PingOne is a cloud-based identity management system that provides secure authentication and integrated single sign-on (SSO) for the Echo360 active learning platform.
Before You Begin
The PingOne integration offers the following single sign-on methods for customers:
- Active Directory (requires AD Connect software from PingOne)
- SAML Identity Providers
Echo360 recommends that you select which option to implement in advance of performing the procedures on this page. To use Active Directory, understand that it requires software installation as noted above, and that the system must reside outside the firewall.
IMPORTANT: Echo360 does not yet allow for single sign-on authentication for the Windows PowerPoint ribbon add-on. The PPT Ribbon requires users to establish a direct login to Echo360. The user email remains the same (typically the institution or .edu email address), but users must establish a password within Echo360. This can be the same password as used for the SSO system or a different one. Echo360 does support SSO for the Mobile App, Universal Capture, Legacy Personal Capture (PCAP), and Legacy Classroom Capture (for instructors logging in to generate an ad hoc recording). For these applications, users are directed through the SSO authentication process with their institution email address and password.
The following workflow, and the instructions on this page, identify the steps necessary to set PingOne up to provide SSO services to Echo360 through your network. For information on the subsequent steps needed to add and configure users to access Echo360 content, see Configuring Authentication.
- Register for a PingOne account.
- Register the Echo360 configuration with PingOne.
- Select the desired authentication method.
- Configure the authentication method in PingOne, and exchange the required metadata with the authentication source.
- Create or import the desired user accounts into Echo360.
Email addresses must match! Echo360 uses email addresses as user identifiers; when creating users in Echo360, be SURE the email address for each user is the same as it is in the system through which they are being authenticated.
When a user selects to open Echo360, the authentication request is sent through PingOne to the selected authentication system, then back to Echo360 for access.
You may also want to review the procedures provided in Configuring PingOne for SSO-Enabled Section Access Links. The changes discussed in that article allow for more appropriate flow of users accessing Echo360 sections via postable URL links, and the authentication of those users as appropriate.
Creating PingOne account credentials
You must register in PingOne first and create your account credentials, then enable PingOne in Echo360.
To register PingOne
- Go to https://admin.pingone.com/web-portal/register.
- Under Account Type, select PingOne for Enterprise.
- Under Profile setup, complete all details.
NOTE: Your email address will become your username.
- In the Registration key field, enter PingForEcho360_FP.
- Enter and confirm your account password.
- Click Register.
After registering, you receive a confirmation email at the address entered on the form. Click the link in the email to complete the account registration process.
Configure authentication method in PingOne
PingOne needs to know which authentication method you want to use, and then you must configure that authentication method through PingOne.
The procedures below are provided as guidelines to the PingOne authentication setup process. Refer to the PingOne documentation (https://documentation.pingidentity.com/pingone/employeeSsoAdminGuide/index.shtml#selectRepo.html), or contact Echo360 support if you need further assistance.
Configuring SAML authentication
Configuring SAML authentication involves sharing identity key and certification information between PingOne and a SAML identity provider (IdP), allowing the two to communicate securely and provide appropriate user authentication.
To configure SAML authentication
- Log in to PingOne.
- Select the Setup tab.
- Select the appropriate SAML identity bridge.
- Click View/Edit.
- Click Download to obtain the PingOne metadata to exchange with your identity provider (IdP). PingOne generates all of the necessary field parameters and produces a downloadable file for you to upload into the IdP.
- Once you have uploaded the PingOne metadata and configured the IdP, you must enter the provider's configuration information back into PingOne. You have the following choices:
- Upload a metadata file obtained from your identity provider into PingOne. This populates the PingOne configuration with the proper information from the provider.
- Manually enter the appropriate field information. You may have received this data from the identity provider, or you may need to copy each value from the identity provider's configuration into the corresponding PingOne field.
- When finished, click Save Configuration.
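Before uploading the IdP metadata file into PingOne (step "Upload a metadata file" above), it is worth confirming that the file is actually IdP metadata, carries a signing certificate, and only advertises HTTPS endpoints. The check below is an added example, not Echo360's or Ping Identity's code; the metadata it parses is a constructed sample with a placeholder certificate value, so point it at your own exported file in practice.

```powershell
# Constructed sample IdP metadata (not from a real IdP); the certificate value is a placeholder.
$sampleMetadata = @'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.edu/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.edu/idp/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
'@

function Test-IdpMetadata {
    param([string]$MetadataXml)
    [xml]$doc = $MetadataXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $problems = @()

    # entityID is what PingOne records as the identity bridge's identifier.
    $entityId = $doc.DocumentElement.GetAttribute('entityID')
    if (-not $entityId) { $problems += 'entityID attribute is missing' }

    # SP metadata also has an EntityDescriptor; only IdP metadata has an IDPSSODescriptor.
    if (-not $doc.SelectSingleNode('/md:EntityDescriptor/md:IDPSSODescriptor', $ns)) {
        $problems += 'No IDPSSODescriptor: this file is not IdP metadata'
    }

    # Without a signing certificate PingOne cannot verify the IdP's assertions.
    $certs = $doc.SelectNodes("//md:KeyDescriptor[@use='signing' or not(@use)]" +
                              '/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
    if ($certs.Count -eq 0) { $problems += 'No signing certificate in KeyDescriptor' }

    # Every SSO endpoint the browser is redirected to should be HTTPS.
    foreach ($svc in $doc.SelectNodes('//md:SingleSignOnService', $ns)) {
        $loc = $svc.GetAttribute('Location')
        if ($loc -notmatch '^https://') { $problems += "SSO endpoint is not HTTPS: $loc" }
    }
    return [pscustomobject]@{ EntityId = $entityId; Ok = ($problems.Count -eq 0); Problems = $problems }
}

Test-IdpMetadata -MetadataXml $sampleMetadata
```

For a real file, replace the sample with `Get-Content -Raw idp-metadata.xml`; the constructed sample deliberately contains one plain-HTTP endpoint so that the check reports a problem.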
Configuring Active Directory authentication
Using Active Directory (AD) authentication with PingOne requires that you have AD Connect installed and configured. You may also have IIS installed and configured, but it is not required.
PingOne provides a download of the AD Connect installer to use if needed. The following information is copied from the PingOne documentation regarding AD Connect requirements and installation instructions for the provided installer. We recommend that you refer to the PingOne documentation in case there have been changes since this page was last updated. It is located at the following URL: https://documentation.pingidentity.com/pingone/employeeSsoAdminGuide/index.shtml#connectAD.html
AD Connect requires the following:
- One of the following platforms:
- Microsoft Windows Server® 2012 R2
- Microsoft Windows Server 2012
- Microsoft Windows Server 2008 R2
- Microsoft Windows Server 2008
- Microsoft .NET Framework 4.5.2 installed. The framework installation file is packaged with the AD Connect distribution.
- Port requirements:
- TCP 443 inbound/outbound (WebSocket connections to PingOne)
- (If IWA is enabled) TCP 80 internal, inbound/outbound (IWA connections)
- Ensure that the Active Directory account lockout option is enabled for all PingOne users. This is necessary to protect user information in PingOne.
- AD Connect does not support authentication using IWA with Office 365™ or mobile devices (IWA doesn't work with iOS).
You'll need to install AD Connect on a Windows Server host that resides in an Active Directory domain. When you download AD Connect from the PingOne admin portal, you'll either download to the Windows Server host or copy the AD Connect distribution to the host. If you are installing AD Connect on a host in a DMZ, you'll need to ensure some ports are open.
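The requirements above can be checked on the candidate host before running the installer. The script below is an added example, not Ping Identity's or Echo360's code; run it in an elevated PowerShell session on the Windows Server host. The PingOne host name used for the port test is an assumption taken from the registration URL on this page, and the lockout check reads only the default domain policy.

```powershell
# Assumption: reachable PingOne endpoint for the outbound TCP 443 test.
$PingOneHost = 'admin.pingone.com'

function Test-DomainMember {
    # AD Connect must run on a host joined to the Active Directory domain.
    return [bool](Get-WmiObject Win32_ComputerSystem).PartOfDomain
}

function Test-DotNet452 {
    # .NET Framework 4.5.2 writes Release >= 379893 under the NDP v4 Full key.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Release
    return ($release -ne $null -and $release -ge 379893)
}

function Test-OutboundTcp {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    # Outbound TCP 443 carries the WebSocket connection to PingOne. A raw TcpClient
    # is used so the check also runs on Server 2008, which lacks Test-NetConnection.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-LockoutPolicy {
    # The requirements call for AD account lockout to be enabled;
    # "net accounts /domain" prints "Lockout threshold: Never" when it is off.
    $line = (net accounts /domain 2>$null) | Where-Object { $_ -match 'Lockout threshold' }
    return ($line -ne $null -and $line -notmatch 'Never')
}

function Test-IisFeatures {
    # Only relevant to the optional "Full with IIS" install: Web Server role plus
    # the Windows Authentication role service used for IWA.
    Import-Module ServerManager -ErrorAction SilentlyContinue
    $f = Get-WindowsFeature -Name Web-Server, Web-Windows-Auth -ErrorAction SilentlyContinue
    return ($f -ne $null -and -not ($f | Where-Object { -not $_.Installed }))
}

$checks = @(
    @('Domain-joined host', (Test-DomainMember)),
    @('.NET Framework 4.5.2 or later', (Test-DotNet452)),
    @("TCP 443 outbound to $PingOneHost", (Test-OutboundTcp -HostName $PingOneHost -Port 443)),
    @('AD account lockout enabled', (Test-LockoutPolicy)),
    @('IIS + Windows Authentication (optional)', (Test-IisFeatures))
)
foreach ($c in $checks) { '{0,-42} {1}' -f $c[0], $(if ($c[1]) { 'OK' } else { 'MISSING' }) }
```

The IIS line may legitimately report MISSING on a host that will not use the Full with IIS option.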
If you ARE using IIS along with AD Connect, refer to the PingOne documentation on how to Install AD Connect with IIS (https://documentation.pingidentity.com/pingone/employeeSsoAdminGuide/index.shtml#connectAdcFull.html).
To install and configure IIS (optional)
NOTE: The installation instructions linked below are for Windows Server 2008 with IIS 7.0. If you are using a different operating system version, please find the TechNet articles that relate to your specific supported environment.
- Install and Configure IIS: http://technet.microsoft.com/en-us/library/cc771209(WS.10).aspx
- Create a Certificate Request: http://technet.microsoft.com/en-us/library/cc732906(v=ws.10).aspx
- Complete the Certificate Request: http://technet.microsoft.com/en-us/library/cc771816(v=ws.10).aspx
- Import an existing certificate: http://technet.microsoft.com/en-us/library/cc732785(v=ws.10).aspx
- Add HTTPS protocol and port 443 binding to IIS: By default, IIS may not be configured to support the HTTPS protocol. To implement HTTPS on 443, follow these instructions to create the binding: http://technet.microsoft.com/en-us/library/cc771438(v=ws.10).aspx
To install and configure AD Connect
- Log on to your PingOne account.
- Download the AD Connect software.
- Extract the zipped file and launch the installation package by double-clicking the “run-as-administrator.cmd” file in the extracted folder.
- Click Next to proceed with the installation.
- (Optional) Select Full with IIS to install the full AD Connect package in IIS. This is only needed if you are using IIS.
- Click Next. The AD Connect installer checks that the prerequisites are in place. If all prerequisites are in place, the installation proceeds to the activation tab.
- The installer checks whether the appropriate version of the .NET Framework is installed. If it is not, you can install it using the .NET distribution located in the AD Connect installation directory. When the .NET Framework installation is complete, return to this AD Connect screen and click Verify Install.
- Click Next. If you are using IIS, the installer then checks whether the IIS Server role is installed. If it isn't, install the role service using Windows Server Manager, return to this dialog and click Verify Install to proceed.
- Click Next. If you are using IIS, the installer then checks whether the Windows Authentication role is installed for IIS. If it isn't, install the role service for IIS using Windows Server Manager, then return to this screen and click Verify Install to proceed.
- Click Next. The AD Connect activation screen appears. The Organization ID and the Product Key values are on the setup screen in PingOne.
- In the AD Connect activation screen, enter the Organization ID and Product Key, then click Activate and Next.
NOTE: If the product is activated properly, you will see the following acknowledgment: “AD Connect has been activated”
- If applicable, select the IIS web site that you want the AD Connect software installed to.
- Enter the installation location for the AD Connect software and click Next.
- Click Install to complete the installation process of AD Connect.
- Click Finish to complete the installation process.
Enabling PingOne authentication in Echo360
To enable PingOne
Use a unique IDPID value. While the Identity Provider ID (IDPID) field can be any value you want, if another PingOne client institution that also uses Echo360 has the same value, neither institution will be able to access Echo360. Furthermore, this value is very difficult to change once established. Using a unique value at setup avoids having to address any conflict later.
- Log on as an administrator.
- Select the Settings icon in the upper-right of the screen.
- From the Settings menu, select Configurations.
- From the left panel, select PingOne configuration.
- In the Identity Provider ID field, enter a value that can be considered unique to your institution, such as your institution name, or preferably the institution domain being used for your identity provider (for example, institutionName.edu).
- Click CONNECT TO PINGONE.
- A pop-up box appears on the screen with an Enable Single Sign-on checkbox. Select this checkbox.
- A link to PingOne appears below the checkbox. Click this link.
- Log in to PingOne.
- Complete the PingOne application configuration by adding the proper identity bridge attribute for the application.
- Continue to Next Step, then add your institution Logo, Icon, Name, and Description as needed.
- When finished, click Save and Publish.
Once PingOne is configured for Echo360, users can select to Log in with their school ID. See Configuring Authentication for the process steps needed to allow users to access Echo360 content through their institutional login.