Setting Assertion Consumer Service URLs (SAML) - PingFederate - 11.2

PingFederate Server

bundle
pingfederate-112
ft:publication_title
PingFederate Server
Product_Version_ce
PingFederate 11.2
category
Administrator
Administratorguide
Audience
Capability
ContentType
DeploymentMethod
Guide
Product
Productdocumentation
SingleSignonSSO
Software
SystemAdministrator
pf-112
pingfederate
ContentType_ce
Guide
Guide > Administrator Guide
Product documentation

If your PingFederate configuration uses any version of SAML, you can configure assertion indexes, bindings, and endpoint URLs on the Assertion Consumer Service URL tab.

For prerequisites and initial steps to configure Browser SSO protocol settings, see Configuring protocol settings.

The assertion consumer service (ACS) endpoint is a location to which the single sign-on (SSO) tokens are sent, according to partner requirements. ACS is applicable to all SAML versions and both the identity provider (IdP)- and service provider (SP)-initiated SSO profiles.

Note:

The SP might request that the SAML assertion be sent to one of several URLs, using different bindings. PingFederate uses the defined URL entries on this page to validate the authentication request. However, per SAML specifications, if the request is signed, PingFederate can verify the signature instead. The ACS URL does not necessarily need to be listed here. This is useful for scenarios where an ACS URL might be dynamically generated.

Some federation use cases might require additional customizations in the assertions sent from the PingFederate IdP server to the SP, such as placing well-formed XML in the <AttributeValue> element or including the optional SessionNotOnOrAfter attribute in the <AuthnStatement> element. You can use OGNL expressions to fulfill these use cases.

  1. In the Assertion Consumer Service URL tab, configure one or more SAML ACS endpoints.
    1. Select a SAML binding from the Bindingdrop-down list.
    2. Enter the ACS endpoint URL to the Endpoint URL field.

      You can enter a relative path (begin with a forward slash) if you have provided a base URL on the General Info window.

    3. Optional: Select the Default box if you want this entry to be the default ACS endpoint.

      The administrative console always sets the first entry as the default ACS endpoint. You can reset the default endpoint when you add ACS endpoint.

    4. Optional: Enter an integer to the Index field for this ACS endpoint.

      The administrative console automatically assigns an index value for each ACS endpoint, starting from 0. If you want to define your own index values, you must make sure the index values are unique.

    5. Click Add.
    6. Optional: Repeat to add additional ACS endpoints.
  2. Optional: Customize messages using OGNL expressions.
    Note:

    OGNL expressions are not enabled by default. For more information about enabling and editing OGNL expressions, see Attribute mapping expressions.

    1. Click Show Advanced Customizations.
    2. Select a message type from the list.
    3. Enter an OGNL expression to fulfill your use case.
      Note:

      For more information about Message Type, available variables, and sample OGNL expressions, see Customizing assertions and authentication requests.

    4. Click Add.
    5. Optional: Repeat to add another message customization.
  3. Click Next to proceed to the next tab. For SAML 1.x configurations, see Setting a default target URL (SAML 1.x). For SAML 2.0, see Specifying SLO service URLs (SAML 2.0).

If you are editing an existing connection, you can reconfigure any items, which could require additional configuration changes in subsequent tasks. You must always configure at least one ACS endpoint.