DocumentationRelease Notes
Log In
Documentation

Ping Identity PingOne (SAML)

Suggest Edits

Ping Identity offers a PingOne SSO solution that integrates with BeyondTrust Privileged Remote Access. This guide shows how to configure PingOne and Privileged Remote Access integrations.

Configure PingOne

Configuring the PingOne integration with BeyondTrust Privileged Remote Access requires steps in both applications. Start in PingOne, and follow these steps:

  1. Log in to PingOne.
  2. Navigate to the Application Catalog.
  3. Search for BeyondTrust. The search results show the various BeyondTrust applications and their configuration status.
  4. Click the + icon at the end of the row for BeyondTrust - Privileged Remote Access.
  5. Enter your instance name.
  6. Click Next.
  7. On the Map Attributes page, complete the configuration for the Groups attribute. Privileged Remote Access requires one or more string values with multiple values separated by a configurable delimiter. It is possible to map a PingOne User Attribute or another method, but that is beyond the scope of this guide. We must configure an advanced expression for the groups attribute. Assign a static value, surrounded by double quotes, that corresponds to an existing group in Privileged Remote Access. In this example, team_a is used.
  8. The Map Attributes page should look like the image below.
  9. Click Save, then Next.
  10. Access Control Groups in PingOne can be used to limit access to the Application. Leave the page empty for now and click Save.
  11. On the Connection Details page, click Download Metadata.
  12. Continue the configuration in BeyondTrust Privileged Remote Access.

Configure Privileged Remote Access

Follow these steps to create a new SAML Provider for Ping Identity PingOne.

  1. Log in to BeyondTrust Privileged Remote Access.
  2. Click Users & Security on the left menu, and then click the Security Providers tab.
  3. Click Add and select SAML.
  4. Enter a name to identify this provider, such as SAML2.
  5. Under Identity Provider Settings, click UPLOAD IDENTITY PROVIDER METADATA.
  6. Browse to the metadata file downloaded from PingOne and select it.
  7. The Single Sign-On Service URL and the Entity ID are populated by the metadata file. Leave the SSO URL Protocol Binding as HTTP POST.
  8. Select the Available Groups and Default Group Policy.
  9. Click SAVE at the top of the screen.

PingOne supports Identity Provider(IdP) initiated Single Sign-On, via a direct link or the Apps portal for Users. Privileged Remote Access supports Service Provider(SP) initiated Single Sign-On. On the login page, click Use SAML Authentication for SP initiated SSO.

SAML Users are managed by the Identity Provider, which is PingOne.

Updated about 1 month ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.