PingIdentity Setup Guide

Single Sign-on is a useful feature to increase security and user adoption of new tools. It means that your employees can auto-login to connected applications using their default company password, which is for instance stored in your LDAP or Active Directory system. While Small Improvements doesn't integrate with LDAP or AD directly, it does integrate with a middleware called PingIdentity.

  • PingIdentity is a web-based middleware that connects the cloud applications you use with your internal Active Directory or LDAP servers. It has tons of features, but the one you need to enable is the Small Improvements app, so that your SI users can log in via PingIdentity (using SAML 2.0 behind the scenes).
  • Once configured, your staff can access Small Improvements from the PingIdentity dashboard. If they instead access Small Improvements via your subdomain (e.g. https://mycompany.small-improvements.com), we'll rely on PingIdentity to ask for the password (if they aren't logged in already).

Important: The PingIdentity integration is only for SSO. We do not automatically synchronize your user accounts between systems yet. This is planned for the future, but right now you will have to keep your Small Improvements user accounts in sync with your directory service. If a user doesn't have an account in SI, then they won't be able to log in. You can create user accounts manually, or send us an Excel spreadsheet to upload your users.

 

How to set it up in less than 5 minutes

First, log in to PingIdentity as an administrator. Go to the "Application Catalog" under "Applications" and search for Small Improvements.

Click the arrow on the right side of the entry. Click the now visible "Setup" button at the bottom.

The first screen of the setup will appear. It contains detailed instructions about how to configure Small Improvements at the bottom of the page. Follow them very closely.

Once you are done, click "Continue to Next Step".

On the second screen you need to replace "${sub_domain}" with your Small Improvements subdomain in the two text fields at the top. Afterwards, click "Continue to Next Step".

On the third screen click the "Advanced" button. A new dialog will appear.

Select "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" (note the "2.0") for the "Name ID Format to send to SP" field at the top of the dialog. Confirm by clicking "Save".

Afterwards, click "Continue to Next Step".

On the next screen simply click the "Save & Publish" button. The setup is complete, and a summary of the setup will appear.

To test if everything is set up correctly, visit the shown "Initiate Single Sign-On (SSO) URL" in your browser. You should be logged in to your Small Improvements account.
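If the test login fails, the SAML response your browser posts to Small Improvements shows whether the NameID setting from the "Advanced" dialog took effect. The following diagnostic is an added example, not code from Small Improvements or PingIdentity; it assumes the NameID carries the user's login email, and the account list and sample responses are constructed.

```python
import base64
import xml.etree.ElementTree as ET

# Value selected in the "Advanced" dialog (note the "2.0").
EXPECTED_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def diagnose(saml_response_b64, known_logins):
    """Return a list of problems; an empty list means the NameID is as configured.

    Diagnostic only: it does not verify the XML signature, so run it on a
    response captured from your own test login, never as an access check.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    node = root.find(".//saml:Subject/saml:NameID", NS)
    if node is None:
        return ["no NameID found (assertion missing or encrypted)"]
    problems = []
    fmt = node.get("Format", "<absent>")
    if fmt != EXPECTED_FORMAT:
        problems.append(f"NameID Format is {fmt}, expected {EXPECTED_FORMAT}")
    # Assumption: the NameID value is the login email of the SI account.
    login = (node.text or "").strip().lower()
    if login not in known_logins:
        problems.append(f"no Small Improvements account for '{login}'")
    return problems

def build_sample(fmt, name_id):
    """Build a constructed, unsigned SAMLResponse value for the demo."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Assertion><saml:Subject>"
        f'<saml:NameID Format="{fmt}">{name_id}</saml:NameID>'
        "</saml:Subject></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()

# Constructed data: one SI account, one good response, one misconfigured one.
ACCOUNTS = {"ana@example.com"}
SAMPLE_OK = build_sample(EXPECTED_FORMAT, "ana@example.com")
SAMPLE_WRONG = build_sample(
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "Bob@example.com")

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("wrong", SAMPLE_WRONG)):
        print(label, diagnose(sample, ACCOUNTS) or "NameID matches the setup")
```

The base64 input is the SAMLResponse form field visible in the browser's developer tools during the test login.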

 

Add user accounts

Now add user accounts to Small Improvements via Administration -> Company Directory or import them from an Excel worksheet. Note: A user needs to be created in SI before he/she can log in.

 

Adjusting the welcome email

Important: You must adjust some emails to avoid confusion!

  • Whenever you invite staff into Small Improvements, they receive an email telling them about Small Improvements. This email also explains how to define their new password. But since they will use PingIdentity's password instead, that email template needs to be changed!
  • Please locate the "Access to Small Improvements: Welcome Mail" email template, and remove any mention of setting a password. You can write that people should use the password defined in your intranet instead.

 

That's it!

For this to work you will need a Small Improvements subdomain. Just let us know and we'll have it up and running within a business day.

  • Also, you will of course need to set up an account with PingIdentity.
  • Remember: The PingIdentity integration is only for SSO, it doesn't yet help with user management. All users need to have an account on both systems already.
  • And before you roll out the PingIdentity integration, you should definitely test it with two or three accounts, just to be sure everything is set up properly!

 

Troubleshooting

In case something doesn't work with a login via PingIdentity (for instance because a user exists in SI but not in LDAP, or PingIdentity doesn't pull it from LDAP), and you still want that person to be able to log in, please manually define a password for them: Go to the SI user profile page, locate "admin" in the dropdown, and change their password.

Tell the person their new password, and direct them to log in via the main SI website: https://www.small-improvements.com. Don't use your company-specific subdomain, since that will typically redirect to PingIdentity instantly unless you enabled the "log in with username/password" option already. The www option will allow the user to log in manually while keeping the subdomain on "auto-login".
