Thank you for choosing Hive. This guide explains how to set up a Security Assertion Markup Language 2.0 (SAML 2.0) application on PingOne to provide your employees with Single Sign-On (SSO) capabilities for Hive. This is intended for employees with admin-level permissions on your company's PingOne Organization. If your company uses PingOne for Enterprise or a different PingIdentity solution, please contact us at [email protected] for onboarding assistance.

Setting Up Your PingOne Environment

To get started setting up a SAML integration on PingOne with Hive:

1. Login to your company's PingOne organization dashboard.

2. If you do not already have an existing PingOne environment, please complete the following steps.

   1. Under PingOne's Environments home page, click the Plus icon to create a new environment.

      

   2. Select Build your own solution and select PingOne SSO before clicking Next.

      

   3. Under Select how you want to deploy your services, please name your environment. Feel free to configure and change other settings according to your needs. Click Finish. You should be redirected back to the Environments home page with your newly created environment listed.

   
   

3. Click the desired PingOne environment to create the Hive Application under. This will be the environment created in step 2 or an existing environment you wish to use. Then, click Manage Environment.

4. If PingOne SSO has not been added as a service to your environment, please complete the following steps (this is not applicable to people who completed step 2).

   1. Click the Plus icon under the Services section.

   2. Click the Add button for PingOne SSO and click Finish to add PingOne SSO as a new service to this environment.

      
      

Creating the PingOne Application

After setting up your new or existing PingOne environment with PingOne SSO capabilities, follow these steps to create an SAML integration with Hive on PingOne:

1. Click the Applications tab on the left sidebar.

   
   

2. Click the Plus icon next to Applications to create a new application. A new window should slide in from the right. Fill in an appropriate Application Name and select the application type as SAML Application before clicking Configure.

   
   

3. Under the SAML Configuration window, select the Manually Enter radio button and fill in the following information:

   1. ACS URLs
      Please input https://portal-customer-api.thehive.ai/sso/saml/acs.

   2. Entity ID
      Please input hive.

      
      

4. Click Save. Your new application should appear in the applications list. Feel free to configure and change application settings according to your needs. However, all default values provided should work.

This completes the setup needed on PingOne for integration with Hive. However, Hive requires some additional information before SSO is fully configured.

Completing Integration with Hive

The IDP Metadata URL is the last piece of information Hive needs to complete SSO integration. This can be found under the Overview tab, in the Connection Details section of your application overview.

To copy the IDP Metadata URL to your clipboard, click the adjacent icon.

Once you have found the Metadata URL:

• If you do not have Self Serve SSO enabled, please send the Metadata URL value to your Hive representative. Shortly afterward, SSO with Hive will be fully set up. If you would also like to enable Self Serve SSO to further simplify integration with Hive in the future, please follow the instructions on the Enabling Self Serve SSO document to get started.
• If you do have Self Serve SSO enabled, please follow the instructions below.

1. Using any kind of program that can make HTTP GET requests, please send a HTTP GET request to the Metadata URL value to view the XML Metadata document. You will need to inspect the contents of the XML document for the following steps. Find more detailed instructions below explaining how to accomplish this step using a normal web browser or Postman.

   1. Using a Browser

      1. Open up a new tab in your preferred web browser. Input your Metadata URL into the URL search bar and hit enter.

      2. Some links entered into the browser will open up the XML document in the browser itself. If this is your case, you can immediately skip to step 2. Otherwise, please follow step c.

         

      3. Other links entered into the browser will prompt the browser to download the XML document instead. You may see the following pop-up:

         

         Click Allow to download the file to your computer. Alternatively, you may see a download screen pop up directly:

         
      
      

   2. Using Postman

      1. Enter your Metadata URL into the URL text field and click *Send.*

      2. The XML document should appear in the response body.

         

         
         

2. Next, we will inspect the XML document to find the Entity ID. This can be found as an attribute in the <md:EntityDescriptor> tag. Look for the value following "entityID" (not to be confused with "ID", which also appears sometimes).

   
   

3. Navigate to the Manage SSO tab on your Hive organization dashboard.

4. Click the Add button next to the Manage SAML Integration header.

   
   

5. A pop-up window should appear. Enter the following values:

   • For Identity Provider, select PingOne.

   • For Issuer, please enter the entityID found above in step 2.

   • For Metadata, please copy and paste the entire XML Document contents from step 1 into the text box.

   • For Audience, please enter the Entity ID that you entered when creating the application. If you followed this guide above, then this should simply be hive . Note: This is NOT the entityID found in step 2.

     
     

6. Click Add. SSO with Hive via SAML should now be fully set up.

Managing Groups

Hive offers Group-Based Permission Mapping for PingOne SAML. To create a group and include its information in the SAML assertion, follow the instructions below. Note: You can send multiple groups' information in one assertion.

1. Login to your company's PingOne Admin console.
2. Navigate to the Directory tab on the left sidebar. Click on the Groups tab within.
3. Here, you can create groups and add members by clicking the Plus sign in the top left.

4. Next, navigate to the Applications tab in the left sidebar and click on the Applications tab nested within.
5. Click on your SAML SSO application, then click on the Attribute Mappings tab.

6. Click on the pencil icon in the top right to add attributes.

7. Click on the + Add button in the top right. Then, fill in the attribute name as groups. From the drop-down menu under PingOne Mappings, select the option Group Names. Save your changes.