Note: You can follow these steps to create a new SP connection, or you can modify your provisioning connection.
  1. In the PingFederate administrator console, configure the data store that PingFederate will use as the source of user data. For instructions, see Datastores in the PingFederate documentation.
  2. On the Identity Provider tab, in the SP Connections area, open an existing connection or create a new one as follows:
    1. Click Create new.
    2. On the Connection Template tab, select Use a template for this connection.
    3. In the Connection Template list, select Zscaler ZPA Connector.
    4. Click Choose File, select the sp_metadata.xml file that you downloaded in Enabling provisioning and single sign-on in Zscaler, and then click Open. Click Next.
  3. On the Connection Type tab, select Browser SSO Profiles and clear any unwanted types. Click Next.
  4. On the General Info tab, the basic connection information is populated by the metadata XML file. Click Next.
  5. On the Browser SSO tab, configure browser SSO.

    For a complete guide, see Configuring IdP Browser SSO in the PingFederate documentation.

    1. On the Browser SSO > SAML Profiles tab, select only IdP-Initiated SSO and SP-Initiated SSO.
    2. On the Browser SSO > Protocol Settings > Allowable SAML Bindings tab, select only POST.
    3. On the Browser SSO > Protocol Settings > Signature Policy tab, select Always sign assertion.
  6. On the Credentials tab, configure the connection credentials. Click Next.

    For a complete guide, see Configuring credentials in the PingFederate documentation.

  7. On the Activation and Summary tab, above the Summary section, turn on the connection. Click Save.