--- title: Creating a manual SAML connection description: After integrating your application with PingOne SSO for SaaS Apps, you can use your customer's SAML connection information to manually configure the connection to your application. component: pingoneforenterprise page_id: pingoneforenterprise:pingone_sso_for_saas_apps:p14saas_create_saml_connection canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_sso_for_saas_apps/p14saas_create_saml_connection.html revdate: December 30, 2022 section_ids: about-this-task: About this task steps: Steps choose-from: Choose from: --- # Creating a manual SAML connection After integrating your application with PingOne SSO for SaaS Apps, you can use your customer's SAML connection information to manually configure the connection to your application. ## About this task For direct connections, you manually configure and establish a SAML connection to your application for the customer. You must collect from the customer all necessary SAML information for the customer side of the connection using your own (out-of-band) methods. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | For manual connections, your IdP partner must send attributes exactly as your application requires. If you need to transform or remap your attributes in PingOne SSO for SaaS Apps before sending them to your application, use an [invited connection](p14saas_creating_invited_sso_connection.html) or [managed account](p14saas_creating_administering_partner_account.html).Don't use a manual connection if your customer is using PingOne for Enterprise. Use an [invited connection](p14saas_creating_invited_sso_connection.html) instead. | ## Steps 1. Go to **Customer Connections > Adding Connections > Manual Connection**. 2. Select the checkboxes of the applications you want to make available to this customer connection. 3. Click **Yes** to make this a multiplexed connection, or **No** to make it non-multiplexed. For more information about connection multiplexing, see [About multiplexing](p14saas_about_multiplexing.html). 4. Enter the customer information for the **Customer Email** and **Customer ID**(`idpid`) fields. 5. For **Upload Metadata**: ### Choose from: * To upload your customer's connection metadata file, click **Choose File**. * To enter your customer's metadata URL, click **Or use URL**, and enter the metadata URL in the **URL of the file** field. The entries for **Entity ID** and **SSO Endpoint** are populated for you. \+ | | | | - | --------------------------------------------------------------------------------------------------------------------- | | | If you don't upload the customer's connection metadata, you must enter the **Entity ID** and **SSO Endpoint** values. | 6. For **Verification Certificate**, click **Choose File** to upload the customer's public certificate. PingOne SSO for SaaS Apps uses this certificate to sign SAML assertions. 7. **Optional:** In the **Single Logout Endpoint** field, enter the URL for the SAML single logout (SLO) endpoint. PingOne SSO for SaaS Apps sends SLO requests to this URL using the binding type you select for `Single Logout Binding Type`. The attributes for `Single Logout Endpoint`, `Single Logout Binding Type`, and `Verification Certificate` are interdependent. To support SLO, you will need to specify all of these attribute values, and optionally, `Single Logout Response Endpoint`. For more information, see [PingOne for Enterprise and SLO](../pingone_for_enterprise/p14e_slo.html). | | | | - | ---------------------------------------------------------------------------------------------------------------- | | | If you choose not to support SLO for an application, the application is not notified when the user session ends. | 8. **Optional:** In the **Single Logout Response Endpoint** field, enter the URL for the SAML SLO endpoint. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If you don't assign a value here, **Single Logout Endpoint** is also used as the response endpoint. Your application sends the SLO response to this URL. | 9. **Optional:** Click either **POST** or **Redirect** for the SLO binding type. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | If the IdP metadata you uploaded in Step 5 contains both Redirect and POST SSO bindings, PingOne SSO for SaaS Apps will use the Redirect binding to send AuthnRequests for this connection.If the metadata only contains a POST binding, PingOne SSO for SaaS Apps will use POST for this connection.If you configure the fields manually without importing metadata, PingOne SSO for SaaS Apps will use the Redirect binding. | 10. Select the **Sign the AuthnRequest** checkbox to make PingOne SSO for SaaS Apps sign AuthnRequests to the customer. 11. **Optional:** Upload the signing certificate you will use to sign SLO requests. This can be the same certificate you use for SAML assertions. In the **Signing Algorithm** list, select the algorithm used to sign both SAML assertions and SLO requests. If you are setting up a new application, the signing algorithm defaults to the recommended SHA-256. If you have an existing application configuration, SHA-1 might be displayed as the default signing algorithm. We recommend you change it to SHA-256 at your convenience. 1. Download the files and data from the **PingOne Connection Information** section to supply to your customer. If this connection is not multiplexed, and enabled through PingOne SSO for SaaS Apps rather than SAML or OIDC, you can select **Use Custom Entity ID** to use the application's custom entity ID rather than the default `saasid`. For more information about configuring a custom entity ID, see [Add or update other applications](p14saas_add_update_other_app.html). 2. Click **Save settings**.