PingOne for Enterprise

Enable IdP discovery

About this task

You can use IdP discovery to associate the partner account with an identity provider (IdP). When you’re initiating an SSO request (SP-initiated SSO), there’s then no need to specify the identifier for the identity provider (IdP). Instead, we will resolve the correct IdP by associating an email domain with the partner’s IdP. During a user’s initial SSO, we will prompt the user to enter a matching email domain. (The user is prompted for the email domain only during their initial SSO.)

Steps

  1. Select the Managed Accounts tab to display the list of managed customer accounts.

  2. Click the Details icon to display the account details, and click the edit icon.

  3. Optional: Edit the available account settings.

  4. In the IdP Discovery section, enter the Email Domain to use for IdP discovery. We’ll use the email domain you specify to discover the IdP and assign it to the partner account.

    1. Enable Set as default IdP if you want us to redirect users to the IdP for the specified email domain. We will redirect users to this IdP in the event that, during SP-initiated SSO, users enter an email address that we are unable to match to an IdP.

      The Set as default IdP setting will not be displayed if you have already enabled this setting for the partner account.

    When a user initially attempts to sign on (SSO) to the application, the user is prompted for their email address. If the domain of the email address matches one of the IdP discovery domains you’ve assigned, we will redirect the user to the corresponding IdP for authentication. If the domains do not match and you have not enabled Set as default IdP, an error is displayed and the user is prompted again for their email address. When Set as default IdP is enabled, the user is redirected to the default IdP to authenticate.