Reputation: 11653
I have configured IDP initiated SSO in PingFederate and it shows SSO Application Endpoint as: https://myserver/idp/startSSO.ping?PartnerSpId=sp_id
But when I download the metadata for this SP connection, in metadata the SSO Service Location is shown as: https://myserver/idp/SSO.saml2
Why does the metadata file show a different SSO URL?
Upvotes: 3
Views: 868
Reputation: 6282
These endpoints serve two different purposes.
The SSO Application Endpoint is a PingFederate proprietary endpoint that allows IdP-init SSO to be started. These proprietary endpoints are all suffixed with ".ping". This is the endpoint you could redirect users to to start the SSO flow to a given SP partner. More details: https://support.pingidentity.com/s/document-item?bundleId=pingfederate-92&topicId=adminGuide%2FidpEndpoints.html
The SSO Service Location is a SAML 2.0 standard protocol endpoint for handling SAML request messages. These standard protocol endpoints are suffixed with the protocol name (in this case ".saml2"). This is the endpoint that your SP partner would send SAML requests to - that's why you find it in the SAML metadata file that you could exchange with your partner. More details: https://support.pingidentity.com/s/document-item?bundleId=pingfederate-92&topicId=adminGuide%2FviewingProtocolEndpoints.html
Upvotes: 5
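The distinction drawn in the answer above, as an added example that is not part of the original posts or PingFederate's own code: it reads the `SingleSignOnService` entries out of IdP metadata and builds the IdP-initiated start URL separately, showing that only the `.saml2` protocol endpoint is published to the partner. The metadata document, its `entityID` and the function names are constructed for illustration; the two URLs are the ones from the question.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample of IdP metadata as exchanged with an SP partner.
# The entityID is a placeholder, not a value from a real deployment.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="idp.example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myserver/idp/SSO.saml2"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://myserver/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sso_service_locations(metadata_xml):
    """Return (binding, location) for every SingleSignOnService in the IdP metadata."""
    root = ET.fromstring(metadata_xml)
    return [
        (el.get("Binding").rsplit(":", 1)[-1], el.get("Location"))
        for el in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", MD_NS)
    ]


def idp_init_url(base_url, partner_sp_id):
    """Build the startSSO.ping URL; PartnerSpId is URL-encoded (entity IDs are often URIs)."""
    return f"{base_url}/idp/startSSO.ping?" + urlencode({"PartnerSpId": partner_sp_id})


def endpoint_kind(url):
    """Classify an endpoint by the suffix convention described in the answer."""
    path = urlsplit(url).path
    if path.endswith(".ping"):
        return "proprietary application endpoint"
    if path.endswith(".saml2"):
        return "SAML 2.0 protocol endpoint"
    return "unknown"


if __name__ == "__main__":
    for binding, location in sso_service_locations(SAMPLE_METADATA):
        print(binding, location, "->", endpoint_kind(location))
    start = idp_init_url("https://myserver", "sp_id")
    print(start, "->", endpoint_kind(start))
```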