---
title: Configure IdPs and SPs with journeys
description: After you've set up the entity providers, you can tailor the SAML 2.0 flow to your business needs by configuring the provider settings.
component: pingoneaic
page_id: pingoneaic:am-saml2:configure-providers
canonical_url: https://docs.pingidentity.com/pingoneaic/am-saml2/configure-providers.html
keywords: ["SAML 2.0", "Single Sign-on (SSO)", "Federation"]
page_aliases: ["release-notes:rapid-channel/saml-idp-init-flows.adoc"]
section_ids:
  config-redirect-journey: Redirect to a journey on the hosted SP
  samlapp-journey: Configure a SAML 2.0 application journey for a remote SP
---

# Configure IdPs and SPs with journeys

After you've set up the entity providers, you can tailor the SAML 2.0 flow to your business needs by configuring the provider settings.

## Redirect to a journey on the hosted SP

For [IdP-initiated SSO in integrated mode](saml2-integrated-mode.html#idpinit-sso-integrated-mode), you must configure the hosted SP to send the user to an authentication journey after validating the SAML 2.0 assertion from the IdP. This lets you perform SAML 2.0 authentication on the SP side.

You can also define additional actions the user must fulfill, such as performing multi-factor authentication (MFA) or checking organizational details before accessing the SAML 2.0 application.

> Include a Scripted Decision node in the journey and query the `samlApplication` binding to access the assertion and response details.
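As an added example (not code from the Ping Identity docs), this is the kind of decision logic such a Scripted Decision node could apply on the hosted SP: require an SP-side MFA step unless the IdP's assertion carries a strong authentication context, and reject assertions whose issuer or organization attribute isn't the expected one. `EXPECTED_ISSUER`, `ALLOWED_ORGS`, the `organization` attribute and the accessor names used on the `samlApplication` binding are assumptions.

```javascript
// Added example, not from the Ping Identity docs: outcome logic for a Scripted Decision
// node placed in the hosted SP's redirect journey. The accessor names used on the
// `samlApplication` binding in detailsFromBinding() are ASSUMPTIONS; map them to the
// binding methods documented for your AM version.

// Authentication context classes (standard SAML 2.0 URNs) accepted as strong enough
// to skip an SP-side MFA step.
const STRONG_AUTHN_CONTEXTS = new Set([
  "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
  "urn:oasis:names:tc:SAML:2.0:ac:classes:X509",
  "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
]);

// Constructed values for this example: the IdP we expect assertions from and the
// organizations allowed to reach the application.
const EXPECTED_ISSUER = "https://idp.example.com/saml2";
const ALLOWED_ORGS = new Set(["engineering", "finance"]);

// Pure decision function over plain assertion details so it runs stand-alone.
// Outcomes: "reject" (issuer or organization mismatch), "mfa" (step up), "continue".
function decideOutcome(details) {
  if (!details || details.issuer !== EXPECTED_ISSUER) return "reject";
  const org = details.attributes && details.attributes.organization;
  if (!org || !ALLOWED_ORGS.has(String(org).toLowerCase())) return "reject";
  if (STRONG_AUTHN_CONTEXTS.has(details.authnContext)) return "continue";
  return "mfa"; // password-only or unspecified context: require MFA on the SP side
}

// ASSUMED adapter over the samlApplication binding; adjust to the real accessors.
function detailsFromBinding(samlApp) {
  const assertion = samlApp.getAssertion();
  return {
    issuer: String(assertion.getIssuer()),
    authnContext: String(assertion.getAuthnContextClassRef()),
    attributes: { organization: assertion.getAttributeValue("organization") },
  };
}

// Inside AM the binding exists and the node outcome is set from it; stand-alone this is skipped.
if (typeof samlApplication !== "undefined") {
  outcome = decideOutcome(detailsFromBinding(samlApplication));
}
```

Wire the three outcomes to the journey's MFA nodes and failure node; the assertion itself has already been validated by Advanced Identity Cloud before the journey runs, so this script only adds policy on top.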

If a `local authentication URL` is configured, it takes precedence, but Advanced Identity Cloud doesn't validate that the specified journey exists on the hosted SP.

If you haven't configured a journey in either setting, an IdP-initiated SSO SAML flow results in an invalid request error.

For SP-initiated SSO, the flow continues in the originating journey, ignoring any redirect journey configured on the hosted SP.

To configure a redirect journey:

1. Under Native Consoles > Access Management, go to Applications > Federation > Entity Providers > *hosted SP*.

2. Under Assertion Processing > Redirect Tree, select the name of your authentication journey from the Redirect Tree Name list.

   Learn about the `Redirect Tree Name` property in the [hosted SP configuration](saml2-reference.html#config-redirect-tree).

3. Save your changes.

> You can't delete a journey if it's set as the redirect journey in the hosted SP.

## Configure a SAML 2.0 application journey for a remote SP

Configure the remote SP so that a specific authentication journey is always run for users authenticating with your SAML 2.0 app. The federation flow invokes the associated journey, ignoring any existing sessions or authentication context requirements.

To configure a SAML 2.0 app journey, enable the option to Use a journey to authenticate users to this application when you [set up single sign-on](../app-management/register-a-custom-application.html#custom-saml-app-template-sso).

When you configure an app journey, the processing of the SAML 2.0 request depends on the authentication context requested by the SP. The following table shows the SAML response for each comparison type and the requested authentication context.

| Authentication context                     | Comparison type                  | Response                         |
| ------------------------------------------ | -------------------------------- | -------------------------------- |
| SP requested authn context                 | `Exact` / `None`                 | Requested authn context included |
| SP requested authn context                 | `Better` / `Maximum` / `Minimum` | `UNSPECIFIED`                    |
| SP doesn't request authn context           | -                                | `UNSPECIFIED`                    |
| IdP-initiated (no requested authn context) | -                                | `UNSPECIFIED`                    |

> * To prevent users from authenticating directly through this journey, either for security reasons or because the journey is insufficient as a complete authentication service, configure it as a [transactional authentication journey](../am-authentication/configure-authentication-trees.html#configure-transactional-auth-journey).
> * You can't delete a journey if it's referenced by a SAML 2.0 app.
