PrecisionLender allows clients to set up Single Sign-On (SSO) to allow their users to access the PrecisionLender application by signing in to a central identity provider.
Single sign-on (SSO) makes life easier and more secure for everyone. You can put the identity provider you already trust in charge of authentication, while your users can access PrecisionLender without another password to manage.
PrecisonLender has partnered with Ping Identity to offer a pre-configured SAML 2.0 interface for our application. Ping Identity is an industry-leading identity management solution provider serving over 1,000 clients including over half of Fortune 100 including many leading financial institutions.
- Setting up ADFS Claim Rule for PrecisionLender Single Sign On
- Creating a PrecisionLender application within Azure Active Directory to support Single Sign-On
Requesting SSO setup
To begin the process of getting your accountset up with SSO, please create a support ticket and someone on our staff will contact you to get the ball rolling.
SSO Setup Process Overview
When your company is ready to turn on SSO, contact your account manager or PrecisionLender support to get the process started. Once we enable SSO for your account, your users will temporarily be able to log in using either your SSO system or PrecisionLender credentials. Once your setup is complete, we will disable PrecisionLender credentialing for your users and SSO will be the only option available to them.
- Client maintains a SAML 2.0 Identity Provider (IdP) either within its secure network or exposed to the internet. The network location will determine whether end users will be able to log-in to PrecisionLender while off-site and without access to the IdP server.
- 100% of end users will authenticate using SSO (normal credentials will be disallowed after initial setup period)
- PrecisionLender SSO does not handle user provisioning or de-provisioning... only authentication. Client will still be responsible for creating and activating or deactivating accounts for its lenders within the PrecisionLender administrative system.
SSO Login Diagram
- SP : Service Provider. This is the PingOne SAML gateway for the PrecisionLender application
- IdP : Identity Provider. This is your corporate Identity server.
Modes of SSO operation:
- SSO Mode : Users can log into PrecisionLender using their own Single Sign-On Identity Provider. This is accomplished via the "Company Login" button. Standard PrecisionLender credentials are disabled in this mode.
- SSO-Optional Mode : Users can log in with either standard credentials or using their own Single Sign-On Identity Provider.
Note regarding Salesforce and Microsoft Dynamics Connectors:
- Using PrecisionLender in conjunction with a CRM connector such as our Salesforce or Dynamics connector products provides an additional login method for all users having an active account in both systems.
- Clicking the "Price in PrecisionLender" button within the CRM system will automatically log that user into PrecisionLender. In this way, the CRM connector product can act as an additional SSO method for users of both systems.
1. Configure your identity provider
To get started, go to your identity provider's site and follow the provider's instructions to configure single sign-on. Here are the SAML parameters you'll need:
- PrecisionLender uses SAML2 with the HTTP Redirect binding for SP to IdP and expects the HTTP Post binding for IdP to SP.
- Entity ID : PingConnect
- The PrecisionLender post-back URL (also called the Assertion Consumer Service URL) is
- The Launch URL will depend on which stack your PrecisionLender tenant resides
- PrecisionLender requires that the NameID contain the user’s email address. Technically we are looking for:
2. Configure PrecisionLender
Once you have configured your SAML IdP (Identity Provider), you will need to work with the PrecisionLender support team to have SSO enabled and configured for your account.
You will need to provide the following information. The easiest way to do this is to send us an xml metadata file or provide a metadata URL. This will contain information such as IdP Entity-Id, Login and Logout URLs, and a Public Key x509 Certificate.
We will also need the email address for person responsible for managing SSO at your location. This could be a person or a distribution list and is who we will contact if we need help with your SSO connection in the future.
PrecisionLender can also send you a PingOne invitation email that will allow you to configure and self-manage your PrecisionLender SAML settings within PingOne.
Turning on SSO for your account
The PrecisionLender support team will need to enable SSO for your account. We will need to know the following:
- Optional or Required? Do you want to enable your users to use SSO or their PrecisionLender credentials? Or do you want SSO to be the only method of authentication for your users? We recommend using Optional for a period of time to before switching to Required.
- Which email domains need to be allowed to authenticate via your SAML server? We need a list of all the email domains that your users will be using to access your PrecisionLender system. Public domains (e.g., gmail.com, outlook.com, etc) are not permitted.
3. Notify your users of the impending change to Single Sign-On
We recommend notifying your users to let them know that they will be using their corporate SSO login for PrecisionLender. If needed, we can assist with this communication process.
4. Choosing your final SSO state
Once SSO is up and running and you've notified your users, let us know and we can disable standard credentialing (non-SSO) for your users. From this point on, your users will be able to log in using your SSO IdP only (unless you also use the Salesforce connector - see above).
You may also choose to remain in 'SSO-Optional' mode which means your users would be able to log in using either SSO or with standard PrecisionLender credentials from the main login screen.
Troubleshooting Single Sign-On
Unable to Connect to PingIdentity SSO servers through firewall
For clients that must white-list specific IP addresses to be allowed by firewall, make sure that your users are able to reach all IP addresses that aliased to sso.connect.pingidentity.com.
You can get a list of possible IP addresses by using the nslookup (windows) or dig (linux) commands like the following
- nslookup sso.connect.pingidentity.com
- dig sso.connect.pingidentity.com
Try running each command a few times to see if you get consistent results, since geography can play a part in the IP address resolution.
As of 2015-09-03, this server resolved to the following IP addresses
"SAML_003: We received an unsuccessful response from your IdP"
Based on our past experience, this can be caused by enabling the local firewall on the IdP/ADFS server which has the potential to restrict or prevent claim mappings required for SSO Logins.
- Reference: https://ping.force.com/Support/PingOne/PingOne-General/SAML-003-We-received-an-unsuccessful-response-from-your-IdP