Pendo SAML metadata, certificates, and configuration details


This article provides details about our public SAML certificates and Pendo metadata file, as well as our Service Provider (SP) configuration details for setting up your Identity Provider (IdP) for SAML authentication.

Public certificates and the Pendo metadata file 

SAML signing and encryption use public keys (certificates) to verify data sent between the Identity Provider (IdP) and Pendo as the Service Provider (SP). You must acquire SAML certificates for your applications and update them before they expire.

Pendo's SAML signing certificate expired on April 28, 2022. A new certificate is available that expires on April 19, 2027. We proactively update the certificate on our platform to ensure successful Pendo sign-ins for customers and users of SAML as their single sign-on (SSO) method. However, depending on your configuration, you might receive alerts or notifications from your IdP asking you to update the certificate manually in your setup.

Follow the links to access the public certificates and the Pendo metadata file:

  • Pendo metadata. This is a Pendo SAML metadata file containing information necessary for interaction with SAML-enabled IdPs. The document contains the URLs of endpoints, information about supported bindings, identifiers, and public keys.
  • Signing certificate. This is a digital certificate used for signing authentication requests (AuthnRequests) sent by the SP to the IdP. The signing certificate is only needed if your IdP is configured to require that the AuthnRequest is signed to ensure its authenticity and that it came from a trusted source.
  • Encryption certificate. This is a digital certificate used for encrypting the assertion of a SAML response. The encryption certificate is only needed if your IdP is configured to encrypt the assertion, which adds a layer of protection by ensuring that even if the message is intercepted, its contents remain unreadable without the appropriate decryption key. This is typically not needed because SAML is sent over HTTPS.

If you need assistance, contact Pendo Support with SAML Cert Update as the subject.

Service Provider configuration details

Use the following settings to configure your IdP for SAML authentication. These settings are used to establish a connection between your IdP and SP.

Service Provider identifier (Entity ID)

Every SAML system entity, including your SP, has a globally unique identifier, which might be called the Entity ID. Your IdP might ask you to provide the identifier to complete the SAML configuration. Our default identifier is PingConnect, but if this is already used in your IdP, use one of the following depending on your region:

  • US: PendoConnectUS
  • US1 (restricted access): PendoConnectUS1
  • EU: PendoConnectEU
  • JP: PendoConnectJP

Assertion Consumer Service (ACS) URL

The ACS URL is an endpoint on your SP's system that tells the IdP where to send authenticated users after they sign in. Your IdP might ask you to provide the ACS URL to complete the SAML configuration. Our default ACS URL is: https://sso.connect.pingidentity.com/sso/sp/ACS.saml2.

Some IdPs require an additional parameter to complete the URL, such as ?saasid=<saasid>. The saasid value depends on your subscription region:

  • US: c1dc3d4d-f04b-4c71-902f-af4895a57c21
  • US1 (restricted access): d65656ad-caef-4a4d-99d7-e998b6f0d97f
  • EU: 2e51bcef-d8c5-4e12-b145-9d94e09d7bb5
  • JP: 5d4212e1-4feb-4d30-b933-6bfda633d532

For example, if your subscription is in the US, use the following ACS URL: https://sso.connect.pingidentity.com/sso/sp/ACS.saml2?saasid=c1dc3d4d-f04b-4c71-902f-af4895a57c21.

Default relay state

The default relay state specifies the default location that users are redirected to after successful authentication. This is typically optional but is required for SP-initiated sign-in. The relay state value depends on your subscription region:

  • US: https://pingone.com/1.0/c1dc3d4d-f04b-4c71-902f-af4895a57c21
  • US1 (restricted access): https://pingone.com/1.0/d65656ad-caef-4a4d-99d7-e998b6f0d97f
  • EU: https://pingone.com/1.0/2e51bcef-d8c5-4e12-b145-9d94e09d7bb5
  • JP: https://pingone.com/1.0/5d4212e1-4feb-4d30-b933-6bfda633d532

Service Provider attributes

Pendo SAML requires that the name sent as the subject for the assertion matches the email address registered to your Pendo account. Some IdPs, such as Azure, might send the userPrincipalName (UPN) as the name. The UPN can be used if it exactly matches your Pendo username. If the UPN doesn't match your Pendo username, you must configure the IdP to map the email address field (such as user.email) to the name attribute.
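
The settings in this section can be cross-checked before they are entered in an IdP, which catches values pasted from the wrong region row. The Python below is an added example, not Pendo code: the function `check_idp_settings`, its parameters, and the sample usernames are hypothetical, while the Entity IDs, URLs, and saasid values are copied from this article.

```python
from urllib.parse import urlsplit, parse_qs

# Values copied from the region lists in this article.
ACS_BASE = "https://sso.connect.pingidentity.com/sso/sp/ACS.saml2"
RELAY_BASE = "https://pingone.com/1.0/"
DEFAULT_ENTITY_ID = "PingConnect"
REGIONS = {  # region -> (regional Entity ID, saasid)
    "US": ("PendoConnectUS", "c1dc3d4d-f04b-4c71-902f-af4895a57c21"),
    "US1": ("PendoConnectUS1", "d65656ad-caef-4a4d-99d7-e998b6f0d97f"),
    "EU": ("PendoConnectEU", "2e51bcef-d8c5-4e12-b145-9d94e09d7bb5"),
    "JP": ("PendoConnectJP", "5d4212e1-4feb-4d30-b933-6bfda633d532"),
}

def check_idp_settings(region, entity_id, acs_url, relay_state,
                       name_id, pendo_username, sp_initiated=False):
    """Hypothetical helper: list mismatches between planned IdP settings and this article."""
    regional_id, saasid = REGIONS[region]
    findings = []
    if entity_id not in (DEFAULT_ENTITY_ID, regional_id):
        findings.append(f"Entity ID {entity_id!r} is not valid for region {region}")
    url = urlsplit(acs_url)
    if f"{url.scheme}://{url.netloc}{url.path}" != ACS_BASE:
        findings.append("ACS URL is not the documented endpoint")
    # saasid is optional (only some IdPs need it), but if present it must be this region's.
    sent = parse_qs(url.query, keep_blank_values=True).get("saasid")
    if sent is not None and sent != [saasid]:
        findings.append(f"ACS saasid {sent} does not belong to region {region}")
    if relay_state is None:
        if sp_initiated:
            findings.append("Relay state is required for SP-initiated sign-in")
    elif relay_state != RELAY_BASE + saasid:
        findings.append(f"Relay state does not match region {region}")
    # The article asks for an exact match, so no case folding is applied here.
    if name_id != pendo_username:
        findings.append("Assertion subject does not exactly match the Pendo username")
    return findings

if __name__ == "__main__":
    # Constructed sample: an EU subscription configured with values pasted from the US rows.
    us_id = REGIONS["US"][1]
    for finding in check_idp_settings(
            "EU", "PendoConnectUS", f"{ACS_BASE}?saasid={us_id}", RELAY_BASE + us_id,
            "ana@corp.onmicrosoft.example", "ana@example.com", sp_initiated=True):
        print("MISMATCH:", finding)
```

An empty list means the planned values agree with this article for the chosen region.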
