Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.
Overview
The PingFederate (SAML) connector supports SAML 2.0 SSO profiles including SP-initiated and IdP-initiated flows. For OpenID Connect-based integration, see the PingFederate (OIDC) connector. Use the SAML variant when your environment requires SAML-based federation or when integrating with applications that only support SAML assertions.
Use Cases
- Unify SSO across PingFederate and other IdPs — Orchestrate PingFederate SAML alongside other identity providers to deliver seamless access across hybrid cloud and on-prem environments
- Legacy application modernization — Bridge PingFederate SAML assertions to header-based or cookie-based authentication for legacy applications, extending SSO without rewriting them
- Rationalize Ping licensing costs — Consolidate authentication workloads by routing apps away from PingFederate to a target IdP, reducing the number of Ping connections and associated licensing fees
- PingFederate failover with Continuity — Pair PingFederate SAML with a backup IdP to maintain authentication availability if the PingFederate server becomes unreachable
Configuration
To create a Ping Federate (SAML) connector in the Maverics Console:
- Navigate to Identity Fabric in the Console sidebar.
- Click Create and select Ping Federate (SAML).
The Console also offers Ping Federate (OIDC) for OpenID Connect-based integration. See the PingFederate (OIDC) page for details.
- Enter a Name — the friendly name for your PingFederate SAML provider.
- Enter the Metadata URL — the URL of the PingFederate SAML metadata document (e.g., https://{your-pingfederate-host}/pf/federation_metadata.ping?PartnerSpId={sp-entity-id}).
- Enter the Consumer Service (ACS) URL — the Assertion Consumer Service URL where PingFederate sends SAML responses.
- Enter the Entity ID — the unique identifier for the Orchestrator as the SAML Service Provider.
- Optionally enter a Logout Callback URL for the Single Logout (SLO) callback.
- Optionally enter the SP Certificate Path and SP Private Key Path for signing SAML requests.
- Optionally enable IdP Initiated Login to allow authentication flows started by PingFederate.
- Click Save.
Troubleshooting
- Verify the PingFederate metadata URL is accessible — The Orchestrator fetches the metadata XML at startup. Ensure the PingFederate hostname and port are correct and the metadata endpoint is enabled.
- Ensure the entity ID matches PingFederate’s SP connection — The samlEntityID value must match the Partner Entity ID configured in the PingFederate SP Connection settings.
- Check the Assertion Consumer Service URL — The samlConsumerServiceURL must match the ACS URL configured in the PingFederate SP Connection. If behind a load balancer, use the external-facing URL.
- SP signing certificate errors — If PingFederate requires signed authentication requests, ensure samlSPCertPath and samlSPKeyPath point to valid PEM files and the key matches the certificate.