Use the Applications page to edit existing SAML applications.
- Go to .
- Browse or search for the application that you want to edit.
- Click the application entry to open the details panel. Click the tab that you want to edit, and then click the pencil icon.
For Overview, enter or edit the following:
- Application Name: A unique identifier for the application.
- Description: A brief characterization of the application (optional).
- Icon (optional): A pictorial representation of the application. Use a file up to 1MB in JPG, JPEG, GIF, or PNG format.
- Home page URL: The default home page for the application.
- Signon URL: The URL to which the application requests that the end user be redirected to sign on.
Note: If you created this application using the Application Catalog page, you'll have the option to enable advanced configuration options. Click the Enable Advanced Configuration button. This option gives you access to all application settings on the Configuration tab.
For Configuration, enter or edit the following.
The Assertion Consumer Service URLs. You must specify at least one URL, and the first URL in the list is used as the default.
If you are using a custom domain, you can toggle the view between the custom and original URLs. The original and custom URLs will continue to work.
The certificate whose private key PingOne uses to sign requests, responses, and assertions, so that the service provider can confirm they actually came from PingOne (the identity provider) and were not altered in transit.
Select the appropriate certificate from the list of available RSA or EC certificates. To add a certificate, see Adding a certificate and key pair.
Select whether to sign assertions, responses, or assertions and responses.
Select the signature algorithm to be used with the signing certificate, including for signing metadata. The choices depend on the key type of the certificate: if you selected an RSA signing certificate, the options are RSA_SHA256, RSA_SHA384, and RSA_SHA512. If you selected an EC signing certificate, the options are SHA256_ECDSA, SHA384_ECDSA, and SHA512_ECDSA.
If selected, the assertions PingOne sends to the SAML application are encrypted.
Note: Available for SAML 2.0 applications only.
Select the algorithm for encrypting the assertions, either AES_128 or AES_256 (recommended).
Import a certificate or select an existing one from the list of available. To add a certificate, see Adding a certificate and key pair.
The service provider entity ID used to look up the application. This is a required property and is unique within the environment.
The URL of the single logout service. PingOne redirects the browser to this location when it needs to send an SLO message to the service provider. For more information, see SAML 2.0 single logout.
SLO response endpoint (optional)
The URL of the single logout response service. You can use this option if you have a separate service for single logout responses. If this value is blank, PingOne sends responses to the SLO endpoint.
Defines how long after the initial logout request PingOne continues to exchange logout messages with the application, specifically how long it still accepts a LogoutRequest from the application. PingOne can also send a LogoutRequest to the application when the user initiates a single logout from another session participant, such as another application or the identity provider. This setting is per application. The SLO window is separate from the user session logout that revokes all tokens. The minimum value is 1 hour and the maximum is 24 hours. We recommend starting with a value of two hours and then fine-tuning as needed.
The SAML binding used by the application. The default is HTTP POST. Select HTTP Redirect as needed.
Subject NameID format
A string that specifies the format of the Subject NameID attribute in the SAML assertion. Options are:
- urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified (default). No particular format is asserted for the subject NameID, so the application must not assume anything about its form. Use this format if you are not sure which format to use.
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress. The Subject NameID is in the form of an email address.
- urn:oasis:names:tc:SAML:2.0:nameid-format:persistent. The Subject NameID is an opaque unique identifier for a user that retains the same value over time.
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient. The Subject NameID is a randomly generated identifier. A different value is used for each single sign-on (SSO) for a given user.
Assertion validity duration
The maximum amount of time that an assertion is valid (in seconds).
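The ACS URLs, the SP entity ID and the assertion validity duration above each correspond to a check the receiving application must perform on every assertion. The Go program below is an added example and is not PingOne or application code: it parses a constructed, unsigned sample assertion (persistent NameID, bearer subject confirmation) and checks the Recipient against the configured ACS URL list, the Audience against the SP entity ID, and the NotBefore/NotOnOrAfter window (NotOnOrAfter is exclusive) with a clock-skew allowance. The URLs, entity ID, NameID value and timestamps are assumed values for the example; signature verification and replay detection are out of scope here and must run before these checks.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

const bearerMethod = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

// Assertion models only the parts of a SAML 2.0 assertion these checks read.
type Assertion struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	Subject struct {
		NameID struct {
			Format string `xml:"Format,attr"`
			Value  string `xml:",chardata"`
		} `xml:"NameID"`
		Confirmation struct {
			Method string `xml:"Method,attr"`
			Data   struct {
				Recipient    string    `xml:"Recipient,attr"`
				NotOnOrAfter time.Time `xml:"NotOnOrAfter,attr"`
			} `xml:"SubjectConfirmationData"`
		} `xml:"SubjectConfirmation"`
	} `xml:"Subject"`
	Conditions struct {
		NotBefore    time.Time `xml:"NotBefore,attr"`
		NotOnOrAfter time.Time `xml:"NotOnOrAfter,attr"`
		Audiences    []string  `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
}

// SPConfig is the SP-side view of the PingOne application settings it must enforce.
type SPConfig struct {
	EntityID string   // SP entity ID; must appear as an Audience
	ACSURLs  []string // ACS URLs; the first is the default, any listed one is acceptable
}

// SampleAssertion builds a constructed, unsigned assertion (assumed values) with
// NotOnOrAfter = IssueInstant + validity, as the assertion validity duration produces.
func SampleAssertion(issued time.Time, validity time.Duration, recipient, audience string) string {
	iss, exp := issued.UTC().Format(time.RFC3339), issued.Add(validity).UTC().Format(time.RFC3339)
	return fmt.Sprintf(`<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="%s">`+
		`<saml:Issuer>https://auth.pingone.example/env-1</saml:Issuer><saml:Subject>`+
		`<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">3f9c2e</saml:NameID>`+
		`<saml:SubjectConfirmation Method="%s"><saml:SubjectConfirmationData Recipient="%s" NotOnOrAfter="%s"/></saml:SubjectConfirmation></saml:Subject>`+
		`<saml:Conditions NotBefore="%s" NotOnOrAfter="%s"><saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction></saml:Conditions>`+
		`</saml:Assertion>`, iss, bearerMethod, recipient, exp, iss, exp, audience)
}

func contains(list []string, v string) bool {
	for _, s := range list {
		if s == v {
			return true
		}
	}
	return false
}

// ValidateAssertion applies the SP-side checks matching the settings above: Recipient against
// the ACS URL list, Audience against the SP entity ID, bearer confirmation, and the validity
// window with a clock-skew allowance. Signature verification must already have passed.
func ValidateAssertion(raw string, cfg SPConfig, now time.Time, skew time.Duration) (*Assertion, error) {
	var a Assertion
	if err := xml.Unmarshal([]byte(raw), &a); err != nil {
		return nil, err
	}
	sc := a.Subject.Confirmation
	if sc.Method != bearerMethod {
		return nil, fmt.Errorf("unsupported confirmation method %q", sc.Method)
	}
	if !contains(cfg.ACSURLs, sc.Data.Recipient) {
		return nil, fmt.Errorf("recipient %q is not a configured ACS URL", sc.Data.Recipient)
	}
	if !contains(a.Conditions.Audiences, cfg.EntityID) {
		return nil, errors.New("audience restriction does not name this SP entity ID")
	}
	// NotBefore is inclusive and NotOnOrAfter exclusive; skew widens the window both ways.
	if now.Add(skew).Before(a.Conditions.NotBefore) {
		return nil, errors.New("assertion not yet valid")
	}
	for _, exp := range []time.Time{a.Conditions.NotOnOrAfter, sc.Data.NotOnOrAfter} {
		if !now.Add(-skew).Before(exp) {
			return nil, errors.New("assertion validity duration exceeded")
		}
	}
	return &a, nil
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	cfg := SPConfig{EntityID: "https://sp.example.com", ACSURLs: []string{"https://sp.example.com/saml/acs"}}
	_, err := ValidateAssertion(SampleAssertion(issued, 300*time.Second, cfg.ACSURLs[0], cfg.EntityID), cfg, issued.Add(400*time.Second), 30*time.Second)
	fmt.Println("400s after issue with a 300s validity duration:", err)
}
```

Keep the validity duration short (minutes, not hours) and the skew allowance small: both NotOnOrAfter values bound how long a captured bearer assertion can be replayed against an ACS URL, so a long window combined with a generous skew is what turns a leaked assertion into a usable one.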
Target application URL
This option is required by some applications as the target URL. It's used in identity provider (IdP)-initiated SSO for deep linking: the IdP passes the application URL to the application in the RelayState parameter.
Enforce Signed AuthnRequest
If selected, PingOne accepts only signed SAML requests and rejects unsigned SAML requests. Verifying the digital signature enables PingOne to validate the authenticity and integrity of the SAML request, which can help mitigate data tampering attacks on attributes, such as the RequestedAuthnContext element in AuthnRequest. For more information, see RequestedAuthnContext.
The certificate used to verify the signature on SAML requests, confirming that signed AuthnRequests actually came from the service provider. Select or import the appropriate certificate. The list shows the certificates that are available. To add a certificate, see Adding a certificate and key pair.
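The two settings above are the IdP side of the signed-request exchange; the program below is an added example (not PingOne or application code) showing both ends for the HTTP Redirect binding. The SP deflates and base64-encodes the AuthnRequest, then signs the URL-encoded query string in the binding's fixed order (SAMLRequest, RelayState, SigAlg) with its RSA key (RSA_SHA256). The IdP side rebuilds that string from the raw, still-encoded parameters it received and verifies the signature with the public key from the verification certificate before it trusts the XML; with enforcement on, an unsigned request is rejected outright. The tamper case keeps the SP's genuine Signature but swaps in a request whose RequestedAuthnContext was downgraded from MultiFactor, which is exactly the attack the setting is meant to stop. The key pair is generated in-process and the request XML, URLs and RelayState are constructed for the example.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/url"
	"strings"
)

const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// Constructed sample AuthnRequest (not a PingOne message); it asks for the MultiFactor context.
const sampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" AssertionConsumerServiceURL="https://sp.example.com/saml/acs"><saml:Issuer>https://sp.example.com</saml:Issuer><samlp:RequestedAuthnContext Comparison="exact"><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:MultiFactor</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>`

// DeflateB64 applies the HTTP-Redirect binding encoding: raw DEFLATE, then base64.
func DeflateB64(xml string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // errors only on an invalid level
	w.Write([]byte(xml))
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// signedInput is the exact string the binding signs: the still-URL-encoded
// parameters in this fixed order, with RelayState only when present.
func signedInput(samlRequest, relayState, sigAlg string) string {
	s := "SAMLRequest=" + samlRequest
	if relayState != "" {
		s += "&RelayState=" + relayState
	}
	return s + "&SigAlg=" + sigAlg
}

// BuildRedirectQuery is the SP side: encode the request, then sign the query with the SP key.
func BuildRedirectQuery(xml, relayState string, spKey *rsa.PrivateKey) (string, error) {
	input := signedInput(url.QueryEscape(DeflateB64(xml)), url.QueryEscape(relayState), url.QueryEscape(sigAlgRSASHA256))
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, spKey, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// rawParams keeps values URL-encoded: the signature covers the bytes exactly as sent.
func rawParams(query string) map[string]string {
	m := map[string]string{}
	for _, kv := range strings.Split(query, "&") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			m[k] = v
		}
	}
	return m
}

// VerifyRedirectQuery is the IdP side. With enforceSigned set, an unsigned request is
// rejected; a signed one must verify under the verification certificate's public key.
func VerifyRedirectQuery(query string, spPub *rsa.PublicKey, enforceSigned bool) (string, error) {
	p := rawParams(query)
	if p["Signature"] == "" {
		if enforceSigned {
			return "", errors.New("unsigned AuthnRequest rejected")
		}
	} else {
		if alg, _ := url.QueryUnescape(p["SigAlg"]); alg != sigAlgRSASHA256 {
			return "", errors.New("unsupported SigAlg")
		}
		sigB64, _ := url.QueryUnescape(p["Signature"])
		sig, err := base64.StdEncoding.DecodeString(sigB64)
		if err != nil {
			return "", err
		}
		digest := sha256.Sum256([]byte(signedInput(p["SAMLRequest"], p["RelayState"], p["SigAlg"])))
		if err := rsa.VerifyPKCS1v15(spPub, crypto.SHA256, digest[:], sig); err != nil {
			return "", errors.New("signature verification failed")
		}
	}
	enc, _ := url.QueryUnescape(p["SAMLRequest"])
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", err
	}
	xml, err := io.ReadAll(flate.NewReader(bytes.NewReader(raw)))
	return string(xml), err
}

func main() {
	spKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	q, _ := BuildRedirectQuery(sampleAuthnRequest, "https://sp.example.com/app/deep-link", spKey)
	down := url.QueryEscape(DeflateB64(strings.Replace(sampleAuthnRequest, "MultiFactor", "PasswordProtectedTransport", 1)))
	_, err := VerifyRedirectQuery(strings.Replace(q, rawParams(q)["SAMLRequest"], down, 1), &spKey.PublicKey, true)
	fmt.Println("downgraded request with the original Signature accepted:", err == nil)
}
```

Two details matter in practice: the signed string is rebuilt from the raw query parameters rather than from decoded-then-re-encoded values, because a different encoder can change the bytes and break a valid signature, and SigAlg is pinned to the expected algorithm before the signature is checked so an attacker cannot pick a weaker one. The same principle applies to the POST binding, where the signature is an XML-DSig inside the request rather than a query parameter.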
For Attribute mappings, select a PingOne user attribute and map it to an attribute in the application. For more information, see Mapping attributes.
- Enter a SAML attribute and then select the corresponding PingOne attribute from the list.
Click the More Options (three vertical dots) icon to configure nameFormat for the SAML attribute. If you want to use a name format other than Subject, select an option from the list. If you don't select an option, PingOne uses the basic format by default. The options are:
- uri: The attribute follows the convention for URI references. The interpretation of the URI content is application-specific.
- basic: The strings in the attribute must be drawn from the values belonging to the primitive type xs:Name.
- unspecified: The attribute can be any format. The interpretation of the content is application specific.
- Click the gear icon to use the expression builder to build an attribute mapping. See Using the expression builder.
- Select Required to define the attribute as required for the application.
For Policies, select the authentication policies for the
If you have a DaVinci license, you can select PingOne policies or DaVinci Flow policies, but not both. If you don’t have a DaVinci license, you’ll see PingOne policies only.
To use a PingOne policy, click + Add policies and then select the policies that you want to apply to the application. Click Add. The policies are applied in the order in which they appear in the list: PingOne evaluates the first policy in the list first, and if the requirements of that policy are not met, PingOne moves to the next policy in the list. For more information, see Authentication policies for applications.
To use a DaVinci Flow policy, you must clear all PingOne policies. Click the Deselect all PingOne policies button. In the confirmation message, click Continue. Click the DaVinci Policies tab, and then select the policies that you want to apply to the application. PingOne applies the first policy in the list.
For Access, enter or edit the following:
- Application portal display: Determines whether the application's icon appears in the application portal. Clear it to hide the icon from users who are still allowed to access the application under the group membership policy. For more information, see Application access control.
- Admin only access: Specifies that a user with an administrator role is required to access the application. The user must have one of the following roles: Organization Admin, Environment Admin, Identity Data Admin, or Client Application Developer.
- Group membership policy. Select the group membership policy for the application. For more information, see Groups.
- Click Save.