When a user opens a cloud application through PingOne for Enterprise, three entities participate in the SSO process: PingOne for Enterprise itself, the identity provider (IdP) that stores your organization's user information, and the service provider (SP) that makes the application available.

By default, when you add an application for SSO by your users, PingOne for Enterprise initiates the SSO process. If your organization's policy requires that SSO be initiated by your IdP or by the SP, you can instead configure the IdP or the SP as the entity that initiates SSO for that application.

The topics in this section will help guide you in selecting and configuring how you want SSO to be initiated for your users.

Why use PingOne for Enterprise-initiated SSO?

  • It's the default, so no additional configuration is required.
  • You don't want users to initiate SSO at the SP.
  • You want users to sign on to applications from the PingOne for Enterprise dock or from a custom sign-on page or portal, and you have no need for IdP-initiated SSO.

Why use IdP-initiated SSO?

  • You don't want users to initiate SSO at the SP.
  • You want users to sign on to applications from a custom sign-on page or portal rather than from the PingOne for Enterprise dock. A custom sign-on page or portal can use either IdP-initiated or PingOne for Enterprise-initiated SSO.
  • Your organization uses PingFederate and you want to add an application to the PingOne for Enterprise dock using the IdP-initiated SSO URL that PingFederate provides.
  • Your organization has a policy permitting only IdP-initiated SSO.

Why use SP-initiated SSO?

  • You want users to initiate SSO at the SP.
  • Users need to sign on to applications that have integrations that aren't browser-based, such as applications that use email integration or applications that use desktop plugins.
  • The SP has a policy permitting only SP-initiated SSO.
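The practical difference between the two initiation styles shows up at the SP: in SP-initiated SSO the SP creates a SAML AuthnRequest and the IdP's Response carries that request's ID in InResponseTo, so the SP can tie the response to a login it actually started; in IdP-initiated SSO the Response is unsolicited and has no InResponseTo. The following Python is an added example, not PingOne for Enterprise or Ping Identity code, showing how an SP can tell the two apart and enforce a policy such as "SP-initiated only". The SAML messages are constructed inline for the example (element and attribute names follow the SAML 2.0 protocol schema); the entity IDs and URLs are assumptions, and signature verification, which a real SP must perform before trusting any attribute, is left out.

```python
"""Added example: distinguishing SP-initiated from IdP-initiated SAML 2.0
responses at the SP and enforcing an initiation policy.  Not PingOne for
Enterprise code.  Messages are constructed and unsigned; a real SP verifies
the XML signature (and should parse with defusedxml) before reading anything."""
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ISSUE_INSTANT = "2024-01-01T00:00:00Z"  # constructed, fixed for the example

# AuthnRequest IDs this SP has issued and not yet consumed.  A real SP keeps
# this server-side, bound to the browser session that started the login.
_outstanding_requests = set()


def build_authn_request(sp_entity_id, idp_sso_url, acs_url):
    """SP-initiated SSO: the SP mints an AuthnRequest, remembers its ID and
    sends the browser to the IdP with it.  Returns (request_id, xml)."""
    request_id = "_" + secrets.token_hex(16)
    _outstanding_requests.add(request_id)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": ISSUE_INSTANT,
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    return request_id, ET.tostring(root, encoding="unicode")


def make_response(idp_entity_id, subject, in_response_to=None):
    """Constructed IdP Response for the demonstration.  With in_response_to
    it answers an AuthnRequest (SP-initiated); without it, it is unsolicited
    (IdP-initiated)."""
    attrs = {"ID": "_" + secrets.token_hex(16), "Version": "2.0",
             "IssueInstant": ISSUE_INSTANT}
    if in_response_to is not None:
        attrs["InResponseTo"] = in_response_to
    root = ET.Element(f"{{{SAMLP}}}Response", attrs)
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = idp_entity_id
    assertion = ET.SubElement(root, f"{{{SAML}}}Assertion", {"Version": "2.0"})
    subj = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = subject
    return ET.tostring(root, encoding="unicode")


def classify_response(response_xml):
    """Return 'sp-initiated' when the Response answers an AuthnRequest this SP
    issued, 'idp-initiated' when it is unsolicited, and raise ValueError when
    it claims to answer a request the SP never made (or already consumed)."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a SAML 2.0 Response")
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        return "idp-initiated"
    if in_response_to not in _outstanding_requests:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    _outstanding_requests.discard(in_response_to)  # one Response per request
    return "sp-initiated"


def accept_response(response_xml, policy):
    """Apply the SP's initiation policy: 'sp-only', 'idp-only' or 'either'.
    Returns the classification when permitted; raises PermissionError otherwise."""
    allowed = {
        "sp-only": {"sp-initiated"},
        "idp-only": {"idp-initiated"},
        "either": {"sp-initiated", "idp-initiated"},
    }[policy]
    kind = classify_response(response_xml)
    if kind not in allowed:
        raise PermissionError(f"{kind} SSO is not permitted by this SP's policy")
    return kind


if __name__ == "__main__":
    rid, _ = build_authn_request("https://sp.example", "https://idp.example/sso",
                                 "https://sp.example/acs")
    print(accept_response(make_response("https://idp.example", "alice", rid), "sp-only"))
    print(accept_response(make_response("https://idp.example", "alice"), "either"))
```

An SP whose policy permits only SP-initiated SSO rejects every Response without a matching InResponseTo, which is why such an SP cannot be reached from the PingOne for Enterprise dock or an IdP link alone. An SP that accepts IdP-initiated SSO has no request to bind the Response to, so it relies entirely on signature, audience and validity-window checks.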