Initiating SSO from PingOne
Configure single sign-on (SSO) initiated from PingOne to give users one-click access to the applications they need.
With IdP-initiated SSO, an IdP sends an unsolicited SAML assertion to an SP to sign a user on to an application. Some SPs support or require the IdP to include the target, also known as RelayState, in SSO requests to enable deep linking.
PingOne supports IdP-initiated SSO at the /saml20/idp/startsso endpoint. You can find the Initiate Single Sign-On URL on the Overview tab of the application.
PingOne also supports sending RelayState to the application. Target Application URL is the default RelayState value. The default value can be overridden by the applicationUrl HTTP request query parameter if you append it to the Initiate Single Sign-On URL.
If Target Application URL isn’t configured and the Initiate Single Sign-On URL doesn’t include the applicationUrl request parameter, PingOne doesn’t send a RelayState value to the application.
If the application supports a target, configure Target Application URL to reduce the possibility that the application rejects an IdP-initiated SSO request because the RelayState value is missing.
Steps
- In the PingOne admin console, go to Applications > Applications and browse or search for the appropriate application.
  You can configure a new SAML application or edit an existing one. Learn more in Editing an application - SAML.
- Click the application entry to open the details panel.
- On the Overview tab, copy the Initiate Single Sign-On URL.
- (Optional) Append the applicationUrl HTTP request query parameter to the Initiate Single Sign-On URL.
  Example 1
  If the Initiate Single Sign-On URL is https://sso.example.com/saml20/idp/startsso?spEntityId=<exampleSP> without the applicationUrl HTTP request query parameter:
  - If Target Application URL isn’t configured, PingOne doesn’t send a RelayState to the application.
  - If Target Application URL is configured, PingOne sends the configured value as the RelayState value to the application.
  Example 2
  If the Initiate Single Sign-On URL is https://sso.example.com/saml20/idp/startsso?spEntityId=<exampleSP>&applicationUrl=<abc> with the applicationUrl HTTP request query parameter, PingOne sends <abc> as the RelayState value to the application regardless of whether Target Application URL is configured.
Next steps
You can make the URL available to your users or embed it in an external application to launch the app and initiate SSO through PingOne.
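The sketch below is an added example, not PingOne code. It appends applicationUrl with percent-encoding so that a deep link carrying its own query string survives as a single parameter, models the RelayState precedence from Examples 1 and 2, and shows an SP-side allowlist check, because the applicationUrl value is chosen by whoever builds the link. The function names, the app.example.com host, and the allowlist are assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample values: the SP entity ID and hosts are placeholders.
INITIATE_SSO_URL = "https://sso.example.com/saml20/idp/startsso?spEntityId=exampleSP"
ALLOWED_TARGETS = {("https", "app.example.com")}  # assumption: the SP's own origins


def with_application_url(initiate_url, application_url):
    """Append applicationUrl to the Initiate Single Sign-On URL, percent-encoded."""
    parts = urlsplit(initiate_url)
    # Drop any applicationUrl already present so the parameter appears only once.
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != "applicationUrl"]
    query.append(("applicationUrl", application_url))
    return urlunsplit(parts._replace(query=urlencode(query)))


def effective_relay_state(initiate_url, target_application_url=None):
    """Model of the page's rules: query parameter, else configured default, else none."""
    params = dict(parse_qsl(urlsplit(initiate_url).query))
    return params.get("applicationUrl", target_application_url)


def sp_accepts_relay_state(relay_state, allowed=ALLOWED_TARGETS):
    """SP-side check before redirecting: absolute https URL on an allowlisted host."""
    if not relay_state:
        return False
    # Backslashes and control characters are parsed differently by browsers; reject them.
    if "\\" in relay_state or any(ord(c) < 0x21 for c in relay_state):
        return False
    parts = urlsplit(relay_state)
    return (parts.scheme, parts.hostname) in allowed


if __name__ == "__main__":
    deep_link = "https://app.example.com/reports?id=7&view=full"
    url = with_application_url(INITIATE_SSO_URL, deep_link)
    print(url)
    print(effective_relay_state(url, "https://app.example.com/home"))
    print(sp_accepts_relay_state(effective_relay_state(url)))
```

Without the encoding step, the `&view=full` part of the deep link would be read as a separate parameter of the startsso request rather than as part of applicationUrl.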