PingOne for Enterprise

Adding or updating a SAML-enabled application

Create a SAML application for your customers to connect to.

About this task

When you’re adding or updating a SAML-enabled application, you’ll need to specify the proper SAML configuration to establish a connection for your application.

Steps

  1. Go to Applications → My Applications → SAML.

  2. Click Add New Application.

  3. On Basic information tab, select the category that applies to your application.

  4. Enter the application name and a description that will identify your application to users.

  5. Select whether your application is to be made publicly available (listed in the Application Catalog), or privately available (not listed in the Application Catalog, and available to organizations only at your invitation).

  6. Optional: Upload a logo and icon to use for your application. The logo is used for workstation users. The icon is displayed for mobile users.

    PNG is the only supported graphics format.

  7. Click Continue to Next Step and choose Yes, it is SAML-enabled.

  8. Optional: On the Create Connections page, select the SAML version supported by your application. If you’re uncertain, the default version (SAML 2.0) is generally correct.

  9. Upload Metadata. Click Select File to upload the application’s metadata file, or click Or use URL to enter the URL of the metadata file. The ACS URL and Entity ID will then be supplied for you. If you don’t upload the application metadata, you’ll need to enter this information manually with values provided by the application.

    The application’s Entity ID must be unique within your account. You can’t configure more than one application in PingOne SSO for SaaS Apps using the same SP entity ID.

  10. Optional: Choose whether or not to enable SAML multiplexing (the default).

    For more information about application multiplexing, see About multiplexing.

  11. Select the public signing certificate to use. PingOne SSO for SaaS Apps will use this certificate on your behalf to sign SAML assertions. You can choose either:

    Choose from:

    • Primary Certificate

      When you select the primary certificate, the PingOne SSO for SaaS Apps metadata for download contains both the primary and the renewal certificates.

    • Renewal Certificate

      When you select the renewal certificate, the PingOne SSO for SaaS Apps metadata for download contains only the renewal certificate. A renewal certificate is available only thirty days before the expiration of the primary certificate.

      If you are using multiplexing, the primary and renewal certificates are PingOne SSO for SaaS Apps universal certificates. In this case, when you’re notified to update the certificate, it’s imperative that you do so.

      1. You can also choose to download the certificates independently (not as part of the PingOne SSO for SaaS Apps metadata). To do this, scroll down to the certificate Download links and click the appropriate link.

        The Signing Certificate download link is for the certificate you selected in the Signing Certificate dropdown list. The other certificate is the certificate you didn’t select in the Signing Certificate dropdown list. Note the expiration dates for the certificates.

        If a certificate is identified as Expired, currently, we’ll still accept it. At some point, we may no longer accept the certificate, so we recommend you install a valid certificate soon. Note that your IdP or an application may not accept an expired certificate.

  12. You need to supply the PingOne SSO for SaaS Apps connection information to each customer connecting to your application. You can either:

    • Click Download to retrieve all of SAML metadata for the PingOne SSO for SaaS Apps connection.

    • Copy the displayed connection information (for SSO Service URL and Entity ID) and download the PingOne SSO for SaaS Apps signing certificate.

  13. Optional: Enter the URL for the SAML Single Logout Endpoint. We send the single logout (SLO) request to this URL using the binding type you select for Single Logout Binding Type.

    The attributes for Single Logout Endpoint, Single Logout Binding Type and Verification Certificate are interdependent. To support SLO, you’ll need to specify all of these attribute values, and optionally, Single Logout Response Endpoint. See PingOne for Enterprise and SLO for more information.

    If you choose not to support SLO for an application, when the user session ends the application will not be notified.
  14. Optional: Enter the URL for the SAML Single Logout Response Endpoint. If you don’t assign a value here, Single Logout Endpoint is also used as the response endpoint. You send the application SLO response to this URL.

  15. Optional: Select the binding type to use for SLO. This can be POST or Redirect (defaults to POST).

  16. Optional: Upload the signing certificate you’ll use to sign SLO requests. This can be the same certificate you use for SAML assertions.

  17. Click Signing Algorithm to choose the algorithm used to sign both SAML assertions and SLO requests.

    If you are setting up a new application, the signing algorithm defaults to the recommended SHA-256.

    If you have an existing application configuration, SHA-1 may be displayed as the default signing algorithm. We recommend you change it to SHA-256 at your convenience.

  18. Optional: Encrypt Assertion. If selected, the assertions sent from PingOne SSO for SaaS Apps for the application will be encrypted. Available for SAML 2.0 multiplexed applications only.

    Selecting this option will prompt you for the information necessary to encrypt the assertion:

    Encryption Certificate

    Upload the certificate to use to encrypt the assertions.

    Encryption Algorithm

    Choose the algorithm to use for encrypting the assertions. We recommend AES_256 (the default), but you can select AES_128 instead.

    Transport Algorithm

    The algorithm used for securely transporting the encryption key. Currently, RSA-OAEP is the only transport algorithm supported.

  19. Verify that all entries are correct, then click Continue to Next Step. The SSO Attribute Requirements page is displayed.

    On the SSO Attribute Requirements page, click Add Attribute to add any attributes necessary for SSO to your application.

  20. Optional: Click on the Name or Description of any existing attribute to edit the value. Press Enter to save your changes or Esc to cancel.

    Click the Required checkbox for any attributes that require a value for SSO to your application.

    Click Continue to Next Step.

    On the Create Instructions page, for Introduction Text, enter text introducing your application and supplying any necessary instructions to users.

    For SSO Configuration Path, enter user guidance for the location of any SSO settings for your application.

    For SSO Configuration Page URL, enter the URL for any SSO settings for your application.

    For Configuration Steps, click Add Step to add stepped instructions for configuring SSO for your application.

    For SSO Configuration Page Screenshot, click Select Image to upload a screenshot of the SSO configuration page for your application.

    On the Publish page, click Add Parameter to assign any connection parameters customers can use for your application. You can elect to make the parameters required.

    On the Publish page, verify that the information is correct, then click Save & Publish.If you have selected to publish your application publicly, it is submitted to us for registration. When we have processed the registration for your application, your application information is published in the Application Catalog.

    Your application is displayed in the listing on your My Applications page, where you can view or edit all of the your application settings as needed.

    If you have selected to publish your application privately, the application will not be listed in the Application Catalog. Instead, you will invite customers to connect to your application. See Customer connection methods for instructions.

Result

After you have published an application, you will not be able to change the SSO connection type(s). You will need to remove the application, then add it again in this case. However, you can change configuration settings for the SSO connections.

Next steps

To test your application before connecting to a customer, see Testing your application using the built-in IdP or Testing your application using PingOne for Enterprise.