Adding or updating a SAML application
If you don’t have the service provider’s (SP) single sign-on (SSO) URL for the application (generally a SAML application that already exists in your organization), you will need to configure the necessary SAML settings to add the application.
About this task
If you are using the Google identity bridge, you cannot add Google applications using this method. See Add or update an application using its SSO URL to add these applications.
Steps
- Go to Applications → My Applications → SAML.
- Click Add Application → New SAML Application.
- On the Application Details tab, enter the application details. Application Name, Application Description and Category are required fields.
  You can optionally assign an application icon. The icon file can be up to 5 Mb in size. The supported graphics formats are JPEG/JPG and PNG.
- Click Continue to Next Step.
- On the Application Configuration page, provide the SAML configuration details for the application.
  - Signing Certificate. In the list, select the signing certificate you want to use.
  - SAML Metadata. Click Download to retrieve the SAML metadata for PingOne for Enterprise. This supplies the PingOne for Enterprise connection information to the application.
  - Protocol Version. Select the SAML protocol version appropriate for your application.
  - Upload Metadata. Click Select File to upload the application’s metadata file, or click Or use URL to enter the URL of the metadata file. The ACS URL and Entity ID will then be supplied for you. If you don’t upload the application metadata, you’ll need to enter this information manually with values provided by the application.
    The application’s Entity ID must be unique within your account. You can’t configure more than one application in PingOne for Enterprise using the same SP entity ID.
  - Application URL. This is required by some applications as the target URL. It’s used in identity provider (IdP)-initiated SSO for deep linking. The application URL is passed in the RelayState parameter by the IdP.
  - Single Logout Endpoint. The URL to which our service will send the SAML Single Logout (SLO) request using the Single Logout Binding Type that you select.
  - Single Logout Response Endpoint. The URL to which your service will send the SLO Response.
  - Single Logout Binding Type. Select the binding type (Redirect or POST) to use for SLO.
  - Primary Verification Certificate. Click Choose File to upload the primary public verification certificate to use for verifying the SP signatures on SLO requests and responses.
  - Secondary Verification Certificate. Click Choose File and upload the secondary verification certificate if available. The secondary verification certificate is used if the primary verification certificate fails to validate a signature.
  - Optional: Encrypt Assertion. If selected, the assertions PingOne sends to the SP for a multiplexed application will be encrypted. You can also use this option for your managed applications. Available for SAML 2.0 applications only.
    If an encryption certificate is included in the metadata you upload, this option is automatically enabled. The entry for Encryption Certificate will show the name of the certificate and the entry for Encryption Algorithm will be set to AES_256.
    Selecting this option displays the information needed to encrypt the assertion:
    - Encryption Certificate. Upload the certificate to use to encrypt the assertions.
    - Encryption Algorithm. Choose the algorithm to use for encrypting the assertions. We recommend AES_256 (the default), but you can select AES_128 instead.
    - Transport Algorithm. The algorithm used for securely transporting the encryption key. Currently, RSA-OAEP is the only transport algorithm supported.
  - Signing. Select either to sign the SAML assertion or to sign the SAML response.
    When you have selected Encrypt Assertion, we highly recommend that you choose to sign the response. This provides a significant increase in security.
  - Signing Algorithm. Select an algorithm from the list.
    We strongly recommend using the default RSA_SHA256 algorithm or higher.
  - Force Re-authentication. If selected, users who have a current, active SSO session will be re-authenticated by the identity bridge before a connection to this application is established.
  - Force MFA. If selected, users are required to use multi-factor authentication (MFA), as defined by the applied application policy, each time they access the application.
    You’ll need to have an authentication policy in place to use this setting. See Create or update an authentication policy for more information.
  - Use Custom URL. Select this option and enter a custom URL in the text box to customize the URL used to launch the application from the dock. This can be an SSO URL assigned by the SP or IdP. The default URL is generated by PingOne for Enterprise.
  The remaining entries are optional, depending on your requirements. Click Continue to Next Step. The SSO Attribute Mapping page is displayed.
- Modify or add any attribute mappings as necessary for the application.
  In most cases, the default attribute mappings are sufficient. These mappings assign your identity repository attributes to the attributes provided by the SP for the application.
  If you’re adding the SAML subject as an attribute, make sure to use the value SAML_SUBJECT for the Application Attribute field. If it is not defined, SAML_SUBJECT will be mapped to the subject sent by the IdP.
  For each application attribute, you can choose from the following:
  - Click the Required check box to designate an attribute or attributes as required by the application.
  - Click in an entry box and select an identity repository attribute from a drop-down list.
  - Click in an entry box and enter an identity repository attribute.
  - Click the As Literal check box and, in the entry box, enter a literal value to assign.
  - Click Advanced to enter Advanced Attribute Mapping mode. See Creating advanced attribute mappings for instructions.
  - Click Add new attribute to enter any additional attributes required by the application. You can then enter custom text in the Application Attribute text box, in addition to all of the choices above, when configuring the new attribute.
- When you have finished modifying or adding any additional attributes, click Continue to Next Step.
  The Add Groups page is displayed.
- Make the new application available to your users by assigning the groups authorized to use the application.
  All members of the selected group or groups will be able to use the application. When the application supports user provisioning, user provisioning to this application is also enabled for members of the assigned groups.
  - Click Add for each group you want to authorize to use the application.
  - Click Continue to Next Step.
  Result:
  The summary information for the application configuration is then displayed on a new page.
- Review the application connection information.
  Some of this information might be needed by the SP to complete the SSO configuration for the application. In particular, you can download the PingOne for Enterprise signing certificate or the PingOne for Enterprise SAML metadata, which has the certificate embedded. You can also copy the SAML Metadata URL and use it to keep your IdP configuration updated with PingOne for Enterprise metadata.
  The SSO URL for the application is displayed as the value of Initiate Single Sign-On (SSO) URL. You can use this to test SSO directly to the application without going through the PingOne for Enterprise dock.
- Click Edit to change any of the configuration settings, or Finish to complete the application setup.
Result
The new SAML application is added to your My Applications list.
You can go to Users → User Groups to see that the application you have added is now authorized for use by the selected group or groups.
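As an added example (not part of this page or of PingOne), the check below inspects a SAML Response captured from a test SSO to the application and compares it with the Signing and Encrypt Assertion recommendations above: whether the Response itself is signed, with which algorithm, and whether the assertion is encrypted with AES_256 and RSA-OAEP key transport. The sample Response is constructed and skeletal, with placeholder signature and cipher values; it checks structure and algorithm identifiers only, not signature validity.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
# XML-DSig / XML-Enc algorithm URIs behind the RSA_SHA256, AES_256 and RSA-OAEP options
STRONG_SIG = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
              "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"}
AES_256 = {"http://www.w3.org/2001/04/xmlenc#aes256-cbc", "http://www.w3.org/2009/xmlenc11#aes256-gcm"}
RSA_OAEP = {"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p", "http://www.w3.org/2009/xmlenc11#rsa-oaep"}

# Constructed, skeletal SAML Response: signed at Response level, assertion encrypted; values are placeholders
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_r1" Version="2.0">
 <ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
 </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
 <saml:EncryptedAssertion><xenc:EncryptedData>
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <ds:KeyInfo><xenc:EncryptedKey>
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
  </xenc:EncryptedKey></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""

def _alg(parent, path):
    # Algorithm attribute of the element at path under parent, or None if either is absent
    node = None if parent is None else parent.find(path, NS)
    return None if node is None else node.get("Algorithm")

def audit_response(xml_text):
    """Compare IdP output with the page's Signing and Encrypt Assertion recommendations."""
    resp = ET.fromstring(xml_text)
    # A Response-level signature is a direct child of samlp:Response, not of the assertion
    sig_alg = _alg(resp, "ds:Signature/ds:SignedInfo/ds:SignatureMethod")
    enc = resp.find("saml:EncryptedAssertion", NS)
    data_alg = _alg(enc, ".//xenc:EncryptedData/xenc:EncryptionMethod")
    key_alg = _alg(enc, ".//xenc:EncryptedKey/xenc:EncryptionMethod")
    findings = []
    if sig_alg is None:
        findings.append("response is not signed; sign the response when Encrypt Assertion is on")
    elif sig_alg not in STRONG_SIG:
        findings.append("signature algorithm weaker than RSA_SHA256: " + sig_alg)
    if enc is not None and data_alg not in AES_256:
        findings.append("assertion not encrypted with AES_256: " + str(data_alg))
    if enc is not None and key_alg not in RSA_OAEP:
        findings.append("key transport is not RSA-OAEP: " + str(key_alg))
    return {"response_signed": sig_alg is not None, "assertion_encrypted": enc is not None,
            "signature_alg": sig_alg, "data_alg": data_alg, "key_transport_alg": key_alg,
            "findings": findings}
```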