SAML SP application promotions
When application owners add an application to PingCentral, they can provide an .xml file that contains service provider metadata from a similar SAML application. This file might contain any or all of these items:
- Entity ID: Uniquely identifies the application.
- ACS URL(s): The application’s URL to which SAML assertions from the identity provider are sent after user authentication occurs.
- SLO Service URL(s): The application’s URL used for single logout (SLO) functionality.
- Attribute mapping information: The application attributes are mapped to the identity attributes required to fulfill the authentication policy contract in PingFederate.
- SP public certificate: Used to prove ownership of a public key and obtained from the service provider.
- Assertion encryption certificates: Used to prove that the SAML assertion is encrypted.
Alternatively, they can provide the Entity ID, ACS URL, and certificates during the promotion process.
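As an added example (not PingCentral code), the following script reads the items listed above out of SP metadata using only the standard library and flags settings worth checking before promotion: a non-https ACS or SLO endpoint, and a missing signing or encryption certificate. The metadata document and certificate bodies are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Signature.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample SP metadata (not a real application); certificate bodies are placeholders.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://app.example.com/saml/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...SIGNING-CERT-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...ENCRYPTION-CERT-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://app.example.com/saml/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.com/saml/acs" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://app.example.com/saml/acs-legacy" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Extract Entity ID, ACS/SLO URLs and certificates from SP metadata; flag weak settings."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = [e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)]
    slo = [e.get("Location") for e in sp.findall("md:SingleLogoutService", NS)]
    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text.strip()
        # A KeyDescriptor without a 'use' attribute applies to both signing and encryption.
        for use in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"]):
            certs.setdefault(use, []).append(cert)
    findings = []
    # Assertions are posted to the ACS URL; a non-TLS endpoint exposes them in transit.
    findings += ["non-https endpoint: " + u for u in acs + slo if not u.startswith("https://")]
    if "encryption" not in certs:
        findings.append("no encryption certificate: assertions to this SP cannot be encrypted")
    if "signing" not in certs:
        findings.append("no SP signing certificate: signed SP requests cannot be verified")
    return {"entity_id": root.get("entityID"), "acs_urls": acs, "slo_urls": slo,
            "certificates": certs, "findings": findings}

if __name__ == "__main__":
    for key, value in parse_sp_metadata(SAMPLE_SP_METADATA).items():
        print(key, value)
```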
If the Allow JSON editing for application promotions option is enabled for the environment, application owners are able to edit the underlying application JSON when they promote their SAML SP applications.
Application owners are also asked to provide a signing certificate during the promotion process. They can select an existing PingFederate signing certificate, or the environment default certificate, if one exists. The default certificate is the certificate added to the environment when it was created or last updated. If signing certificates are not available in the PingFederate environment and an environment default certificate is not available, or if an environment default certificate is available but expired, they can choose to automatically generate a certificate.
To learn more about this process, see Promoting SAML applications in the PingCentral for Application Owner’s guide.
During the promotion process, the application name and description remain the same. If PingCentral identifies an identical connection in PingFederate, the application JSON, along with the information that the application owner provides, overwrites the PingFederate connection within the target environment. If the connection does not already exist, PingCentral creates the items defined in the application JSON, along with the information that the application owner provided.