SSO is initiated by the IdP itself, rather than by PingOne for Enterprise. In this case, the IdP needs to reference the particular application for SSO. PingOne for Enterprise assigns a unique ID, the saasid, to the connection for each application an SP publishes through PingOne for Enterprise. The IdP uses the saasid to reference the application connection for SSO.

If you're using a custom sign-on page or portal instead of the PingOne for Enterprise dock:

  1. In PingOne for Enterprise, configure a new SAML application.
    Tip:

    After you save and publish the application, remain on the Review Setup page. You'll need the application configuration information to configure SSO settings.

    See Adding or updating a SAML application for instructions.

  2. Use the application's saasid value to configure SSO settings in your IdP in one of the following ways:
    • Add the saasid as a query parameter to the connection's ACS URL. For example, https://sso.connect.pingidentity.com/sso/sp/ACS.saml2?saasid=<saasid>.
    • Configure your IdP to include a RelayState parameter along with the SAML request in the format RelayState=https://pingone.com/1.0/<saasid>.
  3. Get the full IdP-initiated SSO URL from the IdP and add it to your custom sign-on page or portal.

    If PingFederate is your IdP, the IdP-initiated settings used are the startSSO and TargetResource parameters.

    For more information, see IdP endpoints.

    Note:

    If you don't specify the saasid in your SSO URL, the URL will default to the PingOne for Enterprise dock.

    If your tenant doesn't include the dock (for example, if you're using PingOne SSO for SaaS Apps or an Invited SSO account), this will result in an error.
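
The following check is an added example, not part of the original documentation or any Ping Identity tooling. It takes the ACS URL and RelayState configured in an IdP and reports whether sign-on resolves to an application, falls back to the dock, or fails on a tenant without a dock. The function names and the sample saasid are constructed, and rejecting conflicting values is an assumption, because the page does not say which one takes precedence.

```python
from urllib.parse import urlsplit, parse_qs

ACS_HOST = "sso.connect.pingidentity.com"
ACS_PATH = "/sso/sp/ACS.saml2"
RELAY_PREFIX = "https://pingone.com/1.0/"
SAMPLE_SAASID = "11111111-2222-3333-4444-555555555555"  # constructed sample value


def _usable(value):
    """A saasid is usable if it is non-empty and not the unfilled <saasid> placeholder."""
    return bool(value) and "<" not in value and ">" not in value


def saasid_from_acs(acs_url):
    """Return the saasid query parameter of the ACS URL, or None if it is absent."""
    parts = urlsplit(acs_url)
    if parts.scheme != "https" or parts.hostname != ACS_HOST or parts.path != ACS_PATH:
        raise ValueError("not the ACS URL shown in the documentation: %r" % acs_url)
    values = parse_qs(parts.query).get("saasid", [])
    if len(values) > 1:
        raise ValueError("saasid given more than once")
    return values[0] if values and _usable(values[0]) else None


def saasid_from_relay_state(relay_state):
    """Return the saasid from RelayState=https://pingone.com/1.0/<saasid>, or None."""
    if not relay_state or not relay_state.startswith(RELAY_PREFIX):
        return None
    candidate = relay_state[len(RELAY_PREFIX):]
    return candidate if _usable(candidate) and "/" not in candidate else None


def check_idp_config(acs_url, relay_state=None, tenant_has_dock=True):
    """Return ('application', saasid), ('dock', None) or ('error', None)."""
    from_acs = saasid_from_acs(acs_url)
    from_relay = saasid_from_relay_state(relay_state)
    if from_acs and from_relay and from_acs != from_relay:
        # Assumption: treat a mismatch as a configuration fault to be fixed.
        raise ValueError("ACS URL and RelayState name different applications")
    if from_acs or from_relay:
        return "application", from_acs or from_relay
    # No saasid anywhere: the documented fallback is the dock, which
    # produces an error on tenants that do not include it.
    return ("dock", None) if tenant_has_dock else ("error", None)


if __name__ == "__main__":
    base = "https://" + ACS_HOST + ACS_PATH
    print(check_idp_config(base + "?saasid=" + SAMPLE_SAASID))
    print(check_idp_config(base, tenant_has_dock=False))
```

A URL that still carries the literal `<saasid>` placeholder is treated as having no saasid, which catches a configuration copied from the documentation without substitution.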