---
title: Adding or updating a SAML application
description: If you don't have the service provider's (SP) single sign-on (SSO) URL for the application (generally a SAML application that already exists in your organization), you will need to configure the necessary SAML settings to add the application.
component: pingoneforenterprise
page_id: pingoneforenterprise:pingone_for_enterprise:p14e_add_update_saml_application
canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_add_update_saml_application.html
revdate: September 22, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
  choose-from: Choose from:
  result: Result:
  result-2: Result
---

# Adding or updating a SAML application

If you don't have an SSO URL from the service provider (SP) for the application (typically a SAML application that already exists in your organization), you add the application by configuring its SAML settings manually, as described here.

## About this task

> **Note:** If you are using the Google identity bridge, you cannot add Google applications using this method. See [Add or update an application using its SSO URL](p14e_add_update_application_sso_url.html) to add these applications.

## Steps

1. Go to **Applications > My Applications > SAML**.

2. Click **Add Application > New SAML Application**.

3. On the **Application Details** tab, enter the application details. **Application Name**, **Application Description** and **Category** are required fields.

   You can optionally assign an application icon. The icon file can be up to 5 MB in size. The supported graphics formats are JPEG/JPG and PNG.

4. Click **Continue to Next Step**.

5. On the **Application Configuration** page, provide the SAML configuration details for the application.

   1. **Signing Certificate**. In the list, select the signing certificate you want to use.

   2. **SAML Metadata**. Click **Download** to retrieve the SAML metadata for PingOne for Enterprise. This file supplies the PingOne for Enterprise IdP connection information, including its signing certificate, to the application.

   3. **Protocol Version**. Select the SAML protocol version appropriate for your application.

   4. **Upload Metadata**. Click **Select File** to upload the application's metadata file, or click **Or use URL** to enter the URL of the metadata file. The **ACS URL** and **Entity ID** are then filled in from the metadata. If you don't upload the application metadata, you must enter these values manually, using the values provided by the application.

      > **Note:** The application's **Entity ID** must be unique within your account. You can't configure more than one application in PingOne for Enterprise using the same SP entity ID.

   5. **Application URL**. Some applications require this as the target URL. It's used in identity provider (IdP)-initiated SSO for deep linking: PingOne for Enterprise passes the application URL to the SP in the `RelayState` parameter.

   6. **Single Logout Endpoint**. The URL to which PingOne for Enterprise sends the SAML Single Logout (SLO) request, using the **Single Logout Binding Type** that you select.

   7. **Single Logout Response Endpoint**. The URL to which PingOne for Enterprise sends the SLO response when the SP initiated the logout.

   8. **Single Logout Binding Type**. Select the binding type (**Redirect** or **POST**) to use for SLO.

   9. **Primary Verification Certificate**. Click **Choose File** to upload the primary public verification certificate, used to verify the SP's signatures on SLO requests and responses.

   10. **Secondary Verification Certificate**. Click **Choose File** and upload the secondary verification certificate, if available. The secondary certificate is tried when signature validation against the primary certificate fails, which lets the SP roll over to a new signing certificate without an interruption.

   11. **Optional:** **Encrypt Assertion**. If selected, the assertions PingOne for Enterprise sends to the SP for a multiplexed application are encrypted. You can also use this option for your managed applications. Available for SAML 2.0 applications only.

       > **Note:** If an encryption certificate is included in the metadata you upload, this option is automatically enabled. The entry for **Encryption Certificate** will show the name of the certificate and the entry for **Encryption Algorithm** will be set to AES\_256.

       Selecting this option displays the information needed to encrypt the assertion:

       * Encryption Certificate

         Upload the certificate to use to encrypt the assertions.

       * Encryption Algorithm

         Choose the algorithm to use for encrypting the assertions. We recommend **AES\_256** (the default), but you can select **AES\_128** instead.

       * Transport Algorithm

         The algorithm used for securely transporting the encryption key. Currently, **RSA-OAEP** is the only transport algorithm supported.

   12. **Signing**. Select whether to sign the SAML assertion or the SAML response.

       When you have selected **Encrypt Assertion**, we highly recommend that you sign the response. A signature placed on the assertion is encrypted along with it, so the SP cannot check it until after decryption; a signature on the response covers the whole message, including the `EncryptedAssertion` element, and lets the SP reject a tampered message before it decrypts anything.

   13. **Signing Algorithm**. Select an algorithm from the list.

       We strongly recommend using the default **RSA\_SHA256** algorithm or a stronger one.

   14. **Force Re-authentication**. If selected, users who have a current, active SSO session are re-authenticated by the identity bridge before a connection to this application is established.

   15. **Force MFA**. If selected, users are required to use multi-factor authentication (MFA), as defined by the authentication policy applied to the application, each time they access the application.

       You'll need to have an authentication policy in place to use this setting. See [Create or update an authentication policy](p14e_create_update_authentication_policy.html) for more information.

   16. **Use Custom URL**. Select this option and enter a custom URL in the text box to customize the URL that launches the application from the dock. This can be an SSO URL assigned by the SP or IdP. The default URL is generated by PingOne for Enterprise.

   The remaining entries are optional, depending on your requirements. Click **Continue to Next Step**. The **SSO Attribute Mapping** page is displayed.

6. Modify or add any attribute mappings as necessary for the application.

   In most cases, the default attribute mappings are sufficient. These mappings assign your identity repository attributes to the attributes provided by the SP for the application.

   > **Note:** If you're adding the SAML subject as an attribute, make sure to use the value `SAML_SUBJECT` for the **Application Attribute** field. If not defined, `SAML_SUBJECT` will be mapped to the subject sent by the IdP.

   For each application attribute, you can:

   ### Choose from:

   * Click the **Required** checkbox to designate an attribute or attributes as required by the application.

   * Click in an entry box and select an identity repository attribute from a drop-down list.

   * Click in an entry box and enter an identity repository attribute.

   * Click the **As Literal** checkbox and in the entry box, enter a literal value to assign.

   * Click **Advanced** and enter Advanced Attribute Mapping mode. See [Creating advanced attribute mappings](p14e_creating_advaced_attribute_mappings.html) for instructions.

   * Click **Add new attribute** to add any further attributes the application requires. For a new attribute, enter its name in the **Application Attribute** text box and then configure its value using any of the choices above.

7. When you have finished modifying or adding any additional attributes, click **Continue to Next Step**.

   The **Add Groups** page is displayed.

8. Make the new application available to your users by assigning the groups authorized to use the application.

   All members of the selected group or groups will be able to use the application. When the application supports user provisioning, user provisioning to this application is also enabled for members of the assigned groups.

   1. Click **Add** for each group you want to authorize to use the application.

   2. Click **Continue to Next Step**.

      ### Result:

      The summary information for the application configuration is then displayed on a new page.

9. Review the application connection information.

   Some of this information might be needed by the SP to complete the SSO configuration for the application. In particular, you can download the PingOne for Enterprise signing certificate or the PingOne for Enterprise **SAML metadata**, which has the certificate embedded. You can also copy the **SAML Metadata URL** and give it to the SP so that its configuration of PingOne for Enterprise as the IdP stays current with the published metadata, for example after a signing certificate change.

   The SSO URL for the application is displayed as the value of **Initiate Single Sign-On (SSO) URL**. You can use this to test SSO directly to the application without going through the PingOne for Enterprise dock.

10. Click **Edit** to change any of the configuration settings, or **Finish** to complete the application setup.
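As an added example (not part of the PingOne for Enterprise documentation or product), the following Python script shows what the **Upload Metadata** step derives from an SP metadata file, and what the **Encrypt Assertion** note means by an encryption certificate in the metadata: it reads the entity ID, protocol version, ACS URL, SLO endpoints and binding, and the verification and encryption certificates, and checks the entity ID against a list of already-configured applications. The metadata, its hostnames, entity ID and certificate contents are constructed for the example, and the uniqueness check is a local stand-in for the one PingOne for Enterprise performs.

```python
"""Derive PingOne for Enterprise SAML application settings from SP metadata.

Added example, not part of the PingOne for Enterprise documentation or product.
It mirrors the Upload Metadata step (entity ID, ACS URL, SLO endpoints,
certificates) and the Encrypt Assertion note (an encryption certificate in the
metadata enables assertion encryption). The uniqueness check stands in for the
one PingOne performs on the SP entity ID.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample SP metadata: hostnames, entity ID and certificate
# contents are made up for this example.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://app.example.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...signing...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...encryption...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://app.example.com/saml/slo"
        ResponseLocation="https://app.example.com/saml/slo/response"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.com/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return the fields PingOne fills in from SP metadata as a dict."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")

    # Prefer the ACS marked as default, otherwise the first HTTP-POST one.
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    acs = (next((a for a in acs_list if a.get("isDefault") == "true"), None)
           or next((a for a in acs_list if a.get("Binding") == POST), None))
    if acs is None:
        raise ValueError("metadata has no usable AssertionConsumerService")

    slo = sp.find("md:SingleLogoutService", NS)
    slo_binding = {POST: "POST", REDIRECT: "Redirect"}.get(slo.get("Binding")) if slo is not None else None

    # Collect certificates by use; a KeyDescriptor without 'use' serves both purposes.
    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        uses = (kd.get("use"),) if kd.get("use") else ("signing", "encryption")
        for use in uses:
            certs.setdefault(use, cert.text.strip())

    return {
        "entity_id": root.get("entityID"),
        "protocol_version": "SAML 2.0" if SAML2_PROTOCOL in sp.get("protocolSupportEnumeration", "") else None,
        "acs_url": acs.get("Location"),
        "slo_endpoint": slo.get("Location") if slo is not None else None,
        "slo_response_endpoint": slo.get("ResponseLocation") if slo is not None else None,
        "slo_binding": slo_binding,
        "verification_cert": certs.get("signing"),
        "encryption_cert": certs.get("encryption"),
        # As the note says: an encryption certificate in the metadata turns on Encrypt Assertion.
        "encrypt_assertion": "encryption" in certs,
    }


def check_entity_id_unique(entity_id, existing_entity_ids):
    """PingOne refuses a second application with the same SP entity ID."""
    return entity_id not in set(existing_entity_ids)


if __name__ == "__main__":
    settings = parse_sp_metadata(SAMPLE_SP_METADATA)
    for key, value in settings.items():
        print(f"{key}: {value}")
    # Constructed list of entity IDs already configured in the account.
    print("entity ID unique:", check_entity_id_unique(settings["entity_id"], ["https://other.example.com/sp"]))
```

Run it against the real SP metadata before uploading it to compare what PingOne for Enterprise fills in with what the application's administrator told you; a missing `use="encryption"` key descriptor means **Encrypt Assertion** stays off unless you upload an encryption certificate yourself.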

## Result

The new SAML application is added to your My Applications list.

You can go to **Users > User Groups** to see that the application you have added is now authorized for use by the selected group or groups.
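As an added example (again not part of the documentation or the product), the following Python check applies the recommendations from the **Encrypt Assertion**, **Signing** and **Signing Algorithm** steps to a decoded SAML response as the SP would receive it: the response must be signed when the assertion is encrypted, the signature algorithm should be RSA-SHA256 or stronger, the assertion cipher should be AES-256 and the key transport RSA-OAEP. The sample responses are constructed with placeholder signature and cipher values, so the code inspects structure and algorithm identifiers only and does not verify any signature. Which XML Encryption URIs correspond to the product's AES_256, AES_128 and RSA-OAEP labels is an assumption of the example.

```python
"""Audit the signing and encryption choices a SAML response actually carries.

Added example, not part of the PingOne for Enterprise documentation or product.
It checks a decoded SAML Response against the page's recommendations: sign the
response when the assertion is encrypted, use RSA-SHA256 or stronger, encrypt
with AES-256 and wrap the key with RSA-OAEP. The mapping of algorithm URIs to
the product's AES_256 / AES_128 / RSA-OAEP labels is an assumption.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
STRONG_SIG = {RSA_SHA256, RSA_SHA384, RSA_SHA512}
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
AES256_CBC = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
AES256_GCM = "http://www.w3.org/2009/xmlenc11#aes256-gcm"
AES_256 = {AES256_CBC, AES256_GCM}  # assumed to be what the AES_256 setting emits
RSA_OAEP_MGF1P = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
RSA_OAEP = {RSA_OAEP_MGF1P, "http://www.w3.org/2009/xmlenc11#rsa-oaep"}


def build_response(response_sig=None, assertion_sig=None, enc_alg=None, key_alg=None):
    """Constructed sample response; signature and cipher values are placeholders."""
    def sig(alg):
        return (f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo>'
                '<ds:SignatureValue>...</ds:SignatureValue></ds:Signature>') if alg else ""
    if enc_alg:
        assertion = ('<saml:EncryptedAssertion><xenc:EncryptedData>'
                     f'<xenc:EncryptionMethod Algorithm="{enc_alg}"/>'
                     f'<ds:KeyInfo><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="{key_alg}"/>'
                     '<xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>'
                     '</xenc:EncryptedKey></ds:KeyInfo>'
                     '<xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>'
                     '</xenc:EncryptedData></saml:EncryptedAssertion>')
    else:
        assertion = ('<saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.com</saml:Issuer>'
                     f'{sig(assertion_sig)}</saml:Assertion>')
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:ds="{NS["ds"]}" xmlns:xenc="{NS["xenc"]}" ID="_r1" Version="2.0">'
            f'<saml:Issuer>https://idp.example.com</saml:Issuer>{sig(response_sig)}{assertion}</samlp:Response>')


def audit_response(xml_text):
    """Return a list of findings; an empty list means the response follows the recommendations."""
    root = ET.fromstring(xml_text)
    findings = []
    resp_sig = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    asn_sig = root.find("saml:Assertion/ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    enc = root.find("saml:EncryptedAssertion/xenc:EncryptedData", NS)

    # An assertion signature hidden inside the ciphertext cannot be checked before
    # decryption, so an encrypted assertion needs a signature on the response.
    if resp_sig is None and asn_sig is None:
        if enc is not None:
            findings.append("assertion is encrypted but the response is not signed; sign the response "
                            "so the whole message, including the EncryptedAssertion, is covered")
        else:
            findings.append("neither the response nor the assertion is signed")
    for s in (resp_sig, asn_sig):
        if s is not None and s.get("Algorithm") not in STRONG_SIG:
            findings.append(f"signature algorithm {s.get('Algorithm')} is weaker than RSA_SHA256")
    if enc is not None:
        enc_alg = enc.find("xenc:EncryptionMethod", NS).get("Algorithm")
        if enc_alg not in AES_256:
            findings.append(f"assertion encryption {enc_alg} is not AES_256")
        key = enc.find("ds:KeyInfo/xenc:EncryptedKey/xenc:EncryptionMethod", NS)
        if key is None or key.get("Algorithm") not in RSA_OAEP:
            findings.append("encryption key is not wrapped with RSA-OAEP")
    return findings


if __name__ == "__main__":
    samples = {
        "signed response, AES-256 encrypted assertion":
            build_response(response_sig=RSA_SHA256, enc_alg=AES256_CBC, key_alg=RSA_OAEP_MGF1P),
        "unsigned response, AES-128 encrypted assertion":
            build_response(enc_alg=AES128_CBC, key_alg=RSA_OAEP_MGF1P),
        "plaintext assertion signed with RSA-SHA1":
            build_response(assertion_sig=RSA_SHA1),
    }
    for label, xml in samples.items():
        print(label, "->", audit_response(xml) or ["ok"])
```

To use it on a live flow, base64-decode the `SAMLResponse` form field captured at the SP's ACS URL and pass the XML to `audit_response`; an empty result means the application is receiving what the **Encrypt Assertion**, **Signing** and **Signing Algorithm** settings above are meant to produce.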
