SAML applications

Configure the single logout (SLO) endpoints for your SAML-enabled applications so that user sessions can be closed and cleaned up in a timely manner. If your application doesn't support SLO, PingOne SSO for SaaS Apps won't notify the application when a user session ends.

For instructions on configuring SLO endpoints, see PingOne for Enterprise and SLO.

Non-SAML applications

appurl parameter

Disable the appurl parameter or tighten its validation. The purpose of the appurl parameter is to provide a way to override the default application URL.

If your application has only one entry point, leave the Hostname or Domain field empty, which will disable the appurl parameter.

If you must use appurl, a hostname such as can provide stricter validation than

Binding type

When you create a new application, you must choose between Post or Redirect bindings for sending tokens to the application. Post is the default and more secure option because it doesn't expose the token as a query parameter in the URL.


Use HTTPS for the Default Application URL and Error URL. Although HTTP is permitted, HTTPS improves data security in transit.

For more information about configuring non-SAML applications, see Add or update other applications.

Application integration

Processing the PingOne token exchange is the key step in integrating your application with PingOne SSO for SaaS Apps. Based on the user attributes returned from the token exchange, applications need to perform two important validations before accepting a token:

  1. Does the value match the application's SaaS ID value?

    Matching the to the application's SaaS ID value prevents attackers from using tokens issued for other applications to access your application.

  2. Is the value used to qualify the pingone.subject parameter?

    Identifying a user with a combination of the and pingone.subject parameters prevents other identity providers (IdPs) from using identifiers that resemble credentials from your intended IdP.

For more information, see Process the PingOne SSO for SaaS Apps token exchange.