Create a SAML application for your customers to connect to.
When you're adding or updating a SAML-enabled application, you'll need to specify the proper SAML configuration to establish a connection for your application.
- Go to .
- Click Add New Application.
- On the Basic information tab, select the category that applies to your application.
- Enter the application name and a description that will identify your application to users.
- Select whether your application is to be made publicly available (listed in the Application Catalog), or privately available (not listed in the Application Catalog, and available to organizations only at your invitation).
- Upload a logo and icon to use for your application. The logo is used for workstation users. The icon is displayed for mobile users. PNG is the only supported graphics format.
- Click Continue to Next Step and choose Yes, it is SAML-enabled.
- Optional: On the Create Connections page, select the SAML version supported by your application. If you're uncertain, the default version (SAML 2.0) is generally correct.
- Upload Metadata. Click Select File to upload the application's metadata file, or click Or use URL to enter the URL of the metadata file. The ACS URL and Entity ID will then be supplied for you. If you don't upload the application metadata, you'll need to enter this information manually with values provided by the application.
The application's Entity ID must be unique within your account. You can't configure more than one application in PingOne SSO for SaaS Apps using the same SP entity ID.
- Choose whether or not to enable SAML multiplexing (the default). For more information about application multiplexing, see About multiplexing.
- Select the public signing certificate to use. PingOne SSO for SaaS Apps will use this certificate on your behalf to sign SAML assertions. You can choose either:
Note: If you are using multiplexing, the primary and renewal certificates are PingOne SSO for SaaS Apps universal certificates. In this case, when you're notified to update the certificate, it's imperative that you do so.
- Primary Certificate
When you select the primary certificate, the PingOne SSO for SaaS Apps metadata for download contains both the primary and the renewal certificates.
- Renewal Certificate
When you select the renewal certificate, the PingOne SSO for SaaS Apps metadata for download contains only the renewal certificate. A renewal certificate is available only thirty days before the expiration of the primary certificate.
You can also choose to download the certificates independently (not as part of the PingOne SSO for SaaS Apps metadata). To do this, scroll down to the certificate Download links and click the appropriate link.
The Signing Certificate download link is for the certificate you selected in the Signing Certificate dropdown list. The other certificate is the certificate you didn't select in the Signing Certificate dropdown list. Note the expiration dates for the certificates.
If a certificate is identified as Expired, we'll currently still accept it. At some point, we may no longer accept the certificate, so we recommend you install a valid certificate soon. Note that your IdP or an application may not accept an expired certificate.
You need to supply the PingOne SSO for SaaS Apps connection information to each customer connecting to your application. You can either:
- Click Download to retrieve all of the SAML metadata for the PingOne SSO for SaaS Apps connection.
- Copy the displayed connection information (for SSO Service URL and Entity ID) and download the PingOne SSO for SaaS Apps signing certificate.
- Enter the URL for the SAML Single Logout Endpoint. We send the single logout (SLO) request to this URL using the binding type you select for Single Logout Binding Type.
The attributes for Single Logout Endpoint, Single Logout Binding Type and Verification Certificate are interdependent. To support SLO, you'll need to specify all of these attribute values, and optionally, Single Logout Response Endpoint. See PingOne for Enterprise and SLO for more information.
Note: If you choose not to support SLO for an application, the application will not be notified when the user session ends.
- Optional: Enter the URL for the SAML Single Logout Response Endpoint. If you don't assign a value here, Single Logout Endpoint is also used as the response endpoint. You send the application SLO response to this URL.
- Optional: Select the binding type to use for SLO. This can be POST or Redirect (defaults to POST).
- Optional: Upload the signing certificate you'll use to sign SLO requests. This can be the same certificate you use for SAML assertions.
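The metadata upload step above and the SLO interdependency rule can both be checked before the values go into the wizard. The following is an added example, not code from PingOne or this guide: it parses a constructed SP metadata document with the standard library, pulls out the Entity ID, ACS and SLO values the page says metadata supplies, and then applies the page's two configuration rules (SP entity ID must be unique within the account; SLO endpoint, binding type and verification certificate are set together or not at all). All URLs and the certificate value are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed SP metadata for a hypothetical application; every value is a placeholder.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://app.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://app.example.test/saml/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://app.example.test/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def parse_sp_metadata(xml_text):
    """Extract the values the wizard otherwise asks for by hand: entity ID, ACS and SLO settings."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = sp.find("md:AssertionConsumerService", NS)
    slo = sp.find("md:SingleLogoutService", NS)
    cert = sp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
        "slo_url": slo.get("Location") if slo is not None else None,
        "slo_binding": slo.get("Binding") if slo is not None else None,
        "slo_cert": cert.text.strip() if cert is not None and cert.text else None,
    }

def validate_connection(conn, existing_entity_ids):
    """Apply the page's rules: unique SP entity ID, and SLO fields set all-or-nothing."""
    problems = []
    if conn["entity_id"] in existing_entity_ids:
        problems.append("entity ID already used by another application in this account")
    slo_fields = (conn["slo_url"], conn["slo_binding"], conn["slo_cert"])
    if any(slo_fields) and not all(slo_fields):
        problems.append("SLO endpoint, binding type and verification certificate must all be set")
    if conn["slo_binding"] not in (None, POST, REDIRECT):
        problems.append("SLO binding must be HTTP-POST or HTTP-Redirect")
    return problems
```

`existing_entity_ids` stands in for the entity IDs of applications already configured in the account; the check only detects the clash, it does not tell you which application owns the ID.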
- Click Signing Algorithm to choose the algorithm used to sign both SAML assertions and SLO requests.
If you are setting up a new application, the signing algorithm defaults to the recommended SHA-256.
If you have an existing application configuration, SHA-1 may be displayed as the default signing algorithm. We recommend you change it to SHA-256 at your convenience.
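A legacy configuration left on SHA-1 shows up on the receiving side as the algorithm URIs declared in the message's SignedInfo. As an added example (not code from PingOne or this guide), the check below reads those URIs from a constructed signed SAML Response fragment and reports anything outside a SHA-256 allowlist, so a relying party can reject SHA-1 signed messages before attempting signature verification. The Response content and signature values are placeholders.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Standard XML-DSig algorithm identifiers: SHA-256 is the recommended choice, SHA-1 is legacy.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
ACCEPTED = {RSA_SHA256, SHA256}

# Constructed fragment of a signed SAML Response, as sent by an IdP still configured for SHA-1.
# Only the Signature structure matters here; IDs and signature values are placeholders.
SAMPLE_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_placeholder">
  <ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_placeholder">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
</samlp:Response>"""

def signature_algorithms(xml_text):
    """Return (signature method URI or None, list of digest method URIs) declared in the message."""
    root = ET.fromstring(xml_text)
    sig = next(root.iter(DS + "SignatureMethod"), None)
    digests = [d.get("Algorithm") for d in root.iter(DS + "DigestMethod")]
    return (sig.get("Algorithm") if sig is not None else None, digests)

def weak_algorithms(xml_text):
    """List declared algorithms outside the SHA-256 allowlist; an unsigned message yields [None]."""
    sig, digests = signature_algorithms(xml_text)
    return [a for a in (sig, *digests) if a not in ACCEPTED]
```

This inspects only the declared algorithms; the signature itself still has to be verified against the IdP's signing certificate with an XML-DSig library.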
- Encrypt Assertion. If selected, the assertions sent from PingOne SSO for SaaS Apps for the application will be encrypted. Available for SAML 2.0 multiplexed applications only.
Selecting this option will prompt you for the information necessary to encrypt the assertion:
- Encryption Certificate: Upload the certificate to use to encrypt the assertions.
- Encryption Algorithm: Choose the algorithm to use for encrypting the assertions. We recommend AES_256 (the default), but you can select AES_128 instead.
- Transport Algorithm: The algorithm used for securely transporting the encryption key. Currently, RSA-OAEP is the only transport algorithm supported.
- Verify that all entries are correct, then click Continue to Next Step. The SSO Attribute Requirements page is displayed.
- On the SSO Attribute Requirements page, click Add Attribute to add any attributes necessary for SSO to your application.
- Optional: Click on the Name or Description of any existing attribute to edit the value. Press Enter to save your changes or Esc to cancel.
- Click the Required checkbox for any attributes that require a value for SSO to your application.
- Click Continue to Next Step.
- On the Create Instructions page, for Introduction Text, enter text introducing your application and supplying any necessary instructions to users.
- Optional: For SSO Configuration Path, enter user guidance for the location of any SSO settings for your application.
- Optional: For SSO Configuration Page URL, enter the URL for any SSO settings for your application.
- Optional: For Configuration Steps, click Add Step to add stepped instructions for configuring SSO for your application.
- Optional: For SSO Configuration Page Screenshot, click Select Image to upload a screenshot of the SSO configuration page for your application.
- Optional: On the Publish page, click Add Parameter to assign any connection parameters customers can use for your application. You can elect to make the parameters required.
- On the Publish page, verify that the information is correct, then click Save & Publish.
If you have selected to publish your application publicly, it is submitted to us for registration. When we have processed the registration for your application, your application information is published in the Application Catalog.
Your application is displayed in the listing on your My Applications page, where you can view or edit all of your application settings as needed.
If you have selected to publish your application privately, the application will not be listed in the Application Catalog. Instead, you will invite customers to connect to your application. See Customer connection methods for instructions.