Ping Identity SAML SSO
Ping Identity is an Identity Provider (IdP) that enables secure single sign-on (SSO), allowing your company’s users to access multiple applications with one login.
With Security Assertion Markup Language (SAML) SSO, employees sign in once using their company credentials (typically email and password). The IdP, such as Ping Identity, verifies their identity and grants seamless, secure access to all connected services, without requiring separate logins for each application.
Company owners or IT administrators can link their organization’s email domain (e.g., @mycompany.com) to the IdP so that anyone with a company email address is automatically recognized and can securely sign in to SAML-enabled tools.
Using Kinsta SAML SSO, you can connect Ping Identity to MyKinsta by creating a SAML application within Ping Identity, verifying your company’s email domain, and adding the required Ping Identity details in MyKinsta. This allows your team to log in with their existing company credentials, eliminating the need to create or manage separate MyKinsta accounts.
Enable SSO in MyKinsta
When you set up SAML SSO, you can click Save and exit setup at any stage to store your progress and return later.
In MyKinsta, go to your username > Company settings > Single sign-on, and click Enable.
Read through the introduction, which explains how SSO will be set up, and click Continue.
The next page provides all the information you need to set up your SAML app within Ping Identity.
Set up the app integration in Ping Identity
In MyKinsta, the Create SAML app tab provides all the information you need to set up your SAML app within Ping Identity. The following steps explain where to add this information.
Log in to Ping Identity as a user with admin access, and within Environments, click Create Environment.
Click Create a Workforce Solution and then click Manage Environment.
Click Applications and then click the plus sign to add a new application.
Enter the Application name from MyKinsta. You can also download the App icon from MyKinsta and upload it to the Icon, if required. Select SAML Application and click Configure.
Select Manually Enter and complete the SAML Configuration in Ping Identity as follows:
- ACS URLs: Copy and paste the SSO/ACS URL from MyKinsta.
- Entity ID: Copy and paste the Entity ID from MyKinsta.
Click Save.
Map your Ping Identity attributes
Click Attribute Mappings and then click the edit icon.
Add the following attributes:
| Attributes | PingOne Mappings | Required |
|---|---|---|
| firstName | Given Name | Selected |
| lastname | Family Name | Selected |
| Email Address | Selected |
Click Save.
Assign user access in Ping Identity
By default, the new application will allow all users to access it. To define specific user groups for access to this, in Ping Identity, navigate to Applications, select the application you set up for the MyKinsta Dashboard, click Access, and then click the edit icon. You can choose whether you want only admin users to access the application or select which groups should have access.
Kinsta setup
In MyKinsta, on Create SAML app, click Continue so that you are on the Kinsta setup page.
Email domain
In the Domain name, enter the email domain users will use to sign in using SAML SSO, and click Add domain.
Only MyKinsta accounts with an email address matching the verified domain can authenticate via SAML. For example, if SAML is enabled for example.com, only users with an @example.com email address will be able to sign in for that company.
If the domain has already been verified in MyKinsta through DNS management or as a site domain, it will automatically be verified. If it hasn’t, you’ll be prompted to add a TXT record to your DNS management service to confirm domain ownership.
Because DNS changes can take time to propagate, you can click Save and exit setup to store your progress and return later.
Set up Kinsta SAML
In Ping Identity, go to Applications, select the application you set up for the MyKinsta Dashboard, click Overview, and then scroll down to Connection Details.
This page provides all the information you need to set up SAML in MyKinsta.
In MyKinsta, within the Single sign-on Kinsta setup tab, complete the fields as follows:
- SSO URL: Copy and paste the Initiate Single Sign-On URL from Ping Identity.
- Entity ID: Copy and paste the Issuer ID from Ping Identity.
- Public certificate: Within Ping Identity, click Download Signing Certificate, select X509 PEM (.crt). Open this file in any text editor, and copy and paste the contents into MyKinsta.
Click Continue.
Test the authentication in MyKinsta
You cannot enable SAML SSO within MyKinsta without first testing the authentication.
In MyKinsta, within the Single sign-on Test and finish tab, click Test authentication.
A notification appears if the test was successful or if the test fails.
If the test fails, click Back and check your SAML settings within Ping Identity and within MyKinsta.
If the test is successful and you want to enable SAML, click Save and set changes live.
Your MyKinsta company users will now be able to sign in with SAML SSO or by entering their username and password. Users who sign in through an IdP are not required to complete Kinsta’s 2FA, as authentication is handled directly by the IdP.
If you want to force users to sign on via SAML, you can enable Mandatory SSO and add Exceptions. You can also enable JIT provisioning to allow users authorized by your IdP to access your MyKinsta company without requiring an invitation.
Change the session duration
Your Identity Provider (IdP) determines how long your SSO session remains active and when it expires. If your IdP doesn’t specify a session duration, MyKinsta defaults to a 24-hour session.
When your SSO session expires, you’ll be logged out of SSO. If you’re working within a company that uses SSO, you’ll be prompted to reauthenticate. If you have access to multiple companies in MyKinsta, you’ll remain logged in overall but will need to reauthenticate before accessing any company that requires SSO.
For details on adjusting session duration, refer to the Ping Identity documentation.