PingOne

Last Updated: April 07, 2026

An identity provider (IdP) uses an authentication token to vouch for a person's identity. Vasion Automate uses IdPs for several tasks, including logging in to the application, building and completing forms, approving workflows, and more.

Configure Connection

To add and configure enterprise app properties for the Vasion Print connection, do the following:

  1. Create the PingOne App.
  2. Add the IdP Settings Template.
  3. Add the X-509 Certificate.
  4. Configure Single Sign-On (SSO).
  5. Configure Provisioning.
  6. Complete IdP Settings.
  7. Just-in-Time (JIT) Provisioning.
  8. Add Vasion Print Admins.

1. Create the PingOne App

  1. Log in to your PingOne portal.

  2. Go to ApplicationsthenApplication Catalog.

    PingOne portal showing expanded Applications menu and Application Catalog option.

  3. Search for SCIM, and select an unused Ping SCIM SaaS Provisioner option.
  4. Enter a name for your app, and then select Next.
  5. Add the following attributes on the Map Attributes tab:
    1. SAML_Subject / Username
    2. FirstName / Given Name
    3. LastName / Family Name
    4. Email / Email Address
  6. Select Next.
  7. Add the desired Groups, and then select Save.

  8. Select View in Applications list.

    PingOne portal showing "View in Applications list" button next to new app.

  9. Select Enable Advanced Configuration, and then select Enable in the modal.

    PingOne portal showing Enable Advanced Configuration button.

  10. Leave the current browser open on the new app screen for the following steps.

PingOne portal showing Map Attributes section and Next button.

2. Add the IdP Settings Template

If the IdP Settings modal does not look like the image below, you may not be using the latest version and should contact Product Support to upgrade your IdP settings.

When configuring this IdP through Vasion Print, select the Custom option from the IdP Template dropdown menu.

  1. Open your Vasion Print Admin Console in a new browser tab, and log in.
  2. Select Tools then Settings then General, and scroll down to the Identity Provider Settings section.
  3. Select IdP, and then select Add.
  4. Select the IdP that you want to configure from the IdP Template dropdown menu.
  5. Select SAML2 in the Authentication Protocol section.

  6. In the Provisioning section, if you are using Systems for Cross-domain Identity Management (SCIM), leave the JIT option deselected.

    By default, the Admin Console assumes that you are using SCIM for provisioning. Only select JIT if you are not using SCIM.

  7. In the Name field, enter the name that you want to appear on the login button for users. For example, My Company, Login, or Acme Corp.
  8. Scroll down, and select the desired settings:
    • Enable for End User Login: Allows end users to log in using this IdP. (Self-service Portal)
    • Enable for Admin Login: Allows admins to log in using this IdP. (Admin Console)
    • You can select both checkboxes when you are using a single IdP or the admin and end users use the same IdP to log in.

Keep the IdP Settings modal open so that the Service Provider Information section at the bottom is available for the following steps.

IdP Settings showing multiple fields and Service Provider Information section.

3. Add the X-509 Certificate

  1. In the PingOne app, select the Configuration tab.
  2. Select Download Signing Certificate.
  3. Select the X509 PEM (.crt) option.
  4. Open the file in your preferred text editor.

  5. Copy the certificate body, including the Begin / End headers, and paste it in the X-509 Certificate field in the Vasion Print Admin Console.

    Security Assertion Markup Language (SAML) certificate in Notepad showing body of content selected, including beginning and ending certificate lines.

IdP Settings showing X-509 Certificate and other fields configured.

4. Configure Single Sign-On (SSO)

  1. In the PingOne app, select the Edit button in the upper-right corner of the Configuration tab.
  2. Copy the Admin Console Reply Url (ACS), and paste it in the PingOne ACS URLS field.
  3. Copy the Admin Console Identifier (Entity ID), and paste it in the PingOne Entity ID field.
  4. Copy the Admin Console Relay State, and paste it in the PingOne Target Application URL field.
  5. Select Save in PingOne.
  6. Copy the PingOne Issuer ID, and paste it in the Admin Console Issuer URL field.
  7. Copy the PingOne Single Signon Service URL, and paste it in the Admin Console SSO URL field.
  8. Select Apply in the Admin Console.
  9. Select Save in the Admin Console.

PingOne app showing Configuration tab and URLs.

5. Configure Provisioning

If you are configuring PingOne using JIT provisioning, skip to the 6. Complete IdP Settings section below.

SCIM Provisioning

Create Provisioning Connection

  1. In the PingOne portal, select Integrations from the left-side menu and select Provisioning.

    PingOne portal showing expanded Integrations menu and Provisioning option.

  2. Select the + (plus) button next to Provisioning, and select New Connection.

    PingOne portal showing + (plus) button and New Connection option.

  3. Select the Identity Store option.
  4. Select the SCIM Outbound option, and then select Next.
  5. Name the connection, and then select Next.
  6. In the Vasion Print Admin Console, select the PingOne IdP in the Identity Provider Settings section and then select Modify.
  7. Copy the Admin Console SCIM Tenant URL, and paste it in the PingOne SCIM Base URL field.
  8. Close the modal in the Admin Console.
  9. Select OAuth 2 Bearer Token in the PingOne Authentication Method dropdown menu.

PingOne showing Configure Authentication section.

Apply a SCIM Token

  1. In the Vasion Print General settings, select the SCIM option in the Identity Provider Settings section.
  2. Select your IdP configuration from the dropdown menu.

  3. Select Generate SCIM Token.

    Identity Provider Settings section showing SCIM option with IdP selected from dropdown menu and Generate SCIM Token button to right.

    Generating a SCIM token invalidates any previous tokens for that IdP.

  4. Copy the token, close the modal, and select Save in the upper-right corner of the General settings.
  5. Paste the token in the PingOne Oauth Access Token field.
  6. Select Test Connection to verify connectivity.
  7. Select Next, and adjust the preferences as needed.
  8. Select Save.
  9. Select the toggle switch in the upper-right corner of the Overview tab to enable the connection.

PingOne showing Overview tab and toggle switch.

Create a Rule

  1. On the Provisioning tab in the PingOne portal, select the + (plus) button next to Provisioning and select New Rule.

    PingOne portal showing + (plus) button and New Rule option.

  2. Name the rule.
  3. Select Create Rule.
  4. Select the + (plus) button to the right of the provisioning connection that you created.
  5. Select Save.

  6. In the Configuration tab, select the User Filter option and then the Edit button next to User Filter.

    Edit button next to User Filter.

  7. Do the following in the User Filter section:

    1. Select Any for of the conditions are true.
    2. From the Attribute dropdown menu, select Enabled.
    3. Enter "Equals" in the Operator field.
    4. In the Value dropdown menu, select true.
  8. Select Save.
  9. Do the following to provision groups:
    1. Select the Group Provisioning option in the Configuration tab.
    2. Select the Add Groups button.
    3. Search for and select the groups that you want to provision.
    4. Select Save.
    5. In the Overwrite Group Memberships modal, select I understand and want to continue.
    6. Select Save.
  10. In the Rule tab, select the toggle switch in the upper-right corner to enable the rule.

This action starts provisioning and displays the results in the Sync Summary tab.

PingOne showing User Filter section and user rule.

6. Complete IdP Settings

  1. In the General settings of the Vasion Print Admin Console, navigate to the Identity Provider Settings section.

  2. To have Vasion Print prompt users to authenticate through the IdP when performing any function that requires authorization, such as installing a printer, select the Automatically Open Browser to Login on Desktop Client option.

    If you do not select this option, users must manually navigate to the IdP login screen to log in.

  3. We recommend enabling the Use Loopback with Saml 2.0 (recommended) option. The IdP needs to provide an authentication token to the desktop Client whenever authentication happens. This option allows the Client to handle the token and automatically log in without interaction from end users.

    General settings showing Identity Provider Settings section with IdP option and other options selected.

  4. The option Use Domain User (Windows only) automatically authorizes domain-joined Windows users and does not require log in via the configured IdPs.
  5. Select Save in the upper-right corner of the General settings.

7. Just-in-Time (JIT) Provisioning

These steps are only for configurations using JIT provisioning. If you already configured PingOne using SCIM provisioning, skip to 8. Add Vasion Print Admins.

JIT Provisioning

JIT does not support the provisioning of group membership associations, so you cannot apply Role-Based Access Control (RBAC) roles, printer deployments, or portal security roles to groups. You must create assignments individually for each user.

When using JIT provisioning, the app creates users during the first login attempt:

  1. Access your Vasion instance, and select Sign In With <IdP Name>.
  2. Attempt to log in with your IdP credentials.

  3. This login attempt fails and returns you to the login screen.

    This behavior is expected. With JIT, this action triggers user creation in the Vasion instance.

  4. The second login attempt with valid credentials initiates a typical login sequence.

For admins who need access to the Admin Console, you still need to add them to the Users page located in Tools then Users.

8. Add Vasion Print Admins

For steps on assigning users and roles to the Vasion Print and Vasion Automate Admin Console, refer to Admin Console Users.