> ## Documentation Index
> Fetch the complete documentation index at: https://auth0.com/llms.txt
> Use this file to discover all available pages before exploring further.

> Describes how to configure PingFederate as a SAML identity provider for use with Auth0.

# Configure PingFederate as SAML Identity Provider

PingFederate is a federation server that provides identity management, <Tooltip tip="Single Sign-On (SSO): Service that, after a user logs into one applicaton, automatically logs that user in to other applications." cta="View Glossary" href="/docs/glossary?term=single+sign-on">single sign-on</Tooltip>, and API security for the enterprise. See the complete PingFederate instructions to [configure PingFederate as an identity provider](https://docs.pingidentity.com/r/en-us/pingfederate-120/pf_ident_provid_sso_config).

To configure Auth0 to use PingFederate as an <Tooltip tip="Identity Provider (IdP): Service that stores and manages digital identities." cta="View Glossary" href="/docs/glossary?term=identity+provider">identity provider</Tooltip>, you will use primarily the default values and your Auth0 tenant metadata file to upload the required configuration parameter values for your Auth0 tenant. If the metadata upload fails for some reason, these are the most important configuration parameters:

* **EntityID:** `urn:auth0:{yourTenant}:{yourConnectionName}`
* **Assertion Consumer Service URL:** `https://{yourDomain}/login/callback`
* **Logout URL:** `https://{yourDomain}/logout`
* **HTTP-Redirect** binding for <Tooltip tip="Security Assertion Markup Language (SAML): Standardized protocol allowing two parties to exchange authentication information without a password." cta="View Glossary" href="/docs/glossary?term=SAML">SAML</Tooltip> Request
* **HTTP-POST** binding for SAML Response

1. Download your Auth0 metadata file from `https://YOUR_DOMAIN/samlp/metadata?connection=YOUR_CONNECTION_NAME`. Make sure that you use your custom domain if you have one configured. You will upload this file to import your Auth0 tenant information into the PingFederate configuration.
2. Sign on to your PingFederated account and select **Create New** from the **SP Connections** section.
3. Configure the **SP Connection**.

   * Select the **Browser SSO Profiles** as the **Connection Type**.
   * Select **Browser SSO** as the **Connection Options**.
4. Upload the metadata file that you downloaded in step 1. The **Entity ID**, **Connection Name**, and the **Base URL** will be automatically populated based on the information from the metadata file.
5. Configure **Browser SSO**.

   * Select **SP-Initiated SSO** and **SP-Initiated SLO** in **SAML Profiles**.
   * Go to the **Assertion Creation** section and click **Configure Assertion**. Accept all defaults for the next two screens.
6. Go to the **IdP Adapter Mapping** section. This is where users will be authenticated. Likely, you already have one configured in your PingFederate installation. Select one, or add a new one. Auth0 only requires the **NameIdentifier** claim. All other attributes will be passed further to the end application.
7. Configure **Protocol Settings**. Values for **Protocol Settings** are imported from the metadata file. Next, you will see the **Assertion Consumer Service URL** and the Sign-Out URLs. Click **Next** to the **Allowable SAML Bindings** section.
8. Leave **POST** and **Redirect** enabled. Make sure **SAML Assertion** is always signed.
9. Configure **Credentials**. On **Digital Signature Settings**, select your signing certificate and make sure you check the option to include it in the `<KeyInfo>` element.
10. Configure the certificate used to sign incoming requests. You can download the Auth0 certificate (use `https://{yourTenant}.auth0.com/pem`) and upload it here. Auth0 signs `SAMLRequests` by default; you can change that when you configure the connection.
11. Review your settings and set them as **Active** or **Inactive**.
12. Click **Save** at the bottom of the screen. You should see the new SP Connection on the **Main** screen.

## Identity provider-initiated SSO

To use IdP-Initiated SSO, make sure to include the `connection` parameter in the Assertion Consumer Service URL: `https://{yourDomain}/login/callback?connection={yourConnectionName}`.

To learn how to configure Auth0 to route the incoming SAML responses, read [Configure Identity Provider-Initiated Single Sign-On](/docs/authenticate/protocols/saml/saml-sso-integrations/identity-provider-initiated-single-sign-on).