PingOne for Enterprise

About multiplexing

PingOne SSO for SaaS Apps supports two kinds of multiplexing: application multiplexing and connection multiplexing.

Application multiplexing

A multiplexed application has a single connection to PingOne SSO for SaaS Apps. This allows you to share an application configuration across all identity providers (IdPs) connected to the application. For example, if you have one customer using PingFederate as an IdP, and another customer using Active Directory, they can both connect to a multiplexed application without any additional configuration.

PingOne SSO for SaaS Apps uses the entity ID value PingConnect to send SAML assertions to multiplexed applications. For non-multiplexed applications, PingOne uses the entity ID of the IdP.

With a non-multiplexed application, you configure a connection for each individual customer, often with different ACS URLS and entity IDs for each individual IdP.

Only SAML applications can be non-multiplexed. OIDC and REST applications are always multiplexed.

Application multiplexing simplifies administration by allowing you to apply an application configuration to all customers and IdPs instead of administering each instance of the application separately. For example, exchanging metadata or updating certificates applies the change to all IdPs connected to the multiplexed application.

Manual connections to non-multiplexed applications are not supported. You can only create connections to non-multiplexed applications through invited or managed PingOne for Enterprise accounts.

Connection multiplexing

A multiplexed connection is a single connection from an IdP to PingOne SSO for SaaS Apps. Multiplexing allows the IdP to access all of your customer’s applications using a shared attribute contract, the same certificates, and a single entity ID, PingConnect.

A non-multiplexed connection is application-specific. The IdP configures a connection for each application using different attribute contracts and application-specific entity ID values.

IdP connections through a PingOne for Enterprise account are always multiplexed.

Without multiplexing, PingOne SSO for SaaS Apps connections to your applications are separate, one-to-one connections to an IdP. Each application is assigned a separate entity ID value for its connection. If your account has an existing multiplexed connection for some IdPs, you can still create non-multiplexed connections for other IdPs.

Because the IdP only needs to maintain a single connection to PingOne SSO for SaaS Apps rather than maintaining a separate connection for each application, connection multiplexing simplifies administration.

Manual connections can be either multiplexed or non-multiplexed.

Combining application and connection multiplexing

Multiplexing combination support
Connection type Multiplexed application Non-multiplexed application

Multiplexed connection

Supported

Supported

Non-Multiplexed connection

Supported

Not supported

Because non-multiplexed connections must be established manually, and it’s not possible to create a manual connection to a non-multiplexed application, non-multiplexed connections to non-multiplexed applications are not supported.