---
title: PingGateway with PingOne as a SAML IdP
description: Configure PingGateway to use PingOne as a SAML 2.0 identity provider with unsigned and unencrypted assertions
component: pinggateway
version: 2026
page_id: pinggateway:pingone:saml-ping-one
canonical_url: https://docs.pingidentity.com/pinggateway/2026/pingone/saml-ping-one.html
revdate: 2025-04-01T17:53:34Z
keywords: ["Configuration", "SAML 2.0", "Federation"]
page_aliases: ["gateway-guide:saml-ping-one.adoc"]
section_ids:
  before_you_start: Before you start
  prepare_pingone: Prepare PingOne
  prepare_pinggateway: Prepare PingGateway
  validation: Validation
---

# PingGateway with PingOne as a SAML IdP

This example shows how to use PingOne as the identity provider with unsigned/unencrypted assertions.

## Before you start

1. Add the following basic PingGateway configuration if you have not already done so:

   1. Set up PingGateway for HTTPS, as described in [Configure PingGateway for TLS (server-side)](../installation-guide/securing-connections.html#server-side-tls).

   2. Add the following route to PingGateway to serve the sample application .css and other static resources:

      * Linux

        `$HOME/.openig/config/routes/00-static-resources.json`

      * Windows

        `%appdata%\OpenIG\config\routes\00-static-resources.json`

      ```json
      {
        "name" : "00-static-resources",
        "baseURI" : "https://app.example.com:8444",
        "condition": "${find(request.uri.path,'^/css') or matchesWithRegex(request.uri.path, '^/.*\\\\.ico$') or matchesWithRegex(request.uri.path, '^/.*\\\\.gif$')}",
        "handler": "ReverseProxyHandler"
      }
      ```

      Source: [00-static-resources.json](../_attachments/config/routes/00-static-resources.json)

2. Set up the network:

   Add `sp.example.com` to your `/etc/hosts` file:

   ```none
   127.0.0.1 localhost am.example.com ig.example.com app.example.com sp.example.com
   ```

   Traffic to the application is proxied through PingGateway, using the host name `sp.example.com`.

3. Save the [sp.xml](../gateway-guide/federation-example-files.html#ping-saml-files) file as the SAML service provider configuration file `$HOME/.openig/SAML/sp.xml`.

## Prepare PingOne

1. [Prepare the PingOne environment and test user](preface.html).

   Make sure you match the test user's credentials to those known to the sample application.

2. In the PingOne environment, create a SAML web application with the following values:

   * Application Name: `saml_app`

   * Description: `SAML application`

   * Application Type: `SAML Application`

3. In the application, select the Import Metadata panel, add the SAML configuration file `sp.xml` and save the application.

4. On the Attribute Mappings panel, click the edit icon and add the following mappings:

   | saml\_app | PingOne     |
   | --------- | ----------- |
   | cn        | Given Name  |
   | sn        | Family Name |

5. On the Configuration panel, click the edit icon and set the SLO BINDING's SUBJECT NAMEID FORMAT to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`.

6. On the Configuration panel, click Download Metadata and save the downloaded file as the identity provider configuration file `$HOME/.openig/SAML/idp.xml`.

7. On the Configuration panel, record the Initiate Single Sign-on URL.

   You need the value to set up PingGateway.

8. At the top-right of the page, click the slider to enable the application.

Learn more from the PingOne documentation [Add a SAML application](https://docs.pingidentity.com/pingone/pingone_tutorials/p1_p1tutorial_add_a_saml_app.html).

## Prepare PingGateway

1. Copy the following [example SAML configuration files](../gateway-guide/federation-example-files.html#ping-saml-files) to `$HOME/.openig/SAML` and edit them to match your configuration:

   | File                          | Required changes                                                                 |
   | ----------------------------- | -------------------------------------------------------------------------------- |
   | `FederationConfig.properties` | None                                                                             |
   | `fedlet.cot`                  | Replace idp-entityID with the value of `EntityDescriptor entityID` in `idp.xml`. |
   | `idp-extended.xml`            | Replace idp-entityID with the value of `EntityDescriptor entityID` in `idp.xml`. |
   | `sp-extended.xml`             | None                                                                             |

2. Make sure the PingGateway configuration at `$HOME/.openig/SAML` contains the following files:

   ```console
   $ ls -l $HOME/.openig/SAML
   ```

   Output

   ```
   FederationConfig.properties
   fedlet.cot
   idp-extended.xml
   idp.xml
   sp-extended.xml
   sp.xml
   ```

3. Add the following route to PingGateway:

   * Linux

     `$HOME/.openig/config/routes/saml-filter.json`

   * Windows

     `%appdata%\OpenIG\config\routes\saml-filter.json`

   ```json
   {
     "name": "saml-filter",
     "baseURI": "https://app.example.com:8444",
     "condition": "${find(request.uri.path, '^/home')}",
     "handler": {
       "type": "Chain",
       "config": {
         "filters": [
           {
             "name": "SamlFilter",
             "type": "SamlFederationFilter",
             "config": {
               "assertionMapping": {
                 "name": "cn",
                 "surname": "sn"
               },
               "subjectMapping": "sp-subject-name",
               "redirectURI": "/home/saml-filter"
             }
           },
           {
             "name": "SetSamlHeaders",
             "type": "HeaderFilter",
             "config": {
               "messageType": "REQUEST",
               "add": {
                 "x-saml-cn": [ "${toString(session.name)}" ],
                 "x-saml-sn": [ "${toString(session.surname)}" ]
               }
             }
           }
         ],
         "handler": "ReverseProxyHandler"
       }
     }
   }
   ```

   Source: [saml-filter.json](../_attachments/config/routes/saml-filter.json)

4. Restart PingGateway.
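
The file edits in steps 1 and 2 above can be scripted. The following is an added example, not part of the PingGateway documentation or product: it reads `entityID` from `idp.xml`, replaces the `idp-entityID` placeholder in `fedlet.cot` and `idp-extended.xml`, and checks that all six files are present. The function names and the demo file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and demo file contents are assumptions.

# Print the entityID attribute of the EntityDescriptor in an IdP metadata file.
idp_entity_id() {
  grep -o 'entityID="[^"]*"' "$1" | head -n 1 | cut -d'"' -f2
}

# Replace the literal placeholder idp-entityID in one file.
# Writes through a temp file so it works without the non-portable sed -i.
fill_placeholder() {
  file=$1
  # Escape characters that are special in a sed replacement (\, &, and the | delimiter).
  esc=$(printf '%s' "$2" | sed 's/[\\&|]/\\&/g')
  sed "s|idp-entityID|$esc|g" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Check the six files, fill the placeholder, confirm the result, print the entityID.
prepare_saml_dir() {
  dir=$1
  for f in FederationConfig.properties fedlet.cot idp-extended.xml \
           idp.xml sp-extended.xml sp.xml; do
    [ -f "$dir/$f" ] || { echo "missing: $dir/$f" >&2; return 1; }
  done
  id=$(idp_entity_id "$dir/idp.xml")
  [ -n "$id" ] || { echo "no entityID found in idp.xml" >&2; return 2; }
  for f in fedlet.cot idp-extended.xml; do
    fill_placeholder "$dir/$f" "$id"
    grep -qF -e "$id" "$dir/$f" || { echo "$f not updated" >&2; return 3; }
  done
  printf '%s\n' "$id"
}

# Demo on constructed stand-ins for the example files (illustrative contents only).
demo() {
  d=$(mktemp -d)
  : > "$d/FederationConfig.properties"; : > "$d/sp-extended.xml"; : > "$d/sp.xml"
  echo '<md:EntityDescriptor entityID="https://idp.example.com/constructed-env"/>' > "$d/idp.xml"
  echo 'sun-fm-trusted-providers=idp-entityID, sp' > "$d/fedlet.cot"
  echo '<EntityConfig entityID="idp-entityID" hosted="false"/>' > "$d/idp-extended.xml"
  prepare_saml_dir "$d" && cat "$d/fedlet.cot" "$d/idp-extended.xml"
  rm -rf "$d"
}
demo
```

Against a real installation, call `prepare_saml_dir "$HOME/.openig/SAML"` instead of `demo`; the function is safe to rerun because it only requires that both files contain the entityID afterwards.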

## Validation

Test IdP-initiated login:

1. In your browser's privacy or incognito mode, go to the URL given by the web application property Initiate Single Sign-on URL.

   PingOne displays the sign-on page.

2. Sign on to PingOne as the test user.

   PingGateway displays the sample application home page.

Test SP-initiated login:

1. In your browser's privacy or incognito mode, go to <https://sp.example.com:8443/home>.

2. Sign on as the test user.

   The request is redirected to the sample application.

   PingGateway displays the sample application home page.

If a request returns an HTTP 414 URI Too Long error, read [URI Too Long error](../maintenance-guide/troubleshooting.html#troubleshoot-HTTP414).
