---
title: Configuring a SAML application
description: Configure a SAML application in PingFederate, PingOne, and PingOne for Enterprise.
component: solution-guides
page_id: solution-guides:workforce_use_cases:htg_config_saml_app
canonical_url: https://docs.pingidentity.com/solution-guides/workforce_use_cases/htg_config_saml_app.html
revdate: April 13, 2025
page_aliases: ["workforce_use_cases:htg_config_saml_app_pf.adoc", "workforce_use_cases:htg_config_saml_app_p1.adoc", "workforce_use_cases:htg_config_saml_app_p14e.adoc"]
section_ids:
  configuring-a-saml-application-in-pingfederate: Configuring a SAML application in PingFederate
  before-you-begin: Before you begin
  steps: Steps
  configuring-a-saml-application-in-pingone: Configuring a SAML application in PingOne
  about-this-task: About this task
  steps-2: Steps
  choose-from: Choose from:
  next-steps: Next steps
  configuring-a-saml-application-in-pingone-for-enterprise: Configuring a SAML application in PingOne for Enterprise
  before-you-begin-2: Before you begin
  steps-3: Steps
  result: Result
---

# Configuring a SAML application

Configure a SAML application in PingFederate, PingOne, and PingOne for Enterprise.

Read the following sections for instructions for each product.

## Configuring a SAML application in PingFederate

Configure a SAML application in PingFederate.

### Before you begin

**Component**

* PingFederate 10.1

Make sure you have the following:

* A datastore connection

* A configured password credential validator (PCV)

* A configured identity provider (IdP) adapter

* An IdP digital signing certificate

### Steps

1. In the PingFederate administrative console, go to **Applications > Integration > SP Connections**.

2. Click **Create Connection**.

3. On the **Connection Template** tab, click **Do not use a template for this connection**. Click **Next**.

4. On the **Connection Type** tab, select the **Browser SSO Profiles** checkbox.

5. In the **Protocol** list, select **SAML 2.0**. Click **Next**.

6. On the **Connection Options** tab, leave the **Browser SSO** checkbox selected, and then click **Next**.

7. On the **Import Metadata** tab, import service provider (SP) metadata, pull from a URL, or enter the data manually. Click **Next**.

   In this example, we assume that SP metadata is provided.

8. On the **General Info** tab, provide a **Connection Name** if needed and review the information. Click **Next**.

   **Note:** The **Entity ID** and **Base URL** should be provided by the SP.

9. On the **Browser SSO** tab, click **Configure Browser SSO**.

10. On the **SAML Profiles** tab, select the **IdP-Initiated SSO** and **SP-Initiated SSO** checkboxes. Click **Next**.

11. On the **Assertion Lifetime** tab, leave the default entries, and then click **Next**.

12. On the **Assertion Creation** tab, click **Configure Assertion Creation**.

13. On the **Identity Mapping** tab, click **Standard**. Click **Next**.

14. On the **Attribute Contract** tab, ensure that whatever attributes you need for the SP are defined here. Click **Next**.

15. On the **Authentication Source Mapping** tab, click **Map New Adapter Instance**.

16. On the **Adapter Instance** tab, from the **Adapter Instance** list, select your previously configured HTML form adapter. Click **Next**.

17. On the **Mapping Method** tab, leave the default selection, and then click **Next**.

18. On the **Attribute Contract Fulfillment** tab, from the **Source** list for **SAML\_SUBJECT**, select **Adapter**.

19. From the **Value** list, depending on what the SP is expecting, select **mail** or **uid**.

20. Define any other mappings as needed. Click **Next**.

    You can also choose the **Text** source to send a hard-coded value to the SP.

21. On the **Issuance Criteria** tab, click **Next**.

22. On the **Summary** tab, review your entries, and then click **Done**.

    ![Screen capture of the IdP Adapter Mapping Summary tab. The bottom of the screen capture shows a hyperlink option to Cancel and buttons for Save Draft, Previous, and Done.](_images/rde1600200768900.png)

23. On the **Authentication Source Mapping** tab, click **Next**.

24. On the **Summary** tab, review your entries, and then click **Done**.

25. On the **Assertion Creation** tab, click **Next**.

26. On the **Protocol Settings** tab, click **Configure Protocol Settings**.

27. On the **Assertion Consumer Service URL** tab, ensure you see an entry for your SP based on the metadata that you uploaded. Click **Next**.

28. On the **Allowable SAML Bindings** tab, **POST** should be selected. Click **Next**.

29. On the **Signature Policy** tab, click **Always Sign the SAML Assertion**. Click **Next**.

30. On the **Encryption Policy** tab, click **None**. Click **Next**.

    With **None**, the assertion is signed but travels in clear inside the SAML response, so its confidentiality rests on TLS at the SP's ACS URL. If the SP publishes an encryption certificate in its metadata and expects encrypted assertions, choose one of the encryption options instead.

31. On the **Summary** tab, review your entries, and then click **Done**.

    ![Screen capture of the Protocol Settings Summary tab. The bottom of the screen capture shows a hyperlink option to Cancel and buttons for Save Draft, Previous, and Done.](_images/kdm1600201023572.png)

32. On the **Protocol Settings** tab, click **Next**.

33. On the **Summary** tab, review your entries, and then click **Done**.

    ![Screen capture of the Browser SSO Summary tab. The bottom of the screen capture shows a hyperlink option to Cancel and buttons for Save Draft, Previous, and Done.](_images/xnt1600201249127.png)

34. On the **Browser SSO** tab, click **Next**.

35. On the **Credentials** tab, click **Configure Credentials**.

36. On the **Digital Signature Settings** tab, from the **Signing Certificate** list, select your organization's default signing certificate that you previously created.

37. Select the **Include the Certificate in the Signature \<KeyInfo> Element** checkbox so that the SP can take the verification certificate from the assertion itself. Click **Next**.

38. On the **Summary** tab, review your entries, and then click **Done**.

    ![Screen capture of the Summary tab. The bottom of the screen capture shows a hyperlink option to Cancel and buttons for Save Draft, Previous, and Done.](_images/bax1600201729793.png)

39. On the **Credentials** tab, click **Next**.

40. On the **Activation & Summary** tab, click the toggle to enable the connection, and then scroll to the bottom and click **Save**.

    The connection status is enabled when the toggle is green. You must click **Save** or your work will be lost.

    ![Screen capture of the Activation and Summary window showing the connection status as enabled.](_images/ypw1601419641147.png)

### Next steps

Click the SP connection that you just created and copy its **SSO-URL** link. Start a private browsing session, so that no existing PingFederate session is reused, and test the connection by opening the **SSO-URL** link. You should be prompted by the HTML form adapter and then arrive at the SP with the attributes you mapped.
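To turn the private-browsing test into a repeatable check, the following script, added here as an example and not part of this page or of PingFederate, decodes a captured SAMLResponse and compares it with the settings chosen in the steps above: the assertion carries a signature with the certificate in KeyInfo (steps 29 and 37), a NameID for SAML\_SUBJECT (step 18), an Audience equal to the SP entity ID, a Recipient equal to the ACS URL (step 27), and a validity window that contains the current time (step 11). The entity IDs, URLs and the embedded sample response are constructed placeholders, and the script performs structural checks only; it does not cryptographically verify the XML signature (an XML-signature library such as xmlsec or signxml does that).

```python
"""Check a captured SAMLResponse against the SP connection settings above.

Added example; not code from the Ping Identity page or from PingFederate.
Entity IDs, URLs and the embedded response are constructed placeholders.
Structural checks only: the XML signature is not cryptographically verified.
"""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values the SP connection was built with (placeholders).
EXPECTED = {
    "idp_entity_id": "https://idp.example.com",
    "sp_entity_id": "https://sp.example.com/saml/metadata",
    "acs_url": "https://sp.example.com/saml/acs",
}

# Constructed stand-in for the SAMLResponse form field the browser posts to the ACS URL.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2025-04-13T10:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-04-13T10:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo>
      <ds:SignatureValue>c2ln</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs" NotOnOrAfter="2025-04-13T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2025-04-13T09:55:00Z" NotOnOrAfter="2025-04-13T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z and an optional fraction."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_saml_response(saml_response_b64, expected, now):
    """Return a list of findings (empty = matches); `now` is a timestamp string like the SAML ones."""
    now = parse_saml_time(now)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    findings = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("status is not Success")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        return findings + ["assertion is encrypted; this checker inspects plaintext assertions only"]
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["response carries no Assertion"]
    issuer = assertion.find("saml:Issuer", NS)
    if issuer is None or (issuer.text or "").strip() != expected["idp_entity_id"]:
        findings.append("assertion Issuer is not the expected IdP entity ID")
    sig = assertion.find("ds:Signature", NS)  # Signature Policy: Always Sign the SAML Assertion
    if sig is None:
        findings.append("assertion is not signed")
    elif sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
        findings.append("no X509Certificate in KeyInfo (Include the Certificate in the Signature KeyInfo Element)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("no NameID: SAML_SUBJECT was not fulfilled")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["acs_url"]:
        findings.append("SubjectConfirmationData Recipient is not the expected ACS URL")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        findings.append("assertion has no Conditions")
    else:
        # Assertion Lifetime tab: the window around IssueInstant in which the SP may accept it.
        if cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")):
            findings.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= parse_saml_time(cond.get("NotOnOrAfter")):
            findings.append("assertion expired")
        audiences = [(a.text or "").strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected["sp_entity_id"] not in audiences:
            findings.append("SP entity ID not in AudienceRestriction: %s" % audiences)
    return findings


if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE_B64, EXPECTED, "2025-04-13T10:01:00Z") or ["OK"])
```

To run it against a real capture, replace SAMPLE_RESPONSE_B64 with the SAMLResponse value from the browser's network tab, put your own identifiers in EXPECTED, and pass the current UTC time; each finding names the connection setting that produced the mismatch.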

## Configuring a SAML application in PingOne

Configure a SAML application in PingOne.

### About this task

In the following configuration, values vary depending on what the application (the service provider) requires.

**Note:** Some application settings can only be configured after the application is created. Learn more in [Editing an application](https://docs.pingidentity.com/pingone/applications/p1_editing_applications.html).

### Steps

1. Go to **Applications > Applications**.

2. Click the **+** icon.

3. Create the application profile by entering the following:

   * **Application name**: A unique identifier for the application.

   * **Description** (optional): A brief characterization of the application.

   * **Icon** (optional): A graphic representation of the application. Use a file up to 1MB in JPG, JPEG, GIF, or PNG format.

4. For **Application Type**, select **SAML Application**.

5. Click **Configure** and specify the details of the connection between the application and PingOne.

   You can enter the values manually, or import them from a file or URL.

   #### Choose from:

   * Import the configuration details from an XML metadata file. Select **Import Metadata**. Click **Select a File** and then select an XML metadata file on your file system. Click **Open**.

     The configuration values are populated based on the information in the metadata file.

     **Note:** If the metadata file does not specify all the configuration values, you must enter the missing values manually.

   * Import the configuration details from a metadata URL. Select **Import from URL**. Enter the URL and then click **Import**.

     **Note:** The URL must be a valid absolute URL.

     The configuration values are populated based on the information from the URL.

   * Enter the configuration details manually. In the **ACS URLs** field, enter the Assertion Consumer Service (ACS) URLs. You must specify at least one URL, and the first URL in the list is used as the default.

     In the **Entity ID** field, enter the service provider entity ID used to look up the application. The Entity ID is a required property and is unique within the environment.

6. Click **Save**.
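Both the PingFederate **Import Metadata** step and the PingOne import options above depend on the SP's metadata file being complete and sane. The following script, added here as an example and not part of the Ping Identity page or products, parses an SP metadata document with Python's standard library and pulls out what the IdP side needs: the entity ID, the ACS URLs with their bindings and default flag, the NameID formats, and fingerprints of the published certificates, with warnings for the things that decide later settings (an ACS URL that is not https, a missing encryption certificate, an SP that does not ask for signed assertions). The sample metadata, entity ID, URLs and certificate value are constructed placeholders.

```python
"""Extract what the IdP needs from SAML 2.0 SP metadata before importing it.

Added example; not code from the Ping Identity page or products. The metadata
document, entity ID, URLs and certificate value below are constructed
placeholders standing in for a real SP's metadata file.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP metadata: one https ACS marked default, one http ACS, and an
# encryption certificate but no signing certificate.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.com/saml/acs-dev" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return the connection values an IdP needs, plus warnings about them."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor; is this IdP metadata?")

    # ACS endpoints ordered by index; the SP marks its default with isDefault.
    acs = sorted(
        ({"index": int(el.get("index", "0")), "binding": el.get("Binding"),
          "location": el.get("Location"), "default": el.get("isDefault") == "true"}
         for el in sp.findall("md:AssertionConsumerService", NS)),
        key=lambda a: a["index"])

    # Certificates by declared use; a SHA-256 of the DER is enough to compare
    # with what the product shows after the import.
    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "signing+encryption")  # no 'use' attribute means both
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            der = base64.b64decode("".join(cert.text.split()))
            certs.setdefault(use, []).append(hashlib.sha256(der).hexdigest())

    info = {
        "entity_id": root.get("entityID"),
        "acs": acs,
        "wants_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "name_id_formats": [(e.text or "").strip() for e in sp.findall("md:NameIDFormat", NS)],
        "cert_fingerprints": certs,
    }
    info["warnings"] = check_sp_metadata(info)
    return info


def check_sp_metadata(info):
    """Checks worth running before the import: their outcome decides later settings."""
    def has(use):
        return use in info["cert_fingerprints"] or "signing+encryption" in info["cert_fingerprints"]
    warnings = []
    if not info["acs"]:
        warnings.append("no AssertionConsumerService: SSO cannot complete")
    for a in info["acs"]:
        if urlparse(a["location"] or "").scheme != "https":
            warnings.append("ACS %s is not https; the signed assertion would be posted in clear" % a["location"])
    if not info["wants_assertions_signed"]:
        warnings.append("SP does not declare WantAssertionsSigned; sign the assertion anyway")
    if info["authn_requests_signed"] and not has("signing"):
        warnings.append("AuthnRequestsSigned=true but no signing certificate is published")
    if not has("encryption"):
        warnings.append("no encryption certificate: assertion encryption cannot be enabled for this SP")
    return warnings


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_SP_METADATA)
    print("Entity ID:", info["entity_id"])
    for a in info["acs"]:
        print("ACS[%d]%s %s" % (a["index"], " (default)" if a["default"] else "", a["location"]))
    for w in info["warnings"]:
        print("WARNING:", w)
```

Run parse_sp_metadata on the real file's contents before importing it; an ACS URL that is not https or a missing encryption certificate is easier to take up with the SP's owner now than after the connection is live.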

### Next steps

After the application is created, you can edit the application settings, configure application policies, and control application access. Learn more in [Editing an application - SAML](https://docs.pingidentity.com/pingone/applications/p1_edit_application_saml.html), [Applying authentication policies to an application](https://docs.pingidentity.com/pingone/applications/p1_apply_auth_policy_to_applications.html), and [Application access control](https://docs.pingidentity.com/pingone/applications/p1_application_access_control.html).

## Configuring a SAML application in PingOne for Enterprise

Configure a SAML application in PingOne for Enterprise.

### Before you begin

Have the service provider's (SP) SAML details for the application at hand. If the SP does not supply a ready-made single sign-on (SSO) URL, which is typical for a SAML application that already exists in your organization, you must configure the SAML settings for the application yourself, as described in the following steps, to add it to PingOne for Enterprise.

### Steps

1. In the PingOne for Enterprise dashboard, go to **Applications > My Applications > SAML**.

2. Click **Add Applications > New SAML Application**.

3. In the **Application Details** section, complete the following required fields:

   * **Application Name**

   * **Application Description**

   * **Category**

     ![Screen capture of the Application Details section and the corresponding fields. Required fields are defined by a small red asterisk to the right of the field. In addition to the required fields of Application Name, Application Description, and Category, there is a field for Graphics. The bottom of the screen capture includes text that the next step is Application Configuration along with the Cancel and Continue to Next Step buttons.](_images/bcs1600199959633.png)

4. Click **Continue to Next Step**.

5. In the **Application Configuration** section, provide the SAML configuration details for the application.

   1. From the **Signing Certificate** list, select the signing certificate you want to use.

   2. In the **SAML Metadata** field, click **Download** to retrieve the SAML metadata for PingOne for Enterprise.

      This supplies the PingOne for Enterprise connection information to the application.

   3. In the **Protocol Version** field, select the SAML protocol version appropriate for your application.

   4. In the **Upload Metadata** section, click **Choose File** to upload the application's metadata file.

      **Note:** The **ACS URL** and **Entity ID** are then filled in for you. If you don't upload the application metadata, you must enter this information manually. A manually assigned entity ID must be unique, unless you are assigning it to a private managed application (an application that is supplied and configured by a PingOne for Enterprise administrator rather than by an SP). When applications are supplied by an SP, entity ID values must be unique to avoid identifier conflicts with the IdP ID for the application.

   5. In the **Application URL** field, enter an appropriate URL.

      This is required by some applications as the target URL. It is used in IdP-initiated SSO for deep linking: the IdP passes the application URL to the SP in the RelayState parameter.

   6. In the **Single Logout Endpoint** field, enter the URL to which the service will send the SAML single logout (SLO) request using the **Single Logout Binding Type** that you select.

   7. In the **Single Logout Response Endpoint** field, enter the URL to which your service sends the SLO response.

   8. In the **Single Logout Binding Type** field, select the binding type, **Redirect** or **POST**, to use for SLO.

   9. In the **Primary Verification Certificate** field, click **Choose File** to upload the primary public verification certificate to use for verifying the SP signatures on SLO requests and responses.

   10. In the **Secondary Verification Certificate** field, click **Choose File** to upload the secondary verification certificate if available.

       The secondary verification certificate is used if the primary verification certificate fails to validate a signature.

   11. Select the **Encryption Assertion** checkbox.

       If selected, the assertions that PingOne for Enterprise sends to the SP for a multiplexed application are encrypted. You can also use this option for your managed applications. Available for SAML 2.0 applications only.

       Selecting this option displays the information needed to encrypt the assertion:

       * **Encryption Certificate**: Upload the certificate to use to encrypt the assertions.

       * **Encryption Algorithm**: Choose the algorithm to use for encrypting the assertions. We recommend **AES\_256** (the default), but you can select **AES\_128** instead.

       * **Transport Algorithm**: The algorithm used for securely transporting the encryption key. Currently, **RSA-OAEP** is the only transport algorithm supported.

         **Note:** If an encryption certificate is included in the metadata you upload, this option is automatically enabled. The **Encryption Certificate** entry shows the name of the certificate and **Encryption Algorithm** is set to **AES\_256**.

   12. In the **Signing** field, select either to sign the SAML assertion or to sign the SAML response.

       If the **Encryption Assertion** checkbox has been selected, choose to sign the response. An assertion-level signature would sit inside the encrypted element, whereas a response signature covers the ciphertext and can be verified by the SP before it decrypts anything, which is a significant security improvement.

   13. In the **Signing Algorithm** list, select the desired algorithm or use the default value.

   14. Select the **Force Re-authentication** checkbox.

       If selected, users having a current, active SSO session will be re-authenticated by the identity bridge to establish a connection to this application.

   15. Select the **Force MFA** checkbox.

       If selected, users are required to use multi-factor authentication (MFA), as defined by your authentication policy, each time they access the application. You need an authentication policy in place to use this setting. Learn more in [Create or update an authentication policy](https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_create_update_authentication_policy.html).

       ![Screen capture of the Application Configuration section and the corresponding fields.](_images/arx1600200202338.png)

6. Complete any of the remaining entry fields that your application requires; they are optional. Click **Continue to Next Step**.

7. In the **SSO Attribute Mapping** section, modify or add any attribute mappings as necessary for the application.

   In most cases, the default attribute mappings are sufficient. These mappings assign your identity repository attributes to the attributes provided by the SP for the application. For each application attribute, you can:

   * Click the **Required** checkbox to designate an attribute or attributes as required by the application.

   * In the **Application Attribute** field, enter the attribute name that the application (SP) expects to receive.

   * In the **Identity Bridge Attribute or Literal Value** field, select an identity repository attribute from the list.

   * Select the **As Literal** checkbox, and then enter a literal value to assign.

   * Click **Advanced**, and then enter any additional attributes required by the application. You then have all of the choices above when configuring the attribute.

8. When finished modifying or adding any additional attributes, click **Continue to Next Step**.

9. In the **Group Access** section, make the new application available to your users by assigning the groups authorized to use the application.

   1. Click **Add** for each group you want to authorize to use the application.

      All members of the selected group or groups will be able to use the application. When the application supports user provisioning, user provisioning to this application is also enabled for members of the assigned groups.

10. Click **Continue to Next Step**.

11. In the **Review Setup** section, review the application connection information.

    Some of this information might be needed by the SP to complete the SSO configuration for the application. In particular, you can download the PingOne for Enterprise signing certificate or the PingOne for Enterprise SAML metadata, which has the certificate embedded.

12. **Optional:** To change any of the configuration settings, click **Edit**.

13. Click **Finish**.
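The encryption and signing choices in step 5 end up as concrete algorithm identifiers in the SAML response the SP receives. The following script, an added example rather than code from this page or from PingOne for Enterprise, reads such a response and reports whether it is signed at the response level, whether the assertion is encrypted, and which data-encryption and key-transport algorithms were used, flagging the combinations the steps above warn against: an encrypted assertion without a response signature, AES_128 rather than the recommended AES_256, and RSA PKCS#1 v1.5 key transport rather than RSA-OAEP. The response template, issuer, key and ciphertext values are constructed placeholders, and the build_response helper exists only to produce sample inputs.

```python
"""Report how a SAML response is protected: signed where, encrypted how.

Added example; not code from the Ping Identity page or products. The response
template below is constructed, with placeholder issuer, key and ciphertext
values. To inspect a real response, base64-decode the SAMLResponse form field
and pass the XML text to describe_protection().
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# XML Encryption / XML Signature algorithm identifiers and the labels the product uses.
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
AES256_CBC = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
RSA_15 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DATA_ALGS = {AES128_CBC: "AES_128", AES256_CBC: "AES_256",
             "http://www.w3.org/2009/xmlenc11#aes128-gcm": "AES_128",
             "http://www.w3.org/2009/xmlenc11#aes256-gcm": "AES_256"}
KEY_ALGS = {RSA_15: "RSA-PKCS1-v1.5", RSA_OAEP: "RSA-OAEP",
            "http://www.w3.org/2009/xmlenc11#rsa-oaep": "RSA-OAEP"}

RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_r2" Version="2.0" IssueInstant="2025-04-13T10:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>{response_signature}
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="{data_alg}"/>
      <ds:KeyInfo><xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="{key_alg}"/>
        <xenc:CipherData><xenc:CipherValue>ZW5jcnlwdGVkLWtleQ==</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey></ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>Y2lwaGVydGV4dA==</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""
RESPONSE_SIGNATURE = """
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/>
    <ds:Reference URI="#_r2"/></ds:SignedInfo><ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>"""


def build_response(signed=True, data_alg=AES256_CBC, key_alg=RSA_OAEP, sig_alg=RSA_SHA256):
    """Constructed response with an encrypted assertion, signed at response level if asked."""
    sig = RESPONSE_SIGNATURE.format(alg=sig_alg) if signed else ""
    return RESPONSE_TEMPLATE.format(response_signature=sig, data_alg=data_alg, key_alg=key_alg)


def describe_protection(xml_text):
    """Return which protections the response carries, with findings against the settings above."""
    root = ET.fromstring(xml_text)
    report = {"response_signed": False, "response_sig_alg": None, "assertion_encrypted": False,
              "data_alg": None, "key_transport": None, "findings": []}
    sig = root.find("ds:Signature", NS)  # a direct child of Response means "sign the SAML response"
    if sig is not None:
        report["response_signed"] = True
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        report["response_sig_alg"] = method.get("Algorithm") if method is not None else None
        if report["response_sig_alg"] and "sha1" in report["response_sig_alg"]:
            report["findings"].append("response signed with SHA-1; choose a SHA-256 signing algorithm")
    enc = root.find("saml:EncryptedAssertion/xenc:EncryptedData", NS)
    if enc is not None:
        report["assertion_encrypted"] = True
        dm = enc.find("xenc:EncryptionMethod", NS)
        data_uri = dm.get("Algorithm", "") if dm is not None else ""
        report["data_alg"] = DATA_ALGS.get(data_uri, data_uri)
        km = enc.find("ds:KeyInfo/xenc:EncryptedKey/xenc:EncryptionMethod", NS)
        key_uri = km.get("Algorithm", "") if km is not None else ""
        report["key_transport"] = KEY_ALGS.get(key_uri, key_uri)
        if report["data_alg"] == "AES_128":
            report["findings"].append("assertion encrypted with AES_128; AES_256 is the recommended default")
        if key_uri == RSA_15:
            report["findings"].append("RSA PKCS#1 v1.5 key transport is exposed to padding-oracle attacks; use RSA-OAEP")
        if not report["response_signed"]:
            report["findings"].append("assertion is encrypted but the response is unsigned; sign the response "
                                      "so the SP verifies a signature before it decrypts anything")
    return report


if __name__ == "__main__":
    for label, xml_text in (("good", build_response()),
                            ("weak", build_response(signed=False, data_alg=AES128_CBC, key_alg=RSA_15))):
        report = describe_protection(xml_text)
        print(label, {k: v for k, v in report.items() if k != "findings"})
        for finding in report["findings"]:
            print("  -", finding)
```

The "good" sample is what the settings recommended above produce (encrypted assertion, AES_256, RSA-OAEP, response signed with RSA-SHA256) and yields no findings; the "weak" sample shows each of the three deviations being reported.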

### Result

The new SAML application is added to your **My Applications** list. Go to **Users → User Groups** to confirm that the application you added is now authorized for the selected group or groups.
