Configure Password Safe and Ping Identity for PingOne
Using the PingOne Application Catalog, leverage the Password Safe app to configure the integration between Password Safe or Password Safe Cloud and PingOne.
Configure Password Safe App in PingOne Application Catalog
- Access the Application Catalog for your Ping Identity environment, and search for BeyondTrust.
- Click the + sign next to the BeyondTrust – Password Safe Cloud application.
- In the Instance Name box, enter the unique part of your instance URL, and then click Next.
- On the Map Attributes page, add a group. The Group attribute is mandatory and corresponds to the group that will be included in the SAML Assertion for users. In this guide, we configure a static value that is the same for all users accessing Password Safe using this application. Optionally, you can map this attribute to a Ping user attribute.
- Click the gear icon to open the Expression Builder for the Group attribute. Add a Password Safe group name within double-quotes, and then click Save.
- The Map Attributes page will look similar to the screen capture shown. Click Next.
You can use access control groups in PingOne to allow access to the app. In this scenario, access is open to all users.
- Click Save. The Connection Details page is displayed.
- To configure the SAML identity provider in Password Safe, you need: Issuer ID, Single Signon Service URLs, and the certificate. On the Connection Details page, copy the Issuer ID and Single Signon Service URLs to use later.
- Click Download Signing Certificate. You will import the certificate in Password Safe.
Create a SAML identity provider in BeyondInsight
- On the SAML configuration page for PingOne, copy the Identifier (Issuer ID) and Single Sign-On Service URL values from the previous procedure.
- Import the certificate downloaded from PingOne in the previous procedure.
- Save the SAML configuration settings.
PingOne users can now log on to Password Safe using single sign-on.
If an account does not already exist in Password Safe, then the SAML assertion sent by PingOne creates the account. The account is added to the group configured on the Attribute Mapping page.
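Because the assertion both creates the account and selects its group, it is worth confirming what a captured assertion carries before relying on the integration. The following is an added example, not BeyondTrust or Ping Identity code: it checks the Issuer and the Group attribute of a decoded assertion against expected values. The sample assertion, issuer URL and group name are constructed placeholders, and the script does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a decoded assertion trimmed to the fields checked here.
# Issuer URL, user and group name are placeholders, not values from the page.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Issuer>https://idp.example.test/issuer-placeholder</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>PingOne Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_assertion(xml_text, expected_issuer, allowed_groups):
    """Return a list of problems; an empty list means the checks passed.

    Intended for offline review of an assertion you captured yourself.
    Signature validation is out of scope and stays with the service provider.
    """
    problems = []
    root = ET.fromstring(xml_text)

    # The Issuer must match the Issuer ID copied from the Connection Details page.
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: {issuer!r}")

    # The Group attribute is mandatory and decides which group the account joins.
    groups = [
        (value.text or "").strip()
        for attr in root.iterfind(".//saml:Attribute", NS)
        if attr.get("Name") == "Group"
        for value in attr.iterfind("saml:AttributeValue", NS)
    ]
    if not groups:
        problems.append("Group attribute missing")
    problems += [f"unexpected group: {g!r}" for g in groups if g not in allowed_groups]
    return problems
```

An unexpected group in the result means the Expression Builder value or a mapped user attribute is placing new accounts somewhere other than the intended Password Safe group.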