# PingIdentity

### PingIdentity Configuration

1. Log in to PingIdentity as an administrator. From the PingIdentity menu, click **Applications > Add Application**.
2. Give the application a name, such as "KCM", then select **SAML** and click **Save**.

<figure><img src="/files/KtegTa9oWUwQX5QjWkf5" alt=""><figcaption><p>Add Application</p></figcaption></figure>

3. Next, you'll encounter the SAML configuration. Select **Manually Enter**, then add the URL of your KCM server to the **ACS URLs** box as follows: **https\://\<YOUR DOMAIN>/api/ext/saml/callback**
4. Then add the URL of your KCM server to the **Entity ID** box as follows: **https\://\<YOUR DOMAIN>** and press **Save**.

<figure><img src="/files/TLg80PqNcykzBEqIUl0X" alt=""><figcaption><p>SAML Configs</p></figcaption></figure>

5. Next, **Edit Attribute Mappings**. Since saml\_subject is immutable, leave it as is. *Add an attribute* named **EMAIL** that has a Mapping of **Username**, and an attribute named **groups** that has a Mapping of **Group Names**.

<figure><img src="/files/zAH7bMe1kpOjk5gtPCQq" alt=""><figcaption><p>Attribute Mappings</p></figcaption></figure>

6. Then **Edit Configuration**, scroll down to **SUBJECT NAMEID FORMAT**, select the option **urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress**, and click **Save**.

<figure><img src="/files/a1iAoqutYvPb03RCdvEV" alt=""><figcaption><p>Email to nameid Mapping</p></figcaption></figure>

7. In the **Overview** section, verify that **Access** is for **All Users** (or the group you specified). Leave the **Signon URL** as the **Default Signon Page**, then **enable the application** by **clicking the slider** at the top of the application.

<figure><img src="/files/epKTMbOzBVyCZ4Axx22B" alt=""><figcaption><p>Settings to Turn Application On</p></figcaption></figure>

8. **Download** the **Metadata file** from the **Configuration tab**, and ensure that it is **named metadata.xml**.

<figure><img src="/files/66mA3hiviuuFGRouf9L3" alt=""><figcaption><p>Download the Metadata</p></figcaption></figure>

9. Ensure that all users are added with a **Username** that matches the **email address** of a user in your Keeper Connection Manager. **When you add users to Keeper Connection Manager, use the matching email address, but leave the password blank.**

<figure><img src="/files/BGSid0ySMfEBsFTCEZsl" alt=""><figcaption><p>Match Email Addresses to KCM Accounts</p></figcaption></figure>

## Video Example

{% embed url="<https://vimeo.com/823770810>" %}
Video Proof of Concept
{% endembed %}

