PingOne for Enterprise

Creating a manual SAML connection

After integrating your application with PingOne SSO for SaaS Apps, you can use your customer’s SAML connection information to manually configure the connection to your application.

About this task

For direct connections, you manually configure and establish a SAML connection to your application for the customer. You must collect from the customer all necessary SAML information for the customer side of the connection using your own (out-of-band) methods.

For manual connections, your IdP partner must send attributes exactly as your application requires. If you need to transform or remap your attributes in PingOne SSO for SaaS Apps before sending them to your application, use an invited connection or managed account.

Don’t use a manual connection if your customer is using PingOne for Enterprise. Use an invited connection instead.

Steps

  1. Go to Customer Connections → Adding Connections → Manual Connection.

  2. Select the check boxes of the applications you want to make available to this customer connection.

  3. Click Yes to make this a multiplexed connection, or No to make it non-multiplexed.

    For more information about connection multiplexing, see About multiplexing.

  4. Enter the customer information for the Customer Email and Customer ID(idpid) fields.

  5. For Upload Metadata:

    Choose from:

    • To upload your customer’s connection metadata file, click Choose File.

    • To enter your customer’s metadata URL, click Or use URL, and enter the metadata URL in the URL of the file field.

      The entries for Entity ID and SSO Endpoint are populated for you.

      +

      If you don’t upload the customer’s connection metadata, you must enter the Entity ID and SSO Endpoint values.

  6. For Verification Certificate, click Choose File to upload the customer’s public certificate.

    PingOne SSO for SaaS Apps uses this certificate to sign SAML assertions.

  7. Optional: In the Single Logout Endpoint field, enter the URL for the SAML single logout (SLO) endpoint.

    PingOne SSO for SaaS Apps sends SLO requests to this URL using the binding type you select for Single Logout Binding Type.

    The attributes for Single Logout Endpoint, Single Logout Binding Type, and Verification Certificate are interdependent. To support SLO, you will need to specify all of these attribute values, and optionally, Single Logout Response Endpoint. For more information, see PingOne for Enterprise and SLO.

    If you choose not to support SLO for an application, the application is not notified when the user session ends.

  8. Optional: In the Single Logout Response Endpoint field, enter the URL for the SAML SLO endpoint.

    If you don’t assign a value here, Single Logout Endpoint is also used as the response endpoint. Your application sends the SLO response to this URL.

  9. Optional: Click either POST or Redirect for the SLO binding type.

    If the IdP metadata you uploaded in Step 5 contains both Redirect and POST SSO bindings, PingOne SSO for SaaS Apps will use the Redirect binding to send AuthnRequests for this connection.

    If the metadata only contains a POST binding, PingOne SSO for SaaS Apps will use POST for this connection.

    If you configure the fields manually without importing metadata, PingOne SSO for SaaS Apps will use the Redirect binding.

  10. Select the Sign the AuthnRequest check box to make PingOne SSO for SaaS Apps sign AuthnRequests to the customer.

  11. Optional: Upload the signing certificate you will use to sign SLO requests. This can be the same certificate you use for SAML assertions.

    In the Signing Algorithm list, select the algorithm used to sign both SAML assertions and SLO requests.

If you are setting up a new application, the signing algorithm defaults to the recommended SHA-256.

If you have an existing application configuration, SHA-1 might be displayed as the default signing algorithm. We recommend you change it to SHA-256 at your convenience.

  1. Download the files and data from the PingOne Connection Information section to supply to your customer.

    If this connection is not multiplexed, and enabled through PingOne SSO for SaaS Apps rather than SAML or OIDC, you can select Use Custom Entity ID to use the application’s custom entity ID rather than the default saasid.

    For more information about configuring a custom entity ID, see Add or update other applications.

  2. Click Save settings.