When you have more than one target session defined in an identity provider (IdP) connection, you must map the target URL to its target session.
When PingFederate receives a single sign-on (SSO) or single logout (SLO) request, it compares the target URL against the configured URLs until a match is found. If a match is not found, the SSO request fails.
For target URL mapping to work correctly, you must configure a target resource entry in the redirect validation settings. If you have not done this, follow the instructions in Configuring redirect validation.
For example, this mapping configuration might be necessary in an IdP-initiated SSO scenario that connects to multiple applications at your site. For transactions initiated at your site, this mapping is required for default situations where the target resource and the adapter instance are not specified in the SSO or SLO request. When this information is provided with the service provider (SP) request, the mapping table is ignored. For more information, see SP services.
When bridging an identity provider to multiple service providers, for each service provider supporting the SAML IdP-initiated SSO profile, map the target URLs to the corresponding SP connection.
In this scenario, PingFederate is a federation hub for the identity provider and the service providers. For more information, see Federation hub use cases.
Finally, if an IdP connection is associated with one or more SP adapters, authentication policy contracts, or both, you also need to map the target URLs to their respective target session.
You manage target URL mappings on the window. The configuration process involves entering a URL and selecting a target session for it. See the following table for more information.
The order of mapping is significant in that the first matching mapping, from top to bottom, determines which target session receives the request. For example, consider two URLs mapped in the following order.
URL | Session Target |
---|---|
http://www.example.com/acct101/ | OpenToken SP Adapter to a local training app |
http://www.example.com/* | SP connection to SP SaaS |
A target URL of http://www.example.com/acct101/ will be mapped to OpenToken SP Adapter to a local training app because the target matches the first mapping in the configuration.
If the order of the mappings is reversed, the same target will be mapped to SP connection to ACME SaaS because the first mapping in the new configuration, http://www.example.com/*, matches the target URL.
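The first-match ordering described above, sketched as an added Python example (not PingFederate code): it assumes `*` matches any run of characters and that comparison is otherwise exact, and the helper names `resolve` and `shadowed` are hypothetical. `shadowed` flags mappings that can never be selected because an earlier, broader pattern already covers them, which is the ordering mistake the reversed configuration illustrates.

```python
import re

def compile_pattern(pattern):
    # Assumption: '*' matches any run of characters; everything else is literal.
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))

def resolve(mappings, target_url):
    """Return the session of the first matching mapping, top to bottom, or None."""
    for pattern, session in mappings:
        if compile_pattern(pattern).fullmatch(target_url):
            return session
    return None  # no mapping matched: the SSO request fails

def shadowed(mappings):
    """List (earlier, later) pattern pairs where the later mapping can never win."""
    pairs = []
    for j, (later, _) in enumerate(mappings):
        for earlier, _ in mappings[:j]:
            # Conservative check: match the later pattern's own text against the
            # earlier pattern. A literal '*' in that text can only be consumed by
            # a wildcard, so a match means the earlier pattern covers the later.
            if compile_pattern(earlier).fullmatch(later):
                pairs.append((earlier, later))
                break
    return pairs

# The two mappings from the table above, in the documented order.
DOCUMENTED = [
    ("http://www.example.com/acct101/", "OpenToken SP Adapter to a local training app"),
    ("http://www.example.com/*", "SP connection to SP SaaS"),
]
REVERSED = list(reversed(DOCUMENTED))

if __name__ == "__main__":
    url = "http://www.example.com/acct101/"
    print("documented order:", resolve(DOCUMENTED, url))
    print("reversed order:  ", resolve(REVERSED, url))
    print("unmapped target: ", resolve(DOCUMENTED, "http://other.example.org/"))
    print("unreachable in reversed order:", shadowed(REVERSED))
```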
Use the up and down arrows to rearrange the order of the mappings. Click Edit, Update, and Cancel to make or undo a change to a mapping. Click Delete and Undelete to remove a mapping or cancel the removal request.