Editing an application - SAML
Use the Applications page to edit existing SAML applications.
Steps

1. Go to Applications > Applications and browse or search for the application that you want to edit.

2. Click the application entry to open the details panel.

3. On the Overview tab, click the Pencil icon and enter or edit the following:

   Application Name
       A unique identifier for the application.
   Description (optional)
       A brief description of the application.
   Icon (optional)
       A pictorial representation of the application. Use a file up to 1MB in JPG, JPEG, GIF, or PNG format.
   Home Page URL
       The default home page for the application.
   Signon URL
       The URL to which the application redirects the end user for sign-on.

   If you created this application using the Application Catalog page, you can enable advanced configuration options. Click the Enable Advanced Configuration button to access all application settings on the Configuration tab.
4. On the Configuration tab, click the Pencil icon and enter or edit the following:

   ACS URLs
       The assertion consumer service URLs. You must specify at least one URL. The first URL in the list is used as the default. If the service provider includes the optional AssertionConsumerServiceURL element in authentication requests, the incoming value must match one of the URLs defined here.
   Signing key
       The certificate that confirms that requests, responses, and assertions actually came from the service provider (SP). Select the appropriate certificate from the list of available RSA or EC certificates. Learn more about adding a certificate in Adding a certificate and key pair.
       Select whether to sign assertions, responses, or both.
       Select the algorithm to use for signing metadata. If you select an RSA signing certificate, the options are RSA_SHA256, RSA_SHA384, and RSA_SHA512. If you select an EC signing certificate, the options are SHA256_ECDSA, SHA384_ECDSA, and SHA512_ECDSA.
   Encryption
       If selected, the assertions PingOne sends to the SAML application are encrypted. Available for SAML 2.0 applications only.
       Select the algorithm for encrypting the assertions, either AES_128 or AES_256 (recommended).
       Import a certificate or select an existing one from the list of available certificates. Learn more about adding a certificate in Adding a certificate and key pair.
   Entity ID
       The SP entity ID used to look up the application. This is a required property and is unique within the environment.
   SLO endpoint
       The URL of the single logout (SLO) service. PingOne redirects the browser to this location when it needs to send an SLO message to the service provider. Learn more in SAML 2.0 single logout.
   SLO response endpoint (optional)
       The URL of the SLO response service. You can use this option if you have a separate service for SLO responses. If this value is blank, PingOne sends responses to the SLO endpoint.
   SLO window
       Defines how long PingOne can exchange logout messages with the application, specifically a LogoutRequest from the application, after the initial request. PingOne can also send a LogoutRequest to the application when SLO is initiated by the user from other session participants, such as an application or identity provider (IdP). This setting is per application. This logout is separate from the user session logout that revokes all tokens. The minimum value is 1 hour and the maximum is 24 hours. You should start with a value of 2 hours and then fine-tune as needed.
   SLO binding
       The SAML binding used by the application. The default is HTTP POST. Select HTTP Redirect as needed.
   Subject NameID format
       A string that specifies the format of the subject NameID attribute in the SAML assertion. Options are:
       - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified (default). The subject NameID is not specified. Use this format if you are not sure which format to use.
       - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress. The subject NameID is in the form of an email address.
       - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent. The subject NameID is an opaque unique identifier for a user that retains the same value over time.
       - urn:oasis:names:tc:SAML:2.0:nameid-format:transient. The subject NameID is a randomly generated identifier. A different value is used for each single sign-on (SSO) for a given user.
   Assertion validity duration
       The maximum amount of time that an assertion is valid (in seconds).
   AuthnStatement session validity duration
       Update this value (in seconds) if the SAML application requires a different SessionNotOnOrAfter attribute value in the AuthnStatement element than the NotOnOrAfter value set by the Assertion validity duration setting.
   Target application URL
       This option is required by some applications as the target URL. It's used in IdP-initiated SSO for deep linking. The application URL is passed in the RelayState parameter by the IdP.
   Enforce Signed AuthnRequest
       If selected, PingOne accepts only signed SAML requests and rejects unsigned SAML requests. Verifying the digital signature enables PingOne to validate the authenticity and integrity of the SAML request. This can help mitigate data tampering attacks on attributes, such as the RequestedAuthnContext element in AuthnRequest. Learn more in RequestedAuthnContext.
   Verification certificate
       A certificate that confirms that the SAML assertions actually came from the sender. Select or import the appropriate certificate. The list shows the certificates that are available. Learn more in Adding a certificate and key pair.
   Select Policy based on RequestedAuthnContext
       If selected, and if the RequestedAuthnContext value is an exact match to one of the configured policies, PingOne invokes the policy. Otherwise, it returns an error to the application. Learn more in RequestedAuthnContext.
   CORS Settings
       Specifies the CORS options for the application. Learn more in Cross-origin resource sharing.
       - Allow any CORS-safe origin (default): Allows the application to access resources from a domain that is CORS-safelisted, according to the Fetch specification.
       - Allow specific origins: Allows the application to access resources from a specific domain.
         - Allowed origins: Specifies the allowed origin domains for CORS. You can specify a domain pattern or a valid IPv4 address. If you use a domain pattern, you can specify one wildcard to match incoming requests. You cannot use the wildcard on the domain name.
           For example, the following patterns are valid:
           - https://*.test.com
           - https://www.app*.test.com
           The following patterns are not valid:
           - https://test*.com
           - https://www.app.test*.com
       - Disallow all origins: Don't allow the application to access resources from a cross-origin domain.
       After you make changes to the CORS Settings, it can take several minutes for the new settings to take effect, due to time-to-live configuration on the resource.
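The Allowed origins rules above (one wildcard at most, never on the domain name, or a literal IPv4 address) are easy to get subtly wrong in a reverse proxy or gateway that fronts the application, so it helps to see them as code. The following Python is an added example, not PingOne's code. Beyond what the page states it assumes that "the domain name" on which the wildcard may not appear is the last two labels (the reading under which the four examples above come out right), that the wildcard matches one or more characters inside a single label, and that an absent port means the scheme's default port; the origins it is run against are constructed.

```python
from __future__ import annotations
import ipaddress
import re

# Added example (not PingOne code). Assumptions beyond the page: "the domain
# name" that may not carry the wildcard is the final two labels; a wildcard
# matches one or more characters inside a single label; an absent port means
# the scheme's default port.

_ORIGIN_RE = re.compile(r"^(https?)://([^/:?#]+)(?::(\d{1,5}))?$")
_DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(value: str) -> tuple[str, str, int]:
    """Split scheme://host[:port] into (scheme, host, port); anything else is rejected."""
    m = _ORIGIN_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a bare origin: {value!r}")
    scheme, host, port = m.group(1).lower(), m.group(2).lower(), m.group(3)
    return scheme, host, int(port) if port else _DEFAULT_PORTS[scheme]


def is_valid_pattern(pattern: str) -> bool:
    """True if `pattern` is an acceptable Allowed origins entry under the page's rules."""
    try:
        _, host, _ = parse_origin(pattern)
    except ValueError:
        return False
    if "*" not in host:
        try:
            ipaddress.IPv4Address(host)      # literal IPv4 address
            return True
        except ValueError:
            # plain domain: letters, digits, hyphens, at least two labels
            return re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", host) is not None
    if host.count("*") > 1:
        return False                         # only one wildcard is allowed
    labels = host.split(".")
    if len(labels) < 3:
        return False                         # only the domain name is left, and it may not hold the wildcard
    wildcard_at = next(i for i, label in enumerate(labels) if "*" in label)
    return wildcard_at < len(labels) - 2     # wildcard must sit left of the domain name


def origin_matches(pattern: str, origin: str) -> bool:
    """Decide whether a browser-supplied Origin header value satisfies one pattern."""
    if not is_valid_pattern(pattern):
        raise ValueError(f"invalid Allowed origins pattern: {pattern!r}")
    p_scheme, p_host, p_port = parse_origin(pattern)
    try:
        o_scheme, o_host, o_port = parse_origin(origin)
    except ValueError:
        return False                         # "null", malformed or path-bearing values never match
    if (p_scheme, p_port) != (o_scheme, o_port):
        return False                         # scheme and port are part of the origin, not just the host
    host_re = re.escape(p_host).replace(r"\*", r"[^.]+")   # one wildcard, one label
    return re.fullmatch(host_re, o_host) is not None


if __name__ == "__main__":
    for p in ("https://*.test.com", "https://www.app*.test.com",
              "https://test*.com", "https://www.app.test*.com"):
        print(f"{p:28} valid={is_valid_pattern(p)}")
    print(origin_matches("https://*.test.com", "https://login.test.com"))   # True
    print(origin_matches("https://*.test.com", "https://a.b.test.com"))     # False
```

Two points worth noting in the matcher: an Origin header carries scheme and port as well as host, so `https://login.test.com:8443` does not satisfy `https://*.test.com`, and the literal value `null` (sent by browsers for sandboxed or file-origin pages) never matches anything.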
5. On the Attribute mappings tab, click the Pencil icon, select a PingOne user attribute, and map it to an attribute in the application. Learn more in Mapping attributes.

   - Enter a SAML attribute and then select the corresponding PingOne attribute from the list.
   - Click the More Options (⋮) icon to configure nameFormat for the SAML attribute. To use a name format other than Subject, select an option from the list. If you don't select an option, PingOne uses the basic format as default. The options are:
     - uri: The attribute follows the convention for URI references. The interpretation of the URI content is application specific.
     - basic: The strings in the attribute must be drawn from the values belonging to the primitive type xs:Name.
     - unspecified: The attribute can be any format. The interpretation of the content is application specific.
   - Click the Gear icon to use the expression builder to build an attribute mapping. Learn more in Using the expression builder.
   - Select Required to define the attribute as required for the application.
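Seen from the service provider, several of the settings above are values the SP should check in every assertion it receives: the Configuration tab's ACS URLs (the Recipient), Entity ID (the Audience), Subject NameID format, Assertion validity duration (the Conditions window) and AuthnStatement session validity duration (SessionNotOnOrAfter), plus the attribute nameFormat options in this step. The following Python is an added example of those checks, not PingOne code; the assertion, URLs, issuer and the 60-second clock-skew allowance are constructed assumptions, and signature verification is left to an XML-DSig library.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET   # use defusedxml for XML from an untrusted party
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The four Subject NameID formats offered on the Configuration tab.
NAMEID_FORMATS = (
    {"urn:oasis:names:tc:SAML:1.1:nameid-format:" + s for s in ("unspecified", "emailAddress")}
    | {"urn:oasis:names:tc:SAML:2.0:nameid-format:" + s for s in ("persistent", "transient")}
)
# PingOne nameFormat option -> the SAML 2.0 NameFormat URI it stands for.
ATTR_NAME_FORMATS = {k: "urn:oasis:names:tc:SAML:2.0:attrname-format:" + k
                     for k in ("uri", "basic", "unspecified")}


@dataclass(frozen=True)
class SpConfig:
    acs_urls: tuple[str, ...]     # ACS URLs; the Recipient must be one of them
    entity_id: str                # Entity ID, expected as the Audience
    nameid_format: str            # Subject NameID format
    assertion_validity_s: int     # Assertion validity duration (seconds)
    session_validity_s: int       # AuthnStatement session validity duration (seconds)
    clock_skew_s: int = 60        # assumption: tolerated IdP/SP clock drift


def _ts(value: str) -> datetime:
    """Parse the UTC xs:dateTime form used in SAML (e.g. 2024-05-01T12:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text: str, cfg: SpConfig, now: datetime) -> list[str]:
    """Return every problem found; an empty list means the assertion passed."""
    problems: list[str] = []
    skew = timedelta(seconds=cfg.clock_skew_s)
    a = ET.fromstring(xml_text)

    # ACS URLs: the assertion must be addressed to one of the configured URLs.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient not in cfg.acs_urls:
        problems.append(f"Recipient {recipient!r} is not a configured ACS URL")

    # Entity ID: this SP must be a listed Audience.
    audiences = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if cfg.entity_id not in audiences:
        problems.append(f"Audience {audiences!r} does not name entity ID {cfg.entity_id!r}")

    # Subject NameID format: must be the one configured for the application.
    nameid = a.find("saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format") if nameid is not None else None
    if fmt not in NAMEID_FORMATS or fmt != cfg.nameid_format:
        problems.append(f"NameID Format {fmt!r} is not the expected {cfg.nameid_format!r}")

    # Assertion validity duration: now must fall inside the Conditions window, and the
    # window itself must not be longer than the configured duration.
    cond = a.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        problems.append("Conditions/NotOnOrAfter missing")
    else:
        not_after = _ts(cond.get("NotOnOrAfter"))
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore in the future)")
        if now - skew >= not_after:
            problems.append("assertion expired (NotOnOrAfter passed)")
        if not_after - _ts(a.get("IssueInstant")) > timedelta(seconds=cfg.assertion_validity_s):
            problems.append("assertion lifetime exceeds Assertion validity duration")

    # AuthnStatement session validity duration: the same two checks on SessionNotOnOrAfter.
    authn = a.find("saml:AuthnStatement", NS)
    if authn is not None and authn.get("SessionNotOnOrAfter"):
        session_end = _ts(authn.get("SessionNotOnOrAfter"))
        if now - skew >= session_end:
            problems.append("session expired (SessionNotOnOrAfter passed)")
        if session_end - _ts(authn.get("AuthnInstant")) > timedelta(seconds=cfg.session_validity_s):
            problems.append("session lifetime exceeds AuthnStatement session validity duration")

    # Attribute nameFormat: only uri, basic or unspecified (the SAML default when absent).
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        nf = attr.get("NameFormat", ATTR_NAME_FORMATS["unspecified"])
        if nf not in ATTR_NAME_FORMATS.values():
            problems.append(f"attribute {attr.get('Name')!r} has unknown NameFormat {nf!r}")
    return problems


# Constructed sample: an assertion as it would look under the settings in SP_CONFIG.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1"
  Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <Issuer>https://auth.pingone.example/ENV_ID_PLACEHOLDER</Issuer>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData Recipient="https://sp.example.com/saml/acs" NotOnOrAfter="2024-05-01T12:05:00Z"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <AudienceRestriction><Audience>https://sp.example.com</Audience></AudienceRestriction>
  </Conditions>
  <AuthnStatement AuthnInstant="2024-05-01T12:00:00Z" SessionNotOnOrAfter="2024-05-01T20:00:00Z"/>
  <AttributeStatement>
    <Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <AttributeValue>alice@example.com</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""

SP_CONFIG = SpConfig(acs_urls=("https://sp.example.com/saml/acs",),
                     entity_id="https://sp.example.com",
                     nameid_format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
                     assertion_validity_s=300, session_validity_s=28800)


def verify_sample(iso_now: str, **overrides) -> list[str]:
    """Run the checks on the sample at a given UTC instant, optionally overriding settings."""
    return check_assertion(SAMPLE_ASSERTION, replace(SP_CONFIG, **overrides), _ts(iso_now))
```

The lifetime checks are the reason to know the two duration settings: an assertion whose NotOnOrAfter is further from IssueInstant than the configured Assertion validity duration, or a SessionNotOnOrAfter further from AuthnInstant than the AuthnStatement session validity duration, did not come out of this configuration and deserves a closer look even if its signature verifies.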
6. On the Policies tab, click the Pencil icon and select the authentication policies for the application.

   If you have a DaVinci license, you can select PingOne policies or DaVinci flow policies, but not both. If you don't have a DaVinci license, you'll see PingOne policies only.

   To add one or more PingOne authentication policies, click the PingOne Policies tab. If the application was previously configured with one or more DaVinci flow policies, click Deselect all other Policies to remove them from the application and select the PingOne authentication policies you want to apply to the application. PingOne authentication policies are applied in the order in which they appear in the list. Click the Selected PingOne Policies tab, reorder the policies as needed, and click Save.

   To add one or more DaVinci flow policies, click the DaVinci Policies tab. If the application was previously configured with one or more PingOne authentication policies, click Deselect all other Policies to remove them from the application and select the DaVinci flow policies you want to apply to the application. PingOne applies the first DaVinci flow policy in the list. Click the Selected DaVinci Policies tab, reorder the policies as needed, and click Save.

   When invoking an IdP-initiated SSO request from PingOne, the Initiate Single Sign-On URL can optionally include the flowPolicyId HTTP request parameter to indicate the desired PingOne authentication policy by its name or the ID of the desired DaVinci flow policy that PingOne should use to authenticate the user. The specified policy must be added to the application. Learn more in Identity Provider Initiated SSO in the PingOne API documentation.

   When processing an SP-initiated SSO request PingOne receives from the application, the application can include the RequestedAuthnContext element in its authentication request to indicate the desired PingOne authentication policy by its name or the ID of the desired DaVinci flow policy that PingOne should use to authenticate the user. The application must have Select Policy based on RequestedAuthnContext enabled on the Configuration tab, and the specified policy must be added to the application. Learn more in Authentication policies for applications.
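The identity-provider-side decisions described in this step and on the Configuration tab (the default ACS URL and the AssertionConsumerServiceURL match, Enforce Signed AuthnRequest, Select Policy based on RequestedAuthnContext, and the flowPolicyId parameter) can be written down as a small resolver, which is a useful way to reason about what each toggle changes. The Python below is an added example, not PingOne's implementation. It assumes that the policy name or ID travels in AuthnContextClassRef and that the first listed policy applies when nothing is requested; the request, URLs and policy names are constructed placeholders, and a present Signature is only detected, not cryptographically verified.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET   # use defusedxml for XML from an untrusted party
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


@dataclass(frozen=True)
class AppConfig:
    acs_urls: tuple[str, ...]              # ACS URLs; the first is the default
    policies: tuple[str, ...]              # policies added to the application, in list order
    enforce_signed_authn_request: bool     # Enforce Signed AuthnRequest
    select_policy_by_context: bool         # Select Policy based on RequestedAuthnContext


@dataclass(frozen=True)
class Decision:
    accepted: bool
    acs_url: str | None = None
    policy: str | None = None
    reason: str = ""


def resolve_sp_initiated(authn_request_xml: str, cfg: AppConfig) -> Decision:
    """Apply the Configuration-tab rules to an SP-initiated AuthnRequest."""
    req = ET.fromstring(authn_request_xml)

    # Enforce Signed AuthnRequest: unsigned requests are rejected outright. A present
    # Signature must additionally be verified against the Verification certificate
    # with an XML-DSig library; that cryptographic step is not shown here.
    if cfg.enforce_signed_authn_request and req.find("ds:Signature", NS) is None:
        return Decision(False, reason="unsigned AuthnRequest rejected")

    # ACS URLs: an explicit AssertionConsumerServiceURL must be one of the configured
    # URLs; when it is absent, the first configured URL is the default.
    acs = req.get("AssertionConsumerServiceURL", cfg.acs_urls[0])
    if acs not in cfg.acs_urls:
        return Decision(False, reason=f"AssertionConsumerServiceURL {acs!r} is not configured")

    # Select Policy based on RequestedAuthnContext: exact match or an error. Assumption:
    # the policy name or ID travels in AuthnContextClassRef, and with no request the
    # first policy in the list is used.
    policy = cfg.policies[0]
    ref = req.find("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    if cfg.select_policy_by_context and ref is not None:
        requested = (ref.text or "").strip()
        if requested not in cfg.policies:
            return Decision(False, reason=f"RequestedAuthnContext {requested!r} matches no added policy")
        policy = requested
    return Decision(True, acs_url=acs, policy=policy)


def resolve_idp_initiated(initiate_sso_url: str, cfg: AppConfig) -> Decision:
    """Honour the optional flowPolicyId parameter on an Initiate Single Sign-On URL."""
    requested = parse_qs(urlsplit(initiate_sso_url).query).get("flowPolicyId", [None])[0]
    if requested is None:
        return Decision(True, acs_url=cfg.acs_urls[0], policy=cfg.policies[0])
    if requested not in cfg.policies:
        return Decision(False, reason=f"flowPolicyId {requested!r} is not added to the application")
    return Decision(True, acs_url=cfg.acs_urls[0], policy=requested)


# Constructed sample request and settings (IDs, URLs and policy names are placeholders).
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T12:00:00Z" AssertionConsumerServiceURL="https://sp.example.com/saml/acs">
  <saml:Issuer>https://sp.example.com</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>Multi_Factor</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

APP_CONFIG = AppConfig(
    acs_urls=("https://sp.example.com/saml/acs", "https://sp.example.com/saml/acs2"),
    policies=("Single_Factor", "Multi_Factor"),
    enforce_signed_authn_request=False,
    select_policy_by_context=True,
)
```

The order of the checks matters: with Enforce Signed AuthnRequest on, a tampered unsigned request never reaches the policy-selection step, which is exactly the tampering on RequestedAuthnContext that the Configuration tab describes the setting as mitigating.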
7. On the Access tab, click the Pencil icon and enter or edit the following:

   Application portal display
       Determines whether an application icon appears in the application portal even if the user is allowed to access the application in the application portal based on the group membership policy. Learn more in Application access control.
   Admin only access
       Specifies that a user with an administrator role is required to access the application. The user must have one of the following roles:
       - Organization Admin
       - Environment Admin
       - Identity Data Admin
       - Client Application Developer
   Group membership policy
       Select the group membership policy for the application. Learn more in Groups.

8. Click Save.