PingFederate

Last Updated: April 07, 2026

An identity provider (IdP) uses an authentication token to vouch for a person's identity. Vasion Automate uses IdPs for several tasks, including logging in to the Admin Console and portals, deploying printers, releasing print jobs, and more.

If you use an IdP, the Control Panel Application (CPA) supports only badge and PIN authentication.

Key Points

Review the following key point:

  • This document does not include instructions on how to connect your user management solution, such as a Lightweight Directory Access Protocol (LDAP) domain, to PingFederate. Refer to the PingFederate documentation, and complete those steps before following this documentation.

Configure Connection

To add and configure enterprise app properties for the Vasion Print connection, do the following:

  1. Create the PingFederate App.
  2. Add the IdP Settings Template.
  3. Configure Single Sign-On (SSO).
  4. Configure Assertion Creation.
  5. Map Adapter and Attributes.
  6. Define Protocol Settings.
  7. Select the Certificate.
  8. Add the X-509 Certificate.
  9. Apply the Issuer URL.
  10. Just-in-Time (JIT) Provisioning.
  11. Add Vasion Print Admins.

1. Create the PingFederate App

  1. Log in to your PingFederate portal.
  2. Select Applications.
  3. Select SP Connections.
  4. Select the Create Connection button.
  5. On the Connection Template tab, select Do Not Use A Template For This Connection and then select Next.
  6. On the Connection Type tab, select Browser SSO Profiles.
  7. From the Protocol dropdown menu that appears, select SAML 2.0. Then select Next.
  8. On the Connection Options tab, select Browser SSO and then select Next.
  9. On the Import Metadata tab, select None and then select Next.
  10. Leave the current browser open on the new app screen for the following steps.

PingFederate portal showing Applications tab and SP Connections option.

2. Add the IdP Settings Template

If the IdP Settings modal does not look like the image below, you may not be using the latest version and should contact Product Support to upgrade your IdP settings.

  1. Open your Vasion Print Admin Console in a new browser tab, and log in.
  2. Select Tools then Settings then General, and scroll down to the Identity Provider Settings section.
  3. Select IdP, and then select Add.
  4. Select the IdP that you want to configure from the IdP Template dropdown menu.
  5. Select SAML2 in the Authentication Protocol section.
  6. In the Provisioning section, select the JIT checkbox.

    The PingFederate configuration does not support Systems for Cross-domain Identity Management (SCIM) provisioning.

  7. In the Name field, enter the name that you want to appear on the login button for users. For example, My Company, Login, or Acme Corp.
  8. Scroll down, and select the desired settings.
    • Enable for End User Login: Allows end users to log in using this IdP. (Self-service Portal)
    • Enable for Admin Login: Allows admins to log in using this IdP. (Admin Console)
    • You can select both checkboxes when you are using a single IdP or when admins and end users use the same IdP to log in.

Keep the IdP Settings modal open so that the Service Provider Information section at the bottom is available for the following steps.

IdP Settings showing multiple fields and Service Provider Information section.

3. Configure Single Sign-On (SSO)

  1. In the Vasion Print Admin Console, copy the Identifier (Entity ID).
  2. On the PingFederate General tab, paste the Identifier (Entity ID) in the Partner's Entity ID (Connection ID) field.
  3. In the Connection Name field, enter a name for your app. This name appears on the SP Connections tab in PingFederate.
  4. In the Base URL field, enter https://gw.app.printercloud.com (without a trailing period).
  5. In the Application name field, enter the same name that you entered in the Connection Name field.

    All other fields are optional. Enter data as needed.
  6. Select Next.
  7. On the Browser SSO tab, select Configure Browser SSO.
  8. Select the IDP-Initiated SSO and SP-Initiated SSO options.
  9. Leave the Single Logout (SLO) Profiles options deselected, and then select Next.
  10. Modify the Minutes Before and Minutes After values as needed, and then select Next.

4. Configure Assertion Creation

  1. In PingFederate, select Configure Assertion Creation.
  2. On the Identity Mapping tab, select Standard and then select Next.
  3. In the Subject Name Format section, select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. (This option should already be selected by default.)
  4. In the Extend the Contract section, add new entries for the following attributes:
    1. Extend the Contract: Email, Attribute Name Format: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified. Then select Add.
    2. Extend the Contract: FirstName, Attribute Name Format: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified. Then select Add.
    3. Extend the Contract: LastName, Attribute Name Format: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified. Then select Add.
    4. Extend the Contract: Login, Attribute Name Format: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified. Then select Add.
  5. Select Next.

PingFederate showing Assertion Creation tab and four entries in "Extend the Contract" section.

5. Map Adapter and Attributes

  1. In PingFederate, select Map New Adapter Instance.
  2. From the Adapter Instance dropdown menu, select PingOne HTML Form Adapter, and then select Next.
  3. On the Mapping Method tab, select Use Only The Adapter Contract Values In The SAML Assertion and then select Next.
  4. On the Attribute Contract Fulfillment tab, select the following:
    1. Attribute Contract: Email, Source: Adapter, Value: mail.
    2. Attribute Contract: FirstName, Source: Adapter, Value: givenName.
    3. Attribute Contract: LastName, Source: Adapter, Value: sn.
    4. Attribute Contract: Login, Source: Adapter, Value: username.
    5. Attribute Contract: SAML_Subject, Source: Adapter, Value: username.
  5. Select Next.
  6. The Issuance Criteria tab is optional. Configure as needed, and then select Next.
  7. On the Summary tab, select Done.
  8. Select Next on the Authentication Source Mapping tab.
  9. On the Summary tab, select Done.
  10. Select Next on the Assertion Creation tab.

PingFederate showing Attribute Contract Fulfillment tab and five entries.
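
To confirm that sections 4 and 5 took effect, the check below compares a decoded assertion with the contract configured there: the four extended attributes, their name formats, and the Login/SAML_Subject pairing. It is an added example, not Vasion or Ping Identity code; the sample assertions are constructed, and treating an omitted Format or NameFormat as acceptable is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ATTR_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
REQUIRED = ("Email", "FirstName", "LastName", "Login")

def check_assertion(xml_text):
    """Return contract problems (empty list = match). Omitted formats pass."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD or entity declaration present, refusing to parse"]
    root, problems, values = ET.fromstring(xml_text), [], {}
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    subject = (name_id.text or "").strip() if name_id is not None else ""
    if not subject:
        problems.append("Subject NameID missing or empty")
    elif name_id.get("Format") not in (None, NAMEID_FORMAT):
        problems.append("NameID Format is " + name_id.get("Format"))
    attrs = {a.get("Name"): a for a in root.iterfind(".//saml:Attribute", NS)}
    for name in REQUIRED:
        if name not in attrs:
            problems.append(name + " attribute missing")
            continue
        if attrs[name].get("NameFormat") not in (None, ATTR_FORMAT):
            problems.append(name + " NameFormat is " + attrs[name].get("NameFormat"))
        value = attrs[name].find("saml:AttributeValue", NS)
        values[name] = (value.text or "").strip() if value is not None else ""
        if not values[name]:
            problems.append(name + " has no value")
    # Step 5 maps both Login and SAML_Subject to the adapter's username value.
    if subject and values.get("Login") and subject != values["Login"]:
        problems.append("NameID and Login differ")
    return problems

# Constructed sample data below, not output captured from a real PingFederate.
SHELL = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
         '<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>'
         '<saml:AttributeStatement>%s</saml:AttributeStatement></saml:Assertion>')
ATTR = ('<saml:Attribute Name="%s" NameFormat="%s">'
        '<saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>')

def sample(name_id, *attrs):
    return SHELL % (name_id, "".join(ATTR % a for a in attrs))

GOOD = sample("jdoe", ("Email", ATTR_FORMAT, "jdoe@example.com"),
              ("FirstName", ATTR_FORMAT, "Jane"), ("LastName", ATTR_FORMAT, "Doe"),
              ("Login", ATTR_FORMAT, "jdoe"))
BAD = sample("jdoe", ("Email", ATTR_FORMAT.replace("unspecified", "basic"), "jdoe@example.com"),
             ("FirstName", ATTR_FORMAT, "Jane"), ("Login", ATTR_FORMAT, "jane.doe"))
```

Run check_assertion on the assertion XML from a test login; each string it returns names one setting in section 4 or 5 to revisit.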

6. Define Protocol Settings

  1. On the PingFederate Protocol Settings tab, select Configure Protocol Settings.
  2. In the Action column, select Add.

    Copy and paste the following URL in the Endpoint URL field. Replace <your_instance_subdomain> with your subdomain, and replace <idp_id> with the IdP Identifier from the Admin Console IdP Settings modal:

    /<your_instance_subdomain>/authn/idp/<idp_id>/saml2/acs?&RelayState=https%3A%2F%2F<your_instance_subdomain>.printercloud.com%2Fauth%2Fasserted-login%3FonLogin%3D%252Fadmin%26onLoginError%3D%252Fadmin%253Fidp%253D<idp_id>%26requireAdmin%3Dtrue
  3. In the Binding dropdown menu, select Post. Select Add, and then select Next.
  4. Deselect Artifact and SOAP so that only POST and Redirect remain selected, and then select Next.
  5. On the Signature Policy tab, select Next.
  6. On the Encryption Policy tab, select None and then select Next.
  7. On the Summary tab, select Done.
  8. On the Protocol Settings tab, select Next.
  9. On the Summary tab, select Done.
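
The Endpoint URL in step 2 carries a RelayState that is percent-encoded twice, so a mistyped placeholder is hard to spot by eye. The helper below is an added example, not Vasion code: it fills the page's template and decodes both layers to show where a successful login will be sent. The sample values acme and idp123 are constructed, and the allowed character set for the two values is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Template exactly as given in step 2 of "Define Protocol Settings".
TEMPLATE = ("/<your_instance_subdomain>/authn/idp/<idp_id>/saml2/acs?&RelayState="
            "https%3A%2F%2F<your_instance_subdomain>.printercloud.com%2Fauth%2F"
            "asserted-login%3FonLogin%3D%252Fadmin%26onLoginError%3D%252Fadmin"
            "%253Fidp%253D<idp_id>%26requireAdmin%3Dtrue")
SAFE = re.compile(r"[A-Za-z0-9-]+")  # assumption: both values need no encoding

def build_endpoint(subdomain, idp_id):
    """Fill both placeholders, rejecting values that would alter the URL."""
    for label, value in (("subdomain", subdomain), ("idp_id", idp_id)):
        if not SAFE.fullmatch(value):
            raise ValueError("unexpected characters in " + label)
    return (TEMPLATE.replace("<your_instance_subdomain>", subdomain)
            .replace("<idp_id>", idp_id))

def explain_endpoint(endpoint):
    """Decode both encoding layers so the post-login redirect can be read."""
    if "<" in endpoint or ">" in endpoint:
        raise ValueError("placeholder left in endpoint")
    acs = urlsplit(endpoint)
    relay = urlsplit(parse_qs(acs.query)["RelayState"][0])       # layer 1
    inner = {k: v[0] for k, v in parse_qs(relay.query).items()}  # layer 2
    tenant = acs.path.split("/")[1]
    return {"acs_path": acs.path, "relay_host": relay.hostname,
            "relay_path": relay.path,
            "host_matches_tenant": relay.hostname == tenant + ".printercloud.com",
            **inner}

if __name__ == "__main__":
    print(explain_endpoint(build_endpoint("acme", "idp123")))
```

A false host_matches_tenant, or an idp value inside onLoginError that differs from the one in the ACS path, means one of the placeholder occurrences was replaced inconsistently.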

7. Select the Certificate

  1. On the PingFederate Browser SSO tab, select Next.
  2. On the Credentials tab, select Configure Credentials.
  3. From the Signing Certificate dropdown menu, select your certificate.
  4. Select Include The Certificate In The Signature <KeyInfo> Element.
  5. Select Next.
  6. On the Summary tab, select Done.
  7. On the SP Connections summary tab, copy the SSO Application Endpoint URL, and paste it in the Admin Console SSO URL field.

PingFederate showing SP Connections tab and Configure Credentials button.

8. Add the X-509 Certificate

  1. In PingFederate, scroll down to the Credentials section and select Digital Signature Settings.
  2. Select Manage Certificates.
  3. From the Select Action menu, select Export.
  4. Select Certificate Only, and then select Next.
  5. Select Export.
  6. Open the CRT file in your preferred text editor.
  7. Copy the certificate body, including the Begin / End headers, and paste it in the X-509 Certificate field in the Vasion Print Admin Console.

    Security Assertion Markup Language (SAML) certificate in Notepad showing body of content selected, including beginning and ending certificate lines.

  8. In PingFederate, select Done.
  9. On the Certificate Management tab, select Done.
  10. On the Summary tab, select Save.

PingFederate showing Certificate Management tab, certificate, and Select Action menu.

9. Apply the Issuer URL

  1. In PingFederate, select System from the top menu.
  2. From the left-side menu, select Server.
  3. Copy the PingFederate SAML 2.0 Entity ID, and paste it in the Admin Console Issuer URL field.

    The PingFederate configuration does not use an issuer ID. Leave the issuer ID field blank.

  4. Select Apply in the Admin Console.
  5. Select Save in the Admin Console.

PingFederate showing System tab and Server option.

10. Just-in-Time (JIT) Provisioning

JIT does not support the provisioning of group membership associations, so you cannot apply Role-Based Access Control (RBAC) roles, printer deployments, or portal security roles to groups. You must create assignments individually for each user.

When using JIT provisioning, the app creates users during the first login attempt:

  1. Access your Vasion instance, and select Sign In With <IdP Name>.
  2. Attempt to log in with your IdP credentials.
  3. This login attempt fails and returns you to the login screen.

    This behavior is expected. With JIT, this action triggers user creation in the Vasion instance.

  4. The second login attempt with valid credentials initiates a typical login sequence.

For admins who need access to the Admin Console, you still need to add them to the Users page located in Tools then Users.

11. Add Vasion Print Admins

For steps on assigning users and roles to the Vasion Print and Vasion Automate Admin Console, refer to Admin Console Users.