Initiating SSO in PingOne for Enterprise
PingOne for Enterprise supports three methods of initiating single sign-on (SSO).
When a user opens a cloud application through PingOne for Enterprise, there are three participating entities involved in the SSO process: PingOne for Enterprise itself, the identity provider (IdP) storing the user information for your organization, and the service provider (SP) who makes their application available.
By default, when you add an application for SSO by your users, PingOne for Enterprise will initiate the SSO process. If your organization has a policy requiring that SSO is initiated by your IdP or the SP, you can configure either your IdP or the SP for the application as the entity that initiates the SSO process.
The topics in this section will help guide you in selecting and configuring how you want SSO to be initiated for your users.
Why use PingOne for Enterprise-initiated SSO?
- It’s easy and works well.
- You don’t want users to initiate SSO at the SP.
- You want users to sign on to applications using either the PingOne for Enterprise dock or a custom sign-on page or portal, and you have no need to use IdP-initiated SSO.
Why use IdP-initiated SSO?
- You don’t want users to initiate SSO at the SP.
- You want users to sign on to applications using a custom sign-on page or portal, rather than the PingOne for Enterprise dock. You can configure a custom sign-on page or portal using either IdP-initiated SSO or PingOne for Enterprise-initiated SSO.
- Your organization uses PingFederate and you want to add an application to the PingOne for Enterprise dock using an IdP-initiated SSO URL used by PingFederate.
- Your organization has a policy permitting only IdP-initiated SSO.
Why use SP-initiated SSO?
- You want users to initiate SSO at the SP.
- Users need to sign on to applications that have integrations that aren’t browser-based, such as applications that use email integration or applications that use desktop plugins.
- The SP has a policy permitting only SP-initiated SSO.
Configuring PingOne for Enterprise-initiated SSO
SSO that’s initiated by PingOne for Enterprise is the default SSO method used for all applications that you add to your account.
Steps
- Configure SSO in PingOne for Enterprise. Choose from:
  - Use PingOne for Enterprise-initiated SSO with the PingOne for Enterprise dock:
    - In PingOne for Enterprise, configure a new SAML application. For instructions, see Adding or updating a SAML application.
    - Make the application available to your users on the Users → User Groups page. The application is then automatically added to the PingOne for Enterprise dock.
  - Use PingOne for Enterprise-initiated SSO from a custom sign-on page or portal:
    - In PingOne for Enterprise, configure a new SAML application. See Adding or updating a SAML application for instructions.
    - Add the resulting assigned SSO URL to your custom sign-on page or portal.
Configuring IdP-initiated SSO
About this task
SSO is initiated by the IdP itself, rather than by PingOne for Enterprise. In this case, the IdP needs to reference the particular application for SSO. PingOne for Enterprise assigns a unique ID, the saasid, to the connection for each application an SP publishes through PingOne for Enterprise. The IdP uses the saasid to reference the application connection for SSO.
If you’re using a custom sign-on page or portal instead of the PingOne for Enterprise dock:
Steps
- In PingOne for Enterprise, configure a new SAML application. After you save and publish the application, remain on the Review Setup page. You’ll need the application configuration information to configure SSO settings. See Adding or updating a SAML application for instructions.
- Use the application’s saasid value to configure SSO settings in your IdP in one of the following ways. Choose from:
  - Add the saasid as a query parameter to the connection’s ACS URL. For example: https://sso.connect.pingidentity.com/sso/sp/ACS.saml2?saasid=<saasid>
  - Configure your IdP to include a RelayState parameter along with the SAML request in the format RelayState=https://pingone.com/1.0/<saasid>.
- Get the full IdP-initiated SSO URL from the IdP and add it to your custom sign-on page or portal. If PingFederate is your IdP, the IdP-initiated settings used are the startSSO and TargetResource parameters. For more information, see IdP endpoints.
If you don’t specify the saasid in your SSO URL, the URL will default to the PingOne for Enterprise dock. If your tenant doesn’t include the dock (for example, if you’re using PingOne SSO for SaaS Apps or an Invited SSO account), this will result in an error.
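The two ways of referencing an application described above (saasid as an ACS query parameter, or carried in the RelayState) can be checked with a small helper before you wire them into an IdP. The following is an added example written for this page, not PingOne’s or PingFederate’s own code. It builds both forms from a saasid, and recovers the saasid from a request the way a validating relying party would: it only accepts the documented ACS endpoint, only honours a RelayState that starts with the documented https://pingone.com/1.0/ prefix (so a RelayState pointing at some other host is ignored rather than followed), and returns None when no saasid is present, which is the case the page says falls back to the dock. The saasid character allowlist is an assumption, since the page does not document the identifier’s format.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoints exactly as the page quotes them.
ACS_URL = "https://sso.connect.pingidentity.com/sso/sp/ACS.saml2"
RELAY_STATE_PREFIX = "https://pingone.com/1.0/"

# Assumption: the page does not document the saasid format, so this allowlist
# (letters, digits, hyphens, up to 64 chars) is a conservative guess used only
# for input validation in this example.
SAASID_RE = re.compile(r"[A-Za-z0-9-]{1,64}")


def validate_saasid(saasid: str) -> str:
    """Reject anything that is not a plain identifier before it goes into a URL."""
    if not SAASID_RE.fullmatch(saasid):
        raise ValueError(f"unexpected saasid value: {saasid!r}")
    return saasid


def acs_url_with_saasid(saasid: str) -> str:
    """Option 1 from the page: pass the saasid as a query parameter on the ACS URL."""
    return f"{ACS_URL}?{urlencode({'saasid': validate_saasid(saasid)})}"


def relay_state_for(saasid: str) -> str:
    """Option 2 from the page: carry the saasid in the RelayState value."""
    return RELAY_STATE_PREFIX + validate_saasid(saasid)


def saasid_from_request(acs_url: str, relay_state: Optional[str] = None) -> Optional[str]:
    """Recover the application reference from an IdP-initiated request.

    Checks the ACS query string first, then a RelayState with the documented
    prefix, and returns None if neither carries a saasid (the page says PingOne
    then defaults to the dock). Raises ValueError if the ACS URL is not the
    PingOne endpoint or the saasid fails validation.
    """
    parts = urlsplit(acs_url)
    expected = urlsplit(ACS_URL)
    if (parts.scheme, parts.netloc, parts.path) != (expected.scheme, expected.netloc, expected.path):
        raise ValueError(f"not the PingOne ACS endpoint: {acs_url!r}")
    query = parse_qs(parts.query)
    if "saasid" in query:
        return validate_saasid(query["saasid"][0])
    # A RelayState for any other host is deliberately ignored, not followed.
    if relay_state and relay_state.startswith(RELAY_STATE_PREFIX):
        return validate_saasid(relay_state[len(RELAY_STATE_PREFIX):])
    return None


if __name__ == "__main__":
    # Constructed sample saasid for demonstration only.
    demo = "app-0001"
    print(acs_url_with_saasid(demo))
    print(relay_state_for(demo))
    print(saasid_from_request(ACS_URL, relay_state_for(demo)))
    print(saasid_from_request(ACS_URL))  # no saasid anywhere: None (dock fallback)
```

Run it directly to see both URL forms for a sample saasid; import it to reuse the validation in a test of your own IdP configuration.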
Configuring SP-initiated SSO
About this task
SSO is initiated at the SP itself, rather than through PingOne for Enterprise or the IdP. The SP uses the PingOne for Enterprise SSO URL assigned to the IdP to redirect user authentication requests.
Steps
- Configure the SP to initiate SSO. Choose from:
  - If you’re using PingFederate as the SP: specify the AuthenticatingIdpId query parameter for the PingFederate /sp/startSSO.ping endpoint. For example: /sp/startSSO.ping?AuthenticatingIdpId=customer001.com
    For more information, see .pingidentity.com/pingfederate/pf83/index.shtml//[SP services].
  - If you’re not using PingFederate as the SP:
    - Get the application SSO URL from the SP.
    - Add the application to the PingOne for Enterprise dock using this URL. For instructions, see Add or update an application using its SSO URL.