PingOne

Virtual server IDs for SAML applications

Virtual server IDs (VSIDs) allow a PingOne environment to identify itself differently when connecting to a SAML application. Using VSIDs is necessary if:

  • The SAML application requires PingOne to use unique identifiers to connect to the application for different purposes, such as development, testing, and production.

  • The service provider (SP) doesn’t provide unique identifiers, also known as entity IDs, for different purposes.

You can provide your organization’s application team with sets of metadata for each VSID to complete integrations for different purposes.

When you need virtual server IDs

Use VSIDs when the SP doesn’t provide unique identifiers for different purposes and when each identity provider (IdP) needs to identify itself differently when connecting to the SP.

Example scenario

An SP called Widget always identifies itself as https://<idp>.widget.com and expects the IdP called Who’s at Work to use unique identifiers when connecting to it for different purposes, such as the following:

Development

  • Who’s at Work entity ID: urn:widget:us:whosatwork:sso:dev

  • Widget entity ID: https://whosatwork.widget.com

Testing

  • Who’s at Work entity ID: urn:widget:us:whosatwork:sso:test

  • Widget entity ID: https://whosatwork.widget.com

Production

  • Who’s at Work entity ID: https://sso.whosatwork.com

  • Widget entity ID: https://whosatwork.widget.com

In this scenario, you would create one SAML application with three respective VSIDs to use for each purpose. When processing a SAML request, PingOne determines the applicable VSID based on the request URL and configuration and populates the assertion Issuer element with the VSID.

When you don’t need virtual server IDs

If the IdP and SP are able to connect to each other with unique entity IDs for different purposes, such as in the following example, you don’t need to use VSIDs.

Example scenario

For example, using the examples from the previous scenario, Who’s at Work (the IdP) and Widget (the SP) connect to each other for different purposes, such as the following. Who’s at Work uses PingOne with a custom domain of sso.whosatwork.com.

Development

  • Who’s at Work entity ID: https://sso.whosatwork.com

  • Widget entity ID: https://whosatwork-dev.widget.com

Testing

  • Who’s at Work entity ID: https://sso.whosatwork.com

  • Widget entity ID: https://whosatwork-test.widget.com

Production

  • Who’s at Work entity ID: https://sso.whosatwork.com

  • Widget entity ID: https://whosatwork.widget.com

In this scenario, you would create three SAML applications, each with a different SP entity ID. When processing a SAML request, PingOne populates the assertion Issuer element using the default server ID.

SAML entity IDs

When you add a SAML application to PingOne, PingOne is the IdP, and the application is the SP. The IdP and SP identify each other with the entity ID. When an IdP creates a SAML assertion, the IdP populates the Issuer element with its own entity ID and the Audience element with the SP’s entity ID.

IdP metadata

When multiple VSIDs are defined for an application, the application team will need sets of metadata for each VSID to complete integrations for different purposes, such as development, testing, and production. Each VSID has a unique set of metadata:

  • The Entity ID value varies depending on the VSID.

  • The following URLs vary because the respective VSID is embedded in each URL:

    • IDP Metadata URL

    • Single Signon Service

    • Single Logout Service

Learn more about obtaining these metadata XML files and URLs in IdP metadata for SAML applications.

Request URL

When you define one or more VSIDs in a SAML application, the application sends requests to URLs embedded with VSID information. You can obtain VSID connection information using IdP metadata. Learn more in IdP metadata for SAML applications.

For example, the following IDP Metadata URL is intended to retrieve metadata when PingOne uses a VSID to identify itself:

https://…/saml20/metadata/<applicationID>/eyJ2c2lkIjoidXJuOndpZGdldDpjYTp3aG9zYXR3b3JrOnNzbzpkZXYifQ

where eyJ2c2lkIjoidXJuOndpZGdldDpjYTp3aG9zYXR3b3JrOnNzbzpkZXYifQ translates to {"vsid":"urn:widget:us:whosatwork:sso:dev"} using the Who’s at Work entity ID from the previous example in When you need virtual server IDs.

PingOne also supports using URLs to indicate the desired VSID with the vsid HTTP request query parameter instead of embedding the VSID information in the URL. For example, you can append the vsid HTTP request query parameter with a VSID to the IDP Metadata URL to indicate the desired VSID, such as the following example. The HTTP query parameter value must be URL encoded.

https://…/saml20/metadata/<applicationId>?vsid=?vsid=urn%3Awidget%3Aus%3Awhosatwork%3Asso%3Adev

This URL triggers PingOne to generate an IdP metadata request where PingOne identifies itself as urn:widget:us:whosatwork:sso:dev.

If the vsid HTTP request query parameter value is mismatched with the VSID embedded in the URL, the embedded VSID takes precedent.

Runtime processing

If VSIDs aren’t defined, PingOne uses the default server ID based on the domain in the request URL as its identifier. The domain in the request URL is either the PingOne domain or a custom domain, if configured.

Example scenario

In a scenario where the environment ID is 6991589d-87eb-47f4-9131-284cebe106b3, and the custom domain is sso.whosatwork.com:

  • If the request URL starts with https://auth.pingone.<region>/6991589d-87eb-47f4-9131-284cebe106b3/saml20/, PingOne populates the Issuer element in the assertion with https://auth.pingone.<region>/6991589d-87eb-47f4-9131-284cebe106b3.

  • If the request URL starts with https://sso.whosatwork.com/saml20/, PingOne populates the Issuer element in the assertion with https://sso.whosatwork.com.

If only one VSID is configured, PingOne always populates the Issuer element in the assertion with the default VSID as its identifier, whether the default VSID is embedded in the request URL.

When multiple VSIDs are configured, PingOne determines the Issuer element value in its assertions by evaluating the VSID information embedded in the request URL.

SP and IdP-initiated requests

VSIDs can be used in both SP and IdP-initiated requests. For example, if the application team completes integrations based on the metadata you provided, the application is expected to send each of its SAML 2.0 AuthnRequest messages using a URL in which the embedded VSID matches the intended purpose, such as development, testing, or production.

For IdP-initiated single sign-on (SSO) requests, you can obtain URLs for each configured VSID on the Overview tab of the SAML application.

Risks to consider

While VSIDs provide configuration flexibility, they can also present security risks, such as impersonation and misuse, that you can take measures to protect against, as described in the following sections.

Protection against impersonation

Following SAML specifications, PingOne always signs its SAML assertions, and the SP is expected to verify the digital signature. If the SP can verify the digital signature through a certificate or metadata using the public key you provided, the SP can determine that your PingOne environment is the sender and the legitimate IdP because only PingOne owns the private key being used to sign the assertion. The SP can then determine the connection purpose by evaluating the Issuer element in the assertion.

When one or more VSIDs are configured in the application, PingOne also always includes the p1.envId attribute in the SAML assertion, where the value is your PingOne environment ID. Including this attribute allows the SP to validate the value optionally, providing an additional layer of assurance. If the SP can’t handle validation of the p1.envId attribute, it can disregard the attribute and rely solely on the digital signature to determine if your PingOne environment is the issuer of the assertion.

Safeguarding from misuse

When multiple VSIDs are defined in a SAML application, the application has multiple versions of the Initiate Single Sign-On URL, one for each respective VSID. You can obtain the URLs on the Overview tab for the application by selecting the applicable VSID in the Display Virtual Server ID list. Learn more about defining VSIDs in Editing an application - SAML.

Example scenario

You can create a SAML application and define three VSIDs for Who’s at Work (the IdP) and Widget (the SP) for the following purposes:

Development

  • Who’s at Work entity ID: urn:widget:us:whosatwork:sso:dev (VSID #1)

  • Widget entity ID: https://whosatwork.widget.com

Testing

  • Who’s at Work entity ID: urn:widget:us:whosatwork:sso:test (VSID #2)

  • Widget entity ID: https://whosatwork.widget.com

Production

  • Who’s at Work entity ID: https://sso.whosatwork.com (VSID #3, default)

  • Widget entity ID: https://whosatwork.widget.com

When you select one of the VSIDs on the Overview tab for the application, the Initiate Single Sign-On URL changes because the selected VSID is embedded in the URL.

You can use an expression to prevent unauthorized access and ensure only users from a certain department, such as the Engineering department, can connect to Widget (the SP) for development and testing purposes while allowing users from all departments to connect for production use.

Learn more in Sample expression for VSIDs.