In this use case, PingFederate bridges SSO and SLO transactions between an identity provider and multiple service providers. For example, your company wants to route federation requests from a recently acquired subsidiary through its federation infrastructure. With PingFederate, you can multiplex one IdP connection to multiple SP connections to the desired service providers. The federation hub consumes assertions from the subsidiary and creates new assertions for the respective service providers.
  1. Enable both the IdP and the SP roles with the applicable protocols on the System > Protocol Settings > Roles & Protocols screen.
  2. For each service provider, create a contract to the identity provider (see Federation hub and authentication policy contracts). Multiple contracts are likely required, because each service provider may require a unique set of attributes.
  3. Create an IdP connection between the identity provider and PingFederate (the federation hub as the SP) and add to the IdP connection the applicable authentication policy contract(s) on the Target Session Mapping screen.
  4. For each service provider, create an SP connection between PingFederate (the federation hub as the IdP) and the service provider and add to the SP connection the corresponding authentication policy contract on the Authentication Source Mapping screen.
  5. For each service provider supporting the SAML IdP-initiated SSO profile, map the expected target resources to the corresponding SP connections on the Service Provider > Target URL Mapping screen.
  6. Work with the identity provider to connect to PingFederate (the federation hub as the SP).
  7. Work with each service provider to connect to PingFederate (the federation hub as the IdP).
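
The wiring from steps 2 through 5 can be checked for consistency before going live. The following is an added example, not PingFederate code or its configuration format: the `SpConnection` class, the `check_hub` function, the entity IDs and the attribute names are all hypothetical, and it assumes contracts are fulfilled only from values in the incoming assertion. It flags a contract missing from the IdP connection, a contract that lacks or over-releases attributes for a service provider, and a missing target URL mapping for IdP-initiated SSO.

```python
from dataclasses import dataclass

# Constructed model of the wiring in steps 2-5; the class and field names are
# hypothetical and are not PingFederate's configuration format or API.
@dataclass
class SpConnection:
    entity_id: str
    contract: str              # step 4: Authentication Source Mapping
    required: frozenset        # attributes this SP expects in its assertion
    idp_initiated: bool = False

def check_hub(idp_asserts, idp_contracts, contracts, sps, target_urls):
    """Return wiring problems for one IdP connection multiplexed to many SPs.

    idp_asserts   -- attributes the identity provider sends to the hub
    idp_contracts -- contract names on the IdP connection (step 3)
    contracts     -- contract name -> set of attribute names (step 2)
    target_urls   -- target URL prefix -> SP entity ID (step 5)
    """
    problems = []
    for name in idp_contracts:
        # Assumption: contracts are fulfilled only from assertion values.
        missing = contracts.get(name, set()) - idp_asserts
        if missing:
            problems.append(f"{name}: IdP does not assert {sorted(missing)}")
    for sp in sps:
        if sp.contract not in contracts or sp.contract not in idp_contracts:
            problems.append(f"{sp.entity_id}: contract {sp.contract} not on IdP connection")
            continue
        attrs = contracts[sp.contract]
        if sp.required - attrs:
            problems.append(f"{sp.entity_id}: contract lacks {sorted(sp.required - attrs)}")
        if attrs - sp.required:
            problems.append(f"{sp.entity_id}: contract over-releases {sorted(attrs - sp.required)}")
        if sp.idp_initiated and sp.entity_id not in target_urls.values():
            problems.append(f"{sp.entity_id}: no target URL mapping")
    return problems

# Constructed sample: two SPs wrongly sharing one wide contract.
CONTRACTS = {"hr-contract": {"subject", "email", "employeeId"}}
SPS = [
    SpConnection("sp:hr", "hr-contract", frozenset({"subject", "email", "employeeId"}), True),
    SpConnection("sp:wiki", "hr-contract", frozenset({"subject", "email"})),
]
TARGET_URLS = {"https://wiki.example.com/": "sp:wiki"}

if __name__ == "__main__":
    for p in check_hub({"subject", "email", "employeeId"}, ["hr-contract"],
                       CONTRACTS, SPS, TARGET_URLS):
        print(p)
```

Giving each service provider its own contract, as step 2 recommends, clears the over-release finding for the sample data.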