PingOne Advanced Identity Cloud

Enable transient federation

For more information on transient federation, refer to Choose persistent or transient federation.

Both integrated and standalone SAML 2.0 implementations let you link accounts temporarily (transiently).

Before you configure transient federation, ensure you:

  • Configure PingOne Advanced Identity Cloud for SAML 2.0.

  • Create the IdP.

    • If PingOne Advanced Identity Cloud is the IdP, utilize the Advanced Identity Cloud admin UI with application management.

  • Create SPs.

  • Configure a circle of trust (CoT).

  • Configure PingOne Advanced Identity Cloud to support SSO.

Integrated mode

To enable transient federation with integrated mode:

  1. Create a journey that contains the SAML2 Authentication node.

    If you have not created one yet, refer to SSO and SLO in Integrated Mode for an example.

  2. In the NameID Format field, specify the value urn:oasis:names:tc:SAML:2.0:nameid-format:transient.

  3. Save your work.

  4. Initiate SSO by accessing a URL that calls a journey that includes the SAML 2.0 node:

    For example, https://<tenant-env-sp-fqdn>/am/XUI/#login/&realm=alpha&service=mySAMLTree.

Standalone mode

To enable transient federation with standalone mode:

  1. Initiate SSO with spSSOInit.jsp or idpSSOInit.jsp JSP page, including NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient as a query parameter.

    For example, to initiate SSO from the SP, access a URL similar to the following:

    https://<tenant-env-sp-fqdn>/am/saml2/jsp/spSSOInit.jsp
    ?idpEntityID=https%3A%2F%2Fwww.idp.com%3A8443%2Fopenam
    &metaAlias=/sp
    &NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient

    To initiate SSO from the IdP, access a URL similar to the following:

    https://<tenant-env-fqdn>/am/saml2/jsp/idpSSOInit.jsp
    ?spEntityID=https%3A%2F%2Fwww.sp.com%3A8443%2Fopenam
    &metaAlias=/idp
    &NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Test your work

  1. Authenticate to the IdP as the user you want to link temporarily.

    On success, you are redirected to the SP.

  2. Authenticate to the SP as the local user.

    The accounts are only linked for the duration of the session. Once the user logs out, the accounts are no longer linked.

    Nothing is written in the user’s profile on the IdP and the SP.

    Subsequent attempts to access the SP requires the user authenticates to the IdP AND the SP (assuming no existing session exists), as the identities are not linked.