learning platform.
Before You Begin
The PingOne integration offers the following single sign-on
methods for customers:
- Active Directory (requires IIS and AD Connect
software from PingOne)
- SAML Identity Providers
Echo360 recommends that you select which option to implement
in advance of performing the
procedures on this page. To use Active Directory, understand that it requires
software installation as noted above, and that the system must reside
outside the firewall.
Echo360 does not yet allow for single sign-on authentication for the Windows
PowerPoint ribbon add-on. Using this application requires users to create
a direct login to Echo360. Echo360 does support SSO for the Mobile
Capture (PCAP) or Classroom
Capture (for instructors logging in to generate
an ad-hoc recording).
The user email remains the same as that used by the SSO authentication
mechanism (typically the institution or .edu email address) but they establish
a password within Echo360. This can be the same password as used for the
SSO system or a different one.
The following workflow, and the instructions on this page,
identify the steps necessary to set PingOne up to provide SSO services
to Echo360 through your network. For information on the subsequent steps
needed to add and configure users to access Echo360 content, see Configuring
- Register for a PingOne account.
- Register the Echo360 configuration with PingOne.
- Select the desired authentication method.
- Configure the authentication method in PingOne,
and exchange the required metadata with the authentication source.
- Create or import the desired user accounts
Email addresses must match! Echo360 uses email addresses as user identifiers; when
creating users in Echo360, be SURE the email address for each user is
the same as it is in the system through which they are being authenticated.
When a user selects to open Echo360, the authentication
request is sent through PingOne to the selected authentication system,
then back to Echo360 for access.
Creating PingOne account credentials
You must register
in PingOne first and create your account credentials, then enable PingOne
To register PingOne
- Go to https://admin.pingone.com/web-portal/register.
- Under Account Type, select PingOne
- Under Profile setup, complete all details.
Your email address will become your username.
- In the Registration key field, enter PingForEcho360_FP.
- Enter and confirm your account password.
- Click Register.
After registering, you receive a confirmation email at the address entered
on the form. Click the link in the email to complete the account registration
Configure authentication method in PingOne
PingOne needs to know which authentication method you want
to use, and then you must configure that authentication method through
NOTE: The procedures
below are provided as guidelines to the PingOne authentication setup process.
Refer to the PingOne documentation for additional details, or contact
PingOne support if you need further assistance.
Configuring SAML authentication
Configuring SAML authentication involves sharing identity
key and certification information between PingOne and a SAML identity
provider (IdP), allowing the two to communicate securely and provide appropriate
To configure SAML authentication
- Log in to PingOne.
- Select the Setup
- Select the appropriate SAML
- Click View/Edit.
- Select to Download
the PingOne metadata to exchange with your identity provider
(IdP). This tells PingOne to generate all of the necessary field parameters,
then generates a downloadable file for you to upload into the IdP.
- Once you have uploaded the PingOne metadata
and configured the IdP, you must enter the provider's configuration
information back into PingOne. You have the following choices:
a metadata file obtained from your identity provider into
PingOne. This populates the PingOne configuration with the proper
information from the provider.
enter the appropriate field information. You may have received
this data from the identity provider, or you may need to re-type the
data into the corresponding fields for the identity provider.
- When finished, click Save
Configuring Active Directory (AD) authentication
Using Active Directory authentication with PingOne requires
that you have IIS installed and configured and AD Connect installed and
PingOne provides a download of the AD Connect installer
to users if needed. AD Connect requirements include:
- One of the following platforms:
- Microsoft Windows Server® 2012 with IIS 8.0
- Microsoft Windows Server 2008 R2 with IIS 7.5
- Microsoft Windows Server 2008 with IIS 7.0
- Administrator privileges on the Windows Server
- The Windows Server IIS host must reside in
an Active Directory domain, but for security reasons, must not be
a domain controller (DC).
- Port 443 (HTTPS) must be open to your organization.
- Time synchronization must be set up on the
Windows Server IIS host.
- Microsoft .NET Framework 4.0 installed. The
framework installation file is packaged with the AD Connect distribution.
- IIS Server role service installed.
- Windows Authentication role service installed
To install and configure IIS
NOTE: The installation
instructions linked below are for Windows Server 2008 with IIS 7.0. If
you are using a different operating system version, please find the TechNet articles
that relate to your specific supported environment.
and Configure IIS: http://technet.microsoft.com/en-us/library/cc771209(WS.10).aspx
- Create a
Certificate Request: http://technet.microsoft.com/en-us/library/cc732906(v=ws.10).aspx
the Certificate Request: http://technet.microsoft.com/en-us/library/cc771816(v=ws.10).aspx
- Import an
existing certificate: http://technet.microsoft.com/en-us/library/cc732785(v=ws.10).aspx
- Add HTTPS
protocol and port 443 binding to IIS: By default, IIS may not
be configured to support the HTTPS protocol. To implement HTTPS on
443, follow these instructions to create the binding: http://technet.microsoft.com/en-us/library/cc771438(v=ws.10).aspx
To install and configure AD Connect
- Log on to your PingOne account.
- Download the AD Connect software.
- Extract the zipped file and launch the installation
package by double-clicking the “run-as-administrator.cmd” file in
the extracted folder.
- Click Next
to proceed with the installation.
- Select Full
with IIS to install the full AD Connect package in IIS.
- Click Next.
The AD Connect installer checks that the prerequisites are in place.
If all prerequisites are in place, the installation proceeds to the
- The installer checks whether the .NET 4.0
framework is installed. If the .NET 4.0 framework isn't installed,
you can install it using the .NET 4.0 distribution located in the
AD Connect installation directory. When the .NET 4.0 framework installation
is complete, return to this AD Connect screen, and click Verify
- Click Next.
The installer then checks whether the IIS Server role is installed.
If it isn't, install this role service using Windows Server Manager,
return to this dialog and click Verify Install to proceed.
- Click Next.
The installer then checks whether the Windows Authentication role
is installed for IIS. If it isn't, install this role service for IIS
using Windows Server Manager, then return to this screen and click
Verify Install to proceed.
- Click Next.
The AD Connect activation screen appears. The Organization ID and
the Product Key values are on the setup screen in PingOne.
- In the AD Connect activation screen, enter
the Organization ID and Product Key, then click Activate
NOTE: If the
product is activated properly, you will see the following acknowledgement:
“AD Connect has been activated”
- Select the IIS web site that you want the
AD Connect software installed to.
- Enter the installation location for the AD
Connect software and click Next.
- Click Install
to complete the installation process of AD Connect.
- Click Finish
to complete the installation process.
Enabling PingOne authentication in Echo360
To enable PingOne
- Log on as administrator.
- Select the Settings
icon in the upper right of the screen.
- From the Settings menu, select Configurations.
- From the left panel, select PingOne
- In the Identity
Provider ID field, enter a value that can be considered unique
to your institution, such as your institution name, or preferably
the institution domain being used for your identity provider (i.e.,
Use a unique
IDPID value. While the Identity Provider ID (IDPID) field can
be any value you want, if another PingOne client institution that also
uses Echo360 has the same value, neither institution will be able
to access Echo360. Furthermore, this value is very difficult to change
once established. Using a unique value at setup avoids having to address
any conflict later.
- Click CONNECT
- A pop-up box appears on the screen with a
checkbox. Place a check in this Enable
Single-Sign on checkbox.
- A link to PingOne appears below the checkbox.
Click this link.
- Log in to PingOne.
- Complete the PingOne application configuration
by adding the proper identity bridge
attribute for the application.
to Next Step, then add your institution Logo,
and Description as needed.
- When finished, click Save
Once PingOne is configured for Echo360, users can select to Log in with
their school ID. See Configuring
Authentication for the process steps needed to allow users to access
Echo360 content through their institutional login.