Deployment considerations
Before you set up SAML 2.0 in Advanced Identity Cloud, you should:
- Know which providers will participate in circles of trust.
- Know how tenants act as IdPs or SPs.
- Define how to map the user attributes shared in identity information exchanged with other participants in a circle of trust. Advanced Identity Cloud user profile attribute names should map to the user profile attribute names used at other providers. For example, if you exchange user identifiers with a partner, and your Advanced Identity Cloud attribute is `uid` but the partner's attribute is `userid`, you must map `uid` to the partner's `userid` attribute.
- Agree with other providers on a synchronized time service. SAML 2.0 assertions carry time conditions, so clock drift between providers causes valid assertions to be rejected or, with an overly generous skew allowance, expired ones to be accepted.
- Determine whether your session state configuration limits your usage of certain SAML 2.0 profiles. For more information, refer to Session state considerations.
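The attribute mapping and synchronized time items above are easiest to see from the consuming side. The following is an added example, not code from the Advanced Identity Cloud documentation or product: it takes a constructed SAML 2.0 assertion from a hypothetical partner IdP, checks its `NotBefore`/`NotOnOrAfter` conditions with a bounded clock-skew allowance, and translates the partner's attribute names (`userid`, `emailaddress`) to local names (`uid`, `mail`). Only the `userid`/`uid` pair comes from the text; the other attribute names, the issuer URL and the timestamps are assumptions made for the example. It deliberately does not verify the assertion's XML Signature, which a real SP must do before trusting any of these fields.

```python
"""Added example (not the product's code): validate SAML 2.0 time conditions
with a clock-skew allowance and map partner attribute names to local names.
The assertion below is constructed for this example; it is not a captured exchange."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion from a hypothetical partner IdP. Timestamps are
# fixed so the example is reproducible; a real SP compares against the current time.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.partner.example</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="userid">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="emailaddress">
      <saml:AttributeValue>alice@partner.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping agreed with the partner: partner attribute -> local attribute.
# Only "userid" -> "uid" is taken from the page; "emailaddress" -> "mail" is assumed.
ATTRIBUTE_MAP = {"userid": "uid", "emailaddress": "mail"}


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime values in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def conditions_valid(assertion_xml, now, skew_seconds=60):
    """Check NotBefore/NotOnOrAfter, tolerating `skew_seconds` of clock drift
    between providers. Keep the allowance small: it widens the replay window."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False
    skew = timedelta(seconds=skew_seconds)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before) - skew:
        return False
    if not_on_or_after and now >= parse_saml_time(not_on_or_after) + skew:
        return False
    return True


def map_attributes(assertion_xml, attribute_map, drop_unmapped=True):
    """Translate partner attribute names to local profile names. Unmapped
    attributes are dropped by default so a partner cannot populate arbitrary
    local profile fields."""
    root = ET.fromstring(assertion_xml)
    local = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        if name in attribute_map:
            local[attribute_map[name]] = values
        elif not drop_unmapped:
            local[name] = values
    return local


if __name__ == "__main__":
    # 30 s before NotBefore: accepted within a 60 s skew allowance -> True
    print(conditions_valid(SAMPLE_ASSERTION, parse_saml_time("2024-01-01T11:59:30Z")))
    # 2 min before NotBefore: outside the allowance -> False
    print(conditions_valid(SAMPLE_ASSERTION, parse_saml_time("2024-01-01T11:58:00Z")))
    # -> {'uid': ['alice'], 'mail': ['alice@partner.example']}
    print(map_attributes(SAMPLE_ASSERTION, ATTRIBUTE_MAP))
```

The skew allowance is the knob the "synchronized time service" item is about: with properly synchronized clocks it can be a few seconds, and every second you add extends the period during which a captured assertion can be replayed. The mapping function keeps the partner's attribute namespace and the local profile namespace separate, which is what the `uid`/`userid` example in the list is asking you to define up front.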
Session state considerations
SAML 2.0 functionality uses a combination of the backend token service and browser-based data to store the progress of SAML 2.0 single sign-on (SSO) operations.

SSO progress is stored in a JSON web token (JWT) in the browser's local storage. Because the progress travels with the browser rather than living on one server, the browser must support the localStorage API to handle SSO without sticky load balancing of the Advanced Identity Cloud tenant.

You can enable local storage support in WebView components on Android by calling the following method on the WebView's WebSettings: `settings.setDomStorageEnabled(true)`. You cannot use local storage when using multiple WebView components simultaneously. For more information, refer to WebSettings - setDomStorageEnabled in the Android Developers documentation.
The following table summarizes the high-level tasks required to configure SAML 2.0:

Task | Resources |
---|---|
Configure an SP, an IdP, and a CoT. The first step is deciding whether Advanced Identity Cloud is the SP, the IdP, or both, and what metadata you need to import from other providers. For example, if Advanced Identity Cloud is the IdP for another service in your environment, you must import the metadata of the remote SP. Ensure the SPs and IdPs that work together share the same CoT. | |
Make sure your providers are secure. Configure signing and encryption secrets for your environment. | |
Configure your environment for SSO and SLO. Advanced Identity Cloud provides two options for implementing SSO and SLO: integrated mode and standalone mode. Weigh several considerations before deciding which mode is more appropriate for your environment. | |
Decide how to federate identities. Advanced Identity Cloud supports different ways to federate identities, depending on your configuration and on whether the identities already exist at the SP. | |