Configure PingFederate as SAML Identity Provider

PingFederate is a federation server that provides identity management, single sign-on, and API security for the enterprise. See the complete PingFederate instructions to configure PingFederate as an identity provider.

To configure Auth0 to use PingFederate as an identity provider, you will use primarily the default values and your Auth0 tenant metadata file to upload the required configuration parameter values for your Auth0 tenant. If the metadata upload fails for some reason, these are the most important configuration parameters:

  • EntityID: urn:auth0:{yourTenant}:{yourConnectionName}

  • Assertion Consumer Service URL: https://{yourDomain}/login/callback

  • Logout URL: https://{yourDomain}/logout

  • HTTP-Redirect binding for SAML Request

  • HTTP-POST binding for SAML Response

  1. Download your Auth0 metadata file from https://YOUR_DOMAIN/samlp/metadata?connection=YOUR_CONNECTION_NAME. Make sure that you use your custom domain if you have one configured. You will upload this file to import your Auth0 tenant information into the PingFederate configuration.

  2. Sign on to your PingFederated account and select Create New from the SP Connections section.

  3. Configure the SP Connection.

    • Select the Browser SSO Profiles as the Connection Type.

    • Select Browser SSO as the Connection Options.

  4. Upload the metadata file that you downloaded in step 1. The Entity ID, Connection Name, and the Base URL will be automatically populated based on the information from the metadata file.

  5. Configure Browser SSO.

    • Select SP-Initiated SSO and SP-Initiated SLO in SAML Profiles.

    • Go to the Assertion Creation section and click Configure Assertion. Accept all defaults for the next two screens.

  6. Go to the IdP Adapter Mapping section. This is where users will be authenticated. Likely, you already have one configured in your PingFederate installation. Select one, or add a new one. Auth0 only requires the NameIdentifier claim. All other attributes will be passed further to the end application.

  7. Configure Protocol Settings. Values for Protocol Settings are imported from the metadata file. Next, you will see the Assertion Consumer Service URL and the Sign-Out URLs. Click Next to the Allowable SAML Bindings section.

  8. Leave POST and Redirect enabled. Make sure SAML Assertion is always signed.

  9. Configure Credentials. On Digital Signature Settings, select your signing certificate and make sure you check the option to include it in the <KeyInfo> element.

  10. Configure the certificate used to sign incoming requests. You can download the Auth0 certificate (use https://{yourTenant} and upload it here. Auth0 signs SAMLRequests by default; you can change that when you configure the connection.

  11. Review your settings and set them as Active or Inactive.

  12. Click Save at the bottom of the screen. You should see the new SP Connection on the Main screen.

Identity provider-initiated SSO

To use IdP-Initiated SSO, make sure to include the connection parameter in the Assertion Consumer Service URL: https://{yourDomain}/login/callback?connection={yourConnectionName}.

To learn how to configure Auth0 to route the incoming SAML responses, read Configure Identity Provider-Initiated Single Sign-On.