Introduction
This page explains how to set up SSO in HashiCorp Cloud Platform (HCP) with the PingOne identity provider.
Configure SSO
Organization owners and admins can set up SSO. To begin configuring SSO:
- Log in to HCP and go to your organization.
- Click Organization settings and then click SSO. The Single Sign-On page appears.
- Click Configure SSO for your Organization. The Setup SAML SSO page appears, where you will enter the required information for Google Workspaces.
Verify Your Domain
You need to publish a DNS TXT record containing a verification value to prove ownership of a domain. HCP uses the domain to match users' email addresses for SSO. You must use different SSO domains for each HCP organization; if you try to reuse a domain name, the DNS connection request will fail.
To verify your domain:
- Copy the verification TXT record from the HCP SSO configuration to the DNS records of any email domains your organization uses.
- Return to the HCP Settings page and add your email address domains.
- Click Verify domains.
If the verification is successful, you can continue configuring SSO. If the request fails, your changes to the DNS records may not have propagated yet; propagation can take up to 72 hours.
Initiate SAML Integration
You must add information from the Initiate SAML Integration section in HCP to the SAML configuration for a web app in your PingOne SSO.
To add the required integration information in PingOne SSO:
- Log in to the PingOne admin console, go to Applications, and select Applications.
- Click + in the top right next to the “Applications” title.
- Enter your App name and an optional description, select SAML Application, and then click Configure.
- Select the Manually Enter Option.
- Enter the following information:
- ACS URL: https://auth.hashicorp.com/login/callback
- NOTE: This URL is not the same as the "SSO Sign-On URL" provided in the "Initiate SAML Integration" instructions. PingOne does not require a connection argument.
- Entity ID: The Entity ID from HCP.
- Click Continue.
- Navigate to the Attribute Mappings tab and click the edit icon in the top right corner of the panel.
- For the default saml_subject select userID from the dropdown underneath PingOne Mappings.
- Click the + add button in the top left corner of the panel. In the Attribute field, copy and paste the Email Attribute Assertion Name from HCP, then select email address from the dropdown underneath PingOne Mappings.
- Click Save.
Finalize SSO Settings
To finish configuring SSO:
- Under Overview > Connection Details, copy the Single Signon Service URL and paste it into the SAML IDP Single Sign-On URL field in HCP.
- Click Download Signing Certificate and select X509 PEM (.crt).
- Copy and paste the certificate into the SAML IDP Certificate field in HCP.
- Click Save SSO Settings.
Now, users can sign in to your organization through PingOne SSO.
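The two inputs above that most often fail quietly are the domain-verification TXT record and the values pasted into the SAML IDP fields. The following pre-flight check is an added example, not code from HashiCorp or Ping; it parses `dig +short TXT` output (sample lines and the verification value are constructed placeholders), checks that the pasted signing certificate is a single well-formed PEM X.509 block, and catches the ACS URL being pasted into the Single Sign-On URL field.

```python
"""Pre-flight checks for HCP SSO settings before clicking Save SSO Settings.
Added example; sample inputs are constructed, the verification value is a placeholder."""
import base64
import binascii
import re

# The ACS URL entered in PingOne (from the page); it must NOT be used as the SSO URL.
HCP_ACS_URL = "https://auth.hashicorp.com/login/callback"


def txt_record_present(dig_output: str, expected_value: str) -> bool:
    """True if a TXT string in `dig +short TXT <domain>` output equals the
    verification value copied from the HCP SSO page. dig quotes each TXT string
    and splits long records into several quoted chunks, so chunks are joined."""
    for line in dig_output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks and "".join(chunks) == expected_value:
            return True
    return False


def check_sso_url(url: str) -> list[str]:
    """Problems with the value destined for the SAML IDP Single Sign-On URL field."""
    problems = []
    if not url.startswith("https://"):
        problems.append("SSO URL must use https")
    if url.rstrip("/") == HCP_ACS_URL:
        problems.append("this is HCP's ACS URL, not PingOne's Single Signon Service URL")
    return problems


def check_idp_certificate(pem: str) -> list[str]:
    """Problems with the X509 PEM (.crt) block for the SAML IDP Certificate field."""
    problems = []
    if "PRIVATE KEY" in pem:
        problems.append("a private key was pasted; HCP needs only the public certificate")
    if pem.count("-----BEGIN CERTIFICATE-----") != 1 or pem.count("-----END CERTIFICATE-----") != 1:
        problems.append("expected exactly one PEM CERTIFICATE block")
        return problems
    body = pem.split("-----BEGIN CERTIFICATE-----", 1)[1].split("-----END CERTIFICATE-----", 1)[0]
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        problems.append("certificate body is not valid base64 (truncated or edited copy?)")
        return problems
    # A DER-encoded certificate is an ASN.1 SEQUENCE, whose first tag byte is 0x30.
    if not der or der[0] != 0x30:
        problems.append("decoded bytes are not a DER SEQUENCE, so not an X.509 certificate")
    return problems
```

Run the TXT check against each email domain you added in HCP, and the certificate check on the exact text you intend to paste, before clicking Save SSO Settings.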
Testing SAML configuration
To test, use the HCP portal login page, because HCP SSO is SP-initiated, not IdP-initiated. If you try to test the SAML app directly from PingOne SSO, you will see an "Oops. Something went wrong" message, which is expected.