PingFederate Server

Bridging an IdP to an SP

PingFederate bridges single sign-on (SSO) and single log-out (SLO) transactions between an identity provider (IdP) and a service provider (SP).

About this task

If you have a legacy IdP system that can only send SAML 1.1 assertions through POST and an SP that requires SAML 2.0 assertions through the artifact binding, configuring the federation hub allows PingFederate to consume inbound SAML 1.1 assertions by POST, translate them to SAML 2.0 assertions, and send them through the artifact binding to the SP.

Diagram depicting the process of bridging an IdP to an SP.

Steps

  1. Create a contract to bridge the attributes between the IdP and the SP. For more information, see Federation hub and authentication policy contracts.

  2. Create an IdP connection between the IdP and PingFederate, with the federation hub acting as the SP, and add the applicable authentication policy contracts to the IdP connection on the Target Session Mapping tab.

  3. Create an SP connection between PingFederate, with the federation hub acting as the IdP, and the SP, and add the corresponding authentication policy contract to the SP connection on the Authentication Source Mapping window.

  4. Work with the IdP to connect to PingFederate, the federation hub, as the SP.

  5. Work with the SP to connect to PingFederate, the federation hub, as the IdP.
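
The attribute flow that steps 1 through 3 configure, shown as an added illustration that is not Ping Identity code: a simplified Python model in which a SAML 1.1 assertion fulfils the contract and the contract populates a SAML 2.0 assertion. The sample assertion, the attribute names and both mapping tables are constructed assumptions; signature and condition validation, the ID and IssueInstant attributes, and the artifact binding are left out.

```python
import xml.etree.ElementTree as ET  # sample below is constructed; parse untrusted XML with a hardened parser

SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML20 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: an unsigned SAML 1.1 assertion as a legacy IdP might POST it.
SAMPLE_SAML11 = f"""<saml:Assertion xmlns:saml="{SAML11}" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-1" Issuer="https://legacy-idp.example" IssueInstant="2024-01-01T00:00:00Z">
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="mail" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="shoeSize" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>44</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mappings standing in for the two connections' mapping screens.
IDP_TO_CONTRACT = {"subject": "NameIdentifier", "email": "mail"}       # contract attr <- SAML 1.1 source
CONTRACT_TO_SP = {"SAML_SUBJECT": "subject", "EmailAddress": "email"}  # SAML 2.0 attr <- contract attr

def fulfil_contract(saml11_xml, idp_map):
    """IdP connection side: read the SAML 1.1 assertion and fill every contract attribute."""
    root = ET.fromstring(saml11_xml)
    stmt = root.find(f"{{{SAML11}}}AttributeStatement")
    inbound = {"NameIdentifier": stmt.findtext(f"{{{SAML11}}}Subject/{{{SAML11}}}NameIdentifier")}
    for a in stmt.findall(f"{{{SAML11}}}Attribute"):
        inbound[a.get("AttributeName")] = a.findtext(f"{{{SAML11}}}AttributeValue")
    missing = [c for c, src in idp_map.items() if not inbound.get(src)]
    if missing:  # fail closed rather than forward a partially filled contract
        raise ValueError(f"contract attributes not fulfilled: {missing}")
    return {c: inbound[src] for c, src in idp_map.items()}

def build_saml20(contract, sp_map, issuer):
    """SP connection side: populate a SAML 2.0 assertion skeleton from the contract only."""
    ET.register_namespace("saml", SAML20)
    a = ET.Element(f"{{{SAML20}}}Assertion", Version="2.0")
    ET.SubElement(a, f"{{{SAML20}}}Issuer").text = issuer
    subj = ET.SubElement(a, f"{{{SAML20}}}Subject")
    ET.SubElement(subj, f"{{{SAML20}}}NameID").text = contract[sp_map["SAML_SUBJECT"]]
    stmt = ET.SubElement(a, f"{{{SAML20}}}AttributeStatement")
    for name, src in sp_map.items():
        if name != "SAML_SUBJECT":
            attr = ET.SubElement(stmt, f"{{{SAML20}}}Attribute", Name=name)
            ET.SubElement(attr, f"{{{SAML20}}}AttributeValue").text = contract[src]
    return a
```

In this model only attributes mapped into the contract reach the SP, so the unmapped shoeSize value sent by the IdP is dropped at the hub.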