The assertion consumer service (ACS) endpoint is a location to which the SSO tokens are sent, according to partner requirements. ACS is applicable to all SAML versions and both the IdP- and SP-initiated SSO profiles.

On the Assertion Consumer Service URL screen, select the applicable SAML binding and enter the corresponding ACS endpoint URL.

Note:

The SP may request that the SAML assertion be sent to one of several URLs, via different bindings. PingFederate uses the defined URL entries on this page to validate the authentication request. However, per SAML specifications, if the request is signed, PingFederate can verify the signature instead; the ACS URL does not necessarily need to be listed here. This is useful for scenarios where an ACS URL might be dynamically generated.

Some federation use cases may require additional customizations in the assertions sent from the PingFederate IdP server to the SP, such as placing well-formed XML in the <AttributeValue> element or including the optional SessionNotOnOrAfter attribute in the <AuthnStatement> element. You can use OGNL expressions to fulfill these use cases.

  1. Configure one or more SAML ACS endpoints.
    1. Select a SAML binding from the list; for example, POST.
    2. Enter the ACS endpoint URL in the Endpoint URL field.

      You may enter a relative path (beginning with a forward slash) if you have provided a base URL on the General Info screen.

    3. Make the selection if you want this entry to be the default ACS endpoint.

      The administrative console always sets the first entry as the default ACS endpoint. You may reset the default selection when you add another ACS endpoint.

    4. Optional: Enter an integer in the Index field for this ACS endpoint.

      The administrative console automatically assigns an index value for each ACS endpoint, starting from 0. If you want to define your own index values, you must make sure the index values are unique.

    5. Click Add.
    6. Optional: Repeat to add additional ACS endpoints.
  2. Optional: Customize messages using OGNL expressions.

    Note that expressions are not enabled by default. For more information about enabling and editing OGNL expressions, see Attribute mapping expressions.

    1. Click Show Advanced Customizations.
    2. Select a message type from the list.
    3. Enter an OGNL expression to fulfill your use case.
      Note:

      For more information about Message Type, available variables, and sample OGNL expressions, see Customizing assertions and authentication requests.

    4. Click Add.
    5. Optional: Repeat to add another message customization.

If you are editing an existing connection, you can reconfigure any items, which may require additional configuration changes in subsequent tasks. You must always configure at least one ACS endpoint.
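
The request validation described in the note above, together with the binding, index and default fields from step 1, as an added Python example (not PingFederate code and not part of the original page). The endpoint URLs, the `resolve_acs` and `build_request` names and the binding fallback for an unlisted URL are assumptions, and signature verification is assumed to have been done by the caller.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed entries mirroring the screen's fields: binding, endpoint URL, index, default.
ACS_ENDPOINTS = [
    {"index": 0, "binding": POST, "url": "https://sp.example.com/acs/post", "default": True},
    {"index": 1, "binding": ARTIFACT, "url": "https://sp.example.com/acs/artifact", "default": False},
]

def build_request(**attrs):
    """Build a constructed, unsigned AuthnRequest carrying the given attributes."""
    extra = "".join(f' {k}="{v}"' for k, v in attrs.items())
    return f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed1" Version="2.0"{extra}/>'

def resolve_acs(request_xml, endpoints=ACS_ENDPOINTS, signature_verified=False):
    """Return (url, binding) to respond on, or raise ValueError if the request is rejected."""
    if "<!DOCTYPE" in request_xml:
        raise ValueError("DTDs are not accepted in SAML messages")
    if len({e["index"] for e in endpoints}) != len(endpoints):
        raise ValueError("ACS index values must be unique")
    default = next(e for e in endpoints if e["default"])
    root = ET.fromstring(request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    idx = root.get("AssertionConsumerServiceIndex")
    url, binding = root.get("AssertionConsumerServiceURL"), root.get("ProtocolBinding")
    if idx is not None:
        if url is not None or binding is not None:
            raise ValueError("index cannot be combined with URL or ProtocolBinding")
        match = [e for e in endpoints if e["index"] == int(idx)]
        if not match:
            raise ValueError(f"no ACS endpoint with index {idx}")
        return match[0]["url"], match[0]["binding"]
    # Exact string comparison only: prefix or substring matching would accept look-alike URLs.
    cands = [e for e in endpoints if url in (None, e["url"]) and binding in (None, e["binding"])]
    if cands:
        pick = next((e for e in cands if e["default"]), cands[0])  # prefer the default entry
        return pick["url"], pick["binding"]
    if url is not None and signature_verified:
        # Unlisted URL accepted only because the caller verified the request signature.
        return url, binding or default["binding"]  # binding fallback is an assumption
    raise ValueError(f"no configured ACS endpoint matches URL={url} binding={binding}")

if __name__ == "__main__":
    print(resolve_acs(build_request(AssertionConsumerServiceIndex="1")))
```
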