Limited support: You must be using either Active Directory with the PingOne AD Connect plugin, or a SAML-enabled identity provider (e.g., PingFederate, ADFS, Salesforce, etc.).

Trust your SAML-enabled corporate identity provider to authenticate users so that they can experience single sign-on. Browser-based single sign-on is a well-established win-win for system admins and users: admins have fewer identity silos and authentication mechanisms to maintain, and users have to remember fewer passwords and are able to seamlessly transition from one web app to another. Browser-based single sign-on in the context of AppNeta Performance Manager (APM) means that as an admin, you don’t have to manage a separate user directory via the Manage Users page, and as a user, you don’t have to log in when you click on a deep-link.

Set up SSO

Regardless of which identity provider you’re using, some setup is required on both sides, yours and ours:

  1. In your identity provider, create the following custom attributes exactly as written:

    • email: the attribute value must correspond to the user's email address.
    • groups: the attribute value must correspond to one or more named collections of users, each of which will eventually be mapped to an APM role.
  2. Add your identity provider to APM:
    1. Contact Customer Care and ask them to add the identity provider to your APM organization. They will ask you for the following:
      1. A SAML metadata file generated by your identity provider.
      2. A keyword to use for your new federated endpoint url, which will take the form <keyword>.pv.appneta.com.
      3. The organizations that should use single sign-on.
    2. Register APM as a service provider on your identity provider; support will provide you the required SAML metadata.
    3. Navigate to > Manage Identity Provider.
    4. Select the users that should have access to APM by editing the identity provider and mapping your groups to an APM role. All users that intend to log in via the custom url must belong to a group that is mapped to an APM role; all mapped groups will have access to all identity provider enabled organizations.
  3. Once Customer Care enables single sign-on, users may log in by customizing this url with the keyword you selected.
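
An added example (not AppNeta's code): a pre-flight check in Python that reads the attribute statement of a SAML assertion captured from a test login at your own identity provider, confirms that it carries email and groups exactly as named in step 1, and confirms that at least one group is among those you mapped in step 2. The sample assertions, group names, claim URI and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Configuration pre-flight only: run it on an assertion from your own IdP.
# It does not verify the assertion's signature.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "groups")  # names from step 1, matched case-sensitively

# Constructed sample: the attribute statement a correctly configured IdP emits.
SAMPLE_OK = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>netops</saml:AttributeValue>
      <saml:AttributeValue>helpdesk</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample of a misconfiguration: wrong case, and a claim URI as name.
SAMPLE_BAD = SAMPLE_OK.replace('Name="email"', 'Name="Email"').replace(
    'Name="groups"', 'Name="http://schemas.example.com/claims/Group"')


def read_attributes(assertion_xml):
    """Return {attribute name: [values]} from a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        vals = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(vals)
    return attrs


def check_assertion(assertion_xml, mapped_groups):
    """Return a list of problems; an empty list means the attributes look right."""
    attrs = read_attributes(assertion_xml)
    problems = []
    for name in REQUIRED:
        if not [v for v in attrs.get(name, []) if v]:
            near = [n for n in attrs if n and n.lower() == name]
            hint = f" (found {near[0]!r}; the name must match exactly)" if near else ""
            problems.append(f"missing attribute {name!r}{hint}")
    groups = set(attrs.get("groups", []))
    if groups and not groups & set(mapped_groups):
        problems.append("no group in the assertion is mapped to an APM role")
    return problems
```

Pass the set of group names you mapped in Manage Identity Provider as mapped_groups; a non-empty result lists what to correct in the identity provider before users try the custom url.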

SSO behavior

Upon enabling SSO:

  • Users in a mapped security group may sign in via your custom url.
  • Access via APM login will be disabled for affected users once they log in via the custom url for the first time.

Upon disabling SSO:

  • Single sign-on is disabled for the listed organizations.
  • Users in mapped security groups will have their federated profiles converted to local profiles, which must then be managed via the Manage Users page.
  • Affected users must revert to logging in via APM login.
  • Affected users must reset their passwords before they can log in again.
  • Notifications will continue to be delivered to affected users.