---
title: Test SAML 2.0 SSO using JSP flows
description: The topics in this section are for tenants created before January 12, 2023. Learn more in Application management migration FAQ.
component: pingoneaic
page_id: pingoneaic:realms:applications-saml2-jsp
canonical_url: https://docs.pingidentity.com/pingoneaic/realms/applications-saml2-jsp.html
keywords: ["Application Management", "Troubleshooting"]
page_aliases: ["pingoneaic::applications-saml2-jsp.adoc"]
section_ids:
  set-up-an-sp-and-an-idp: "Task 1: Set up an SP and an IDP"
  create-an-sp-circle-of-trust: "Task 2: Create an SP circle of trust"
  create-an-idp-circle-of-trust: "Task 3: Create an IDP circle of trust"
  test-saml-sso: "Task 4: Test SAML 2.0 SSO"
  more_information: More Information
---

# Test SAML 2.0 SSO using JSP flows

> **Note:** The topics in this section are for tenants created before January 12, 2023. Learn more in [Application management migration FAQ](../product-information/migration-dependent-features/application-management-migration-faq.html).

SAML 2.0 lets organizations share (or *federate*) identities and services without each organization having to manage the identities or credentials itself.

These instructions describe how to launch an SP-initiated JSP flow to test SAML 2.0 SSO. PingOne Advanced Identity Cloud acts as the service provider (SP) in a circle of trust (CoT); for this test, a self-managed AM instance acts as the identity provider (IDP).

## Task 1: Set up an SP and an IDP

1. Set up the Advanced Identity Cloud AM instance as a service provider:

   1. In the AM native admin console, go to\
      *Realm Name* > Applications > Federation > Entity Providers.

   2. Click + Add Entity Provider > Hosted, and add a hosted entity provider:

      * Entity ID: Enter a unique identifier. Example: `Cloud-SP`.

      * Service Provider Meta Alias: Provide an SP alias. Example: `cloud-sp`.

   3. Export the SP metadata to an XML file. Example export metadata URL:\
      `https://<tenant-FQDN>/am/saml2/jsp/exportmetadata.jsp?entityid=<SP-Entity-ID>&realm=/alpha`.

2. Set up the self-managed AM instance as an identity provider:

   1. In the AM self-managed admin console, go to\
      Top Level Realm > Applications > Federation > Entity Providers.

   2. Click + Add Entity Provider > Hosted, and add a hosted entity provider:

      * Entity ID: Enter a unique identifier. Example: `AM-IDP`.

      * Meta Alias: Provide an IDP alias. Example: `am-idp`.

   3. Export the IDP metadata to an XML file. Example export metadata URL:\
      `https://<IDP-host-FQDN>/am/saml2/jsp/exportmetadata.jsp?entityid=<IDP-Entity-ID>`.

3. In the Advanced Identity Cloud AM instance, add a remote entity provider by importing the IDP metadata:

   1. In the AM native admin console, go to\
      *Realm Name* > Applications > Federation > Entity Providers.

   2. Click + Add Entity Provider > Remote.

   3. Import the IDP metadata.

4. In the self-managed AM instance, add a remote entity provider by importing the SP metadata:

   1. In the AM self-managed admin console, go to\
      Top Level Realm > Applications > Federation > Entity Providers.

   2. Click + Add Entity Provider > Remote.

   3. Import the SP metadata.

5. Create a user profile on the SP and IDP:

   1. **SP**: In the AM native admin console, go to Identities and add a user identity.

   2. **IDP**: In the AM self-managed admin console, go to Identities and add a user identity.
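Before importing an exported metadata file as a remote entity provider, it is worth confirming what the file actually declares: the entity ID must be the one the peer expects, the endpoints must be HTTPS URLs on the right host, and a signing certificate must be present, or the peer cannot verify signed requests and responses. The following Python script is an added example, not code from this page or from AM. It parses a constructed, trimmed SP metadata document; the sample document, its placeholder certificate body and the host name `tenant.example.com` are assumptions for illustration.

```python
"""Inspect exported SAML 2.0 metadata before importing it as a remote entity provider.

Added example, not code from the page or from AM. The metadata below is a constructed,
trimmed stand-in for what exportmetadata.jsp returns; tenant.example.com is a placeholder.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SP metadata (the certificate body is a placeholder, not a real cert).
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="Cloud-SP">
  <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIBplaceholderCertBody==</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tenant.example.com/am/Consumer/metaAlias/alpha/cloud-sp"/>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://tenant.example.com/am/Consumer/metaAlias/alpha/cloud-sp"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""

# Role descriptor -> the endpoint element the peer provider sends messages to.
ROLE_ENDPOINTS = {
    "SPSSODescriptor": "AssertionConsumerService",
    "IDPSSODescriptor": "SingleSignOnService",
}


def parse_metadata(xml_text):
    """Return entityID, roles, endpoints and signing certificates from an EntityDescriptor."""
    # ElementTree does not resolve external entities, so hostile metadata cannot pull
    # local files in through a DTD; parsing simply fails on undefined entities.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    info = {"entity_id": root.get("entityID"), "roles": [], "endpoints": [], "signing_certs": []}
    for role, endpoint_tag in ROLE_ENDPOINTS.items():
        for desc in root.findall("md:%s" % role, NS):
            info["roles"].append(role)
            for svc in desc.findall("md:%s" % endpoint_tag, NS):
                info["endpoints"].append({
                    "role": role,
                    "binding": svc.get("Binding"),
                    "location": svc.get("Location"),
                    "default": svc.get("isDefault") == "true",
                })
            for kd in desc.findall("md:KeyDescriptor", NS):
                # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
                if kd.get("use") in (None, "signing"):
                    for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                        info["signing_certs"].append("".join(cert.text.split()))
    return info


def check_metadata(info, expected_entity_id, expected_host):
    """Sanity checks to run before importing the file as a remote entity provider.

    Returns a list of problems; an empty list means the file looks consistent.
    """
    problems = []
    if info["entity_id"] != expected_entity_id:
        problems.append("entityID is %r, expected %r" % (info["entity_id"], expected_entity_id))
    if not info["roles"]:
        problems.append("no SP or IDP role descriptor")
    if not info["signing_certs"]:
        problems.append("no signing certificate: the peer cannot verify this provider's signatures")
    if not info["endpoints"]:
        problems.append("no SSO endpoints")
    for ep in info["endpoints"]:
        url = urlsplit(ep["location"] or "")
        if url.scheme != "https":
            problems.append("%s endpoint is not https: %s" % (ep["role"], ep["location"]))
        if (url.hostname or "").lower() != expected_host.lower():
            problems.append("%s endpoint host %r is not %r" % (ep["role"], url.hostname, expected_host))
    return problems


if __name__ == "__main__":
    meta = parse_metadata(SAMPLE_SP_METADATA)
    print(meta["entity_id"], [e["binding"].rsplit(":", 1)[-1] for e in meta["endpoints"]])
    print(check_metadata(meta, "Cloud-SP", "tenant.example.com") or "metadata looks consistent")
```

Run `parse_metadata` on the real export with your own entity ID and FQDN; anything in the returned problem list is worth resolving before the import, because a wrong entity ID or endpoint is a common reason the flow in Task 4 fails at the IDP or SP.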

## Task 2: Create an SP circle of trust

1. In the Advanced Identity Cloud AM instance, create a circle of trust:

   1. In the AM native admin console, go to\
      *Realm Name* > Applications > Federation > Circles of Trust.

   2. Click + Add Circle of Trust.

   3. On the New Circle of Trust page, provide a name, then click Create.

   4. On the CoT page, provide CoT details.

      > **CoT details:**
      >
      > * Description: Enter a description for the CoT.
      >
      > * Entity Providers: Choose the entity IDs for the SP and IDP.\
      >   Examples: `Cloud-SP`, `AM-IDP`.

   5. Click Save Changes.

2. In the Advanced Identity Cloud AM instance, create a federation module:

   1. In the AM native admin console, go to\
      *Realm Name* > Authentication > Modules.

   2. On the Modules page, click Add Module. Enter module details:

      * Name: Must be named `Federation`.

      * Type: Must be type `Federation`.

   3. Click Save Changes.

3. In the Advanced Identity Cloud AM instance, configure the page the browser displays upon successful SSO:

   1. In the AM native admin console, go to\
      *Realm Name* > Applications > Federation > Entity Providers.

   2. In the `Cloud-SP` entity provider page, select the Advanced tab.

   3. In the Relay State URL List field, add the target URL for the SP end-user sign-in page.\
      Example: `https://<tenant-FQDN>/enduser/?realm=alpha#/dashboard`.

      Only URLs on this list are accepted as the `RelayState` of an SSO request, which stops a crafted sign-in link from sending the authenticated user to a site of the attacker's choosing.

   4. Click Save Changes.

## Task 3: Create an IDP circle of trust

1. In the AM self-managed admin console, go to\
   Top Level Realm > Applications > Federation > Circles of Trust.

2. Click + Add Circle of Trust.

3. On the New Circle of Trust page, provide a name, then click Create.

4. On the CoT page, provide CoT details.

   > **CoT details:**
   >
   > * Description: Enter a description for the CoT.
   >
   > * Entity Providers: Choose the entity IDs for the SP and IDP.\
   >   Examples: `Cloud-SP`, `AM-IDP`.

5. Click Save Changes.

## Task 4: Test SAML 2.0 SSO

1. In a browser, go to the JSP URL to launch an SP-initiated JSP flow. Example:\
   `https://<tenant-FQDN>/am/saml2/jsp/spSSOInit.jsp?realm=/alpha/&metaAlias=/alpha/cloud-sp&idpEntityID=AM-IDP&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&NameIDformat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent&RelayState=https://<tenant-FQDN>/enduser/?realm=alpha#/dashboard`.

   URL-encode the `RelayState` value when you paste it into the query string. Left unencoded, the browser treats everything from the `#` onward as a fragment of the JSP URL and never sends it to AM, so the value AM receives is truncated and may not match the entry you added to the Relay State URL List in Task 2.

2. On the IDP sign-in page, enter the user's credentials.

   Keep this session open. The IDP authenticates the user, then the browser redirects the user back to the SP sign-in page.

3. On the SP sign-in page, enter the user's credentials.

   The SP prompts for local credentials because no SP account is linked yet to the persistent name identifier in the IDP's assertion. After this second successful authentication, the user's SP identity is linked to, or federated with, the user's IDP identity.

   The browser redirects to the SP end-user page.

4. Sign the user out of both the SP and IDP.

5. Go to the IDP end-user sign-in page, and enter the user's credentials.

   When the user is successfully authenticated, the browser redirects to the SP end-user page specified in Relay State URL List. The SP does not prompt for credentials again, because the two identities are now linked.
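The JSP URL in step 1 carries the `RelayState` inline and unencoded. The following Python script is an added example, not code from this page or from AM. It builds the same URL with every parameter percent-encoded, shows what AM actually receives when the `#` is left unencoded, and pre-checks the `RelayState` against the URLs added to the Relay State URL List in Task 2. `tenant.example.com` stands in for `<tenant-FQDN>`, and the exact-match rule in `relay_state_allowed` is this example's assumption, not a description of how AM matches entries in that list.

```python
"""Build the SP-initiated spSSOInit.jsp URL with encoded parameters and a RelayState pre-check.

Added example, not code from the page or from AM. tenant.example.com is a placeholder, and
the exact-match rule in relay_state_allowed is this example's assumption about the
Relay State URL List, not a statement of how a given AM version matches its entries.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed: the value added to the SP's Relay State URL List in Task 2.
RELAY_STATE_ALLOW_LIST = ["https://tenant.example.com/enduser/?realm=alpha#/dashboard"]

# Constructed: the URL as typed in Task 4, with RelayState pasted in unencoded.
NAIVE_URL = (
    "https://tenant.example.com/am/saml2/jsp/spSSOInit.jsp?realm=/alpha/"
    "&metaAlias=/alpha/cloud-sp&idpEntityID=AM-IDP&binding=" + HTTP_POST +
    "&NameIDformat=" + PERSISTENT +
    "&RelayState=https://tenant.example.com/enduser/?realm=alpha#/dashboard"
)


def _normalized(url):
    """Split a URL into the components compared by relay_state_allowed (case-folded where safe)."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port,
            parts.path, parts.query, parts.fragment)


def relay_state_allowed(relay_state, allow_list):
    """Accept a RelayState only if it is exactly one of the configured target URLs.

    The list exists to stop an attacker from crafting a spSSOInit.jsp link whose
    RelayState sends the freshly authenticated user to a site they control.
    """
    target = _normalized(relay_state)
    if target[0] != "https":
        return False
    return any(_normalized(allowed) == target for allowed in allow_list)


def build_sp_sso_init_url(tenant_fqdn, realm, meta_alias, idp_entity_id, relay_state, allow_list):
    """Assemble the JSP URL; urlencode() percent-encodes ':', '/', '?' and '#' inside every value."""
    if not relay_state_allowed(relay_state, allow_list):
        raise ValueError("RelayState %r is not in the Relay State URL List" % relay_state)
    params = {
        "realm": realm,
        "metaAlias": meta_alias,
        "idpEntityID": idp_entity_id,
        "binding": HTTP_POST,
        "NameIDformat": PERSISTENT,
        "RelayState": relay_state,
    }
    return "https://%s/am/saml2/jsp/spSSOInit.jsp?%s" % (tenant_fqdn, urlencode(params))


def relay_state_seen_by_server(url):
    """Return the RelayState AM receives for a given browser URL.

    A browser never sends the fragment, so with an unencoded RelayState everything
    from '#' onward is dropped before the request leaves the client.
    """
    query = urlsplit(url).query
    return parse_qs(query).get("RelayState", [None])[0]


if __name__ == "__main__":
    good = build_sp_sso_init_url("tenant.example.com", "/alpha", "/alpha/cloud-sp", "AM-IDP",
                                 RELAY_STATE_ALLOW_LIST[0], RELAY_STATE_ALLOW_LIST)
    print("encoded:", relay_state_seen_by_server(good))
    print("naive  :", relay_state_seen_by_server(NAIVE_URL))
```

The encoded form round-trips the full target, fragment included; the naive form loses `#/dashboard` before AM ever sees it. The pre-check in `relay_state_allowed` is there to catch a wrong or non-HTTPS target on your side before you debug why AM declined the request.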

## More Information

For deep dives, learn more in:

* [Introduction to SAML 2.0](../am-saml2/saml2-introduction.html)

* [JSP pages for SSO and SLO](../am-saml2/saml2-standalone-mode.html#using-saml2-sso-slo)

* [Set up IdPs, SPs, and CoTs](../am-saml2/saml2-providers-and-cots.html)
