Ping Identity (PingOne) SSO

Sign in to ComplianceScout with PingOne over SAML 2.0.

SAML 2.0

Before you start

  • These steps are for PingOne (cloud, console.pingone.com) — the current mainstream Ping IdP — not the legacy PingOne for Enterprise or PingFederate.

Values to give Ping Identity (PingOne)

Copy these from ComplianceScout → Settings → SSO when you create the connection. The exact, per-connection values are shown there.

SP Entity ID (Identifier / Audience): urn:guardstream:sp:<tenant_id>

Included in the SP metadata below. Most IdPs can import the metadata URL instead of typing this.

ACS URL (Reply URL / Assertion Consumer Service): https://<your-app-host>/sso/saml/callback/<connectionId>

SP metadata URL: https://<your-app-host>/sso/saml/metadata/<connectionId>

Contains the SP entity ID, ACS URL, and SP certificate. Import this into your IdP when it supports metadata import — it is the least error-prone path.

Required NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Configure your IdP to send the user's email address as the NameID. ComplianceScout rejects any other NameID format.

Configure Ping Identity (PingOne)

Steps verified against the vendor documentation linked at the bottom of this page. Labels can change — that link is the source of truth.

  1. Sign in to the PingOne admin console and go to Connections → Applications (some builds show Applications → Applications).

  2. Click the + (Add Application) icon. Enter an Application Name, select Advanced Configuration, and next to SAML click Configure.

  3. On Configure SAML Connection, choose Import From URL and paste ComplianceScout's SP metadata URL (this auto-fills Entity ID, ACS, and SP cert). Or choose Manually Enter and set ACS URLs = the ACS URL shown in ComplianceScout and Entity ID = urn:guardstream:sp:<tenant_id>.

  4. For signing, select Sign Assertion & Response with RSA_SHA256, then Save.

  5. Open the app's Attribute Mappings tab. On the saml_subject row, map the value to Email Address, then open the row's Advanced control and set "Name ID Format to send to SP:" = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

  6. Enable the application and assign the appropriate users/groups.

  7. On the app's details panel, copy the IDP Metadata URL (or Download Metadata) — it contains the Issuer ID (IdP Entity ID), the Single Sign-On Service URL, and the signing certificate.

Values to enter in ComplianceScout

Back in Settings → SSO, paste these into the connection and save.

IdP metadata URL: <pingone-idp-metadata-url>

Importing this one URL into ComplianceScout supplies the entity ID, SSO URL, and signing certificate.

— or — IdP Entity ID (Issuer ID): <issuer-id>
— and — Single Sign-On Service URL: <sso-url>

Role mapping (optional)

On Attribute Mappings, click + Add, set the application attribute name to groups (or roles), and map it to the directory group attribute (e.g. Group Names / memberOf). Set ComplianceScout's role-mapping attribute to match.

Things to watch for

  • ComplianceScout always requires the assertion to be signed (this is not optional). You can additionally require the SAML response to be signed and/or the assertion to be encrypted to the SP certificate — toggle those per connection in Settings → SSO.
  • Email addresses containing a + character can break SAML_SUBJECT-as-email in PingOne.

Ready to turn on Ping Identity (PingOne) SSO?

Configure the connection in Settings → SSO, then test sign-in before rolling it out to your team.
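As an added example (not ComplianceScout or PingOne code), the script below lints a SAML response captured from your own test sign-in against the settings on this page: Destination equals the ACS URL, the assertion carries a signature using RSA_SHA256, the NameID format is emailAddress, the Audience is the SP Entity ID, and the NameID email has no + character. It is a structural check only and does not verify the signature cryptographically; the `SP` and `ACS` values, the function names, and the sample response are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # from the page
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Constructed placeholder values; use the ones shown in Settings -> SSO.
SP = "urn:guardstream:sp:example-tenant"
ACS = "https://app.example.com/sso/saml/callback/example-connection"

def lint_response(xml_text, sp_entity_id=SP, acs_url=ACS):
    """Structural lint only: does NOT verify the signature cryptographically."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("Destination") != acs_url:
        findings.append("Destination != ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no cleartext Assertion (encrypted or missing)"]
    sig = assertion.find("ds:Signature", NS)  # direct child of the Assertion only
    method = None if sig is None else sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    if sig is None:
        findings.append("assertion not signed")
    elif method is None or method.get("Algorithm") != RSA_SHA256:
        findings.append("assertion signature is not RSA_SHA256")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID Format is not emailAddress")
    elif "+" in (name_id.text or ""):
        findings.append("NameID email contains '+'")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        findings.append("Audience lacks SP Entity ID")
    return findings

def sample(fmt=EMAIL_FORMAT, email="alice@example.com", signed=True):  # constructed sample
    sig = ('<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="%s"/>'
           '</ds:SignedInfo></ds:Signature>' % RSA_SHA256) if signed else ""
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" '
            'Destination="%s"><saml:Assertion>%s<saml:Subject><saml:NameID '
            'Format="%s">%s</saml:NameID></saml:Subject><saml:Conditions>'
            '<saml:AudienceRestriction><saml:Audience>%s</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
            '</samlp:Response>' % (NS["samlp"], NS["saml"], NS["ds"], ACS,
                                   sig, fmt, email, SP))

print(lint_response(sample()))
```

An empty list means the captured response matches the settings above; each string in a non-empty list names the setting to recheck in PingOne.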