PingOne

Setting up IdP-initiated SSO

PingOne supports single sign-on (SSO) from an external SAML identity provider (IdP) to an application. If a user is already signed in with the IdP, they can access an application without having to sign in.

About this task

You’ll configure the application in PingOne, and then configure the IdP to reference the application for IdP-initiated SSO. For OpenID Connect (OIDC) applications, you must first complete the configuration steps in Configuring an OIDC application. For SAML applications, skip to Enabling IdP-initiated SSO.

You’ll need to configure the IdP to include the RelayState parameter with the target application ID when the IdP sends a SAML assertion to PingOne.

The following diagram shows the flow for an OIDC application:

A diagram of a SAML IdP-initiated SSO flow.

Configuring an OIDC application

In PingOne, add an Initiate Login URI in your OIDC application configuration. For more information, see Initiating Login from a Third Party.

Steps

  1. In PingOne, go to Applications → Applications.

  2. Locate the OIDC application you want to edit. You can browse or search for applications.

  3. Click the application entry to open the details panel.

  4. Click the Configuration tab and then click the Pencil icon.

  5. Enter the following:

    • Initiate Login URI. The URI to use for SSO to the application. PingOne redirects application users to this URI to initiate SSO to PingOne using OIDC. The Initiate Login URI is required if you want the application to appear in the PingOne application portal.

    • Target Link URI (optional). The URI for the application itself. PingOne redirects application users to this URI after the user is authenticated.

      If you don’t specify a value for Target Link URI, you must include an applicationUrl in the RelayState during IdP-initiated SSO to this application (see step 2 in Enabling IdP-initiated SSO).

  6. Click the Profile tab.

  7. Locate the Client ID and copy it to a secure location.

  8. Click Save.

Enabling IdP-initiated SSO

In the external SAML identity provider, enable IdP-initiated SSO. The specifics of the configuration vary depending on the identity provider. See the identity provider documentation for more information.

Before you begin

Make sure your application in PingOne has an authentication policy assigned that contains the external IdP initiating SSO. For more information, see Applying authentication policies to an application.

Steps

  1. In the IdP, configure the RelayState parameter to contain the applicationId when the IdP sends a SAML assertion to PingOne.

    This is the Client ID you copied from the application in PingOne. For some applications, the applicationId is also referred to as the Client ID.

    Example:

    applicationId=bda4e692-84c2-4f90-8835-d28da695c748

  2. Optionally, you can also include applicationUrl in the RelayState.

    Example:

    applicationId=bda4e692-84c2-4f90-8835-d28da695c748&applicationUrl=https://myapp.com/overview

    If the target application is an OIDC application without a target_link_uri configured, include the applicationUrl in the RelayState. The applicationUrl is used only when target_link_uri is not configured.

    The entire RelayState value must also be URL-encoded. The following are examples of the full parameter as sent to PingOne:

    RelayState=applicationId%3Dbda4e692-84c2-4f90-8835-d28da695c748
    RelayState=applicationId%3Dbda4e692-84c2-4f90-8835-d28da695c748%26applicationUrl%3Dhttps%3A%2F%2Fmyapp.com%2Foverview
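
The two steps above, as an added example that is not PingOne's own code: building the encoded RelayState from the applicationId and optional applicationUrl, and decoding it once and validating it on the receiving side. The validation rules (UUID-shaped applicationId, absolute https applicationUrl) are assumptions of this example, not documented PingOne behaviour.

```python
# Added example (not PingOne's own code): build and validate the RelayState
# value described in the steps above. The checks in parse_relay_state
# (UUID-shaped applicationId, absolute https applicationUrl) are this
# example's assumptions, not documented PingOne behaviour.
import uuid
from urllib.parse import quote, unquote, urlparse

# Constructed sample values, taken from the examples in the steps above.
SAMPLE_APP_ID = "bda4e692-84c2-4f90-8835-d28da695c748"
SAMPLE_APP_URL = "https://myapp.com/overview"


def build_relay_state(application_id: str, application_url: str = "") -> str:
    """Return the URL-encoded RelayState value the IdP sends to PingOne.

    The inner "key=value&key=value" string is encoded as a whole, so '='
    becomes %3D, '&' becomes %26 and the URL's ':' and '/' become %3A and %2F.
    """
    inner = f"applicationId={application_id}"
    if application_url:
        inner += f"&applicationUrl={application_url}"
    return quote(inner, safe="")


def parse_relay_state(encoded: str) -> dict:
    """Decode a RelayState value exactly once and validate it before use.

    Raises ValueError on anything unexpected so the caller fails closed
    rather than redirecting to a location it did not intend.
    """
    fields = {}
    for pair in unquote(encoded).split("&"):
        key, sep, value = pair.partition("=")
        if not sep or key not in ("applicationId", "applicationUrl") or key in fields:
            raise ValueError(f"unexpected or duplicate RelayState field: {key!r}")
        fields[key] = value
    if "applicationId" not in fields:
        raise ValueError("RelayState is missing applicationId")
    uuid.UUID(fields["applicationId"])  # ValueError if not UUID-shaped
    if "applicationUrl" in fields:
        url = urlparse(fields["applicationUrl"])
        if url.scheme != "https" or not url.netloc:
            raise ValueError("applicationUrl must be an absolute https URL")
    return fields


if __name__ == "__main__":
    encoded = build_relay_state(SAMPLE_APP_ID, SAMPLE_APP_URL)
    print(encoded)
    print(parse_relay_state(encoded))
```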