> ## Documentation Index
> Fetch the complete documentation index at: https://docs.strata.io/llms.txt
> Use this file to discover all available pages before exploring further.

# PingFederate (SAML)

The PingFederate (SAML) connector integrates the Maverics Orchestrator with Ping Identity's PingFederate server using the SAML 2.0 protocol -- providing an alternative to the OIDC-based PingFederate connector for environments that require SAML federation.

<Note>
  **Console terminology:** In the Maverics Console, this section is called
  **Identity Fabric**. The YAML configuration uses the `connectors` key to define
  identity provider integrations.
</Note>

## Overview

The PingFederate (SAML) connector supports SAML 2.0 SSO profiles including SP-initiated and IdP-initiated flows. For OpenID Connect-based integration, see the [PingFederate (OIDC) connector](/reference/orchestrator/identity-fabric/pingone). Use the SAML variant when your environment requires SAML-based federation or when integrating with applications that only support SAML assertions.

## Use Cases

* **Unify SSO across PingFederate and other IdPs** -- Orchestrate PingFederate SAML alongside other identity providers to deliver seamless access across hybrid cloud and on-prem environments
* **Legacy application modernization** -- Bridge PingFederate SAML assertions to header-based or cookie-based authentication for legacy applications, extending SSO without rewriting them
* **Rationalize Ping licensing costs** -- Consolidate authentication workloads by routing apps away from PingFederate to a target IdP, reducing the number of Ping connections and associated licensing fees
* **PingFederate failover with Continuity** -- Pair PingFederate SAML with a backup IdP to maintain authentication availability if the PingFederate server becomes unreachable

## Setup

<Tabs>
  <Tab title="Console UI">
    To create a Ping Federate (SAML) connector in the Maverics Console:

    1. Navigate to **Identity Fabric** in the Console sidebar.
    2. Click **Create** and select **Ping Federate (SAML)**.

    <Note>
      The Console also offers **Ping Federate (OIDC)** for OpenID Connect-based integration. See the [PingFederate (OIDC) page](/reference/orchestrator/identity-fabric/pingone) for details.
    </Note>

    3. Enter a **Name** -- the friendly name for your PingFederate SAML provider.
    4. Enter the **Metadata URL** -- the URL of the PingFederate SAML metadata document (e.g., `https://{your-pingfederate-host}/pf/federation_metadata.ping?PartnerSpId={sp-entity-id}`).
    5. Enter the **Consumer Service (ACS) URL** -- the Assertion Consumer Service URL where PingFederate sends SAML responses.
    6. Enter the **Entity ID** -- the unique identifier for the Orchestrator as the SAML Service Provider.
    7. Optionally enter a **Logout Callback URL** for Single Logout (SLO) callback.
    8. Optionally enter the **SP Certificate Path** and **SP Private Key Path** for signing SAML requests.
    9. Optionally enable **IdP Initiated Login** to allow authentication flows started by PingFederate.
    10. Click **Save**.
  </Tab>

  <Tab title="Configuration">
    ```yaml maverics.yaml theme={null}
    connectors:
      - name: pingfederate-saml
        type: saml
        samlMetadataURL: "https://{{ env.PING_HOST }}/pf/federation_metadata.ping?PartnerSpId={{ env.SP_ENTITY_ID }}"
        samlConsumerServiceURL: "https://orch.example.com/saml/callback"
        samlEntityID: "https://orch.example.com"
        tls: ping-tls
    ```

    ## Configuration Reference

    | Key                      | Type   | Required | Description                                                                                                                                            |
    | ------------------------ | ------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
    | `name`                   | string | Yes      | Unique connector identifier referenced by app policies and attribute providers                                                                         |
    | `type`                   | string | Yes      | Must be `saml`                                                                                                                                         |
    | `samlMetadataURL`        | string | Yes      | URL to the PingFederate SAML metadata XML                                                                                                              |
    | `samlConsumerServiceURL` | string | Yes      | Assertion Consumer Service (ACS) URL where PingFederate sends SAML responses                                                                           |
    | `samlEntityID`           | string | No       | Service Provider entity ID that identifies the Orchestrator to PingFederate                                                                            |
    | `samlLogoutCallbackURL`  | string | No       | Logout callback URL for SAML single logout                                                                                                             |
    | `samlSPCertPath`         | string | No       | Path to the SP certificate file for signing SAML requests                                                                                              |
    | `samlSPKeyPath`          | string | No       | Path to the SP private key file for signing SAML requests                                                                                              |
    | `samlIDPInitiatedLogin`  | object | No       | IdP-initiated login configuration                                                                                                                      |
    | `cache`                  | string | No       | Cache name reference for SAML request data storage                                                                                                     |
    | `tls`                    | string | No       | Named TLS profile for metadata retrieval and IdP communication                                                                                         |
    | `healthCheck`            | object | No       | Health check monitoring configuration (see [Identity Fabric Configuration Reference](/reference/orchestrator/identity-fabric#configuration-reference)) |

    For the complete connector field reference including health check details, see [Identity Fabric Configuration Reference](/reference/orchestrator/identity-fabric#configuration-reference).
  </Tab>
</Tabs>

## Troubleshooting

* **Verify the PingFederate metadata URL is accessible** -- The Orchestrator fetches the metadata XML at startup. Ensure the PingFederate hostname and port are correct and the metadata endpoint is enabled.
* **Ensure the entity ID matches PingFederate's SP connection** -- The `samlEntityID` value must match the Partner Entity ID configured in the PingFederate SP Connection settings.
* **Check the Assertion Consumer Service URL** -- The `samlConsumerServiceURL` must match the ACS URL configured in the PingFederate SP Connection. If behind a load balancer, use the external-facing URL.
* **SP signing certificate errors** -- If PingFederate requires signed authentication requests, ensure `samlSPCertPath` and `samlSPKeyPath` point to valid PEM files and the key matches the certificate.

## Related Pages

<CardGroup cols={2}>
  <Card title="PingFederate (OIDC)" icon="circle-dot" href="/reference/orchestrator/identity-fabric/pingone">
    OIDC-based PingFederate connector
  </Card>

  <Card title="Generic SAML" icon="file-shield" href="/reference/orchestrator/identity-fabric/custom-saml">
    Generic SAML 2.0 connector
  </Card>

  <Card title="Identity Fabric" icon="id-badge" href="/reference/orchestrator/identity-fabric">
    Overview of all identity providers
  </Card>

  <Card title="Continuity" icon="arrows-rotate" href="/reference/orchestrator/identity-fabric/continuity">
    IdP failover connector
  </Card>
</CardGroup>
