Update pingfederate-saml.mdx (#22477)

kennyj42 · ranbel · web-flow · commit c8b5a53243f9 · 2025-05-15T20:34:35.000Z
* Update pingfederate-saml.mdx

Our account team found this issue in a customer POC. You need to ensure you're also sending a &lt;keyinfo&gt; certificate as part of the SAML response

* Apply suggestions from code review

* Update src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx

---------

Co-authored-by: ranbel &lt;101146722+ranbel@users.noreply.github.com&gt;
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx
@@ -19,39 +19,43 @@ These can be any value. A prompt displays to select a signing certificate to use
 
 5. In the **SAML attribute configuration** dialog select **Email attribute** > **urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress**.
 
+6. Go to **SP Connections** > **SP Connection** > **Credentials**.
+
+7. Add the matching certificate that you upload into the Cloudflare SAML configuration for Ping. Select **Include the certificate in the signature `<KEYINFO>` element**.
+
 :::note
 There is an additional setting for PingFederate prior to 9.0.
 :::
 
-6. In the **Signature Policy** tab, disable the option to **Always Sign Assertion**.
+8. In the **Signature Policy** tab, disable the option to **Always Sign Assertion**.
 
-7. Leave the option enabled for **Sign Response As Required**.
+9. Leave the option enabled for **Sign Response As Required**.
 
 This ensures that SAML destination headers are sent during the integration.
 
 In versions 9.0 above, you can leave both of these options enabled.
 
-8. A prompt displays to download the SAML metadata from Ping.
+10. A prompt displays to download the SAML metadata from Ping.
 
 This file shares several fields with Cloudflare Access so you do not have to input this data.
 
-9. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.
+11. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.
 
-10. Under **Login methods**, select **Add new**.
+12. Under **Login methods**, select **Add new**.
 
-11. Select SAML.
+13. Select SAML.
 
-12. In the **IdP Entity ID** field, enter the following URL:
+14. In the **IdP Entity ID** field, enter the following URL:
 
 ```txt
 https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
 ```
 
 You can find your team name in Zero Trust under **Settings** > **Custom Pages**.
 
-13. Fill the other fields with values from your Ping dashboard.
+15. Fill the other fields with values from your Ping dashboard.
 
-14. Select **Save**.
+16. Select **Save**.
 
 To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to the login method you want to test.
 
