For example, your company wants to route federation requests from a recently acquired subsidiary through its federation infrastructure. PingFederate multiplexes one IdP connection to multiple SP connections to the desired SPs. The federation hub consumes assertions from the subsidiary and creates new assertions to the respective SPs.
diagram depicting the PingFederate Federation hub with an IdP bridged to multiple SPs.
  1. For each SP, create a contract to the IdP. For more information, see Federation hub and authentication policy contracts. Because each SP likely requires a unique set of attributes, you will need to create multiple contracts.
  2. Create an IdP connection between the IdP and PingFederate, the federation hub as the SP.
  3. Add the applicable authentication policy contract(s) to the IdP connection on the Target Session Mapping window.
  4. For each SP, create an SP connection between PingFederate, the federation hub as the IdP, and the SP.
  5. Add the corresponding authentication policy contract to the SP connection on the Authentication Source Mapping window.
  6. For each SP supporting the SAML IdP-initiated SSO profile, map the expected target resources to the corresponding SP connections on the Applications > Integration > Target URL Mapping window.
  7. Work with the IdP to connect to PingFederate , the federation hub as the SP.
  8. Work with each SP to connect to PingFederate, the federation hub as the IdP.