Connection to Identity Provider fails because ID not sent


      I am trying to set up an SSO connection between Jenkins/SAML Plugin as SP and PingOne as our IDP. After setting up the IDP side and importing its metadata into Jenkins, we encountered a problem: the IDP suddenly requires a verification of the email address, which is very unusual.

       

      After some research I found this article:

      https://ping.force.com/Support/Group-Detail/PingOne-Q&A/Feed-Detail/feedId_0D54000002exDErCAM

       

      The article says that the "idpid" is not sent to the IDP and therefore the IDP is not able to map the request from the SP to the specific application.

       

      The metadata received from the IDP indeed contains the "IDPID", as shown in the following example:

      <md:SingleSignOnService Location="https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=10854xxx-bxxx-4xxx-958b-2af773342f11" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>

      But the request from the SP to the IDP during the login process ignores or fails to send the IDPID. The SP sends the following URL to the IDP:

      https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?SAMLRequest=jVJNb9swDL3vVxi6%2BzNO4wqxg2xFsQLZGiTpDrsMskw76mLKEaWg7a%2Bf6jRYdyl2JMj3%2BPge54un%2FhCcwJDSWLI0SlgAKHWjsCvZw%2B42LNii%2BjQn0R%2BygS%2Bd3eMGjg7IBksiMNbjvmgk14PZgjkpCQ%2BbVcn21g7E4%2FgR8LdCCqWKSDtsHCoLTSR1f2nFBNIZZZ83IA593CpUtF%2FpTiELbvwehcKO4i6URNrjEUHaaPA6VQNoPX4k9c1YNUO83d5Ho%2BiFr1RTpkkxzSdFEtZ1C2HeQB5eT4s6zEQ7m00medamKQtutZEwHlmyVhwIWHB3U7Jf2tHQv2iqB9Okqpso2fXCCn3s98Z1zfHJNfsXUftpWgsidYK%2FeCIHd0hWoC1ZlqRFmFyF2WyXTPm04Nk0Sq6uf7JgbbTVUh8%2BKzyb7wxyLUgRR9EDcSv5dvltxbMo4fV5iPjX3W4dru%2B3u5Hg5K0w3%2F10yQYh88fw1QEW%2FLjEm73G6wNH4udAP94yvEli1Tl%2FPt5i3jN8TCAuH8Kq%2F%2F%2BHefx%2BWfVW%2Fvt71R8%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=m26OTtHdK1sWCurrywHJS%2Bokptdg71B84JOItrj5xObc3SVEvcGjLGCEUgfccmz2Dbq5sA%2FBClc%2B8B4kt9q9%2FZFHZ%2B2%2FD%2Bnw%2BMvyolzQ6HejxCYsgwf0geb%2ByLjg8znQ6bGOg2sTGxxAkokuxwebJOR6idewdZ2C27zTG2MlGXIvLATkFfh75SNWmBeYBOlKj4E%2FZMd3uyguNNGMfyzb36438beLCK1Lwg8bIbAsssz%2B553lW0MZrFlCZ8pwhmZFmYt8L4rPkkxP4t7hFvM36x8pKj6UoZkyWF6HwGxKyGCega9j2pGibT2LMxfSkSzdeuVFQyqRvbRAK9CtNxNRNA%3D%3D

      But the correct URL should look like this:

      https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=10854xxx-bxxx-4xxx-958b-2af773342f11&SAMLRequest=jVJNb9swDL3vVxi6%2BzNO4wqxg2xFsQLZGiTpDrsMskw76mLKEaWg7a%2Bf6jRYdyl2JMj3%2BPge54un%2FhCcwJDSWLI0SlgAKHWjsCvZw%2B42LNii%2BjQn0R%2BygS%2Bd3eMGjg7IBksiMNbjvmgk14PZgjkpCQ%2BbVcn21g7E4%2FgR8LdCCqWKSDtsHCoLTSR1f2nFBNIZZZ83IA593CpUtF%2FpTiELbvwehcKO4i6URNrjEUHaaPA6VQNoPX4k9c1YNUO83d5Ho%2BiFr1RTpkkxzSdFEtZ1C2HeQB5eT4s6zEQ7m00medamKQtutZEwHlmyVhwIWHB3U7Jf2tHQv2iqB9Okqpso2fXCCn3s98Z1zfHJNfsXUftpWgsidYK%2FeCIHd0hWoC1ZlqRFmFyF2WyXTPm04Nk0Sq6uf7JgbbTVUh8%2BKzyb7wxyLUgRR9EDcSv5dvltxbMo4fV5iPjX3W4dru%2B3u5Hg5K0w3%2F10yQYh88fw1QEW%2FLjEm73G6wNH4udAP94yvEli1Tl%2FPt5i3jN8TCAuH8Kq%2F%2F%2BHefx%2BWfVW%2Fvt71R8%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=m26OTtHdK1sWCurrywHJS%2Bokptdg71B84JOItrj5xObc3SVEvcGjLGCEUgfccmz2Dbq5sA%2FBClc%2B8B4kt9q9%2FZFHZ%2B2%2FD%2Bnw%2BMvyolzQ6HejxCYsgwf0geb%2ByLjg8znQ6bGOg2sTGxxAkokuxwebJOR6idewdZ2C27zTG2MlGXIvLATkFfh75SNWmBeYBOlKj4E%2FZMd3uyguNNGMfyzb36438beLCK1Lwg8bIbAsssz%2B553lW0MZrFlCZ8pwhmZFmYt8L4rPkkxP4t7hFvM36x8pKj6UoZkyWF6HwGxKyGCega9j2pGibT2LMxfSkSzdeuVFQyqRvbRAK9CtNxNRNA%3D%3D

      When putting the correct URL containing the IDPID into the browser, the login succeeds. Second, login from the IDP side to the SP side succeeds as well.

       

Assignee: Unassigned
Reporter: Tom Pfueller
Archiver: Jenkins Service Account

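The root cause described in the report is an SP that builds the HTTP-Redirect URL from the endpoint's scheme, host and path only, discarding the query string that the IdP metadata already carries in the SingleSignOnService Location (here the idpid parameter). The redirect binding appends SAMLRequest, RelayState, SigAlg and Signature to the endpoint URL, and the signature covers only those binding parameters, so preserving the endpoint's own query string does not invalidate the signature. The following Python is an added example, not code from the Jenkins SAML plugin or from pac4j: it shows the naive construction that reproduces the failure beside a correct one, plus a small check a reviewer can run against a generated redirect URL to confirm every parameter declared in the metadata survived. The idpid value is the masked one from the report; the SAMLRequest, SigAlg and Signature values are constructed placeholders, not a real signed request.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# SingleSignOnService Location as it appears in the IdP metadata quoted in the report
# (masked value copied from the report).
IDP_SSO_LOCATION = (
    "https://sso.connect.pingidentity.com/sso/idp/SSO.saml2"
    "?idpid=10854xxx-bxxx-4xxx-958b-2af773342f11"
)

# Constructed placeholders standing in for the deflated/base64 AuthnRequest and its signature.
SAML_PARAMS = {
    "SAMLRequest": "constructed-deflated-base64-authnrequest",
    "SigAlg": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "Signature": "constructed-signature-value",
}

# Order mandated for the redirect binding's own parameters (also the signing order).
BINDING_PARAM_ORDER = ("SAMLRequest", "RelayState", "SigAlg", "Signature")


def build_redirect_url_naive(sso_location, saml_params):
    """Rebuilds the URL from scheme/host/path only, so the endpoint's own
    query string (idpid) is dropped. This reproduces the behaviour reported."""
    base = urlsplit(sso_location)
    query = urlencode([(k, saml_params[k]) for k in BINDING_PARAM_ORDER if k in saml_params])
    return urlunsplit((base.scheme, base.netloc, base.path, query, ""))


def build_redirect_url(sso_location, saml_params):
    """Keeps whatever query parameters the metadata Location already carries and
    appends the binding parameters after them."""
    base = urlsplit(sso_location)
    existing = parse_qsl(base.query, keep_blank_values=True)
    binding = [(k, saml_params[k]) for k in BINDING_PARAM_ORDER if k in saml_params]
    return urlunsplit((base.scheme, base.netloc, base.path, urlencode(existing + binding), ""))


def missing_endpoint_params(sso_location, redirect_url):
    """Check for a generated redirect: return the names of query parameters that the
    metadata Location declares but the redirect URL lacks or carries with a different value."""
    want = dict(parse_qsl(urlsplit(sso_location).query, keep_blank_values=True))
    got = dict(parse_qsl(urlsplit(redirect_url).query, keep_blank_values=True))
    return sorted(name for name, value in want.items() if got.get(name) != value)


if __name__ == "__main__":
    naive = build_redirect_url_naive(IDP_SSO_LOCATION, SAML_PARAMS)
    fixed = build_redirect_url(IDP_SSO_LOCATION, SAML_PARAMS)
    print("naive URL drops:", missing_endpoint_params(IDP_SSO_LOCATION, naive))
    print("fixed URL drops:", missing_endpoint_params(IDP_SSO_LOCATION, fixed))
    print(fixed)
```

Run the file directly to see the naive URL flagged for the missing idpid while the corrected URL passes the check; missing_endpoint_params is also handy on its own against a URL captured from a browser's address bar when an SP-initiated login fails in the way the report describes.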