---
title: Adding or updating a SAML-enabled application
description: Create a SAML application for your customers to connect to.
component: pingoneforenterprise
page_id: pingoneforenterprise:pingone_sso_for_saas_apps:p14saas_add_update_saml_application
canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_sso_for_saas_apps/p14saas_add_update_saml_application.html
revdate: September 22, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
  choose-from: Choose from:
  result: Result
  next-steps: Next steps
---

# Adding or updating a SAML-enabled application

Create a SAML application for your customers to connect to.

## About this task

When you're adding or updating a SAML-enabled application, you'll need to specify the proper SAML configuration to establish a connection for your application.

## Steps

1. Go to **Applications > My Applications > SAML**.

2. Click **Add New Application**.

3. On the **Basic information** tab, select the category that applies to your application.

4. Enter the application name and a description that will identify your application to users.

5. Select whether your application is to be made publicly available (listed in the Application Catalog), or privately available (not listed in the Application Catalog, and available to organizations only at your invitation).

6. **Optional:** Upload a logo and icon to use for your application. The logo is used for workstation users. The icon is displayed for mobile users.

   PNG is the only supported graphics format.

7. Click **Continue to Next Step** and choose **Yes, it is SAML-enabled**.

8. **Optional:** On the Create Connections page, select the SAML version supported by your application. If you're uncertain, the default version (SAML 2.0) is generally correct.

9. **Upload Metadata**. Click **Select File** to upload the application's metadata file, or click **Or use URL** to enter the URL of the metadata file. The **ACS URL** and **Entity ID** will then be supplied for you. If you don't upload the application metadata, you'll need to enter this information manually with values provided by the application.

   The application's **Entity ID** must be unique within your account. You can't configure more than one application in PingOne SSO for SaaS Apps using the same SP entity ID.

10. **Optional:** Choose whether or not to enable SAML multiplexing (the default).

    For more information about application multiplexing, see [About multiplexing](p14saas_about_multiplexing.html).

11. Select the public signing certificate to use. PingOne SSO for SaaS Apps will use this certificate on your behalf to sign SAML assertions. You can choose either:

    ### Choose from:

    * Primary Certificate

      When you select the primary certificate, the PingOne SSO for SaaS Apps metadata for download contains both the primary and the renewal certificates.

    * Renewal Certificate

      When you select the renewal certificate, the PingOne SSO for SaaS Apps metadata for download contains only the renewal certificate. A renewal certificate is available only thirty days before the expiration of the primary certificate.

      If you are using multiplexing, the primary and renewal certificates are PingOne SSO for SaaS Apps universal certificates. In this case, when you're notified to update the certificate, it's imperative that you do so.

      1. You can also choose to download the certificates independently (not as part of the PingOne SSO for SaaS Apps metadata). To do this, scroll down to the certificate **Download** links and click the appropriate link.

         The Signing Certificate download link is for the certificate you selected in the **Signing Certificate** dropdown list. The other certificate is the certificate you didn't select in the **Signing Certificate** dropdown list. Note the expiration dates for the certificates.

         If a certificate is identified as Expired, we currently still accept it. At some point, we may no longer accept the certificate, so we recommend you install a valid certificate soon. Note that your IdP or an application may not accept an expired certificate.

12. You need to supply the PingOne SSO for SaaS Apps connection information to each customer connecting to your application. You can either:

    * Click **Download** to retrieve all of the SAML metadata for the PingOne SSO for SaaS Apps connection.

    * Copy the displayed connection information (for **SSO Service URL** and **Entity ID**) and download the PingOne SSO for SaaS Apps signing certificate.

13. **Optional:** Enter the URL for the SAML **Single Logout Endpoint**. We send the single logout (SLO) request to this URL using the binding type you select for **Single Logout Binding Type**.

    The attributes for **Single Logout Endpoint**, **Single Logout Binding Type** and **Verification Certificate** are interdependent. To support SLO, you'll need to specify all of these attribute values, and optionally, **Single Logout Response Endpoint**. See [PingOne for Enterprise and SLO](../pingone_for_enterprise/p14e_slo.html) for more information.

    If you choose not to support SLO for an application, when the user session ends the application will not be notified.

14. **Optional:** Enter the URL for the SAML **Single Logout Response Endpoint**. If you don't assign a value here, **Single Logout Endpoint** is also used as the response endpoint. You send the application SLO response to this URL.

15. **Optional:** Select the binding type to use for SLO. This can be **POST** or **Redirect** (defaults to **POST**).

16. **Optional:** Upload the signing certificate you'll use to sign SLO requests. This can be the same certificate you use for SAML assertions.

17. Click **Signing Algorithm** to choose the algorithm used to sign both SAML assertions and SLO requests.

    If you are setting up a new application, the signing algorithm defaults to the recommended SHA-256.

    If you have an existing application configuration, SHA-1 may be displayed as the default signing algorithm. We recommend you change it to SHA-256 at your convenience.

18. **Optional:** **Encrypt Assertion**. If selected, the assertions sent from PingOne SSO for SaaS Apps for the application will be encrypted. Available for SAML 2.0 multiplexed applications only.

    Selecting this option will prompt you for the information necessary to encrypt the assertion:

    * Encryption Certificate

      Upload the certificate to use to encrypt the assertions.

    * Encryption Algorithm

      Choose the algorithm to use for encrypting the assertions. We recommend **AES\_256** (the default), but you can select **AES\_128** instead.

    * Transport Algorithm

      The algorithm used for securely transporting the encryption key. Currently, **RSA-OAEP** is the only transport algorithm supported.

19. Verify that all entries are correct, then click **Continue to Next Step**. The SSO Attribute Requirements page is displayed.

    On the SSO Attribute Requirements page, click **Add Attribute** to add any attributes necessary for SSO to your application.

20. **Optional:** Click on the **Name** or **Description** of any existing attribute to edit the value. Press Enter to save your changes or Esc to cancel.

    Click the **Required** checkbox for any attributes that require a value for SSO to your application.

    Click **Continue to Next Step**.

    On the Create Instructions page, for **Introduction Text**, enter text introducing your application and supplying any necessary instructions to users.

    For **SSO Configuration Path**, enter user guidance for the location of any SSO settings for your application.

    For **SSO Configuration Page URL**, enter the URL for any SSO settings for your application.

    For **Configuration Steps**, click **Add Step** to add stepped instructions for configuring SSO for your application.

    For **SSO Configuration Page Screenshot**, click **Select Image** to upload a screenshot of the SSO configuration page for your application.

    On the Publish page, click **Add Parameter** to assign any connection parameters customers can use for your application. You can elect to make the parameters required.

    On the Publish page, verify that the information is correct, then click **Save & Publish**. If you have selected to publish your application publicly, it is submitted to us for registration. When we have processed the registration for your application, your application information is published in the Application Catalog.

    Your application is displayed in the listing on your My Applications page, where you can view or edit all of your application settings as needed.

    If you have selected to publish your application privately, the application will not be listed in the Application Catalog. Instead, you will invite customers to connect to your application. See [Customer connection methods](p14saas_customer_connection_methodss.html) for instructions.
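
Before uploading metadata in step 9, you can check what the file declares for the **ACS URL**, **Entity ID** and the SLO settings in steps 13 to 16. The following is an added example, not PingOne code: the sample metadata, its URLs and the function name are constructed, and preferring the `isDefault` ACS endpoint is an assumption, since this page doesn't say how the console chooses among several.

```python
import xml.etree.ElementTree as ET

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
# Constructed sample SP metadata; the entity ID and URLs are hypothetical.
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.example.com/saml/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Location="http://app.example.com/saml/slo"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:AssertionConsumerService index="0" Location="https://app.example.com/saml/legacy"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:AssertionConsumerService index="1" isDefault="true"
        Location="https://app.example.com/saml/acs"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_sp_metadata(xml_text):
    """Return (fields, findings) for one SP metadata document."""
    # Metadata fetched from a URL is untrusted input: refuse DTDs and entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("metadata must not contain a DTD")
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", MD)
    if sp is None:
        raise ValueError("no SPSSODescriptor: not service provider metadata")
    acs_all = sp.findall("md:AssertionConsumerService", MD)
    if not acs_all:
        raise ValueError("no AssertionConsumerService endpoint")
    # Assumption: prefer the endpoint flagged isDefault, else the first listed.
    acs = next((a for a in acs_all if a.get("isDefault") in ("true", "1")), acs_all[0])
    slo = sp.find("md:SingleLogoutService", MD)
    slo = slo.attrib if slo is not None else {}
    fields = {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "slo_url": slo.get("Location"),
        # With no separate response endpoint, the SLO endpoint is used for both.
        "slo_response_url": slo.get("ResponseLocation") or slo.get("Location"),
        "slo_binding": slo.get("Binding", "").rsplit(":", 1)[-1] or None,
    }
    findings = [name + " is not HTTPS" for name in ("acs_url", "slo_url")
                if fields[name] and not fields[name].startswith("https://")]
    # SLO needs a verification certificate: look for a signing KeyDescriptor.
    signing = [k for k in sp.findall("md:KeyDescriptor", MD)
               if k.get("use") in (None, "signing")]
    if fields["slo_url"] and not signing:
        findings.append("SLO endpoint declared without a signing certificate")
    return fields, findings
```

To enforce the rule that an **Entity ID** is unique within your account, run this over each application's metadata and compare the `entity_id` values.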

## Result

After you have published an application, you can't change its SSO connection type(s). To change the connection type, you need to remove the application, then add it again. You can still change the configuration settings for the SSO connections.

## Next steps

To test your application before connecting to a customer, see [Testing your application using the built-in IdP](p14saas_test_application_integration.html) or [Testing your application using PingOne for Enterprise](p14saas_testing_your_application_using_p14e.html).
