Page created: 16 Mar 2023 | Page updated: 16 Mar 2023
You can use the generic SAML configuration to add an external identity provider (IdP) that follows the SAML standard.
- Go to .
- Click + Add Provider.
- Click SAML.
On the Create Profile page, enter the following:
- Name: A unique identifier for the identity provider.
- Description: (Optional). A brief characterization of the identity provider.
- Icon: (Optional). An image to represent the identity provider. Use a file up to 1MB in JPG, JPEG, GIF, or PNG format.
- Login button: (Optional). An image to be used for the login button that the end user will see. Use a 300 x 42 pixel image.
- Click Continue.
On the Configure PingOne Connection page, enter the following:
- PingOne (SP) entity ID: The entity ID for the Service Provider, which is used as the Issuer when PingOne sends a request to the external identity provider. The identity provider can also use this value to ensure that requests from the service provider (SP) are valid. By default, this ID is based on the value you entered for Name.
- Signing certificate: Specifies the SP’s signing certificate. The identity provider uses this certificate to verify the signatures that PingOne produces, so it must also be configured (or imported through SP metadata) on the identity provider side.
- Signing algorithm: Select the algorithm to be used for signing metadata. The options are RSA_SHA256, RSA_SHA384, and RSA_SHA512.
- Sign AuthN request: Specifies whether the SAML authentication request is signed before it is sent to the identity provider. If the external identity provider is included in an authentication policy that will be used by applications accessed through a combination of default URLs and custom domain URLs, you should select this option.
- Click Continue.
On the Configure IDP Connection page, specify the details of the connection between the identity provider and PingOne. You can enter the values manually or import them from a file.
- Import metadata from an XML metadata file: Click Choose and then select an XML metadata file on your file system. Click Open.
Note: If the metadata file does not specify all the configuration values, you must enter the missing values manually.
- Import metadata from an IdP metadata URL: Enter the URL and then click
The URL must be a valid absolute URL.
- Manually enter the following metadata information:
- ACS endpoint: Shows the Assertion Consumer Service URL. The ACS endpoint is the PingOne endpoint to which the identity provider sends its single sign-on (SSO) tokens (SAML responses). Copy this value and enter it into the identity provider configuration.
- SSO endpoint: Specifies the SSO endpoint for the authentication request. Only authentication requests can be sent to the SSO endpoint.
- IDP entity ID: Specifies the identity provider’s entity ID.
- SSO binding: Specifies the binding to use for the authentication request. Select HTTP Post or HTTP Redirect.
- Click Save and Continue.
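The import step above reads the same values from the identity provider's SAML 2.0 metadata that the manual fields ask for (IDP entity ID, SSO endpoint, SSO binding, signing certificate). The following script, added here as an example and not part of PingOne or its documentation, pulls those values out of a metadata document with the standard library, maps the SAML binding URIs to the two binding labels PingOne offers, and reports what would still have to be entered by hand, mirroring the note above. The metadata is a constructed sample for a hypothetical IdP (idp.example.test) with a placeholder certificate; nothing in it comes from a real deployment.

```python
"""Extract from SAML 2.0 IdP metadata the values that PingOne's Configure IDP
Connection page asks for, and report which ones must be entered manually."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# SAML binding URIs -> the labels offered for "SSO binding" in PingOne.
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP Post",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP Redirect",
}

# Constructed sample metadata for a hypothetical IdP (idp.example.test). The
# certificate text is only a base64 DER prefix used as a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBszCCAVygAwIBAgIBATANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAlpZHAudGVzdA==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the entity ID, SSO endpoints keyed by PingOne binding label, and signing certs."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected md:EntityDescriptor, got %s" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; is this really an IdP?")
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        label = BINDINGS.get(svc.get("Binding", ""))
        if label:  # bindings PingOne does not offer are ignored
            sso[label] = svc.get("Location")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def cert_looks_like_der(b64: str) -> bool:
    """Cheap sanity check: valid base64 whose first byte is an ASN.1 SEQUENCE (0x30)."""
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return len(der) > 1 and der[0] == 0x30


def check_endpoint(url: str) -> list:
    """Problems with an SSO endpoint: it must be an absolute URL and should be HTTPS."""
    problems = []
    parts = urlparse(url or "")
    if not parts.scheme or not parts.netloc:
        problems.append("not an absolute URL: %r" % url)
    elif parts.scheme != "https":
        problems.append("not https: %r" % url)
    return problems


def review(xml_text: str) -> dict:
    """What the import can fill in, what must be typed manually, and what looks wrong."""
    info = parse_idp_metadata(xml_text)
    missing, problems = [], []
    if not info["entity_id"]:
        missing.append("IDP entity ID")
    if not info["sso"]:
        missing.append("SSO endpoint / SSO binding")
    for label, url in info["sso"].items():
        problems += ["%s: %s" % (label, p) for p in check_endpoint(url)]
    if not info["signing_certs"]:
        missing.append("Signing certificate")
    elif not any(cert_looks_like_der(c) for c in info["signing_certs"]):
        problems.append("no signing KeyDescriptor certificate decodes as DER")
    return {"info": info, "missing": missing, "problems": problems}


if __name__ == "__main__":
    result = review(SAMPLE_METADATA)
    print("IDP entity ID :", result["info"]["entity_id"])
    for label, url in result["info"]["sso"].items():
        print("SSO endpoint  :", url, "(%s)" % label)
    print("Enter manually:", result["missing"] or "nothing")
    print("Problems      :", result["problems"] or "none")
```

Two caveats for real use. First, `xml.etree` performs no signature verification; if the IdP signs its metadata, verify that signature (or fetch the document only over TLS from the IdP's own origin) before trusting the entity ID and endpoints it contains, since those are exactly the values that decide whom PingOne will accept assertions from. Second, when the document comes from a URL you do not control, parse it with `defusedxml` rather than the standard parser to rule out entity-expansion attacks.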
On the Map Attributes page, define how the PingOne user attributes are mapped to identity provider attributes. For more information, see Mapping attributes.
- Enter the PingOne user profile attribute and the external IdP attribute. For more information about attribute syntax, see Identity provider attributes.
- To add an attribute, click + Add attribute.
- To use the expression builder, click Build and test or Advanced Expression. See Using the expression builder.
- Select the update condition, which determines how PingOne updates its user directory with the values from the identity provider. The options are:
- Empty only: Update the PingOne attribute only if the existing attribute is empty.
- Always: Always update the PingOne directory attribute.
- Click Save and Finish.
- Enable the external identity provider. See Enabling or disabling an identity provider.
- Add the identity provider to your authentication policy. See Editing an authentication policy.
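The two update conditions on the Map Attributes page decide how much authority the external identity provider has over existing directory data. The following function, added here as an illustration and not PingOne's own code, applies a list of mappings to a user profile under those conditions. It is a simplification: IdP attributes are keyed by their raw assertion attribute names rather than PingOne's identity provider attribute syntax, and the profile and assertion values are constructed sample data.

```python
"""Apply external IdP attributes to a user profile under the Map Attributes
update conditions: 'Empty only' fills a blank attribute, 'Always' overwrites."""

EMPTY_ONLY = "Empty only"
ALWAYS = "Always"


def is_empty(value) -> bool:
    """An unset, blank, or empty-list attribute counts as empty."""
    return value is None or value == "" or value == []


def apply_mapping(profile: dict, idp_attributes: dict, mapping: list) -> dict:
    """
    profile:        the directory user as it exists before this sign-on
    idp_attributes: attribute name -> value taken from the IdP assertion
                    (simplified: raw names, not PingOne's attribute syntax)
    mapping:        list of (pingone_attribute, idp_attribute, update_condition)
    Returns a new profile; the input dict is left unchanged.
    """
    updated = dict(profile)
    for ping_attr, idp_attr, condition in mapping:
        if condition not in (EMPTY_ONLY, ALWAYS):
            raise ValueError("unknown update condition %r" % condition)
        if idp_attr not in idp_attributes:
            continue  # the IdP did not send it: leave the directory value alone
        if condition == ALWAYS or is_empty(updated.get(ping_attr)):
            updated[ping_attr] = idp_attributes[idp_attr]
    return updated


# Constructed sample data: an existing directory user and one IdP assertion.
EXISTING_USER = {"username": "jdoe", "email": "jdoe@example.test", "mobilePhone": ""}
ASSERTION_ATTRIBUTES = {
    "mail": "changed@idp.example.test",
    "phone": "+1 555 0100",
    "department": "Finance",
}
MAPPING = [
    ("email", "mail", EMPTY_ONLY),        # keep the directory's email once set
    ("mobilePhone", "phone", EMPTY_ONLY), # fill in a phone number if we have none
    ("department", "department", ALWAYS), # IdP is authoritative for department
]


def demo() -> dict:
    return apply_mapping(EXISTING_USER, ASSERTION_ATTRIBUTES, MAPPING)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-12s %s" % (key, value))
```

With Empty only, the existing email survives even though the assertion carried a different one, while the blank mobilePhone is populated; with Always, the identity provider rewrites the attribute on every sign-on. Choose Always only for attributes the identity provider is genuinely authoritative for, because a compromised or misconfigured IdP can then change that value for every user it asserts.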