PingOne for Enterprise

Redirect users to PingOne SSO for SaaS Apps (SP-initiated SSO)

Redirect users from your application to PingOne SSO for SaaS Apps.

About this task

You will redirect your users to PingOne SSO for SaaS Apps using the PingOne SSO for SaaS Apps URL format and attributes.

Steps

  1. Format the PingOne SSO for SaaS Apps URL.

    The HTTP redirect has to go to this PingOne URL: https://sso.connect.pingidentity.com/sso/sp/initsso?saasid=<parmname>&idpid=<idpid>&appurl=<url>&errorurl=<errorUrl>

  2. Assign the query parameters.

    The following parameters are supported:

    saasid

    Identifies the application your user wants to access. You will find a listing of your applications and the associated SaaS ID (in parentheses below the application name) on the My Applications tab.

    idpid

    Identifies the identity repository for user authentication. This ID must be unique. The idpid value is used during HTTP redirect and token exchange. We recommend that you use a domain name here, if possible. Note: IdP IDs containing the forward-slash character (/) aren’t allowed. For methods you can use to discover the idpid for a particular IdP, see Finding the idpId value.

    appurl

    A URL in your domain to which the user is redirected after authenticating. Use this to override the Default Application URL value set on the Create connections page. Unlike the Default Application URL value, appurl cannot be a non-SSL URL, even for a test or development environment; only SSL URLs are accepted. If you specify a value here, you must have a matching value for the Hostname or Domainname entry on the Create connections page.

    errorurl

    An error-handling URL for your domain to redirect to in case of an error. This is used to override the Error URL value set on the Create connections page.

    forceauthn

    If true, ensures the IdP forces the user to re-authenticate, even if the user possesses a valid SSO session.

    For multiplexed SAML applications, multiple IdPs use a single connection to an application. In this case, PingOne needs to determine which IdP to use to authenticate a user. If we cannot determine this from the idpid parameter, we prompt the user for their email address and look up the IdP based on the email domain. However, when you’re doing SP-initiated SSO from a PingFederate SP server, you can specify the IdP using the SP Services query parameter AuthenticatingIdpId. Learn more in the AuthenticatingIdpId entry in SP services.

    Example:

    Here’s an example of a redirect to PingOne SSO for SaaS Apps: https://sso.connect.pingidentity.com/sso/sp/initsso?saasid=mysaas.com&idpid=exampleIdp.com

    This URL is different for every IdP.
  3. Write the supporting code to implement the HTTP redirect. You can use these samples as a basis:

  4. Next, you will need to process the PingOne token exchange.
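
For step 3, one way to build and issue the redirect in Python. This is an added example, not one of the PingOne samples. ALLOWED_HOSTS, the helper names and app.example.com are assumptions standing in for your own Hostname or Domainname entry on the Create connections page; the application-side host check and treating saasid as required are also assumptions.

```python
from urllib.parse import urlencode, urlsplit

INITSSO_ENDPOINT = "https://sso.connect.pingidentity.com/sso/sp/initsso"

# Assumption: hosts this application accepts for appurl/errorurl, mirroring
# the Hostname or Domainname entry on the Create connections page.
ALLOWED_HOSTS = {"app.example.com"}  # constructed sample value


def check_return_url(name, url, require_https):
    """Reject return URLs that leave our domain or use the wrong scheme."""
    parts = urlsplit(url)
    allowed_schemes = ("https",) if require_https else ("http", "https")
    if parts.scheme not in allowed_schemes:
        raise ValueError(f"{name}: scheme must be one of {allowed_schemes}")
    # parts.hostname ignores any userinfo ("user@") prefix and the port.
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"{name}: host {parts.hostname!r} is not allowed")


def build_initsso_url(saasid, idpid=None, appurl=None, errorurl=None,
                      forceauthn=False):
    """Return the SP-initiated SSO URL with every value percent-encoded."""
    if not saasid:
        raise ValueError("saasid is required")  # assumption, see lead-in
    params = {"saasid": saasid}
    if idpid is not None:
        if "/" in idpid:  # IdP IDs containing '/' aren't allowed
            raise ValueError("idpid must not contain '/'")
        params["idpid"] = idpid
    if appurl is not None:
        check_return_url("appurl", appurl, require_https=True)  # SSL only
        params["appurl"] = appurl
    if errorurl is not None:
        check_return_url("errorurl", errorurl, require_https=False)
        params["errorurl"] = errorurl
    if forceauthn:
        params["forceauthn"] = "true"
    return INITSSO_ENDPOINT + "?" + urlencode(params)


def sso_redirect(**params):
    """Status line and headers for a WSGI-style HTTP redirect."""
    return "302 Found", [("Location", build_initsso_url(**params))]
```

Building the query string with urlencode keeps a user-influenced appurl or errorurl from injecting extra parameters into the redirect, and the host check keeps the post-login destination inside your own domain.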