---
title: Initiating SSO from PingOne
description: Configure SSO initiated from PingOne to give users one-click access to the applications they need.
component: pingone
page_id: pingone:applications:p1_initiating_sso
canonical_url: https://docs.pingidentity.com/pingone/applications/p1_initiating_sso.html
revdate: May 3, 2024
page_aliases: ["integrations:p1_initiating_sso.adoc"]
section_ids:
  steps: Steps
  next-steps: Next steps
---

# Initiating SSO from PingOne

Configure single sign-on (SSO) initiated from PingOne to give users one-click access to the applications they need. SSO is the process of authenticating an identity (signing on) at one website (usually with a user ID and password) and then accessing resources secured by other domains without reauthenticating.

In IdP-initiated SSO, an identity provider (IdP) sends an unsolicited SAML assertion to a service provider (SP) to sign a user on to an application. Some SPs support or require the IdP to include the target, also known as `RelayState`, in SSO requests to enable deep linking.

PingOne supports IdP-initiated SSO at the `/saml20/idp/startsso` endpoint. You can find the **Initiate Single Sign-On URL** on the **Overview** tab of the application.

PingOne also supports sending `RelayState` to the application. **Target Application URL** is the default `RelayState` value. The default value can be overridden by the `applicationUrl` HTTP request query parameter if you append it to the **Initiate Single Sign-On URL**.

If **Target Application URL** isn't configured and the **Initiate Single Sign-On URL** doesn't include the `applicationUrl` request parameter, PingOne doesn't send a `RelayState` value to the application.

If the application supports a target, configure **Target Application URL** to reduce the possibility that the application rejects an IdP-initiated SSO request because the `RelayState` value is missing.

`RelayState` isn't necessarily a URL. Consult with the application owner for the required values before you configure URLs for users to start IdP-initiated SSO requests.

## Steps

1. In the PingOne admin console, go to **Applications > Applications** and browse or search for the appropriate application.

   You can configure a new SAML application or edit an existing one. Learn more in [Editing an application - SAML](p1_edit_application_saml.html).

2. Click the application entry to open the details panel.

3. On the **Overview** tab, copy the **Initiate Single Sign-On URL**.

4. (Optional) Append the `applicationUrl` HTTP request query parameter to the **Initiate Single Sign-On URL**.

   **Example 1**

   If the **Initiate Single Sign-On URL** is `https://sso.example.com/saml20/idp/startsso?spEntityId=<exampleSP>` without the `applicationUrl` HTTP request query parameter:

   * If **Target Application URL** isn't configured, PingOne doesn't send a `RelayState` to the application.

   * If **Target Application URL** is configured, PingOne sends the configured value as the `RelayState` value to the application.

   **Example 2**

   If the **Initiate Single Sign-On URL** is `https://sso.example.com/saml20/idp/startsso?spEntityId=<exampleSP>&applicationUrl=<abc>` with the `applicationUrl` HTTP request query parameter, PingOne sends `<abc>` as the `RelayState` value to the application regardless of whether **Target Application URL** is configured.
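
The following is an added example, not PingOne code: it appends `applicationUrl` with percent-encoding and resolves which `RelayState` value results under the precedence rules in Examples 1 and 2. The host names, the `exampleSP` entity ID, the deep link, and the function names are constructed for illustration, and it assumes the query string is parsed the way Python's `urllib` parses it.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample values, not taken from a real environment.
INITIATE_SSO_URL = "https://sso.example.com/saml20/idp/startsso?spEntityId=exampleSP"
DEEP_LINK = "https://app.example.com/reports?id=42&view=full"


def with_application_url(initiate_sso_url, application_url):
    """Append applicationUrl, percent-encoded, replacing any existing value."""
    parts = urlsplit(initiate_sso_url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != "applicationUrl"]
    params.append(("applicationUrl", application_url))
    return urlunsplit(parts._replace(query=urlencode(params)))


def effective_relay_state(initiate_sso_url, target_application_url=None):
    """RelayState per the rules on this page; None means none is sent.

    Assumption: the query string is parsed the way urllib parses it.
    """
    params = dict(parse_qsl(urlsplit(initiate_sso_url).query))
    if "applicationUrl" in params:
        return params["applicationUrl"]      # overrides Target Application URL
    return target_application_url or None    # configured default, if any


def naive_append(initiate_sso_url, application_url):
    """Unencoded concatenation, shown only to expose the truncation."""
    return initiate_sso_url + "&applicationUrl=" + application_url


if __name__ == "__main__":
    good = with_application_url(INITIATE_SSO_URL, DEEP_LINK)
    bad = naive_append(INITIATE_SSO_URL, DEEP_LINK)
    print(good)
    print(effective_relay_state(good, "https://app.example.com/home"))
    print(effective_relay_state(bad))   # deep link cut at its first '&'
    print(effective_relay_state(INITIATE_SSO_URL))
```

The functions treat the value as an opaque string, so the same encoding applies when the application expects a `RelayState` that is not a URL.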

## Next steps

You can make the URL available to your users or embed it in an external application to launch the app and initiate SSO through PingOne.
