This guide tells you how to configure Single Sign-On (SAML) in your Ping Identity tenant for the Hoxhunt service.
- Single Sign-On allows your employees to log in to, for example, the Hoxhunt Dashboard at https://game.hoxhunt.com and the Admin Portal at https://admin.hoxhunt.com/.
NOTE: Setting up SSO is optional. Single Sign-On is not required to report emails with the Hoxhunt button. If you don't wish to configure SSO, employees can log in to the Hoxhunt App via Magic Links.
1. SSO
1.1 Create the Hoxhunt SSO application
- Log in to your PingIdentity environment and navigate to Applications > Applications in the left-hand side menu.
- Create a new application by clicking the icon in the opening view.
- Give your application a name, such as Hoxhunt SSO.
- Select the application type to be SAML Application.
- Click Configure.
- On the SAML Configuration page select Manually Enter.
- Switch to Hoxhunt Admin Portal, and navigate to Settings > Single Sign-On > Identity providers.
- Click the Add Provider button to start configuring a new provider.
- In the opening view, give your SSO provider a name, for example Ping.
- Make a note of the ACS Url (Entity ID) field above the provider name. This value is unique to your organisation's Hoxhunt tenant.
- Switch back to Ping, and paste the ACS Url (Entity ID) value into the ACS URLs and Entity ID fields.
- Click Save.
1.2 Configure Hoxhunt application on Ping side
This section will outline the required settings for the SAML Application.
- Jump to the Configuration page of the application you created earlier.
- Click on the icon to edit the newly created application.
- Change the SIGNING KEY settings to Sign Assertion & Response.
- Select the SUBJECT NAMEID FORMAT to be:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- Save the changes by clicking Save.
1.3 Attribute mappings of the Hoxhunt application on Ping side
- Navigate to Attribute Mappings tab.
- Click on the icon to edit the newly created application.
- Add two new rows by clicking + Add.
- Enter the attribute mappings as shown in the picture and in the below table:
Attributes | PingOne Mappings |
saml_subject | Email Address |
firstName | Given Name |
lastName | Family Name |
NOTE: The attribute which is mapped to saml_subject should match with the primary mail (SMTP) address of the user in your mail environment.
- Save the settings by clicking Save.
1.4 Finalize the configuration
- Define the users who are allowed to log in via the Hoxhunt SSO Application, by navigating to the Access page of the application.
Note: This guide will not go into detail on specifying the membership details as this will vary from organization to organization.
- Turn on the application by using the toggle switch at the top-right hand corner.
- Move back to the Configuration page.
- Click Download Signing Certificate as X509 PEM (.crt) file.
- Copy the Single Signon Service URL.
- Move back to Hoxhunt Admin Portal Settings > Single Sign-On > Identity providers.
- Paste the Single Signon Service URL (from step 4.5.) to SAML 2.0 endpoint (HTTP) field.
- Open the signing certificate you downloaded (in step 4.4) with a text editor, copy the contents of the file and paste it to the Public certificate field.
- (OPTIONAL) Select if you want to use this provider as default for new email domains in Hoxhunt as well.
- Save the configuration by clicking Save.
- Set/Verify the newly created Ping Identity provider to be used for your current domains by moving to the Domain settings page in Hoxhunt Admin Portal.
- Select the newly created Identity provider configuration to be used.
Ping SSO has now been created and enabled for the selected domains.
1.5 Test the configuration
- Open a browser and navigate to game.hoxhunt.com or admin.hoxhunt.com.
- Log in using an address you configured for the SSO, and click Ping Sign In.
- You should now be forwarded to Ping Identity for signing in.
- After signing in, you'll be redirected back to Hoxhunt Dashboard or Hoxhunt Admin Portal.
2. SCIM
2.1 Retrieve your SCIM authentication token from the Hoxhunt admin portal
- Go to Automated user provisioning in Hoxhunt Admin Portal and retrieve the SCIM token by clicking Generate new token.
IMPORTANT: Once generated, the token cannot be seen on the page anymore. If for any reason you lose your SCIM token, you must generate a new one. Hoxhunt cannot retrieve the current SCIM token for you.
A warning will appear, letting you know that the token you are generating will replace the existing one. If this is your first time setting up SCIM for Hoxhunt, you can ignore this message.
- Copy the SCIM authentication token and the SCIM endpoint url from the Hoxhunt Admin Portal.
2.2 Create a Provisioning connection
- Navigate to your PingIdentity administrative console and start creating a new Provisioning connection under Integrations
- Choose Identity Store as the connection type
- From the opening view, select SCIM Outbound as the integration
- Give your new connection a descriptive name, description (optional) and an icon (optional)
TIP: If you want to use the Hoxhunt logo, you can find it here.
- Configure the authentication
- Enter the SCIM base url as copied in step 2.1.2
- Select OAuth 2 Bearer Token as the authentication method.
- Enter the authentication token from step 2.1.2 to the Oauth Access Token field
- Test the connection by clicking on the connection test button.
- If the connection was successful, move forward with Next
- If not, please verify that the token you copied previously and/or the SCIM endpoint URL is valid.
- Configure the connection preferences
- Select workEmail as the User Identifier
- Enter a Custom Attribute Schema URN
urn:ietf:params:scim:schemas:extension:hoxhunt:2.0:User
- Otherwise you can retain the default options.
- Save the connection
2.3 Create the provisioning rule
- Navigate to your PingIdentity administrative console and start creating a new Provisioning rule under Integrations
- Give your new rule a descriptive name and save
- In the opening view, select the previously created Hoxhunt SCIM provisioning connection by pressing on the plus icon.
- Save the configuration
- Configure the user filter per your organisation's requirements.
NOTE: This guide will not go into detail on specifying the membership details as this will vary from organization to organization.
- Select Attribute Mapping to start configuring the mappings for this rule.
- Enter the editing mode by clicking on the pencil icon
- These are the mandatory, minimum attributes we need.
active
familyName
givenName
userName <- Please map from the user's primary SMTP address
workEmail <- Please map from the user's primary SMTP address
2.4 Turning on the connection and rules
- After you've configured the connection and the rule and defined the mappings, the last step is to turn the provisioning on.
NOTE: If you'd like to define more mappings than the minimum, please see section 2.5 of this guide.
- Under Integrations -> Provisioning, select the created Connection and use the toggle switch to turn it on.
- Under the same menu (Integrations -> Provisioning) - move to the Rules tab and enable the rule you created.
- After enabling, the initial run will start and user accounts will be provisioned.
2.5 Configuring the attribute mappings
Here's a table of attributes and how they correspond to the attributes in the Hoxhunt UI.
Please note that customAttributes1-10 and employmentStartDate are currently not supported for Ping. We are currently working to support these.
Variable name in Hoxhunt | Name in Ping | Notes |
active | active | A boolean value that corresponds to the state of the user's account |
First Name | familyName | User's first name |
Last Name | givenName | User's last name |
userName | userName | Should correspond to the user's email |
workEmail | Should correspond to users userName | |
Job Title | title | The user's title, such as "Vice President". |
Manager | manager | Use manager email address as a source, manager must exist in Hoxhunt! |
City | workCity | User's city |
Site | division | User's Site |
Department | department | User's department |
Country | workCountry | User's Country |
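Before turning the rule on, it can help to run a pre-flight check over an export of the users in scope, since a missing mandatory attribute or a userName that differs from workEmail only shows up after the initial run. The following is an added example, not Hoxhunt or Ping code; the row layout (a list of dicts) and the sample users are constructed, and the manager check only compares against the same export, so a manager who already exists in Hoxhunt but is outside the export will be flagged too.

```python
# Ping-side attribute names from sections 2.3 and 2.5 of this guide.
MANDATORY = ("active", "familyName", "givenName", "userName", "workEmail")

# Constructed sample export; in practice load these rows from your directory export.
SAMPLE_USERS = [
    {"active": True, "familyName": "Ng", "givenName": "Ana",
     "userName": "ana@example.com", "workEmail": "ana@example.com", "manager": ""},
    {"active": True, "familyName": "Roy", "givenName": "Ben",
     "userName": "broy", "workEmail": "ben@example.com", "manager": "ana@example.com"},
    {"active": False, "familyName": "", "givenName": "Cy",
     "userName": "cy@example.com", "workEmail": "cy@example.com", "manager": "dee@example.com"},
]

def norm(value):
    """Normalise an address-like value for comparison."""
    return str(value or "").strip().lower()

def preflight(users):
    """Map each problematic userName to the list of problems found for it."""
    known = {norm(u.get("workEmail")) for u in users}
    report = {}
    for user in users:
        problems = []
        for attr in MANDATORY:
            value = user.get(attr)
            # False is a valid value for 'active', so test for absence, not truthiness.
            if value is None or str(value).strip() == "":
                problems.append(f"missing {attr}")
        if norm(user.get("userName")) != norm(user.get("workEmail")):
            problems.append("userName differs from workEmail")
        manager = norm(user.get("manager"))
        if manager and manager not in known:
            problems.append("manager not in provisioned set")
        if problems:
            report[user.get("userName") or "<no userName>"] = problems
    return report

if __name__ == "__main__":
    for name, problems in preflight(SAMPLE_USERS).items():
        print(name, "->", "; ".join(problems))
```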
Frequently asked questions
I enabled SSO but the configuration doesn't work, how can I sign back in?
You can sign in using the Hoxhunt add-in in your mail client as well. Use the Go to dashboard button at the bottom of the add-in pane and you'll be moved to the game dashboard.
Move to the Admin Portal from the top-left hand corner.