PingOne for Enterprise

Initiating SSO in PingOne for Enterprise

PingOne for Enterprise supports three methods of initiating single sign-on (SSO).

When a user opens a cloud application through PingOne for Enterprise, there are three participating entities involved in the SSO process: PingOne for Enterprise itself, the identity provider (IdP) storing the user information for your organization, and the service provider (SP) who makes their application available.

By default, when you add an application for SSO by your users, PingOne for Enterprise will initiate the SSO process. If your organization has a policy requiring that SSO is initiated by your IdP or the SP, you can configure either your IdP or the SP for the application as the entity that initiates the SSO process.

The topics in this section will help guide you in selecting and configuring how you want SSO to be initiated for your users.

Why use PingOne for Enterprise-initiated SSO?

  • It’s easy and works well.

  • You don’t want users to initiate SSO at the SP.

  • You want users to sign on to applications using either the PingOne for Enterprise dock or a custom sign-on page or portal, and you have no need to use IdP-initiated SSO.

Why use IdP-initiated SSO?

  • You don’t want users to initiate SSO at the SP.

  • You want users to sign on to applications using a custom sign-on page or portal, rather than the PingOne for Enterprise dock. You can configure a custom sign-on page or portal using either IdP-initiated SSO or PingOne for Enterprise-Initiated SSO.

  • Your organization uses PingFederate and you want to add an application to the PingOne for Enterprise dock using an IdP-initiated SSO URL used by PingFederate.

  • Your organization has a policy permitting only IdP-initiated SSO.

Why use SP-initiated SSO?

  • You want users to initiate SSO at the SP.

  • Users need to sign on to applications that have integrations that aren’t browser-based, such as applications that use email integration or applications that use desktop plugins.

  • The SP has a policy permitting only SP-initiated SSO.

Configuring PingOne for Enterprise-initiated SSO

SSO that’s initiated by PingOne for Enterprise is the default SSO method used for all applications that you add to your account.

Steps

  • Configure SSO in PingOne for Enterprise.

    Choose from:

    • Use PingOne for Enterprise-initiated SSO with the PingOne for Enterprise dock:

      1. In PingOne for Enterprise, configure a new SAML application.

         For instructions, see Adding or updating a SAML application.

      2. Make the application available to your users on the Users → User Groups page. The application is then automatically added to the PingOne for Enterprise dock.

    • Use PingOne for Enterprise-initiated SSO from a custom sign-on page or portal:

      1. In PingOne for Enterprise, configure a new SAML application.

      2. Add the resulting assigned SSO URL to your custom sign-on page or portal.

Configuring IdP-initiated SSO

About this task

SSO is initiated by the IdP itself, rather than by PingOne for Enterprise. In this case, the IdP needs to reference the particular application for SSO. PingOne for Enterprise assigns a unique ID, the saasid, to the connection for each application an SP publishes through PingOne for Enterprise. The IdP uses the saasid to reference the application connection for SSO.

If you’re using a custom sign-on page or portal instead of the PingOne for Enterprise dock:

Steps

  1. In PingOne for Enterprise, configure a new SAML application.

    After you save and publish the application, remain on the Review Setup page. You’ll need the application configuration information to configure SSO settings.

  2. Use the application’s saasid value to configure SSO settings in your IdP in one of the following ways:

    Choose from:

  3. Get the full IdP-initiated SSO URL from the IdP and add it to your custom sign-on page or portal.

    If PingFederate is your IdP, the IdP-initiated settings used are the startSSO and TargetResource parameters.

    For more information, see IdP endpoints.

    If you don’t specify the saasid in your SSO URL, the URL will default to the PingOne for Enterprise dock.

    If your tenant doesn’t include the dock (for example, if you’re using PingOne SSO for SaaS Apps or an Invited SSO account), this will result in an error.

Configuring SP-initiated SSO

About this task

SSO is initiated at the SP itself, rather than through PingOne for Enterprise or the IdP. The SP uses the PingOne for Enterprise SSO URL assigned to the IdP to redirect user authentication requests.

Steps

  • Configure the SP to initiate SSO.

    Choose from:

    • If you’re using PingFederate as the SP:

      Specify the AuthenticatingIdpId query parameter for the PingFederate /sp/startSSO.ping endpoint.

      For example:

      /sp/startSSO.ping?AuthenticatingIdpId=customer001.com

      For more information, see SP services in the PingFederate documentation.

    • If you’re not using PingFederate as the SP:

      1. Get the application SSO URL from the SP.

      2. Add the application to the PingOne for Enterprise dock using this URL.
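The following added example (not part of the PingOne for Enterprise or PingFederate documentation) builds the two PingFederate link forms described above, the IdP-initiated /idp/startSSO.ping link with TargetResource and the SP-initiated /sp/startSSO.ping link with AuthenticatingIdpId, and audits existing portal links for the pitfall noted earlier: a TargetResource without a saasid falls back to the dock, which fails for tenants that have no dock. The PingFederate host pf.example.com and the PingOne application SSO URL used in the checks are constructed placeholders; the example assumes the saasid appears as a query parameter of the application SSO URL.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical PingFederate base URL; replace with your own deployment's.
PF_BASE = "https://pf.example.com"


def _has_saasid(url):
    """True when the PingOne application SSO URL carries a saasid query parameter."""
    return "saasid" in parse_qs(urlsplit(url).query)


def idp_initiated_url(app_sso_url, pf_base=PF_BASE):
    """PingFederate IdP-initiated link: /idp/startSSO.ping with TargetResource set
    to the application's PingOne SSO URL, which must name the saasid."""
    if not _has_saasid(app_sso_url):
        # Without a saasid PingOne falls back to the dock, which errors for
        # tenants that have no dock, so refuse to build the link at all.
        raise ValueError("application SSO URL has no saasid")
    return f"{pf_base}/idp/startSSO.ping?" + urlencode({"TargetResource": app_sso_url})


def sp_initiated_url(authenticating_idp_id, pf_base=PF_BASE):
    """PingFederate SP-initiated link: /sp/startSSO.ping?AuthenticatingIdpId=..."""
    return f"{pf_base}/sp/startSSO.ping?" + urlencode(
        {"AuthenticatingIdpId": authenticating_idp_id})


def lint_portal_link(url, tenant_has_dock=True):
    """Audit an existing portal link; returns a list of findings (empty means OK)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    findings = []
    if parts.path.endswith("/idp/startSSO.ping"):
        targets = query.get("TargetResource", [])
        if not targets:
            findings.append("IdP-initiated link has no TargetResource")
        elif not _has_saasid(targets[0]):
            msg = "TargetResource has no saasid; SSO falls back to the dock"
            if not tenant_has_dock:
                msg += " (tenant has no dock: this will fail)"
            findings.append(msg)
    elif parts.path.endswith("/sp/startSSO.ping"):
        if "AuthenticatingIdpId" not in query:
            findings.append("SP-initiated link has no AuthenticatingIdpId")
    else:
        findings.append("not a PingFederate startSSO endpoint")
    return findings
```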