Enabling IdP-initiated SSO
In the external SAML identity provider, enable IdP-initiated SSO. The specifics of the configuration vary depending on the identity provider. See the identity provider documentation for more information.
Before you begin
Make sure your application in PingOne has an authentication policy assigned that contains the external IdP initiating SSO. For more information, see Applying authentication policies to an application.
Steps
- In the IdP, configure the RelayState parameter to contain the applicationId when the IdP sends an SAML assertion to PingOne. This is the Client ID copied from the application in PingOne.

  For some applications, the applicationId is also known as the Client ID.

  Example:

  applicationId=bda4e692-84c2-4f90-8835-d28da695c748

- Optionally, you can also include applicationUrl in the RelayState.

  Example:

  applicationId=bda4e692-84c2-4f90-8835-d28da695c748&applicationUrl=https://myapp.com/overview

  If the target application is an OIDC application without a target_link_uri configured, include the applicationUrl in the RelayState. The applicationUrl is used only when target_link_uri is not configured.

  The RelayState parameter should also be URL-encoded. The following are examples of the full parameter sent to PingOne:

  RelayState=applicationId%3Dbda4e692-84c2-4f90-8835-d28da695c748
  RelayState=applicationId%3Dbda4e692-84c2-4f90-8835-d28da695c748%26applicationUrl%3Dhttps%3A%2F%2Fmyapp.com%2Foverview
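The following Python helper is an added example, not part of the PingOne documentation or product. It builds the URL-encoded RelayState value in the form shown above and checks a value copied from an IdP configuration for missing or double encoding. The function names, the UUID-shape check on applicationId, the https-only rule for applicationUrl, and the expectation that the decoded value starts with applicationId= are assumptions of this example.

```python
import re
from urllib.parse import quote, unquote, urlsplit

# Assumption: applicationId is UUID-shaped, as in the example on this page.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
PREFIX = "applicationId="


def build_relay_state(application_id, application_url=None):
    """Return the URL-encoded RelayState value (the part after 'RelayState=')."""
    if not UUID_RE.match(application_id):
        raise ValueError("applicationId is not UUID-shaped")
    inner = PREFIX + application_id
    if application_url is not None:
        parts = urlsplit(application_url)
        # Assumption of this helper: only absolute https URLs are accepted.
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError("applicationUrl must be an absolute https URL")
        inner += "&applicationUrl=" + application_url
    # safe="" also encodes '=', '&', ':' and '/', matching the page's examples.
    return quote(inner, safe="")


def check_relay_state(value):
    """Classify a RelayState value taken from an IdP configuration."""
    if value.startswith(PREFIX):
        return "not-encoded"        # raw '=' present: the value was never encoded
    once = unquote(value)
    if once.startswith(PREFIX):
        return "ok"                 # exactly one layer of URL encoding
    if unquote(once).startswith(PREFIX):
        return "double-encoded"     # '%3D' was itself encoded as '%253D'
    return "unrecognized"


if __name__ == "__main__":
    app_id = "bda4e692-84c2-4f90-8835-d28da695c748"  # example value from this page
    value = build_relay_state(app_id, "https://myapp.com/overview")
    print("RelayState=" + value)
    print(check_relay_state(value))
```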