Prepare to provide the following:

  • Name of the application.
  • A brief, accurate description of your application.
  • Attribute mapping information, used to map your application attributes to the identity attributes required from the identity provider to verify users' identities.
  • Entity ID, used to uniquely identify the application and obtained from the service provider.
  • ACS URL, the application's URL to which SAML assertions from the IdP will be sent after user authentication occurs.
  • Certificates, if the template you select is based on a PingFederate connection that requires a certificate.

When you add an application to PingCentral, you can provide an .xml file that contains service provider metadata from a similar SAML application. This file could contain an Entity ID, ACS URL, certificates, attribute information, or all of this information.

Or, you can provide the Entity ID, ACS URL and certificates during the promotion process.

To create an .xml file from a similar application, see Downloading service provider metadata.

  1. After selecting a SAML template, the Select Metadata page displays. Complete one of the following tasks and click Next.
    • Click Choose file to provide a metadata file.
    • Click the Or Use URL link to provide a link to the metadata file.
    • Opt to skip this step and provide the Entity ID, ACS URL, and certificates during the promotion process.

      After providing a metadata file, the Entity ID, ACS URL, certificate, and attributes display on the screen, as shown in the following example.

  2. On the Map Attributes page, map the application attributes to the identity attributes required to fulfill the authentication policy contract in PingFederate. Select identity attributes from the Identity Attribute list or add static values in the Static Value field. Click Next.
  3. On the Describe Application page, enter the name of the application and a description in the appropriate fields.
    You are adding this application to PingCentral, so your name will automatically populate the Owners field.
  4. Optional: To add owners, click the box and select additional owners from the list. If the name you are looking for does not display in the list, contact your PingCentral administrator and request that the person be provisioned. Click Next.
  5. Click Save and Close.
    The application displays at the top of the list of applications on the Applications page.
  6. Promote the application to the appropriate environment. Click Promote.
  7. Select the environment to which you want to promote the application from the Available Environments list.
    Note: If you have the Application Owner role, you cannot promote applications to protected environments, which have shield icons associated with them.
  8. If you provided a metadata file when you added your application to PingCentral, you will see that the page is pre-populated with the information from the other SAML application. Modify this information, as necessary.

    If you did not upload a metadata file, enter the appropriate information in the Entity ID and ACS URL fields, and upload certificates, if required.

    Certificates are required for PingFederate SP connections when:

    • Either of the single logout (SLO) options, IdP-Initiated-SLO or SP-Initiated-SLO, are selected as the SAML profile.
    • Digital signatures are required, and the Signature Policy is set to Require authn requests to be signed when received via the POST or redirect bindings option.
    • Inbound backchannel authentication is configured.
      For more information, see the following topics in the PingFederate Server Guide:
  9. Verify that the information displayed in the Promote to Environment window is correct and click Promote.
    PingCentral promotes your application to the designated environment in PingFederate. You will see the new promotion in the History section of the page. If the signature verification certificate used during promotion is available in the PingFederate environment, that certificate is used. If not, a new certificate is created.
  10. To configure the SSO connection, provide the following information to your service provider:
    • The application Entity ID.
    • The SSO endpoint URL. Click View Connection Details to access the Promotion Details window, which displays the SSO endpoint URL.
    • Certificates, if applicable. On the Promotion Details window, click Identity Provider to download the certificate that the identity provider is using to sign the SAML assertion, as shown in the following example.