Using an external IdP allows linked users to authenticate using the credentials provided by the external IdP. An external IdP includes mapping PingOne user attributes to attributes from the IdP.

Approaches for external identity providers

There are several important differences in the way that identity providers can be used in PingOne authentication policies:

Add an external IdP as part of a login step. At the sign-on prompt, the end user can enter a username and password or choose an external IdP to authenticate with, such as Google or Facebook. See Adding a login authentication step.
Identifier First
Add an identifier-first step to an authentication policy. The end user is prompted for an identifier, such as a user name. The policy can then send the end user to a particular IdP based on rules evaluation of the identifier. See Identifier first authentication.
External Identity Provider
Add an external IdP step to an authentication policy. The end user is forwarded to an external IdP based on policy and without any interaction from the user. See Adding an external identity provider sign-on step.


A SAML IdP can use one of your PingOne encryption certificates to encrypt SAML assertions for you.

If you want the IdP to use a specific encryption certificate, you can download it in the X509 PEM (.crt) format and send it to the IdP. See Downloading a certificate.

If you want the IdP to use the default encryption certificate, your metadata already contains it. See Downloading metadata for SAML IdPs.

When PingOne receives an encrypted assertion (a SAML response with an EncryptedAssertion element), it attempts to decrypt it with each encryption certificate in your environment starting with the default, followed by the rest of the encryption certificates.

When your encryption certificate nears expiration, you can add a new one and allow both the old and new certificate to be used. This allows all your IdPs to change to the new certificate at any time without downtime. When your default encryption certificate expires, you must change the default encryption certificate for your environment. Otherwise the SAML metadata you provide to your IdPs contains the expired certificate and is not valid for most IdPs. You can change the default encryption certificate in the PingOne admin console. For more information, see Designating default keys.

PingOne supports the following standards:

  • Encrypted assertion
  • Multiple block encryption algorithms:
    • AES-128-CBC
    • AES-256-CBC
    • AES-128-GCM
    • AES-192-GCM
    • AES-256-GCM
    • Triple DES
  • RSA-OAEP key transport algorithm