1. On the PingFederate administrator console, open your existing SP connection.
    • For PingFederate 10.1 or later: go to Applications > Integration > SP Connections. Select your connection.
    • For PingFederate 10.0 or earlier: go to Identity Provider > SP Connections. Select your connection.
  2. On the Connection Type tab select Browser SSO Profiles. Click Next.
  3. On the Browser SSO tab, configure your SSO settings.
    1. Go to Browser SSO > SAML Profiles and select only IdP-Initiated SSO and SP-Initiated SSO.
    2. Go to Browser SSO > Assertion Creation > Attribute Contract. For SAML_SUBJECT, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
    3. On the Authentication Policy Mapping tab, select or create an authentication source that maps SAML_SUBJECT to an email attribute that matches the email addresses used in Workplace from Facebook.

    For configuration help, see Configuring IdP Browser SSO in the PingFederate documentation.

  4. On the Credentials tab, configure the connection credentials as shown in Configuring credentials in the PingFederate documentation.
    • On the Digital Signature Settings tab, from the Signing Certificate list, select the certificate that you want to use with Workplace from Facebook.
  5. On the Activation and Summary tab, above the Summary section, click the toggle to turn on the connection. Click Save.