Edit a managed customer connection
Change the basic information, SAML details, and identity provider (IdP) discovery settings of your existing managed customer connections.
About this task
For information on editing existing invited customer connections, see Edit an invited customer connection.
Only certain settings are available for editing. These settings depend on whether your application is SAML-enabled, whether the application connection is manually configured, and whether or not the connection is multiplexed.
The following steps are optional. You only need to change the settings that apply to your customer connection.
Steps
- To display the list of customer connections for your applications, click the Customer Connections tab.
- Optional: To display the customer connection filtering options, click Narrow by.
- To filter the list of customer connections, select or clear the Enabled or Type boxes.
- For the connection you want to edit, click the down arrow to display the drop-down list, and click Edit.
- To indicate whether this connection is multiplexed, click Yes or No.
- In the Contact Email field, enter the email address of the person assigned as the contact for this connection.
- In the IdpId field, enter the idpId. For more information, see Finding the idpId value.
- In the Entity ID field, enter a unique name for the identity bridge.
- Upload metadata. Choose from:
  - Click Select File to upload a local metadata file.
  - Click Or use URL to enter a metadata URL.
- In the SSO Endpoint field, enter the identity bridge endpoint URL to which PingOne will send AuthNRequests.
- To upload a verification certificate, click Browse…, and select a local signing certificate file to upload.
  Result: If you upload a verification certificate, the details for that certificate are displayed in the Certificate File Name, Certificate Subject DN, and Expiration Date fields.
- In the Single Logout Endpoint field, enter the endpoint URL to redirect users to when they sign out of an application.
- In the Single Logout Response Endpoint field, enter the URL to which applications send logout responses.
- For Single Logout Binding Type, click either Redirect or Post to determine how SAML uses HTTP to transport messages.
- To enable PingOne to sign outgoing connection requests, select the Sign the AuthNRequest box.
- From the Signing Algorithm list, select the algorithm for PingOne to use when signing outgoing connection requests.
- From the Connection Data section, you can download the Signing Certificate, PingOne Metadata, and Encryption Certificate. You can also copy and share the ACS URL with the customer's IdP.
  If this connection is not multiplexed, and is enabled through PingOne rather than SAML or OIDC, you can select Use Custom Entity ID to use the application's custom entity ID rather than the default saasid. For more information about configuring a custom entity ID, see Add or update other applications.
- In the IdP Discovery section, enter the Email Domain to use for IdP discovery.
  PingOne uses the email domain you specify to discover the IdP and assign it to the customer account.
- Enable the Set as default IdP box to redirect users who enter an email address that cannot be matched to an IdP during service provider (SP)-initiated single sign-on (SSO).
  The Set as default IdP setting is not displayed if you have already enabled this setting for the customer account.
  You can enable IdP discovery to associate each connection with an IdP. When an SSO request is initiated (SP-initiated SSO), there is no need to specify the identifier for the IdP. Instead, PingOne resolves the correct IdP by associating email domains with specific managed accounts and their IdP. During a user's initial SSO, the user enters an email address with a matching domain; PingOne prompts the user for their email address only during that initial SSO.
  When a user initially attempts to SSO to the application, the user is prompted for their email address. If the domain of the email address matches one of the IdP discovery domains you assigned, PingOne redirects the user to the corresponding IdP for authentication. If the domain does not match and you have not enabled Set as default IdP, an error is displayed and the user is prompted again for their email address. When Set as default IdP is enabled, the user is redirected to the default IdP to authenticate.
- When you are finished making changes, click Save changes.
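The IdP discovery behaviour described above (domain match, default-IdP fallback, re-prompt on no match, and the one-default-per-account rule), modelled as an added example; this is not PingOne's code, and the idpId values, domains and email addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class DiscoveryResult:
    action: str                  # "redirect" or "prompt_again"
    idp: Optional[str] = None    # idpId the user is sent to, if any
    reason: str = ""


@dataclass
class CustomerAccount:
    """A managed customer account: each connection maps an email domain to an IdP."""
    domains: Dict[str, str] = field(default_factory=dict)   # email domain -> idpId
    default_idp: Optional[str] = None

    def add_connection(self, idp_id: str, email_domain: str, set_as_default: bool = False) -> None:
        domain = email_domain.strip().lower()
        if domain in self.domains:
            raise ValueError(f"domain {domain} is already assigned to {self.domains[domain]}")
        self.domains[domain] = idp_id
        if set_as_default:
            # The page states the default-IdP option is offered only once per account.
            if self.default_idp is not None:
                raise ValueError("a default IdP is already set for this account")
            self.default_idp = idp_id

    def resolve(self, email: str) -> DiscoveryResult:
        """Resolve the IdP for an SP-initiated SSO from the email address the user entered."""
        local, sep, domain = email.strip().rpartition("@")
        if not sep or not local or not domain:
            # Malformed input: treat like a non-matching domain and prompt again.
            return DiscoveryResult("prompt_again", reason="not an email address")
        domain = domain.lower()   # assumption: domains are compared case-insensitively
        if domain in self.domains:
            return DiscoveryResult("redirect", self.domains[domain], "domain matched")
        if self.default_idp is not None:
            return DiscoveryResult("redirect", self.default_idp, "no match; default IdP")
        return DiscoveryResult("prompt_again", reason="no match and no default IdP")


if __name__ == "__main__":
    acct = CustomerAccount()
    acct.add_connection("idp-acme", "Acme.example")                     # constructed values
    acct.add_connection("idp-shared", "shared.example", set_as_default=True)
    for addr in ("bob@acme.example", "eve@other.example", "not-an-email"):
        print(addr, "->", acct.resolve(addr))
```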