Learn about the idpId parameter and how it's used in PingOne SSO for SaaS Apps.
The idpId parameter is a unique value that identifies a customer organization to your software as a service (SaaS) application.
The idpId represents a unique identity provider (IdP) configuration for a given customer. The same IdP configuration is applied across all connections that share an idpId within your PingOne SSO for SaaS Apps account.
Once set, the idpId value can't be changed. You can change the configuration that is used by the idpId, which will update all connections using that idpId.
If your IdP partner has separate environments for testing and production, create a different idpId configuration for each.
If your IdP partner has only one environment, but you want separate application connections for test and production, create test and production versions of your application, and use the same idpId configuration for both.
The idpId parameter is used in three application workflows:
- When you add a connection, you are required to provide an idpId.
  For more information, see:
- When you redirect users from your application to PingOne for Enterprise to initiate single sign-on (SSO), you must tell PingOne for Enterprise which idpId to
  For more information, see Redirect users to PingOne SSO for SaaS Apps (SP-initiated SSO).
- When the user returns to your application with either a token or a SAML assertion, PingOne SSO for SaaS Apps includes the idpId in the user data for you to use in creating a user
  For more information, see Process the PingOne SSO for SaaS Apps token exchange.
Most applications should use the domain name as an idpId value because it's a common way of uniquely identifying a domain of users.
However, if your application doesn't include a domain name, can't guarantee the domain name's uniqueness, or if you already have a scheme for identifying an organization in your application (for example, by company name or UUID), you can assign any value. The idpId is ultimately for your application to consume.
The idpId is used during single sign-on (SSO) to identify which IdP connection or configuration to use. If the idpId is not specified, the user is prompted to perform IdP discovery based on their email domain. For more information on configuring email domains for idpId discovery, see Edit an invited customer connection and Edit a managed customer connection.
For more information about finding an existing idpId value, see Finding the idpId value.
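Because the idpId returned in the user data is what ties a sign-on to a customer organization, the application should resolve it against its own tenant records before creating or loading a user. The following is an added example, not code from the PingOne documentation, showing one way to do that in Python. The attribute names `pingone.idp.id` and `pingone.subject`, the `TENANTS` registry, and the `bind_user` helper are assumptions for illustration; use the names your token exchange response actually contains.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed attribute names in the returned user data; check your own responses.
IDP_ID_KEY = "pingone.idp.id"
SUBJECT_KEY = "pingone.subject"

# Constructed registry: idpId -> internal organization record.
TENANTS = {
    "example.com": "org-1001",
    "example.org": "org-1002",
}

class SsoRejected(Exception):
    """The returned user data could not be bound to a known tenant."""

@dataclass(frozen=True)
class UserKey:
    org_id: str
    idp_id: str
    subject: str

def bind_user(user_data: dict, expected_idp_id: Optional[str] = None) -> UserKey:
    """Map returned user data to a tenant-scoped user key.

    expected_idp_id is the idpId the application sent on the SP-initiated
    redirect, kept server-side in the session. None means no idpId was
    specified and the user went through IdP discovery.
    """
    idp_id = user_data.get(IDP_ID_KEY)
    subject = user_data.get(SUBJECT_KEY)
    if not isinstance(idp_id, str) or not isinstance(subject, str) or not subject:
        raise SsoRejected("user data is missing idpId or subject")
    # Exact match only: the idpId is an opaque identifier, not a pattern.
    org_id = TENANTS.get(idp_id)
    if org_id is None:
        raise SsoRejected(f"unknown idpId {idp_id!r}")
    if expected_idp_id is not None and idp_id != expected_idp_id:
        raise SsoRejected("returned idpId differs from the one requested")
    # Key the account by idpId as well as subject, so the same subject value
    # at two customer organizations never resolves to one account.
    return UserKey(org_id, idp_id, subject)
```

Store `expected_idp_id` in the server-side session rather than in a query parameter or cookie the browser can alter.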
The PingOne for Enterprise test identity provider will automatically be added to your application with a random GUID as the idpId. To find the test provider, go to Customer Connections, click Narrow by, and select Test IdP.