Configuring target URL mapping
When you have more than one target session defined in an identity provider (IdP) connection, you must map the target URL to its target session.
About this task
When PingFederate receives a single sign-on (SSO) or single logout (SLO) request, it compares the target URL against the configured URLs until a match is found. If a match is not found, the SSO request fails.
For target URL mapping to work correctly, you must configure a target resource entry in the Security → System Integration → Redirect Validation settings. If you have not done this, follow the instructions in Configuring redirect validation.
For example, this mapping configuration might be necessary in an IdP-initiated SSO scenario that connects to multiple applications at your site. For transactions initiated at your site, this mapping is required for default situations where the target resource and the adapter instance are not specified in the SSO or SLO request. When this information is provided with the service provider (SP) request, the mapping table is ignored. For more information, see SP services.
When bridging an identity provider to multiple service providers, for each service provider supporting the SAML IdP-initiated SSO profile, map the target URLs to the corresponding SP connection.
In this scenario, PingFederate is a federation hub for the identity provider and the service providers. For more information, see Federation hub use cases.
Finally, if an IdP connection is associated with one or more SP adapters, authentication policy contracts, or both, you also need to map the target URLs to their respective target sessions.
You manage target URL mappings on the Applications → Integration → Target URL Mapping window. The configuration process involves entering a URL and selecting a target session for it. See the following table for more information.
The order of mapping is significant: the first matching mapping, from top to bottom, determines which target session receives the request. For example, suppose two URLs are mapped in the following order:
URL | Session Target |
---|---|
 | OpenToken SP Adapter to a local training app |
http://www.example.com/* | SP connection to SP SaaS |
A target URL of http://www.example.com/acct101/ will be mapped to OpenToken SP Adapter to a local training app because the target matches the first mapping in the configuration.
If the order of the mappings is reversed, the same target will be mapped to SP connection to ACME SaaS because the first mapping in the new configuration, http://www.example.com/*, matches the target URL.
Steps
- Enter a URL.
  Enter the target URLs that align with your configured target sessions. The URLs instruct the PingFederate SP server to route session-creation processing through an SP adapter instance or an SP connection.
  You can use a wildcard (*) to match multiple URLs to the same target session, but you can use only one wildcard (*) per URL. If the target URL in the incoming request is not matched by the first entry in this table, subsequent entries are tried until a match is found.
  PingFederate also tries the next entry if a target session is not allowed based on restrictions imposed. For more information, see Restricting a target session to certain virtual server IDs.
- Select a target type from the list.
  You can only select a target type from the list when the IdP role is activated with at least one protocol for browser-based SSO.
  If the IdP role is not activated or is activated without any protocol for browser-based SSO, such as SAML or WS-Federation, the Target Type value defaults to SP Adapter.
- Select a target session from the list.
  The available values depend on the selected Target Type.
- Click Add Mapping.
- Repeat these steps to add multiple mappings.
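The first-match ordering and the one-wildcard limit described above, as an added example that is not PingFederate code: a small resolver plus an audit that flags mappings made unreachable by an earlier, broader entry. It assumes `*` matches any run of characters and that comparison is case-sensitive; the `acct*` pattern and the session labels are constructed for illustration.

```python
import re

def compile_pattern(url_pattern):
    """Turn a mapping URL with at most one '*' into a compiled regex."""
    if url_pattern.count("*") > 1:
        raise ValueError("only one wildcard allowed per URL: " + url_pattern)
    # Assumption: '*' matches any run of characters, including none.
    body = ".*".join(re.escape(part) for part in url_pattern.split("*"))
    return re.compile(body, re.DOTALL)

def resolve(mappings, target_url):
    """Return the session of the first matching entry, top to bottom."""
    for url_pattern, session in mappings:
        if compile_pattern(url_pattern).fullmatch(target_url):
            return session
    return None  # no match: the SSO request would fail

def covers(earlier, later):
    """True if every URL matched by `later` is also matched by `earlier`."""
    if "*" not in later:
        return compile_pattern(earlier).fullmatch(later) is not None
    if "*" not in earlier:
        return False
    e_prefix, e_suffix = earlier.split("*")
    l_prefix, l_suffix = later.split("*")
    return l_prefix.startswith(e_prefix) and l_suffix.endswith(e_suffix)

def shadowed(mappings):
    """List (unreachable_url, shadowing_url) pairs caused by entry order."""
    findings = []
    for i, (later, _) in enumerate(mappings):
        for earlier, _ in mappings[:i]:
            if covers(earlier, later):
                findings.append((later, earlier))
                break
    return findings

# Constructed sample table; the 'acct*' pattern and labels are illustrative.
SPECIFIC_FIRST = [
    ("http://www.example.com/acct*", "training-app adapter"),
    ("http://www.example.com/*", "SaaS SP connection"),
]
BROAD_FIRST = list(reversed(SPECIFIC_FIRST))

if __name__ == "__main__":
    for table in (SPECIFIC_FIRST, BROAD_FIRST):
        print(resolve(table, "http://www.example.com/acct101/"), shadowed(table))
```

The audit ignores per-session restrictions: an entry flagged here can still be reached when the earlier session is not allowed for the request's virtual server ID, so treat each finding as a prompt to review the order.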