--- title: Promoting SAML applications description: You can promote the SAML applications assigned to you. component: pingcentral version: 2.2 page_id: pingcentral:pingcentral_for_application_owners:pingcentral_promoting_saml_apps canonical_url: https://docs.pingidentity.com/pingcentral/2.2/pingcentral_for_application_owners/pingcentral_promoting_saml_apps.html revdate: December 14, 2023 section_ids: before-you-begin: Before you begin steps: Steps result: Result: resultpingcentral-promotes-your-application-to-the-designated-environment-in-pingfederate-the-new-promotion-shows-in-thehistory-section-of-the-page-if-the-signature-verification-certificate-used-during-promotion-is-available-in-the-pingfederate-environment-that-certificate-is-used-if-not-a-new-certificate-is-created: Result:PingCentral promotes your application to the designated environment in PingFederate. The new promotion shows in theHistory section of the page. If the signature verification certificate used during promotion is available in the PingFederate environment, that certificate is used. If not, a new certificate is created. --- # Promoting SAML applications You can promote the SAML applications assigned to you. ## Before you begin Prepare to provide the following: * **Entity ID**: used to uniquely identify the application and obtained from the service provider ACS URL, the application's URL to which SAML assertions from the identity provider will be sent after user authentication occurs. * **ACS URL**(s): the application's URL to which SAML assertions from the identity provider will be sent after user authentication occurs. * **SLO Service URL**(s): the application's URL utilized for single logout (SLO) functionality. * **SP certificates**: if the template you select is based on a PingFederate connection that requires a certificate. * **An assertion encryption certificate**: required if encryption is enabled for the connection. ## Steps 1. To promote the application to an environment, click the **Expand** icon associated with the application, select the **Promote** tab, and click **Promote**. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If an environment is offline or if a PingCentral administrator has set the environment status to **Disabled**, you will be unable to promote the application to a disabled or offline environment. | 2. In the **Available Environments** list, select the environment to which you want to promote the application. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------ | | | If you have the Application Owner role, you cannot promote applications to protected environments, which have shield icons associated with them. | 3. If curly brackets display in the upper right corner of the window, you have the ability to edit the underlying application JSON yourself. Or, you can complete the fields on this window. If you choose to complete the fields on this window, refer to the following: 1. In the **Entity ID**, **ACS URL**, and **SLO Service URL** fields, enter the appropriate information. If you provided a metadata file when you added your application to PingCentral, the **Promote to Environment** window is prepopulated with the information from the other SAML application. You can modify this information as necessary. 2. In the **Signing Certificate** list, select the appropriate certificate: * If the PingFederate environment contains signing certificates, those certificates display in the list. * The signing certificate added to the environment when it was created or last updated displays as the **Environment Default** certificate. * If signing certificates are not available in the PingFederate environment and an environment default certificate isn't available, or if an environment default certificate is available but expired, the **Automatically generate certificate** option displays in the list. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If you used signing certificates that were automatically generated to promote applications in PingCentral 1.7 or earlier, and you want to promote those applications to the same environments, you need to locate the signing certificates. Search for a signing certificate with a subject DN that matches the name of the application and select it as the signing certificate. | 3. Upload SP certificates, if required. SP certificates are required for PingFederate SP connections when: * Either of the single logout (SLO) options, **IdP-Initiated-SLO** or **SP-Initiated-SLO**, are selected as the SAML profile. * Digital signatures are required, and the Signature Policy is set to the **Require authn requests to be signed when received via the POST or redirect bindings** option. * Inbound backchannel authentication is configured. For more information, see the following topics in the *PingFederate Server Guide*: * [Configure digital signature settings](https://docs.pingidentity.com/access/sources/dita/topic?resourceid=help_SP_CredentialsTasklet_SigningCertState) * [Configuring signature verification settings (SAML 2.0)](https://docs.pingidentity.com/access/sources/dita/topic?resourceid=help_SP_CredentialsTasklet_SignatureVerificationSettingsState) 4. If encryption is enabled for the connection, click in the **Assertion Encryption Certificate** field. Select an assertion encryption certificate used for a previous promotion in the list or provide a new one. | | | | - | ---------------------------------------------------------------------------------------------------------------------------------- | | | Only whole encryption is currently supported, so if a connection has attributes specified for encryption, the promotion will fail. | To edit the JSON yourself: 1. Click the curly brackets. ### Result: The application JSON displays in the window. 2. Update the JSON to meet your needs. Built-in JSON syntax validation occurs as you make updates to help prevent mistakes. 4. Verify that the information displayed in the **Promote to Environment** window is correct and click **Promote**. ### Result:PingCentral promotes your application to the designated environment in PingFederate. The new promotion shows in the**History** section of the page. If the signature verification certificate used during promotion is available in the PingFederate environment, that certificate is used. If not, a new certificate is created. 5. To configure a single sign-on (SSO) connection, provide the application Entity ID and the SSO endpoint URL to your service provider. To locate the SSO endpoint URL, click the **View Connections Detail** link associated with the promotion. The URL displays on the **Promotion Details** window. ![This example shows the Promotion Details page, which contains information regarding the promotion, such as the ACS URL, SSO endpoint URL, and certificates associated with the connection.](_images/kio1624578838404.png)