PingFederate Server

Choosing SAML 2.0 profiles

A SAML profile is the message-interchange scenario that you and your federation partner have agreed to use. A SAML binding, by contrast, is the transport protocol used to carry SAML messages.

About this task

On the SAML Profiles tab, select one or more SAML 2.0 profiles for your IdP Browser SSO configuration.

The SAML Profiles tab is not shown for SAML 1.x connections because identity provider (IdP) single sign-on (SSO) is assumed, single logout (SLO) profiles are not supported, and the server supports the "destination-first" (SP-initiated) profile SSO automatically. This window is also not presented for WS-Federation connections because profile selection is not required.

When configuring a local loopback connection, in which one PingFederate instance is both the identity provider and the service provider, disable the IdP-Initiated SLO and SP-Initiated SLO options on the Browser SSO window’s SAML Profiles tab. These options determine whether SAML logout requests should be sent to the partner during the SLO flow. Those requests aren’t necessary and can cause unexpected behavior when the partner connection exists locally. All local sessions for loopback connections are terminated during the SLO flow without the need to send SAML requests.

For SAML 2.0, PingFederate supports all IdP- and SP-initiated SSO and SLO profiles. For more information on typical SSO and SLO profile configurations, including illustrations, see SAML 2.0 profiles.

Steps

  1. Go to Applications → Integration → SP connections.

  2. Click on the SP connection you want to configure. For more information, see Accessing SP connections.

  3. On the Browser SSO tab, click Configure Browser SSO.

  4. Select either IdP-Initiated SSO or SP-Initiated SSO or both, depending on your partner agreement.

    You must select at least one SSO profile.

  5. Select either IdP-Initiated SLO or SP-Initiated SLO or both, depending on your partner agreement.

    SLO profile options are only enabled after you choose an SSO profile.

    Screen capture of the Browser SSO configuration window with the SAML Profiles tab selected. There is a section for Single Sign-On (SSO) Profiles with IdP-Initiated SSO and SP-Initiated SSO check boxes. The IdP-Initiated SSO check box is selected. There is another section for Single Logout (SLO) Profiles with IdP-Initiated SLO and SP-Initiated SLO check boxes. The IdP-Initiated SLO check box is selected.

  6. Click Next to save your changes.
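
The profile rules above (at least one SSO profile, SLO only alongside an SSO profile, no SLO on a loopback connection) can be checked across many SP connections at once. The following is an added example, not part of the PingFederate documentation or product code. It assumes connection data exported as JSON, with the field names `spBrowserSso`, `protocol` and `enabledProfiles` and the profile values shown, and that you supply the entity IDs of your loopback connections yourself.

```python
import json

SSO = {"IDP_INITIATED_SSO", "SP_INITIATED_SSO"}
SLO = {"IDP_INITIATED_SLO", "SP_INITIATED_SLO"}

# Constructed sample data; field names and enum values are assumptions.
SAMPLE = json.loads("""
[
 {"name": "hr-app", "entityId": "https://hr.example.com/sp",
  "spBrowserSso": {"protocol": "SAML20",
                   "enabledProfiles": ["SP_INITIATED_SSO", "SP_INITIATED_SLO"]}},
 {"name": "slo-only", "entityId": "https://crm.example.com/sp",
  "spBrowserSso": {"protocol": "SAML20",
                   "enabledProfiles": ["IDP_INITIATED_SLO"]}},
 {"name": "loopback", "entityId": "https://pf.example.com/local-sp",
  "spBrowserSso": {"protocol": "SAML20",
                   "enabledProfiles": ["IDP_INITIATED_SSO", "IDP_INITIATED_SLO"]}},
 {"name": "legacy-wsfed", "entityId": "urn:legacy",
  "spBrowserSso": {"protocol": "WSFED", "enabledProfiles": []}}
]
""")


def audit_profiles(connections, loopback_entity_ids=()):
    """Return sorted (connection name, finding) pairs for rule violations."""
    findings = []
    for conn in connections:
        sso_cfg = conn.get("spBrowserSso") or {}
        # Profile selection only applies to SAML 2.0 connections.
        if sso_cfg.get("protocol") != "SAML20":
            continue
        name = conn.get("name", "<unnamed>")
        profiles = set(sso_cfg.get("enabledProfiles") or [])
        for p in sorted(profiles - SSO - SLO):
            findings.append((name, f"unknown profile {p}"))
        if not profiles & SSO:
            findings.append((name, "no SSO profile selected"))
            if profiles & SLO:
                findings.append((name, "SLO enabled without an SSO profile"))
        # Loopback partners live on the same instance, so SLO requests are unnecessary.
        if conn.get("entityId") in loopback_entity_ids and profiles & SLO:
            findings.append((name, "loopback connection has SLO enabled"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit_profiles(SAMPLE, {"https://pf.example.com/local-sp"}):
        print(f"{name}: {finding}")
```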