Bridging an IdP to multiple SPs - PingFederate - 10.3

PingFederate Server


PingFederate bridges single sign-on (SSO) and single log-out (SLO) transactions between an identity provider (IdP) and multiple service providers (SPs).

For example, your company wants to route federation requests from a recently acquired subsidiary through its federation infrastructure. PingFederate multiplexes one IdP connection to multiple SP connections to the desired SPs. The federation hub consumes assertions from the subsidiary and creates new assertions to the respective SPs.
Diagram: the PingFederate federation hub with one IdP bridged to multiple SPs.
  1. For each SP, create an authentication policy contract. For more information, see Federation hub and authentication policy contracts. Because each SP likely requires a unique set of attributes, you need to create multiple contracts.
  2. Create an IdP connection between the IdP and PingFederate (the federation hub acting as the SP).
  3. Add the applicable authentication policy contract(s) to the IdP connection on the Target Session Mapping window.
  4. For each SP, create an SP connection between PingFederate (the federation hub acting as the IdP) and the SP.
  5. Add the corresponding authentication policy contract to the SP connection on the Authentication Source Mapping window.
  6. For each SP supporting the SAML IdP-initiated SSO profile, map the expected target resources to the corresponding SP connections on the Applications > Integration > Target URL Mapping window.
  7. Work with the IdP to connect to PingFederate (the federation hub acting as the SP).
  8. Work with each SP to connect to PingFederate (the federation hub acting as the IdP).
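The following added example models the flow these steps configure; it is illustrative Python, not PingFederate code, and every entity ID, URL, contract name and attribute is constructed. It shows why one contract per SP matters: the hub consumes the subsidiary IdP's assertion, fulfils only the attributes in the target SP's contract, and issues a new assertion as the IdP toward that SP, refusing when the contract cannot be fulfilled or the assertion is not from the connected IdP.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicyContract:
    """Authentication policy contract: the attribute set one SP expects."""
    name: str
    attributes: frozenset

@dataclass(frozen=True)
class SPConnection:
    entity_id: str
    contract: PolicyContract
    target_urls: tuple  # resources routed to this SP (Target URL Mapping, step 6)

class FederationHub:
    """PingFederate in the middle: SP toward the IdP, IdP toward each SP."""
    def __init__(self, idp_entity_id, hub_entity_id, sp_connections):
        self.idp_entity_id = idp_entity_id
        self.hub_entity_id = hub_entity_id
        self.sps = {sp.entity_id: sp for sp in sp_connections}
        # Step 6: map each expected target resource to its SP connection.
        self.target_map = {url: sp.entity_id
                           for sp in sp_connections for url in sp.target_urls}

    def bridge(self, inbound, target_url):
        """Consume the IdP's assertion, fulfil the SP's contract, issue a new one."""
        if inbound["issuer"] != self.idp_entity_id:
            raise ValueError("assertion does not come from the connected IdP")
        sp = self.sps[self.target_map[target_url]]
        # Steps 3 and 5: the contract decides which attributes cross to this SP;
        # anything the IdP sent beyond the contract is dropped, not forwarded.
        missing = sp.contract.attributes - set(inbound["attributes"])
        if missing:
            raise KeyError(f"{sp.contract.name}: cannot fulfil {sorted(missing)}")
        return {"issuer": self.hub_entity_id,  # hub is the IdP toward the SP
                "audience": sp.entity_id,
                "attributes": {a: inbound["attributes"][a] for a in sp.contract.attributes}}

# Constructed sample (hypothetical names): two SPs with different contracts.
HR_APC = PolicyContract("hr_apc", frozenset({"subject", "mail", "employee_id"}))
CRM_APC = PolicyContract("crm_apc", frozenset({"subject", "mail", "region"}))
HUB = FederationHub("https://idp.subsidiary.example", "https://hub.example.com", [
    SPConnection("https://hr.example.com", HR_APC, ("https://hr.example.com/payroll",)),
    SPConnection("https://crm.example.com", CRM_APC, ("https://crm.example.com/app",)),
])
INBOUND = {"issuer": "https://idp.subsidiary.example",
           "attributes": {"subject": "jdoe", "mail": "jdoe@subsidiary.example",
                          "employee_id": "E123", "department": "finance"}}
```

Calling `HUB.bridge(INBOUND, "https://hr.example.com/payroll")` yields an assertion for the HR SP carrying only its three contract attributes, while the CRM target fails because the inbound assertion lacks `region`.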