---
title: Setting up external IdP-initiated SSO
description: PingOne supports SSO from an external SAML identity provider to an application.
component: pingone
page_id: pingone:integrations:p1_set_up_saml_initiated_sso_to_oidc_app
canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_set_up_saml_initiated_sso_to_oidc_app.html
revdate: May 2, 2025
section_ids:
  about-this-task: About this task
  configure_oidc: Configuring an OIDC application
  steps: Steps
  enable_idp_initiated_sso: Enabling IdP-initiated SSO
  before-you-begin: Before you begin
  steps-2: Steps
  example: Example:
  example-2: Example:
---

# Setting up external IdP-initiated SSO

PingOne supports single sign-on (SSO) from an external SAML identity provider (IdP) to an application. If a user is already signed on with the IdP, they can access an application without having to sign on.

## About this task

You'll configure the application in PingOne, and then configure the IdP to reference the application for IdP-initiated SSO. For OpenID Connect (OIDC) applications, you must first complete the configuration steps in [Configuring an OIDC application](#configure_oidc). For SAML applications, skip to [Enabling IdP-initiated SSO](#enable_idp_initiated_sso).

You'll need to configure the IdP to include the `RelayState` parameter with the target application ID when the IdP sends a SAML assertion to PingOne.

The following diagram shows the flow for an OIDC application:

![A diagram of a SAML IdP-initiated SSO flow.](_images/vod1649187443757.png)

## Configuring an OIDC application

Add an **Initiate Login URI** in your OIDC application configuration. Learn more in [Initiating Login from a Third Party](https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin).

## Steps

1. In the PingOne admin console, go to **Applications > Applications** and browse or search for the OIDC application you want to edit.

2. Click the application entry to open the details panel.

3. On the **Configuration** tab, click the **Pencil** icon.

4. Enter the following:

   * **Initiate Login URI**: The URI to use for SSO to the application. PingOne redirects application users to this URI to initiate SSO to PingOne using OIDC. The `Initiate Login URI` is required if you want the application to appear in the PingOne application portal.

   * **Target Link URI** (optional): The URI for the application itself. PingOne redirects application users to this URI after the user is authenticated.

     |   |                                                                                                                                                                                                                                      |
     | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
     |   | If you don't specify a value for **Target Link URI**, you must include an `applicationUrl` in the `RelayState` during IdP-initiated SSO to this application (see step 2 in [Enabling IdP-initiated SSO](#enable_idp_initiated_sso)). |

5. Click **Save**.

6. Click the **Profile** tab.

7. Locate the **Client ID** and copy it to a secure location.

8. Click **Save**.

## Enabling IdP-initiated SSO

In the external SAML IdP, enable IdP-initiated SSO. The specifics of the configuration vary depending on the IdP. Refer to the applicable IdP documentation for more information.

## Before you begin

Make sure your application in PingOne has an authentication policy assigned that contains the external IdP initiating SSO. Learn more in [Applying authentication policies to an application](../applications/p1_apply_auth_policy_to_applications.html).

## Steps

1. In the IdP, configure the `RelayState` parameter to contain the `applicationId` when the IdP sends a SAML assertion to PingOne.

   This is the **Client ID** copied from the application in PingOne.

   |   |                                                                                |
   | - | ------------------------------------------------------------------------------ |
   |   | For some applications, the `applicationId` is also known as the **Client ID**. |

   ### Example:

   ```
   applicationId=bda4e692-84c2-4f90-8835-d28da695c748
   ```

2. (Optional) Include `applicationUrl` in the `RelayState`.

   ### Example:

   ```
   applicationId=bda4e692-84c2-4f90-8835-d28da695c748&applicationUrl=https://myapp.com/overview
   ```

   |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
   | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | If the target application is an OIDC application without a `target_link_uri` configured, include the `applicationUrl` in the `RelayState`. The `applicationUrl` is used only when `target_link_uri` is not configured.The `RelayState` parameter should also be URL-encoded. The following are examples of the full parameter sent to PingOne:```
   RelayState=applicationId%3Dbda4e692-84c2-4f90-8835-d28da695c748
   ``````
   RelayState=applicationId%3Dbda4e692-84c2-4f90-8835-d28da695c748%26applicationUrl%3Dhttps%3A%2F%2Fmyapp.com%2Foverview
   ``` |
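
The `RelayState` format and URL-encoding from the steps above, as an added example that is not part of the PingOne documentation: it builds the encoded value to paste into the IdP and decodes a configured value to check it before go-live. The function names, `ALLOWED_HOSTS`, and the https/host and `&` checks are assumptions of this example, not PingOne behaviour.

```python
import uuid
from urllib.parse import quote, unquote, urlsplit

# Assumption: hosts your application is actually served from.
ALLOWED_HOSTS = {"myapp.com"}


def build_relay_state(application_id, application_url=None):
    """Return the URL-encoded RelayState value for the IdP configuration."""
    # applicationId is the Client ID copied from PingOne; require a canonical UUID.
    if str(uuid.UUID(application_id)) != application_id.lower():
        raise ValueError("applicationId is not a canonical UUID")
    raw = f"applicationId={application_id}"
    if application_url is not None:
        parts = urlsplit(application_url)
        # Keep the post-login landing URL on HTTPS and on a host you control.
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            raise ValueError("applicationUrl must be https on an allowed host")
        # The page does not say how '&' inside applicationUrl is parsed,
        # so this helper refuses it rather than guessing.
        if "&" in application_url:
            raise ValueError("'&' in applicationUrl is ambiguous")
        raw += f"&applicationUrl={application_url}"
    # safe="" encodes '=', '&', ':' and '/' as in the page's examples.
    return quote(raw, safe="")


def parse_relay_state(encoded):
    """Decode an encoded RelayState value back into its fields."""
    fields = {}
    # Decode exactly once; a double-encoded value fails the checks below.
    for pair in unquote(encoded).split("&"):
        key, sep, value = pair.partition("=")
        if not sep or key not in ("applicationId", "applicationUrl") or key in fields:
            raise ValueError(f"unexpected RelayState field: {pair!r}")
        fields[key] = value
    if "applicationId" not in fields:
        raise ValueError("RelayState is missing applicationId")
    return fields
```

A value that was URL-encoded twice by the IdP decodes to a string with no literal `=`, so `parse_relay_state` rejects it instead of returning a malformed `applicationId`.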
