BBeaird

SAML and OAuth SSO - Outlook plugin and PingFederate

I'm trying to get SSO working with mobile and the Outlook plugin. We're using PingFederate for our IdP. The wiki documentation states that all Salesforce needs is to be passed the RelayState parameter. Does anyone know what's involved to get this working? For whatever reason, RelayState is not coming back as a parameter with the SAML assertion. I have our IdP URL set in the "IDP Login URL" field in the Salesforce SSO settings, and I can tell during the redirect that RelayState is getting passed from Salesforce.

Has anyone gotten this working with Ping?

duggla

Hi BBeaird,

I work in the Tech Support group at Ping Identity and I have seen the problem you describe many times. I cannot guarantee the cause in your case without more information, but I can make an educated guess and you can check it yourself:

I think that in the Salesforce field "IDP Login URL" you have entered "https://<pingfederate server>/idp/startSSO.ping". This is the correct endpoint for IdP-initiated SSO, so it is a natural mistake.

What Salesforce uses this URL for is the destination for the SAML AuthnRequest in the SP-initiated flow. The proper PingFederate endpoint for that message is the protocol endpoint, "https://<pingfederate server>/idp/SSO.saml2". (You will find this endpoint described in the Viewing Protocol Endpoints sub-section of the IdP Configuration section of your PF manual.)

Since the /idp/startSSO.ping endpoint is not expecting the AuthnRequest, it throws it away and starts up a new IdP-initiated SSO instead. That loses all connection with your original SSO in progress at the Salesforce end, leaving the Outlook plugin connected to the wrong URL at Salesforce.com.

Feel free to present questions like this to Ping Identity Support via support@pingidentity.com.

BBeaird

Hi duggla, thanks for the response!

I forwarded your suggestion on to our group who manages the federated server. They told me that we use the same endpoint for IdP- and SP-initiated SSO. There does not seem to be a separate SSO.saml2 endpoint.

I seem to have found a workaround, though. The team told me that their setup would work if I sent the RelayState value as the "TargetResource" parameter instead. I tested this, and it's true. If I essentially rename the parameter, I end up getting RelayState sent back to Salesforce in the SAML response. Going off that, I created a custom controller and Visualforce page which grabs the value for RelayState and sends it along to our Ping URL as the TargetResource query string parameter. I then changed the Salesforce SSO "Identity Provider Login URL" setting to point to my custom page. It's not exactly ideal, but it works.

Thanks,

Brian
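The two flows discussed above, as an added example that is not part of this thread and is not Salesforce's or Ping Identity's code: the SP-initiated redirect that duggla describes (a deflated, base64-encoded AuthnRequest plus RelayState sent to the IdP's protocol endpoint), and Brian's workaround of taking the RelayState that Salesforce sent to the custom page and re-sending it to /idp/startSSO.ping as TargetResource. Python is used instead of Apex so the block runs stand-alone. The host names, the sample AuthnRequest, the custom page URL and the allowlist of target hosts are all constructed for the example, and the allowlist check is an addition the thread does not mention.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed host names for the example; not taken from the thread.
PF_HOST = "pingfederate.example.com"
PROTOCOL_ENDPOINT = f"https://{PF_HOST}/idp/SSO.saml2"      # SP-initiated: expects an AuthnRequest
IDP_INIT_ENDPOINT = f"https://{PF_HOST}/idp/startSSO.ping"  # IdP-initiated: expects TargetResource

# Constructed minimal AuthnRequest standing in for what Salesforce sends.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0" '
    'IssueInstant="2013-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://login.salesforce.com/">'
    '<saml:Issuer>https://saml.salesforce.com</saml:Issuer></samlp:AuthnRequest>'
)


def build_sp_initiated_redirect(authn_request_xml: str, relay_state: str, endpoint: str) -> str:
    """SAML 2.0 HTTP-Redirect binding as the SP sends it: raw DEFLATE the
    request, base64 it, then URL-encode SAMLRequest and RelayState."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    saml_request = base64.b64encode(deflated).decode("ascii")
    return endpoint + "?" + urlencode({"SAMLRequest": saml_request, "RelayState": relay_state})


def decode_sp_initiated_redirect(redirect_url: str) -> tuple[str, str]:
    """Reverse of the binding, as the IdP's protocol endpoint would do it.
    Returns (AuthnRequest XML, RelayState)."""
    params = parse_qs(urlsplit(redirect_url).query)
    inflated = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    return inflated.decode("utf-8"), params.get("RelayState", [""])[0]


# Assumed allowlist of hosts a forwarded RelayState may point at (added check, not from the thread).
ALLOWED_TARGET_HOSTS = {"login.salesforce.com", "example.my.salesforce.com"}


def relay_state_is_safe(relay_state: str) -> bool:
    """Accept a root-relative path ("/home/home.jsp") or an https URL whose host
    is on the allowlist. A protocol-relative "//evil.example/..." lands in
    netloc and is rejected, as is any other scheme (javascript:, http:, ...)."""
    parts = urlsplit(relay_state)
    if parts.scheme == "" and parts.netloc == "":
        return relay_state.startswith("/") and not relay_state.startswith(("//", "/\\"))
    return parts.scheme == "https" and parts.hostname in ALLOWED_TARGET_HOSTS


def relay_state_to_target_resource(incoming_url: str) -> str:
    """Brian's workaround as a redirect rule: the custom page receives the
    SAMLRequest + RelayState redirect from Salesforce, drops the AuthnRequest
    (startSSO.ping discards it anyway) and re-sends RelayState to the
    IdP-initiated endpoint as TargetResource. Without the allowlist check the
    page is an open redirector, since anyone can link to it with a chosen RelayState."""
    _, relay_state = decode_sp_initiated_redirect(incoming_url)
    if not relay_state_is_safe(relay_state):
        raise ValueError(f"refusing to forward RelayState {relay_state!r}")
    return IDP_INIT_ENDPOINT + "?" + urlencode({"TargetResource": relay_state})


if __name__ == "__main__":
    sp_url = build_sp_initiated_redirect(SAMPLE_AUTHN_REQUEST, "/home/home.jsp", PROTOCOL_ENDPOINT)
    print("SP-initiated redirect:", sp_url)
    print("decoded by the protocol endpoint:", decode_sp_initiated_redirect(sp_url))
    # Assumed URL of the custom Visualforce page configured as the IdP login URL.
    page_url = build_sp_initiated_redirect(
        SAMPLE_AUTHN_REQUEST, "/home/home.jsp", "https://example.my.salesforce.com/apex/PingRedirect"
    )
    print("forwarded to startSSO.ping:", relay_state_to_target_resource(page_url))
```

The first function is what the "IDP Login URL" setting actually receives, so pointing it at the protocol endpoint lets the IdP decode the AuthnRequest and echo RelayState; pointing it at startSSO.ping means only TargetResource survives, which is why renaming the parameter works. Whichever endpoint is used, anything that forwards a caller-supplied RelayState should validate it first.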

OpenStreetMap

Hi,

We are implementing SSO for Salesforce for Outlook using the Ping identity provider.

1.) In the link below from the Salesforce documentation it is mentioned that SSO is not supported for Salesforce for Outlook in the case of an online identity management server:

https://login.salesforce.com/help/doc/en/outlookcrm_sys_req.htm

What is the meaning of this? Can't we use the Ping identity provider?

2.) In the document below we have two use cases; the secondary use case includes the Outlook case. But in the configuration setup that includes the Outlook case they provided only delegated authentication (below is the document from Ping Identity, pages 6-8):

https://documentation.pingidentity.com/download/attachments/6755157/Salesforce_Quick_Connection_Guide.pdf?version=1&modificationDate=1307041290700

So does Ping support federated authentication in the case of Outlook?

I am new to this. It would be great if any one of you could help me understand the Outlook plugin and PingFederate.

Regards,

Neha