PingFederate bridges single sign-on (SSO) and single log-out (SLO) transactions between an identity provider (IdP) and multiple service providers (SPs).
For example, your company wants to route federation requests from a recently acquired
subsidiary through its federation infrastructure. PingFederate multiplexes one IdP
connection to multiple SP connections to the desired SPs. The federation hub consumes
assertions from the subsidiary and creates new assertions to the respective SPs.
- For each SP, create a contract to the IdP. For more information, see Federation hub and authentication policy contracts. Because each SP likely requires a unique set of attributes, you will need to create multiple contracts.
- Create an IdP connection between the IdP and PingFederate, the federation hub as the SP.
- Add the applicable authentication policy contract(s) to the IdP connection on the Target Session Mapping window.
- For each SP, create an SP connection between PingFederate, the federation hub as the IdP, and the SP.
- Add the corresponding authentication policy contract to the SP connection on the Authentication Source Mapping window.
- For each SP supporting the SAML IdP-initiated SSO profile, map the expected target resources to the corresponding SP connections on the window.
- Work with the IdP to connect to PingFederate , the federation hub as the SP.
- Work with each SP to connect to PingFederate, the federation hub as the IdP.