When you have more than one target session defined in an IdP connection, you must map the target URL to its target session. When PingFederate receives an SSO or SLO request, it compares the target URL against the configured URLs until a match is found. If a match is not found, the SSO request fails.

For example, this mapping configuration may be necessary in an IdP-initiated SSO scenario that connects to multiple applications at your site. For transactions initiated at your site, this mapping is required for default situations where the target resource and the adapter instance are not specified in the SSO or SLO request. It is worth noting that when this information is provided with the SP request, the mapping table is ignored (see SP services).

Furthermore, when bridging an identity provider to multiple service providers, for each service provider supporting the SAML IdP-initiated SSO profile, map the target URLs to the corresponding SP connection.

Tip:

In this scenario, PingFederate is a federation hub for the identity provider and the service providers (see Federation hub use cases).

Finally, if an IdP connection is associated with one or more SP adapters, authentication policy contracts, or both, you also need to map the target URLs to their respective target session.

You manage target URL mappings on the Service Provider > Target URL Mapping screen. The configuration process involves entering a URL and selecting a target session for it. Refer to the following table for more information.

Field Description
URL The target URLs that align with your configured target sessions. The URLs instruct the PingFederate SP server to route session-creation processing through an SP adapter instance or an SP connection.

You may use a wildcard (*) to match multiple URLs to the same target session but you can use only one wildcard (*) per URL.

If the target URL in the incoming request is not matched by the first entry in this table, subsequent entries are tried until a match is found.

Note:

If a target session is not allowed based on restrictions imposed (see Restricting a target session to certain virtual server IDs), PingFederate tries the next entry.

Target Type The type of the Target Session. If the IdP role is not activated (or is activated without any protocol for browser-based SSO, such as SAML or WS-Federation), the Target Type value defaults to SP Adapter.
Target Session A selection of configured SP adapter instances or SP connections. The available values depend on the selection in the Target Type list.

The order of mapping is significant in that the first matching mapping, from top to bottom, determines which target session receives the request. For example, if two URLs are mapped in the following order:

URL Session Target
http://www.example.com/acct101/ OpenToken SP Adapter to a local training app
http://www.example.com/* SP connection to SP SaaS

A target URL of http://www.example.com/acct101/ will be mapped to OpenToken SP Adapter to a local training app because the target matches the first mapping in the configuration.

If the order of the mappings is reversed, the same target will be mapped to SP connection to ACME SaaS because the first mapping in the new configuration (http://www.example.com/*) matches the target URL.
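
The ordering behavior described above can be modeled to check a mapping table for entries that an earlier, broader entry pre-empts. This is an added example, not PingFederate code: the function names, the shortened session labels, and the wildcard semantics (a * matches any run of characters, case-sensitively) are assumptions.

```python
# Added illustration of first-match-wins target URL mapping; not PingFederate code.
# Assumption: '*' matches any run of characters (including none), case-sensitively.

def parse(pattern):
    """Split a mapping URL into (head, has_wildcard, tail); reject more than one '*'."""
    if pattern.count("*") > 1:
        raise ValueError(f"only one wildcard (*) is allowed per URL: {pattern}")
    head, star, tail = pattern.partition("*")
    return head, bool(star), tail

def matches(pattern, url):
    head, wild, tail = parse(pattern)
    if not wild:
        return url == head
    return (len(url) >= len(head) + len(tail)
            and url.startswith(head) and url.endswith(tail))

def resolve(mappings, target_url, allowed=lambda session: True):
    """Return the first matching, allowed target session; None means the SSO request fails."""
    for pattern, session in mappings:
        # A session ruled out by a restriction is skipped and the next entry is tried.
        if matches(pattern, target_url) and allowed(session):
            return session
    return None

def covers(earlier, later):
    """True if every URL the later pattern matches is also matched by the earlier one."""
    e_head, e_wild, e_tail = parse(earlier)
    l_head, l_wild, l_tail = parse(later)
    if not l_wild:
        return matches(earlier, l_head)
    return e_wild and l_head.startswith(e_head) and l_tail.endswith(e_tail)

def shadowed(mappings):
    """Report (pattern, earlier_pattern) pairs where an earlier entry matches everything
    the later one does. Session restrictions are ignored, so treat hits as review items."""
    hits = []
    for i, (later, _) in enumerate(mappings):
        for earlier, _ in mappings[:i]:
            if covers(earlier, later):
                hits.append((later, earlier))
                break
    return hits

# Constructed sample tables mirroring the two orderings discussed above.
ADAPTER, CONNECTION = "OpenToken SP Adapter", "SP connection"
SPECIFIC_FIRST = [("http://www.example.com/acct101/", ADAPTER),
                  ("http://www.example.com/*", CONNECTION)]
WILDCARD_FIRST = list(reversed(SPECIFIC_FIRST))
```

Running shadowed() over an exported copy of the table before reordering entries flags specific URLs that would silently route to the wrong target session.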

  1. Enter a URL.
  2. Select a target type from the list.
    Applicable only when the IdP role is activated with at least one protocol for browser-based SSO.
  3. Select a target session from the list.
  4. Click Add Mapping.
  5. Repeat these steps to add multiple mappings.

Use the up and down arrows to re-arrange the order of the mappings. Use the Edit, Update, and Cancel workflow to make or undo a change to a mapping. Use the Delete and Undelete workflow to remove a mapping or cancel the removal request.