Single Sign-On with Ping Identity
In this tutorial, you will learn how to integrate your Updraft Organization with your Ping Identity Users Directory through SAML. Please follow the next steps.
Only the Owner of an Updraft Organization can add an SSO integration.
Open your Account Settings as an Owner
Go to the Security Page
Click Add new SSO
Click CUSTOM SSO
You will now see your SAML configuration
Ensure the ACS URL is set to: https://getupdraft.com/saml2_auth/acs/
Store these values
Log in to your Ping Identity Console
Click on Applications.
Then select the Application section and click on the blue circular + button at the top of the page.
Enter your Application Name, select SAML Application, and click the Configure button when available.
From the SAML Configuration, select Manually Enter, then enter your Single Sign On URL and Audience Restriction from Step 1.
Click the Save Button.
From the Applications page, locate and select the application you just created, then enable the toggle switch.
Select the application and go to the Attribute Mapping tab. Click the pencil icon to edit the mappings.
For the saml_subject attribute, select Email Address from the PingOne Mappings drop-down and click + Add.
Next, add email to the Attributes field, select Email Address from the drop-down, and click + Add.
Next, add first_name to the Attributes field, select Given Name from the drop-down, and click + Add.
Then, add last_name to the Attributes field, choose Family Name from the drop-down, and click + Add.
Then, add username to the Attributes field, choose Email Address from the drop-down, and click + Add.
Finally, add groups to the Attributes field, select Group Names from the drop-down, and click + Add.
Once configured, click the Save Button.
On the Access tab:
If you want to restrict who can access the SSO app, create another user group in your Ping Identity console and assign it to the SSO app.
Select the Configuration tab and click the pencil icon to edit the configuration. Choose the Sign Assertion & Response option, then click Save to apply your changes.
Once the configuration is complete, click the Download Metadata button to download the Metadata XML needed to complete the integration in Updraft.
Upload the .xml metadata to your Updraft Organization
Click Choose File and select your Metadata XML file
Click Save
After following all the above steps, log in to your Updraft account to verify that you are now able to sign in with your Custom SSO (Ping Identity).
If the integration was successful:
When you open your subdomain.getupdraft.com/login page, you will see the Login with Custom SSO Button
When your assigned Users click on the Login with SSO Button, they will be redirected to the Ping Identity login page
Upon successful authentication with Ping Identity, your users will be logged into Updraft automatically and redirected to the dashboard page of Updraft
A new account for your users will be created in Updraft after they log in for the first time
Now you can assign projects and apps to your users.
If you encounter any issues, please refer back to the previous steps or reach out to the support team for assistance.
Updraft requires specific attributes to be included in the SAML assertion from your Identity Provider (IdP). If any of these attributes are missing or incorrectly mapped, authentication will fail.
| Attribute Name | Required? | Expected Value | Description |
| --- | --- | --- | --- |
| saml_subject | ✅ Required | Email Address | Used as the unique identifier for user authentication. |
| email | ✅ Required | Email Address | Must be present and case-sensitive. |
| first_name | ✅ Required | Given Name | The user's first name. |
| last_name | ✅ Required | Family Name | The user's last name. |
| username | ✅ Required | Email Address | Used for internal user management. |
| groups | ✅ Required (if used) | Group Names | Used for role-based access control (RBAC). |
Error: User is not found in Updraft
Fix: Ensure that the email and saml_subject attributes are correctly mapped in your IdP.
Error: SSO login succeeds, but user has no permissions
Fix: Check if the groups attribute is included in the SAML assertion and mapped correctly in Updraft.
Updraft treats email addresses as case-sensitive. If the email address in the SAML assertion does not match the case exactly as stored in Updraft, authentication may fail.
| Issue | Example | Fix |
| --- | --- | --- |
| Email in SAML does not match stored case | John.Doe@company.com ≠ john.doe@company.com | Ensure the email attribute is consistently formatted in the IdP. |
| User exists but cannot log in | User Not Found error despite correct email | Normalize email casing in the IdP or update the stored email in Updraft. |
Configure Ping Identity or other IdPs to always send emails in lowercase to Updraft.
Ensure that user records in Updraft match the exact email case as sent in SAML.
The ACS URL tells the IdP where to send the authentication response. If this URL is incorrect, SSO will fail.
| Error Message | Cause | Fix |
| --- | --- | --- |
| Invalid ACS URL | The IdP is sending the SAML response to the wrong URL. | Ensure the ACS URL is set to: https://getupdraft.com/saml2_auth/acs/ |
| Audience Restriction Error | The SAML Audience does not match what Updraft expects. | Ensure the saml:Audience value matches https://getupdraft.com/. |
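The troubleshooting checks above (required attributes, email case, ACS URL, Audience) applied to a decoded SAML response, as an added example that is not Updraft's or Ping Identity's code. It assumes saml_subject arrives as the Subject NameID, runs on a constructed sample response, and does not verify signatures; check_response, SAMPLE and stored_email are names chosen here.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://getupdraft.com/saml2_auth/acs/"  # from this page
AUDIENCE = "https://getupdraft.com/"                # from this page
REQUIRED = ("email", "first_name", "last_name", "username")

def _attr(name, value):
    return (f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
            "</saml:AttributeValue></saml:Attribute>")

# Constructed sample (not captured from a real IdP). It carries three mistakes:
# the "frist_name" typo, a mixed-case email, and an Audience without the slash.
SAMPLE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    f'Destination="{ACS_URL}"><saml:Assertion>'
    "<saml:Subject><saml:NameID>John.Doe@company.com</saml:NameID></saml:Subject>"
    "<saml:Conditions><saml:AudienceRestriction><saml:Audience>https://getupdraft.com"
    "</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
    "<saml:AttributeStatement>"
    + _attr("email", "John.Doe@company.com") + _attr("frist_name", "John")
    + _attr("last_name", "Doe") + _attr("username", "John.Doe@company.com")
    + "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
)

def check_response(xml_text, stored_email):
    """Return findings; an empty list means the response matches this page's requirements."""
    root = ET.fromstring(xml_text)  # diagnostic parse of a response from your own IdP
    findings = []
    if root.get("Destination") != ACS_URL:
        findings.append("Destination is not the ACS URL")
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if AUDIENCE not in audiences:
        findings.append(f"Audience mismatch: {audiences}")
    attrs = {a.get("Name"): (a.findtext("saml:AttributeValue", "", NS) or "").strip()
             for a in root.iterfind(".//saml:Attribute", NS)}
    for name in REQUIRED:
        if not attrs.get(name):
            findings.append(f"missing attribute: {name}")
    subject = (root.findtext(".//saml:Subject/saml:NameID", "", NS) or "").strip()
    for label, sent in (("saml_subject", subject), ("email", attrs.get("email", ""))):
        if sent != stored_email and sent.lower() == stored_email.lower():
            findings.append(f"{label} differs only by case: {sent}")
        elif sent != stored_email:
            findings.append(f"{label} does not match stored email: {sent!r}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_response(SAMPLE, "john.doe@company.com")))
```

To run it against a real login, base64-decode the SAMLResponse form field posted to the ACS URL during a test sign-in and pass the resulting XML as xml_text.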