Craig

Reputation: 209

PingFederate SSO Multiple IdPs

I am currently using an evaluation version of the PingFederate software and reading the documentation all the time, but I am still struggling to understand how I can create multiple IdPs for my SP.

I am hosting services, and setting up PingFederate as an SP. Currently in my tests I have one single IdP and all is working fine... I have set up the IIS Agent to intercept traffic and it redirects to my SP to start SP-initiated SSO, and that all works OK (coming in on the default startSSO URL).

However, I'm struggling to see how I can configure the system for multiple IdPs and was wondering if someone could give a high-level overview or point me at some documentation?

I understand that I have to configure the second IdP connection and I somehow need to use the PartnerIdpId URL parameter to distinguish which IdP the user is sent to.... but I'm not sure where I do that control/configuration for routing to different IdPs? Do I need multiple agents on my IIS box that listen on different URLs and can then forward the requests themselves to the right SP URLs (/startSSO?partnerIdpId=XYZ) within the agent config file?

Thanks for any help, Craig

Upvotes: 0

Views: 2030

Answers (1)

Ian

Reputation: 4255

I think your question is more about how you trigger SP-Init SSO for multiple IDPs when using the IIS Integration Kit.

As you've figured out, as the Service Provider you can create multiple IDP Connections (each with its own unique EntityID). You trigger SP-Init SSO by calling the /sp/startSSO.ping Application Endpoint and passing in the appropriate PartnerIdpId value that matches the EntityID of the IDP to which you wish to issue the AuthnRequest. You can do this in one of two ways: either hard-code the URL into the IIS Kit pfisapi.conf file so that a single entity is called each time (not the best solution), or manually host the URL on a page that isn't protected by the IIS Kit. Unfortunately, a lot of this design decision comes down to how your IIS application is designed and the choice of integration kit.

I would suggest talking through this with your RSA as they can help show you the pros/cons of each integration kit to match up what works best for your application & customers.

HTH, Ian.

PS: I work for Ping.

Upvotes: 1
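The second option in the answer above (an unprotected page that links to /sp/startSSO.ping with the right PartnerIdpId) is sketched here as an added example; it is not code from the post, from Ping or from the IIS Integration Kit. The PingFederate base URL and the two IdP EntityIDs are constructed placeholders, and TargetResource is assumed to be the endpoint's parameter for the post-SSO landing page; the point is that the chooser page maps a short user selection to an allowlisted EntityID rather than forwarding an arbitrary PartnerIdpId, and only accepts site-relative landing paths so it cannot be turned into an open redirect.

```python
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Constructed values: the SP's PingFederate base URL and the EntityIDs of the
# IdP connections configured on it (each IDP Connection has its own EntityID).
PF_BASE_URL = "https://sso.example.com"
START_SSO_PATH = "/sp/startSSO.ping"
IDP_CONNECTIONS = {
    "partner-a": "https://idp-a.example.org/saml/metadata",
    "partner-b": "https://idp-b.example.net/idp",
}


def is_site_relative(target: str) -> bool:
    """True only for paths like /app/home?x=1 on this site.

    Rejects absolute URLs, protocol-relative //host paths and backslash
    tricks, so the chooser page never sends users to a foreign host.
    """
    if not target.startswith("/") or target.startswith("//") or "\\" in target:
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def build_start_sso_url(idp_key: str, target_resource: Optional[str] = None) -> Optional[str]:
    """Return the SP-initiated SSO URL for the IdP the user picked.

    idp_key is the value selected on the unprotected chooser page and is
    resolved through the allowlist, so the emitted PartnerIdpId is always
    one of the configured IDP Connections. Returns None when the selection
    is unknown or the requested landing page is not site-relative.
    """
    partner_idp_id = IDP_CONNECTIONS.get(idp_key)
    if partner_idp_id is None:
        return None
    params = {"PartnerIdpId": partner_idp_id}
    if target_resource is not None:
        if not is_site_relative(target_resource):
            return None
        params["TargetResource"] = target_resource  # assumed parameter name
    return f"{PF_BASE_URL}{START_SSO_PATH}?{urlencode(params)}"


if __name__ == "__main__":
    # A chooser page would render one such link per configured IdP.
    for key in IDP_CONNECTIONS:
        print(key, "->", build_start_sso_url(key, "/app/home"))
```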
