Configuring IdP-initiated SSO
About this task
SSO is initiated by the IdP itself, rather than by PingOne for Enterprise. In this case, the IdP needs to reference the particular application for SSO. PingOne for Enterprise assigns a unique ID, the saasid, to the connection for each application an SP publishes through PingOne for Enterprise. The IdP uses the saasid to reference the application connection for SSO.
If you’re using a custom sign-on page or portal instead of the PingOne for Enterprise dock:
Steps
- In PingOne for Enterprise, configure a new SAML application.
  After you save and publish the application, remain on the Review Setup page. You’ll need the application configuration information to configure SSO settings.
  See Adding or updating a SAML application for instructions.
- Use the application’s saasid value to configure SSO settings in your IdP in one of the following ways:
  - Add the saasid as a query parameter to the connection’s ACS URL. For example, https://sso.connect.pingidentity.com/sso/sp/ACS.saml2?saasid=<saasid>.
  - Configure your IdP to include a RelayState parameter along with the SAML request in the format RelayState=https://pingone.com/1.0/<saasid>.
- Get the full IdP-initiated SSO URL from the IdP and add it to your custom sign-on page or portal.
  If PingFederate is your IdP, the IdP-initiated settings used are the startSSO and TargetResource parameters. For more information, see IdP endpoints.
If you don’t specify the saasid in your SSO URL, the URL will default to the PingOne for Enterprise dock. If your tenant doesn’t include the dock (for example, if you’re using PingOne SSO for SaaS Apps or an Invited SSO account), this will result in an error.
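The following Python sketch is an added example, not part of the PingOne for Enterprise documentation or product. It builds the two saasid forms described in the steps and checks an IdP connection's ACS URL and RelayState for a missing saasid before the link goes on a portal. The function names, the conflict check and the sample saasid values are assumptions made for illustration; the saasid is treated as an opaque string.

```python
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

# Both constants come from the page; any saasid passed in is a constructed sample.
ACS_URL = "https://sso.connect.pingidentity.com/sso/sp/ACS.saml2"
RELAY_PREFIX = "https://pingone.com/1.0/"


def acs_url(saasid):
    """Option 1: the ACS URL with the saasid as a query parameter."""
    if not saasid:
        raise ValueError("saasid is required")
    return ACS_URL + "?" + urlencode({"saasid": saasid})


def relay_state(saasid):
    """Option 2: the RelayState value that names the application."""
    if not saasid:
        raise ValueError("saasid is required")
    return RELAY_PREFIX + quote(saasid, safe="")


def saasid_from_acs_url(url):
    """Return the saasid carried by an ACS URL, or None if missing or ambiguous."""
    parts = urlsplit(url)
    base = f"{parts.scheme}://{parts.netloc.lower()}{parts.path}"
    if base != ACS_URL:
        return None
    # parse_qs drops blank values, so "?saasid=" counts as missing.
    values = parse_qs(parts.query).get("saasid", [])
    return values[0] if len(values) == 1 else None


def saasid_from_relay_state(value):
    """Return the saasid from a RelayState in the page's format, else None."""
    if not value.startswith(RELAY_PREFIX):
        return None
    tail = value[len(RELAY_PREFIX):]
    if not tail or any(c in tail for c in "/?#"):
        return None
    return unquote(tail)


def check(acs, relay=""):
    """Classify the settings; the conflict case is this example's own rule."""
    found = {s for s in (saasid_from_acs_url(acs), saasid_from_relay_state(relay)) if s}
    if not found:
        return "no saasid: defaults to the dock (error if the tenant has no dock)"
    if len(found) > 1:
        return "conflict: ACS URL and RelayState name different applications"
    return "ok: " + found.pop()
```
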