PingOne

Initiating SSO from PingOne

Configure single sign-on (SSO) initiated from PingOne to give users one-click access to the applications they need.

In IdP-initiated SSO, an IdP sends an unsolicited SAML assertion to an SP to sign a user on to an application. Some SPs support or require the IdP to include the target, also known as RelayState, in SSO requests to enable deep linking.

PingOne supports IdP-initiated SSO at the /saml20/idp/startsso endpoint. You can find the Initiate Single Sign-On URL on the Overview tab of the application.

PingOne also supports sending RelayState to the application. Target Application URL is the default RelayState value. You can override the default value by appending the applicationUrl HTTP request query parameter to the Initiate Single Sign-On URL.

If Target Application URL isn’t configured and the Initiate Single Sign-On URL doesn’t include the applicationUrl request parameter, PingOne doesn’t send a RelayState value to the application.

If the application supports a target, configure Target Application URL to reduce the possibility that the application rejects an IdP-initiated SSO request because the RelayState value is missing.

RelayState isn’t necessarily a URL. Consult with the application owner for the required values before you configure URLs for users to start IdP-initiated SSO requests.

Steps

  1. In the PingOne admin console, go to Applications > Applications and browse or search for the appropriate application.

    You can configure a new SAML application or edit an existing one. Learn more in Editing an application - SAML.

  2. Click the application entry to open the details panel.

  3. On the Overview tab, copy the Initiate Single Sign-On URL.

  4. (Optional) Append the applicationUrl HTTP request query parameter to the Initiate Single Sign-On URL.

    Example 1

    If the Initiate Single Sign-On URL is https://sso.example.com/saml20/idp/startsso?spEntityId=<exampleSP> without the applicationUrl HTTP request query parameter:

    • If Target Application URL isn’t configured, PingOne doesn’t send a RelayState to the application.

    • If Target Application URL is configured, PingOne sends the configured value as the RelayState value to the application.

    Example 2

    If the Initiate Single Sign-On URL is https://sso.example.com/saml20/idp/startsso?spEntityId=<exampleSP>&applicationUrl=<abc> with the applicationUrl HTTP request query parameter, PingOne sends <abc> as the RelayState value to the application regardless of whether Target Application URL is configured.
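The following added example (not PingOne code) builds the link from step 4 with a percent-encoded applicationUrl and applies the precedence from Examples 1 and 2 to predict the RelayState. The helper names, the sample deep link and the handling of an empty applicationUrl are assumptions; the last case shows how standard query-string parsing truncates a target that is appended without encoding.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample values; "exampleSP" stands in for the page's <exampleSP>.
BASE = "https://sso.example.com/saml20/idp/startsso?spEntityId=exampleSP"
DEEP_LINK = "https://app.example.com/reports?id=42&view=full"
TARGET_APPLICATION_URL = "https://app.example.com/home"


def build_initiate_sso_url(initiate_sso_url, application_url=None):
    """Append applicationUrl, percent-encoded, replacing any existing one."""
    parts = urlsplit(initiate_sso_url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != "applicationUrl"]
    if application_url is not None:
        params.append(("applicationUrl", application_url))
    return urlunsplit(parts._replace(query=urlencode(params)))


def expected_relay_state(sso_url, target_application_url=None):
    """RelayState per the precedence on this page; None means none is sent."""
    query = dict(parse_qsl(urlsplit(sso_url).query))
    # Assumption: only a non-empty applicationUrl counts as an override; the
    # page does not say how an empty value is handled.
    return query.get("applicationUrl") or target_application_url


if __name__ == "__main__":
    encoded = build_initiate_sso_url(BASE, DEEP_LINK)
    naive = BASE + "&applicationUrl=" + DEEP_LINK  # unencoded: '&view=full' splits off
    for label, url, target in [
        ("no parameter, no target", BASE, None),
        ("no parameter, target set", BASE, TARGET_APPLICATION_URL),
        ("encoded parameter", encoded, TARGET_APPLICATION_URL),
        ("naive concatenation", naive, TARGET_APPLICATION_URL),
    ]:
        print(f"{label:26} -> {expected_relay_state(url, target)!r}")
```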

Next steps

You can make the URL available to your users or embed it in an external application to launch the app and initiate SSO through PingOne.