Configuring SSO Integration with Ping Identity
Last updated
Follow the steps below one by one to integrate Parallels My Account with Ping Identity.
A domain is a part of the email addresses (after the @ symbol) used by the end users in your organization. When end users try to log in to Parallels My Account using SSO, they are prompted to enter their work email address. Parallels My Account checks the domain part of the email address and recognizes that the user belongs to your organization. Click on the title of Step 1 to expand it, and read the instructions carefully.
Add one or more domains your organization uses.
Each domain must be unique and can only be registered to one business account that your organization has registered with Parallels.
Make sure to add only the domains your organization can control.
The Parallels My Account service verifies the domain ownership by checking a specific TXT record that must be added to the DNS host of the corresponding domain. Make sure that all domains added to the list are verified before proceeding with the next steps.
Depending on the DNS software or hosting provider, a TXT record may take up to 72 hours to propagate. You can check whether it has been published using the following command:
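As an added example (it is not Parallels' own command), the following Python script performs that check with dig, which is available on macOS and most Linux systems. It queries the domain's TXT records both at one of its authoritative name servers and at a public resolver, so that a record that is already published but not yet propagated can be told apart from one that is missing. The record value parallels-site-verification=... used in the usage line is a constructed placeholder; use the exact value displayed in Parallels My Account.

```python
"""Check whether a domain-verification TXT record is visible in DNS.

Added example, not from the Parallels documentation. It shells out to `dig`
and compares what a resolver returns with the expected record value. The same
record is queried at the domain's authoritative name server and at a public
recursive resolver: a record visible only at the authoritative server has been
published but has not propagated yet.
"""
import shlex
import subprocess
from typing import Optional

PUBLIC_RESOLVER = "1.1.1.1"  # any public recursive resolver will do


def parse_txt_records(dig_output: str) -> list:
    """Turn `dig +short TXT` output into a list of record values.

    dig prints each TXT record as one or more quoted strings, e.g.
        "v=spf1 include:example.net -all"
        "part-" "one"
    Long records are split into several quoted chunks that must be joined.
    """
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line:
            continue
        # shlex handles the quoted chunks and escaped quotes inside them.
        records.append("".join(shlex.split(line)))
    return records


def record_present(records: list, expected: str) -> bool:
    """True if one of the TXT records equals the expected verification value."""
    return any(r.strip() == expected.strip() for r in records)


def dig_short(name: str, rrtype: str, resolver: Optional[str] = None) -> str:
    """Run `dig +short RRTYPE NAME [@resolver]` and return its stdout."""
    cmd = ["dig", "+short", rrtype, name]
    if resolver:
        cmd.append(f"@{resolver}")
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def check_domain(domain: str, expected: str) -> dict:
    """Look for the record at an authoritative server and at a public resolver."""
    ns_servers = [ns.rstrip(".") for ns in dig_short(domain, "NS").split()]
    authoritative = ns_servers[0] if ns_servers else None
    result = {}
    for label, resolver in (("authoritative", authoritative), ("public", PUBLIC_RESOLVER)):
        records = parse_txt_records(dig_short(domain, "TXT", resolver))
        result[label] = record_present(records, expected)
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        # The record value is a placeholder; copy the real one from My Account.
        sys.exit("usage: check_txt.py example.com 'parallels-site-verification=TOKEN'")
    status = check_domain(sys.argv[1], sys.argv[2])
    for where, found in status.items():
        print(f"{where:14s}: {'found' if found else 'missing'}")
    if status["authoritative"] and not status["public"]:
        print("Record is published but has not propagated yet; retry later.")
```

If both lookups report missing, the record has not been added at the DNS host (or was added to the wrong zone); if only the public lookup is missing, wait for propagation before clicking verify in My Account.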
Registering the Parallels enterprise application (required for integrating with the Parallels My Account service) in the IdP Directory allows you to configure the SSO-related parameters and correctly provision the integration between your IdP and the Parallels My Account service.
The description below illustrates the registration procedure for Ping Identity. It is assumed that you have the permissions required to register and configure enterprise applications with Ping Identity. To register a Parallels enterprise application with Ping Identity:
Log into Ping Identity using an account that has privileges for registering and configuring enterprise applications for your organization.
Go to the Applications section and click on the Add (+) button.
A Create Environment wizard will appear where you need to select the Build your own solution option using the Ping SSO service, and click Next.
In the Add application stage, type in a name for the application you are registering (e.g., Parallels Desktop), choose SAML as your application type, and click Configure.
At the SAML Configuration step, choose the Manually Enter option and copy the respective parameter values from Step 4 (Configure SAML Integration) of the Parallels My Account integration page as follows:
Assertion Consumer Service URL (My Account) -> ACS URLs (Ping Identity)
Service Provider Entity ID (My Account) -> Entity ID (Ping Identity)
The next step will require you to configure mapping attributes under the Attribute Mappings section. Use the Edit button and add the attributes as follows (note that the fields are case-sensitive):
saml_subject -> User ID
displayname -> Expression: {user.name.given + ' ' + user.name.family}
groups -> Group IDs
name -> Email Address
objectidentifier -> User ID
Switch the application configuration on using the toggle.
You must create user groups associated with the Parallels enterprise application in your IdP Directory. Later, you will add users to those groups to let Parallels My Account know which users should be able to activate their copies of Parallels Desktop for Mac Enterprise Edition via Single Sign-On (SSO) and which should have business account admin privileges in the Parallels ecosystem.
At least one user group is required for adding users with admin access to your organization’s business account registered with Parallels. Once the group is created, you should add the group's name and ID in Step 3 of the integration configurator page in Parallels My Account.
Start with creating the group in the IdP Directory. To do so, switch to your IdP management portal and follow the standard procedure of creating a user group and associating it with the Parallels enterprise application, as provided by your Organization’s IdP. The description below illustrates the registration procedure for Ping Identity. It is assumed that you have appropriate permissions that allow you to manage user groups in Ping Identity. If your organization uses a different IdP service, follow the instructions provided in the admin guide specific to your IdP of choice.
To create a user group for the Parallels enterprise application in Ping Identity:
Log into the Ping Identity portal using the account which has privileges for managing user groups and configuring enterprise applications.
On the Start page, choose the Administrator environment (or any other environment that you may have created before) to open the Ping Identity console page.
Navigate to Directory and switch to the Groups tab.
You need to create two groups, one for the users who are supposed to be granted the admin permissions to access your organization’s business account registered with Parallels, and another for the regular Parallels Desktop users who are expected to sign into their copies of Parallels products via SSO.
Click the Add (+) icon to launch the group creation wizard, and type in the group name and description. Click Save and wait while the group is being created.
Make sure you have configured both groups: for the Parallels Desktop users and for the Parallels business account admins. If everything is set, click Save at the bottom and proceed to the next step.
SAML 2.0 integration between Parallels My Account and your organization’s IdP allows your organization's users to activate their copies of Parallels Desktop for Mac Enterprise Edition using Single Sign-On (SSO) while your admins can use it to log into the business account registered with Parallels using their main corporate login credentials.
To complete this step, you must copy some parameters from your Parallels My Account to the settings section of the Parallels enterprise application registered in the IdP Directory and then copy certain data provided in the IdP Directory to the Parallels My Account admin panel.
The following description illustrates the procedure for Ping Identity. It is assumed that you have appropriate permissions that allow you to configure enterprise applications in Ping Identity. If your organization uses a different IdP service, follow the instructions provided in the chapter specific to your IdP of choice.
Parameters can be copied between Parallels My Account and the IdP Directory either via metadata files (assuming your IdP software supports transferring those parameters via external files) or manually.
The first group of parameters, Service Provider Entity ID and Assertion Consumer Service URL (both values are pre-set automatically and cannot be changed), was already copied from Parallels My Account to the IdP Directory when the enterprise application was created in Step 2.
To transfer the second set of parameters from Ping IdP to My Account:
Switch to the IdP integration page in My Account, scroll down, and expand Step 4 ("Configure SAML integration"). Under Identity Provider Settings, click on the Upload a metadata file link and select the XML metadata file downloaded from the Parallels application in Ping Identity (Overview tab, Download Metadata under Connection Details).
Select the Configuration in the IdP Directory is done option at the bottom of the section and click Save.
Return to the Applications tab in Ping Identity and close the Configuration tab, then make sure that the application access toggle is switched on.
Proceed to the next step.
SCIM 2.0 integration between Parallels My Account and your Organization’s IdP allows you to keep user identity information in Parallels My Account in constant sync with the updates made to user identities in the IdP Directory.
The following description is based on the assumption that your IdP supports SCIM.
The description below illustrates the procedure for Ping Identity. It is assumed that you have appropriate permissions that allow you to configure enterprise applications in Ping Identity. If your organization uses a different IdP service, follow the instructions provided in the admin guide specific to your IdP of choice.
To configure SCIM settings at the Ping Identity management portal:
Open the navigation sidebar and go to Integrations → Provisioning.
Create a new SCIM connection by clicking the Add (+) and selecting New connection.
From the connection catalog, select SCIM Outbound and click Next.
Enter a name and description for this provisioning connection (the actual name and description remain at your discretion). The connection name will appear on the list once you have completed and saved the connection.
Click Next.
On the Configure authentication screen, enter the following:
Select the authentication method to use: OAuth2 Bearer Token.
Select the Auth Type Header: Bearer.
Copy the contents of the Bearer Token from Parallels My Account and paste it into the respective field.
Click Test Connection and if successful, click Next.
For the User Filter Expression parameter, the exact value should be userName eq "%s" (with straight ASCII double quotes). Make sure that the N in userName is capitalized.
The User Identifier parameter should be workEmail.
Click Save.
Turn on SCIM by toggling the switch.
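To see what the Test Connection step does from outside the Ping console, here is an added example script (not Parallels or Ping code). It builds the /Users lookup that results when Ping substitutes the user identifier for %s in the userName eq "%s" filter, sends it with the Bearer Token, and turns the answer into a short diagnosis: rejected token, wrong base URL, or a valid SCIM ListResponse. The SCIM Base URL, token and email address in it are placeholders; the real values are shown in the Step 5 section of Parallels My Account.

```python
"""Reproduce a SCIM "Test Connection" user lookup outside the Ping console.

Added example, not Parallels or Ping code. SCIM_BASE_URL and BEARER_TOKEN are
placeholders for the values shown in Step 5 of Parallels My Account. The filter
template is the one the Ping connection requires; Ping replaces %s with the
user identifier (the work email when User Identifier is workEmail).
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

SCIM_BASE_URL = "https://scim.example.invalid/scim/v2"  # placeholder
BEARER_TOKEN = "REPLACE-WITH-TOKEN-FROM-MY-ACCOUNT"     # placeholder
USER_FILTER_TEMPLATE = 'userName eq "%s"'              # value from the Ping setup
LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def user_lookup_url(base_url: str, filter_template: str, identifier: str) -> str:
    """Build the /Users?filter=... URL sent for one user identifier.

    The identifier is escaped as a SCIM (JSON-style) string literal so a quote
    in it cannot break out of the filter, then the whole filter is
    percent-encoded, including the double quotes SCIM requires around strings.
    """
    escaped = identifier.replace("\\", "\\\\").replace('"', '\\"')
    scim_filter = filter_template.replace("%s", escaped)
    query = urllib.parse.urlencode({"filter": scim_filter}, quote_via=urllib.parse.quote)
    return f"{base_url.rstrip('/')}/Users?{query}"


def diagnose(status: int, body: Optional[dict]) -> str:
    """Map an HTTP status and decoded SCIM body to a short diagnosis."""
    if status == 401:
        return "token rejected: re-copy the Bearer Token from My Account"
    if status == 404:
        return "endpoint not found: check the SCIM Base URL"
    if status != 200:
        return f"unexpected HTTP {status}"
    if not body or LIST_RESPONSE_SCHEMA not in body.get("schemas", []):
        return "200 but not a SCIM ListResponse: wrong URL or not a SCIM endpoint"
    return f"ok: SCIM endpoint answered, {body.get('totalResults', 0)} matching user(s)"


def probe_connection(base_url: str, token: str, identifier: str) -> str:
    """Perform the lookup over HTTPS and return the diagnosis."""
    req = urllib.request.Request(
        user_lookup_url(base_url, USER_FILTER_TEMPLATE, identifier),
        headers={"Authorization": f"Bearer {token}", "Accept": "application/scim+json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return diagnose(resp.status, json.loads(resp.read() or b"null"))
    except urllib.error.HTTPError as err:
        return diagnose(err.code, None)


if __name__ == "__main__":
    # alice@example.com is a constructed identifier for the demonstration.
    print(probe_connection(SCIM_BASE_URL, BEARER_TOKEN, "alice@example.com"))
```

A 401 here while the token was pasted correctly usually means the token was copied with surrounding whitespace or from a different business account; a 404 or an HTML body means the SCIM Base URL points at the wrong path.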
Now you need to create a provisioning rule. Follow these steps:
While remaining on the Provisioning page, click the Add (+) button in the top-left corner again, and select New Rule.
Choose the name and description for the rule.
On the next page of the wizard, click on the Target box and select your newly created SCIM connection as the target by clicking on the (+) button. Click Save.
In the next step, set up the user filter by clicking the Edit button, configuring any rule to your liking, and clicking Save.
Switch to the Attribute Mapping step by clicking the respective icon. Click on the Edit button. Here, it is essential that you do two things:
Change the userName attribute value from the default Username to email. Use the respective drop-down selector in the left column to choose Email Address.
Add another mapping rule by clicking the + Add button. Map displayName to Given Name. Click Save.
Your attribute mapping section should now contain these two mappings.
Return to the Configuration tab and switch to the final icon, Group Provisioning. Click the Add Groups button and add all the groups as required, making sure the Parallels Desktop administrators and users groups, and any other groups that may need to activate Parallels Desktop for Mac, are added. Click Save.
Once the groups have been selected, enable the new rule and test synchronization by clicking Resync.
Switch back to Parallels My Account and select the Configuration in the IdP Directory is done option at the bottom of the section to confirm that you have finished the configuration procedure in the IdP Directory. Then continue to the next step.
Add users to the groups created in Step 3 (described earlier) to enable end users to activate their copies of Parallels Desktop for Mac Enterprise Edition using SSO and grant administrators permission to log into your organization’s business account registered with Parallels.
To do so, navigate to the Start page and choose the Administrator environment (or any other environment that you may have created before) to open the Ping Identity console page. Navigate to Identities, then Users, and create users by clicking the Add User button. Once this is done, or if you plan to add users later, select the Configuration in the IdP Directory is done option at the bottom of the section.
Once users have been created, you need to add them to the groups created above. To do so, navigate back to Identities and switch to the Groups tab. Click on the group name and add users to it.
Warning: Once you have completed the integration process and activated the SSO functionality, only users from the Administrators group in your IdP signing in via SSO will retain access to managing the Parallels business account. All previous administrative privileges based on logins and passwords will become inactive.
Your designated backup login will continue to work.
Once the registration of the Parallels enterprise application in the IdP Directory is completed, switch back to the IdP integration page in Parallels My Account, expand the Step 2 section and select the Configuration in the IdP Directory is done option at the bottom of the section. Then move on to the next step.
Copy the name and ID of the group you have created to Parallels My Account. To do so, switch back to the IdP integration page in Parallels My Account, expand the Step 3 section, use the click-to-edit link, paste the group's name and ID in the corresponding input fields of the Parallels Business Account Admins section, and click Save. Repeat this for the Parallels Desktop users group.
Expand the Step 4 section on the IdP integration page in Parallels My Account. Note that there are two groups of parameters in the section. The first group has two values, Service Provider Entity ID and Assertion Consumer Service URL, which must be copied from Parallels My Account to the IdP Directory. The second group includes three parameters: Identity Provider Entity ID, Identity Provider SSO URL, and Public Certificate. The values for these parameters must be copied from your IdP Directory to Parallels My Account.
Navigate to the Applications tab and click on the application that was created in Step 2. Proceed to the Overview tab and click Download Metadata under Connection Details.
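As an added example (not Parallels or Ping code), the following Python script reads the three Identity Provider values of Step 4 out of a downloaded SAML metadata file, so you can confirm before uploading that the file is identity-provider metadata and carries an entity ID, an SSO URL and a signing certificate. The embedded metadata document is constructed for offline runs, with an invented entity ID, SSO URL and a dummy certificate body; point the script at the real file instead. The certificate fingerprint it prints can be compared with what My Account shows after the upload.

```python
"""Read the Step 4 Identity Provider values out of SAML IdP metadata.

Added example, not Parallels or Ping code. SAMPLE_METADATA is a constructed
minimal descriptor in the SAML 2.0 metadata schema: the entity ID and SSO URL
are invented and the certificate body is base64 of dummy bytes, not a real
X.509 certificate. Pass the downloaded metadata file as the first argument.
"""
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample for offline runs (see module docstring).
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://auth.pingone.example/abc123">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(b"not a real certificate").decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}" Location="https://auth.pingone.example/abc123/saml20/idp/sso"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://auth.pingone.example/abc123/saml20/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def read_idp_settings(metadata_xml: str) -> dict:
    """Extract entity ID, SSO URL and signing certificate from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")

    # Prefer the HTTP-Redirect endpoint, fall back to HTTP-POST.
    by_binding = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = by_binding.get(REDIRECT) or by_binding.get(POST)
    if not sso_url:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")

    # Signing certificates: KeyDescriptor with use="signing" or with no use attribute.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                certs.append("".join(node.text.split()))  # drop line breaks inside the PEM body
    if not certs:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode(certs[0])  # raises if the certificate body is not valid base64
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso_url,
        "certificate_b64": certs[0],
        "cert_sha256": hashlib.sha256(der).hexdigest(),
        "extra_certificates": len(certs) - 1,  # more than 0 during an IdP key rollover
    }


if __name__ == "__main__":
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    for key, value in read_idp_settings(xml_text).items():
        print(f"{key}: {value}")
```

If the script reports more than one signing certificate, the IdP is in a key rollover; make sure the certificate My Account ends up with is the one Ping currently signs with, or SSO logins will fail signature validation.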
It is assumed that your IdP software supports SCIM. For this reason, the SCIM Support option in the Step 5 section on the IdP integration page in Parallels My Account is enabled by default. If your IdP does not support SCIM, disable the option and move on to the next step.
To configure provisioning via SCIM, you must copy two parameters, SCIM Base URL and Bearer Token (both values are pre-set automatically and cannot be changed), from the Step 5 section of the IdP integration page in Parallels My Account to the IdP Directory.
SCIM Base URL. The fully qualified URL to use for the SCIM resources is .
The backup login can be used to access your organization’s business account registered with Parallels, bypassing Single Sign-On in the event of an SSO malfunction. By default, the backup login is set to the email address of the currently logged-in user. If you want to define a different backup login, add more users first on the Users page in Parallels My Account. The new user must log into the business account at least once before they can be designated as a backup login.