---
title: Configuring IdP-initiated SSO
description: SSO is initiated by the IdP itself, rather than by PingOne for Enterprise. In this case, the IdP needs to reference the particular application for SSO. PingOne for Enterprise assigns a unique ID, the saasid, to the connection for each application a SP publishes through PingOne for Enterprise. The IdP uses the saasid to reference the application connection for SSO.
component: pingoneforenterprise
page_id: pingoneforenterprise:pingone_for_enterprise:p14e_idp_sso
canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_idp_sso.html
revdate: April 24, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
  choose-from: Choose from:
---

# Configuring IdP-initiated SSO

## About this task

SSO is initiated by the IdP itself, rather than by PingOne for Enterprise. In this case, the IdP needs to reference the particular application for SSO. PingOne for Enterprise assigns a unique ID, the `saasid`, to the connection for each application a SP publishes through PingOne for Enterprise. The IdP uses the `saasid` to reference the application connection for SSO.

If you're using a custom sign-on page or portal instead of the PingOne for Enterprise dock:

## Steps

1. In PingOne for Enterprise, configure a new SAML application.

   |   |                                                                                                                                                                   |
   | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | After you save and publish the application, remain on the **Review Setup** page. You'll need the application configuration information to configure SSO settings. |

   See [Adding or updating a SAML application](p14e_add_update_saml_application.html) for instructions.

2. Use the application's `saasid` value to configure SSO settings in your IdP in one of the following ways:

   ### Choose from:

   * Add the `saasid` as a query parameter to the connection's ACS URL. For example `https://sso.connect.pingidentity.com/sso/sp/ACS.saml2?saasid=<saasid>`.

   * Configure your IdP to include a `RelayState` parameter along with the SAML request in the format `RelayState=https://pingone.com/1.0/<saasid>`.

3. Get the full IdP-initiated SSO URL from the IdP and add it to your custom sign-on page or portal.

   If PingFederate is your IdP, the IdP-initiated settings used are the `startSSO` and `TargetResource` parameters.

   Learn more in [IdP endpoints](https://docs.pingidentity.com/pingfederate/12.3/developers_reference_guide/pf_idp_endpoints.html).

   |   |                                                                                                                                                                                                                                                                      |
   | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | If you don't specify the `saasid` in your SSO URL, the URL will default to the PingOne for Enterprise dock.If your tenant doesn't include the dock (for example, if you're using PingOne SSO for SaaS Apps or an Invited SSO account), this will result in an error. |