---
title: Initiating SSO in PingOne for Enterprise
description: PingOne for Enterprise supports three methods of initiating single sign-on (SSO).
component: pingoneforenterprise
page_id: pingoneforenterprise:pingone_for_enterprise:p14e_init_sso
canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_init_sso.html
revdate: April 24, 2023
section_ids:
  why-use-pingone-for-enterprise-initiated-sso: Why use PingOne for Enterprise-initiated SSO?
  why-use-idp-initiated-sso: Why use IdP-initiated SSO?
  why-use-sp-initiated-sso: Why use SP-initiated SSO?
  configuring-pingone-for-enterprise-initiated-sso: Configuring PingOne for Enterprise-initiated SSO
  steps: Steps
  choose-from: Choose from:
  configuring-idp-initiated-sso: Configuring IdP-initiated SSO
  about-this-task: About this task
  steps-2: Steps
  choose-from-2: Choose from:
  configuring-sp-initiated-sso: Configuring SP-initiated SSO
  about-this-task-2: About this task
  steps-3: Steps
  choose-from-3: Choose from:
---

# Initiating SSO in PingOne for Enterprise

PingOne for Enterprise supports three methods of initiating single sign-on (SSO), the process of authenticating an identity (signing on) at one website (usually with a user ID and password) and then accessing resources secured by other domains without reauthenticating.

When a user opens a cloud application through PingOne for Enterprise, there are three participating entities involved in the SSO process:

* PingOne for Enterprise itself.

* The identity provider (IdP) storing the user information for your organization. An IdP is a service that manages identity information and provides authentication services to relying clients or SPs within a federated or distributed network.

* The service provider (SP) who makes their application available. In SAML, an SP is an entity that receives and accepts an authentication assertion issued by an IdP, typically for the purpose of allowing access to a protected resource.

By default, when you add an application that your users access through SSO, PingOne for Enterprise initiates the SSO process. If your organization has a policy requiring that SSO is initiated by your IdP or the SP, you can configure either your IdP or the SP for the application as the entity that initiates the SSO process.

The topics in this section will help guide you in selecting and configuring how you want SSO to be initiated for your users.

## Why use PingOne for Enterprise-initiated SSO?

* It's easy and works well.

* You don't want users to initiate SSO at the SP.

* You want users to sign on to applications using either the PingOne for Enterprise dock or a custom sign-on page or portal, and you have no need to use IdP-initiated SSO.

## Why use IdP-initiated SSO?

* You don't want users to initiate SSO at the SP.

* You want users to sign on to applications using a custom sign-on page or portal, rather than the PingOne for Enterprise dock. You can configure a custom sign-on page or portal using either IdP-initiated SSO or [PingOne for Enterprise-Initiated SSO](p14e_p14e_init_sso.html).

* Your organization uses PingFederate and you want to add an application to the PingOne for Enterprise dock using an IdP-initiated SSO URL used by PingFederate.

* Your organization has a policy permitting only IdP-initiated SSO.

## Why use SP-initiated SSO?

* You want users to initiate SSO at the SP.

* Users need to sign on to applications that have integrations that aren't browser-based, such as applications that use email integration or applications that use desktop plugins.

* The SP has a policy permitting only SP-initiated SSO.

## Configuring PingOne for Enterprise-initiated SSO

SSO that's initiated by PingOne for Enterprise is the default SSO method used for all applications that you add to your account.

### Steps

* Configure SSO in PingOne for Enterprise.

  #### Choose from:

  * Use PingOne for Enterprise-initiated SSO with the PingOne for Enterprise dock.

    1. In PingOne for Enterprise, configure a new SAML application.

       For instructions, see [Adding or updating a SAML application](p14e_add_update_saml_application.html).

    2. Make the application available to your users on the **Users > User Groups** page. The application is then automatically added to the PingOne for Enterprise dock.

  * Use PingOne for Enterprise-initiated SSO from a custom sign-on page or portal:

    1. In PingOne for Enterprise, configure a new SAML application.

       See [Adding or updating a SAML application](p14e_add_update_saml_application.html) for instructions.

    2. Add the resulting assigned SSO URL to your custom sign-on page or portal.

## Configuring IdP-initiated SSO

### About this task

SSO is initiated by the IdP itself, rather than by PingOne for Enterprise. In this case, the IdP needs to reference the particular application for SSO. PingOne for Enterprise assigns a unique ID, the `saasid`, to the connection for each application an SP publishes through PingOne for Enterprise. The IdP uses the `saasid` to reference the application connection for SSO.

If you're using a custom sign-on page or portal instead of the PingOne for Enterprise dock:

### Steps

1. In PingOne for Enterprise, configure a new SAML application.

   After you save and publish the application, remain on the **Review Setup** page. You'll need the application configuration information to configure SSO settings.

   See [Adding or updating a SAML application](p14e_add_update_saml_application.html) for instructions.

2. Use the application's `saasid` value to configure SSO settings in your IdP in one of the following ways:

   #### Choose from:

   * Add the `saasid` as a query parameter to the connection's ACS URL. For example `https://sso.connect.pingidentity.com/sso/sp/ACS.saml2?saasid=<saasid>`.

   * Configure your IdP to include a `RelayState` parameter along with the SAML request in the format `RelayState=https://pingone.com/1.0/<saasid>`.

3. Get the full IdP-initiated SSO URL from the IdP and add it to your custom sign-on page or portal.

   If PingFederate is your IdP, the IdP-initiated settings used are the `startSSO` and `TargetResource` parameters.

   Learn more in [IdP endpoints](https://docs.pingidentity.com/pingfederate/12.3/developers_reference_guide/pf_idp_endpoints.html).

   If you don't specify the `saasid` in your SSO URL, the URL will default to the PingOne for Enterprise dock. If your tenant doesn't include the dock (for example, if you're using PingOne SSO for SaaS Apps or an Invited SSO account), this will result in an error.
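
One way to check the IdP settings from step 2 before a portal link goes live, as an added example rather than Ping Identity code: it extracts the `saasid` from either documented form and flags connections that would fall back to the dock. The host, path and `RelayState` prefix come from this page's examples; the function names and sample `saasid` values are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs
# Values copied from the page's examples (assumption: your ACS URL matches).
ACS_HOST, ACS_PATH = "sso.connect.pingidentity.com", "/sso/sp/ACS.saml2"
RELAY_HOST, RELAY_PREFIX = "pingone.com", "/1.0/"

def _usable(saasid):
    # Empty values and an unfilled "<saasid>" template are not real IDs.
    return bool(saasid) and not set("<>/") & set(saasid)

def saasid_from_acs_url(url):
    """Return the saasid query parameter of an ACS URL, or None."""
    p = urlsplit(url)
    if (p.scheme, p.hostname, p.path) != ("https", ACS_HOST, ACS_PATH):
        return None  # wrong scheme, look-alike host, or different endpoint
    values = parse_qs(p.query).get("saasid", [])
    # A repeated parameter is ambiguous, so require exactly one value.
    return values[0] if len(values) == 1 and _usable(values[0]) else None

def saasid_from_relay_state(relay_state):
    """Return the saasid from https://pingone.com/1.0/<saasid>, or None."""
    p = urlsplit(relay_state)
    if (p.scheme, p.hostname) != ("https", RELAY_HOST) or not p.path.startswith(RELAY_PREFIX):
        return None
    saasid = p.path[len(RELAY_PREFIX):]
    return saasid if _usable(saasid) else None

def audit(connections):
    findings = {}
    for name, cfg in connections.items():
        acs = saasid_from_acs_url(cfg.get("acs_url", ""))
        relay = saasid_from_relay_state(cfg.get("relay_state", ""))
        if acs and relay and acs != relay:
            findings[name] = "conflict: ACS URL and RelayState name different applications"
        elif acs or relay:
            findings[name] = "ok: " + (acs or relay)
        else:
            findings[name] = "missing saasid: defaults to the dock, or errors without one"
    return findings

# Constructed sample IdP settings; the saasid values are made up.
BASE = "https://sso.connect.pingidentity.com/sso/sp/ACS.saml2"
SAMPLE = {
    "crm": {"acs_url": BASE + "?saasid=example-saasid-0001"},
    "wiki": {"relay_state": "https://pingone.com/1.0/example-saasid-0002"},
    "hr": {"acs_url": BASE + "?saasid=<saasid>"},  # template never filled in
    "mail": {"acs_url": BASE},                     # parameter omitted
}
if __name__ == "__main__":
    print(audit(SAMPLE))
```
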

## Configuring SP-initiated SSO

### About this task

SSO is initiated at the SP itself, rather than through PingOne for Enterprise or the IdP. The SP uses the PingOne for Enterprise SSO URL assigned to the IdP to redirect user authentication requests.

### Steps

* Configure the SP to initiate SSO.

  #### Choose from:

  * If you're using PingFederate as the SP, specify the `AuthenticatingIdpId` query parameter for the PingFederate `/sp/startSSO.ping` endpoint.

    For example:

    ```
    /sp/startSSO.ping?AuthenticatingIdpId=customer001.com
    ```

    For more information, see .pingidentity.com/pingfederate/pf83/index.shtml//\[SP services].

  * If you're not using PingFederate as the SP:

    1. Get the application SSO URL from the SP.

    2. Add the application to the PingOne for Enterprise dock using this URL.

       For instructions, see [Add or update an application using its SSO URL](p14e_add_update_application_sso_url.html).
