---
title: Deployment considerations
description: Before you set up SAML 2.0 in Advanced Identity Cloud, you should:
component: pingoneaic
page_id: pingoneaic:am-saml2:saml2-configuration
canonical_url: https://docs.pingidentity.com/pingoneaic/am-saml2/saml2-configuration.html
keywords: ["SAML 2.0", "Single Sign-on (SSO)", "Federation", "Setup & Configuration", "Planning"]
page_aliases: ["saml2-guide:saml2-configuration.adoc"]
section_ids:
  saml2-and-session-state: SSO and session storage
  configure_saml_v2_0: Configure SAML v2.0
---

# Deployment considerations

Before you set up SAML 2.0 in Advanced Identity Cloud, you should:

* Know which providers will participate in circles of trust (CoTs).

* Know how tenants act as IdPs or SPs.

* Define how to map shared user attributes in identity information exchanged with other participants in a CoT. Advanced Identity Cloud user profile attribute names should map to user profile attribute names at other providers.

  For example, if you exchange user identifiers with a partner, and your Advanced Identity Cloud attribute is `uid`, but the partner's attribute is `userid`, you must map `uid` to the partner's `userid` attribute.

* Agree with other providers on a synchronized time service.

## SSO and session storage

SAML 2.0 functionality uses a combination of the backend token service and browser-based data to store the progress of SAML 2.0 single sign-on (SSO) operations.

SSO progress is stored in a JSON web token (JWT) in the browser's session storage.

The JWT created in the browser's session storage doesn't expire. Instead, the time allowed to complete the SSO flow is determined by the configurable [maximum duration](../am-authentication/suspended-auth.html#maximum-duration) of the journey session.

The browser must [support the sessionStorage API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API#window.sessionstorage) to handle SSO without the need for sticky load balancing of the Advanced Identity Cloud tenant.

Session storage is similar to local storage but is more limited:

* Session storage exists only within the current browser tab.

* Another tab that displays the same page will have a different session storage.

* Session storage is shared between frames in the same tab (assuming they come from the same origin).

* Session storage data survives a page refresh, but not closing and opening the tab.
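A preflight check for the sessionStorage requirement described above can help diagnose SSO flows that stall in restricted browsers or embedded views. This is an added example, not Advanced Identity Cloud code; `probeSessionStorage`, `makeMemoryStorage`, and the probe key are hypothetical names, and the in-memory storage is a constructed stand-in so the block runs outside a browser.

```javascript
// Arbitrary key used only for the round-trip test (hypothetical value).
const PROBE_KEY = "__sso_storage_probe__";

// getStorage is a callback so that exceptions thrown while merely
// accessing the storage object can be caught and reported.
function probeSessionStorage(getStorage) {
  let storage;
  try {
    // Reading window.sessionStorage can throw SecurityError when the
    // browser blocks storage access for the origin.
    storage = getStorage();
  } catch (err) {
    return { usable: false, reason: "access-denied", detail: err.name };
  }
  // The storage object is absent (null or undefined) when DOM storage
  // is not available in the hosting component.
  if (!storage || typeof storage.setItem !== "function") {
    return { usable: false, reason: "unavailable", detail: null };
  }
  const value = String(Date.now());
  try {
    storage.setItem(PROBE_KEY, value);
    const roundTrip = storage.getItem(PROBE_KEY) === value;
    storage.removeItem(PROBE_KEY); // leave no probe data behind
    return roundTrip
      ? { usable: true, reason: "ok", detail: null }
      : { usable: false, reason: "not-persisted", detail: null };
  } catch (err) {
    // For example QuotaExceededError when the storage quota is exhausted.
    return { usable: false, reason: "write-failed", detail: err.name };
  }
}

// Constructed stand-in for the Storage interface (not a real browser object).
function makeMemoryStorage() {
  const data = new Map();
  return {
    setItem: (k, v) => { data.set(k, String(v)); },
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    removeItem: (k) => { data.delete(k); },
    get length() { return data.size; },
  };
}

// In a page: probeSessionStorage(() => window.sessionStorage)
```

Run the probe in the same tab that starts the SSO flow, because each tab has its own session storage.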

To enable session storage support in WebView components on Android, set the following property:

```
settings.setDomStorageEnabled(true)
```

You can't use session storage when using multiple WebView components simultaneously. Learn more in [WebSettings - setDomStorageEnabled](https://developer.android.com/reference/android/webkit/WebSettings#setDomStorageEnabled\(boolean\)) in the *Android Developers* documentation.

## Configure SAML v2.0

The following table summarizes the high-level tasks required to configure SAML 2.0:

| Task                                                                                                                                                                                                                                                                                                                                                              | Resources                                                   |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------- |
| **Configure an SP, an IdP, and a CoT** Decide if Advanced Identity Cloud will be an SP, an IdP, or both, and determine what metadata you need to import from other providers. For example, if Advanced Identity Cloud is the IdP for another service, you must import the metadata of the remote SP. Ensure that SPs and IdPs that work together share the same CoT. | [Set up IdPs, SPs, and CoTs](saml2-providers-and-cots.html) |
| **Secure your providers** Configure signing and encryption secrets for your environment. | [Sign and encrypt messages](saml2-encryption.html) |
| **Configure your environment for SSO and SLO** Advanced Identity Cloud provides integrated and standalone modes for implementing SSO and SLO. Choose the mode that's most appropriate for your environment. | [Implement SSO and SLO](saml2-sso-slo.html) |
| **Decide how to federate identities** Advanced Identity Cloud supports different ways to federate identities, depending on the configuration and whether user profiles already exist in the SP. | [Federate identities](saml2-linking-accounts.html) |
