Configuring PingOne

This section describes how to configure PingOne as a SAML (2.0) identity provider for Cloud App Security to use.

Before you begin configuring PingOne, make sure that:

  • You have a valid subscription with PingOne that handles the sign-in process and eventually provides the authentication credentials to the Cloud App Security management console.

  • You are logged on to the management console as a Cloud App Security global administrator. For details, see Administrator and Role.


The steps contained in these instructions were valid as of March 2023.

  1. Sign in to the PingOne console with an Organization Admin account.
  2. Select an environment.
  3. Choose Connections > Applications.
  4. Create a SAML application for Cloud App Security.
    1. Click next to the screen title Applications.
    2. In the Add Application panel, create the application profile by specifying the following settings:
      • Application Name: A unique identifier for the application. For example, Cloud App Security.

      • (Optional) Description: A brief description of the application.

      • (Optional) Icon: A graphic representation of the application. Use a file up to 1MB in JPG, JPEG, GIF, or PNG format.

    3. For the application type, select SAML Application, and click Configure.
    4. Click Manually Enter and specify the following settings.



      ACS URL

      The Assertion Consumer Service URL that Cloud App Security uses to receive the SAML response.

      Type the ACS URL {Cloud App Security_admin_site}/ssoLogin depending on your serving site. For example, if the URL of your Cloud App Security management console is "", the ACS URL is

      Entity ID

      The globally unique name that identifies Cloud App Security.

      Type the Cloud App Security logon URL of your serving site. For example, if the URL of your Cloud App Security management console is "", the entity ID is

    5. Click Save. The application is successfully created and the application overview is displayed.
  5. Configure the SAML application.
    1. Click the Configuration tab and click .
    2. Select Sign Assertion & Response under SIGNING KEY and click Save.
    3. On the Configuration tab, download the signing certificate of PingOne by clicking Download Signing Certificate and then X509 PEM (.crt), and record the Issuer ID and Initiate Single Sign-On URL.

      The certificate and settings are used when you configure single sign-on in the Cloud App Security management console.

    4. Click the Attribute Mappings tab and click .
    5. For the attribute saml_subject, change PingOne Mapping to Email Address and click Save.

      This attribute specifies that the authenticated principal is in the format of an email address.

  6. Click the toggle on the top right to enable the application.