PrecisionLender allows you to set up Single Sign-On (SSO) to allow your users to access the PrecisionLender application by signing in to a central identity provider.
Single sign-on (SSO) makes life easier and more secure for everyone. You can put the identity provider you already trust in charge of authentication, while your users can access PrecisionLender without another password to manage.
PrecisonLender has partnered with Ping Identity to offer a pre-configured SAML 2.0 interface for our application. Ping Identity is an industry-leading identity management solution provider serving over 1,000 clients including over half of Fortune 100 including many leading financial institutions.
In this Article
- SSO Process Overview
- System Requirements
- Contact PrecisionLender to get started
- Configuration Steps
- Troubleshooting Single Sign-On
SSO Process Overview
Our default setup for SSO is Service Provider (SP) initiated. This is when PingOne will be used first as the SAML gateway for the PrecisionLender application. With SP initiated SSO the user will typically:
- Go to the PrecisionLender Login page and follow the 'Company Login' process outlined here: Logging into PrecisionLender.
- When the 'Company Login' button is first selected, in the browser, the user's credentials will be routed through the authentication process
- First, they will go to PingOne for authentication.
- Once authenticated, the user's credential is routed to your organization's Identity Provider.
- Once authenticated by your Identity Provider, credentials are routed back to PrecisionLender.
- If successful, the user will be able to login to PrecisionLender
- Alternatively, using an SSO specific URL, you can SP initiate SSO through your directory
We also support Identity Provider (IdP) initiated SSO, where login and authentication begins directly within your directory to bring the user into the PrecisionLender application. We will need a bit more information from you to understand the configuration of your Identity Provider. If you move forward with IdP initiation, SP initiation will still be available to you in most cases.
For clients using force.com or Microsoft Dynamics Connectors
Using PrecisionLender in conjunction with a CRM connector such as our Salesforce or Dynamics connector products provides an additional login method for all users having an active account in both systems. Clicking the "Price in PrecisionLender" button within the CRM system will automatically log that user into PrecisionLender.
- If you'd like to use your organization's SSO setup as part of this process, please let us know and we will work with you to setup this configuration.
If some of your users will have the ability to log into PrecisionLender outside of the CRM (direct login), you also have the option to enable SSO for direct login users.
- You must have and maintain a SAML 2.0 Identity Provider (IdP) either within your secure network or exposed to the internet. The network location will determine whether end users will be able to log-in to PrecisionLender while off-site and without access to the IdP server.
- PrecisionLender SSO does not handle user provisioning or de-provisioning. It only handles authentication. You will still be responsible for creating and activating or deactivating accounts for its lenders within the PrecisionLender administrative system.
Contact PrecisionLender to get started
When your organization is ready to turn on SSO, please review the configuration steps below and then contact your account manager or PrecisionLender support to get the process started. In some cases, it may be helpful to set up a call to complete the setup process. If interested, please let us know.
In your message, please include:
- The name of your identity provider and method of initiation (SP or IdP)
- The email address of the person/team who will manage the SSO connection for your organization
1. Configure your identity provider
To get started, go to your identity provider's site and follow the provider's instructions to configure single sign-on.
Instructions for frequently used identity providers are:
- Azure Active Directory
- If using ADFS, steps for creating a claim rule
- Alternatively, PrecisionLender can also send you a PingOne invitation email that will allow you to configure and self-manage your PrecisionLender SAML settings within PingOne.
Here are the SAML parameters you'll need:
PrecisionLender uses SAML2 with the HTTP Redirect binding for SP to IdP and expects the HTTP Post binding for IdP to SP.
Entity ID : PingConnect
The Assertion Consumer Service (ACS) URL: https://sso.connect.pingidentity.com/sso/sp/ACS.saml2
The Launch URL/SSO URL
This will depend on which stack your PrecisionLender tenant resides as well as method of initiation (SP or IdP). We will provide this to you during the configuration process.
A NameID containing the user’s email address. Most typically, we are looking for:
2. Notify PrecisionLender to initiate application setup
Once you've completed the initial setup steps in your identity provider, provide PrecisionLender with the XML metadata file. This file will contain information such as IdP Entity-Id, Login and Logout URLs, and a Public Key x509 Certificate.
Additionally, if users in your organization have various email domains, we'll need all potential email domains that may have accounts accessing the system. Public domains (e.g., gmail.com, outlook.com, etc) are not permitted.
3. PrecisionLender will configure application
We will use your metadata file to set up your connection for the PrecisionLender application. The initial configuration will be done in SSO optional mode, which allows for testing that all configurations have been completed properly while still enabling users to log in using their PrecisionLender credentials.
4. Notify your users of the impending change to Single Sign-On
We recommend notifying your users to let them know that they will be using their corporate SSO login for PrecisionLender. If needed, we can assist with this communication process.
5. Choosing your final SSO state
Once testing is complete and you are ready to go live, you have the option to keep SSO in optional mode or make it required for all users to login with SSO. If making SSO required, please let us know, and we'll update the configuration accordingly.
Troubleshooting Single Sign-On
Unable to Connect to PingIdentity SSO servers through firewall
For clients that must white-list specific IP addresses to be allowed by firewall, make sure that your users are able to reach all IP addresses that aliased to sso.connect.pingidentity.com.
You can get a list of possible IP addresses by using the nslookup (windows) or dig (linux) commands like the following
- nslookup sso.connect.pingidentity.com
- dig sso.connect.pingidentity.com
Try running each command a few times to see if you get consistent results, since geography can play a part in the IP address resolution.
As of 2015-09-03, this server resolved to the following IP addresses
"SAML_003: We received an unsuccessful response from your IdP"
Based on our past experience, this can be caused by enabling the local firewall on the IdP/ADFS server which has the potential to restrict or prevent claim mappings required for SSO Logins.
- Reference: https://support.pingidentity.com/s/article/SAML-003-We-received-an-unsuccessful-response-from-your-IdP