PingOne

Enabling IdP-initiated SSO

In the external SAML identity provider, enable IdP-initiated SSO. The specifics of the configuration vary depending on the identity provider. See the identity provider documentation for more information.

Before you begin

Make sure your application in PingOne has an authentication policy assigned that contains the external IdP initiating SSO. For more information, see Applying authentication policies to an application.

Steps

  1. In the IdP, configure the RelayState parameter to contain the applicationId when the IdP sends a SAML assertion to PingOne.

    This is the Client ID copied from the application in PingOne.

    For some applications, the applicationId is also known as the Client ID.

    Example:

    applicationId=bda4e692-84c2-4f90-8835-d28da695c748

  2. Optionally, you can also include applicationUrl in the RelayState.

    Example:

    applicationId=bda4e692-84c2-4f90-8835-d28da695c748&applicationUrl=https://myapp.com/overview

    If the target application is an OIDC application without a target_link_uri configured, include the applicationUrl in the RelayState. The applicationUrl is used only when target_link_uri is not configured.

    The RelayState parameter should also be URL-encoded. The following are examples of the full parameter sent to PingOne:

    RelayState=applicationId%3Dbda4e692-84c2-4f90-8835-d28da695c748
    RelayState=applicationId%3Dbda4e692-84c2-4f90-8835-d28da695c748%26applicationUrl%3Dhttps%3A%2F%2Fmyapp.com%2Foverview
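
The following helper is an added example, not part of the PingOne documentation or product: it builds the URL-encoded RelayState value from steps 1 and 2 and decodes a full `RelayState=...` parameter so you can confirm what the IdP is configured to send. The function names, the UUID shape check on applicationId, the https-only rule, and the refusal of an applicationUrl containing `&` are assumptions of this example.

```python
import re
from urllib.parse import quote, unquote, urlsplit

# Assumption: the Client ID has the UUID shape shown in the page's example.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def build_relay_state(application_id, application_url=None):
    """Return the URL-encoded RelayState value to configure in the IdP."""
    if not UUID_RE.match(application_id):
        raise ValueError("applicationId does not look like a Client ID")
    raw = "applicationId=" + application_id
    if application_url is not None:
        parts = urlsplit(application_url)
        # Assumption of this example: only absolute https URLs are accepted.
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError("applicationUrl must be an absolute https URL")
        # The page does not say how a nested '&' is handled, so refuse it.
        if "&" in application_url:
            raise ValueError("applicationUrl containing '&' is not supported here")
        raw += "&applicationUrl=" + application_url
    # safe="" so that '=', '&', ':' and '/' are all percent-encoded.
    return quote(raw, safe="")


def parse_relay_state(param):
    """Decode a full 'RelayState=...' parameter into its fields."""
    name, _, value = param.partition("=")
    # A raw '=' or '&' in the value means it was sent without URL-encoding.
    if name != "RelayState" or "=" in value or "&" in value:
        raise ValueError("expected one URL-encoded RelayState=... parameter")
    return dict(f.partition("=")[::2] for f in unquote(value).split("&"))


if __name__ == "__main__":
    app_id = "bda4e692-84c2-4f90-8835-d28da695c748"  # value from the page
    encoded = build_relay_state(app_id, "https://myapp.com/overview")
    print("RelayState=" + encoded)
    print(parse_relay_state("RelayState=" + encoded))
```

Run against the values on this page, the output matches the two encoded examples above; a parameter pasted into the IdP without encoding is rejected by `parse_relay_state`.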