Redirect users to PingOne SSO for SaaS Apps (SP-initiated SSO) - PingOne SSO for SaaS Apps - PingOne for Enterprise

PingOne for Enterprise

bundle
pingoneforenterprise
ft:publication_title
PingOne for Enterprise
Product_Version_ce
PingOne for Enterprise
category
Product
pingone
ContentType_ce

Redirect users from your application to PingOne SSO for SaaS Apps.

You will redirect your users to PingOne SSO for SaaS Apps using the PingOne SSO for SaaS Apps URL format and attributes.

  1. Format the PingOne SSO for SaaS Apps URL.
    The HTTP redirect has to go to this PingOne URL: https://sso.connect.pingidentity.com/sso/sp/initsso?saasid=<parmname>&idpid=<idpid>&appurl=<url>&errorurl=<errorUrl>
  2. Assign the query parameters.

    The following parameters are supported:

    saasid
    Identifies the application your user wants to access. You will find a listing of your applications and the associated SaaS ID (in parentheses below the application name) on the My Applications tab.
    idpid
    Identifies the identity repository for user authentication. This ID must be unique. The idpid value is used during HTTP redirect and token exchange. We recommended that you use a domain name here, if possible.
    Note: IdP IDs containing the forward-slash character (/) aren't allowed.
    For methods you can use to discover the idpid for a particular IdP, see Finding the idpId value.
    appurl
    A URL in your domain to which the user is redirected after authenticating. Use this to override the Default Application URL value set on the Create connections page. Unlike a Default Application URL value, for appurl you cannot use a non-SSL URL for a test or development environment. Instead, you can use only SSL. If you specify a value here, you must have a matching value for the Hostname or Domainname entry on the Create connections page.
    errorurl
    An error-handling URL for your domain to redirect to in case of an error. This is used to override the Error URL value set on the Create connections page.
    forceauthn
    If true, ensures the IdP forces the user to re-authenticate, even if the user possess a valid SSO session.

    For multiplexed SAML applications, multiple IdPs use a single connection to an application. In this case, PingOne needs to determine which IdP to use to authenticate a user. If we cannot determine this from the idpid parameter, we prompt the user for their email address and look up the IdP based on the email domain. However, when you're doing SP-initiated SSO from a PingFederate SP server, you can specify the IdP using the SP Services query parameter AuthenticatingIdpId. See AuthenticatingIdpId in PingFederate's SP Services documentation for more information.

    Here's an example of a redirect to PingOne SSO for SaaS Apps: https://sso.connect.pingidentity.com/sso/sp/initsso?saasid=mysaas.com&idpid=exampleIdp.com
    Note: This URL is different for every IdP.
  3. Write the supporting code to implement the HTTP redirect. You can use these samples as a basis:
  4. Next, you will need to process the PingOne token exchange.