Configure a SAML Identity Provider
Number of APIs: 6
An external identity provider configuration in PingOne to support a SAML identity provider allows users to authenticate and gain access to application resources using a SAML sign-on flow and credentials.
Note: To configure SAML as an external identity provider, you must provide the SAML identity provider's verification certificate ID, which is used to verify the signature on the signed assertion from the identity provider. You should also provide the service provider's signing key ID. If you do not provide the signing key, the default signing key for the environment is used.
The SAML identity provider's verification certificate and the signing key can be imported using the PingOne certificate management service. For information about importing certificates, see Certificate management.
This scenario illustrates the following operations supported by the PingOne APIs:
- Create an identity provider configuration
- Create a sign-on policy
- Create a sign-on policy action
- Assign the sign-on policy to an application
Prerequisites
Get an access token from the worker application that you created in Getting Started with the PingOne APIs. To get a token from a different worker application in an alternate sandbox environment, run the token request endpoint using the client ID and client secret of your chosen worker app to authenticate the request. For more information, see GET a Worker Application Access Token.
Workflow order of operations
To create a sign-on policy that supports a SAML external identity provider, the following tasks must be completed successfully:
1. Make a POST request to /environments/{{envID}}/certificates to upload the SAML external identity provider's verification certificate and (optionally) to /environments/{{envID}}/keys to upload the signing key.
2. Make a POST request to /environments/{{envID}}/identityProviders to create the SAML identity provider configuration.
3. Make a POST request to /environments/{{envID}}/populations to create a population for users who will use their SAML credentials to sign on.
4. Make a POST request to /environments/{{envID}}/signOnPolicies to create a new sign-on policy.
5. Make a POST request to /environments/{{envID}}/signOnPolicies/{{policyID}}/actions to create a new LOGIN sign-on policy action, which is associated with the new sign-on policy.
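The following is an added example, not PingOne's own code: a small Python driver that issues steps 2 to 5 in dependency order and threads the returned IDs (certificate ID into idpVerification, optional signing key ID into spSigning, population ID into the LOGIN action, policy ID into the action URL). The HTTP call is injected so the flow can be exercised offline; the step 1 certificate and key IDs are inputs, and the request body field names (type, idpEntityId, ssoBinding, ssoEndpoint, authnRequestSigned, idpVerification, spSigning, registration, socialProviders) follow the PingOne API as recalled and are assumptions, not taken from this page.

```python
from typing import Callable, Optional

# post(path, json_body) -> response JSON as a dict. Injected so the flow can
# run offline against a fake; a real poster adds the worker app's bearer token.
Poster = Callable[[str, dict], dict]


def saml_idp_body(name: str, idp_entity_id: str, sso_endpoint: str,
                  cert_id: str, key_id: Optional[str]) -> dict:
    """Step 2 body. idpVerification names the certificate that verifies the
    assertion signature; spSigning is omitted when no key ID is given so
    PingOne uses the environment's default signing key, as the Note says.
    Field names follow the PingOne identityProviders API and are assumed."""
    body = {
        "name": name, "enabled": True, "type": "SAML",
        "idpEntityId": idp_entity_id,
        "ssoBinding": "HTTP_POST", "ssoEndpoint": sso_endpoint,
        "authnRequestSigned": True,
        "idpVerification": {"certificates": [{"id": cert_id}]},
    }
    if key_id:
        body["spSigning"] = {"key": {"id": key_id}}
    return body


def configure_saml_idp(post: Poster, env_id: str, cert_id: str,
                       key_id: Optional[str], idp_entity_id: str,
                       sso_endpoint: str) -> dict:
    """Steps 2 to 5 in dependency order; returns the created resource IDs.
    Step 1 (certificate/key upload) is assumed done, its IDs are inputs."""
    base = f"/environments/{env_id}"
    idp = post(f"{base}/identityProviders", saml_idp_body(
        "Partner SAML IdP", idp_entity_id, sso_endpoint, cert_id, key_id))
    pop = post(f"{base}/populations", {"name": "SAML users"})
    pol = post(f"{base}/signOnPolicies", {"name": "usecase_saml_policy"})
    # LOGIN action tied to the new policy; registration.population and
    # socialProviders (external IdPs to offer) are assumed field names.
    action = post(f"{base}/signOnPolicies/{pol['id']}/actions", {
        "priority": 1, "type": "LOGIN",
        "registration": {"enabled": True, "population": {"id": pop["id"]}},
        "socialProviders": [{"id": idp["id"]}],
    })
    return {"idp": idp["id"], "population": pop["id"],
            "policy": pol["id"], "action": action["id"]}
```

Passing None for key_id exercises the fallback described in the Note: the spSigning block is left out and the environment's default signing key applies.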
- Step 1b: Upload the SAML application's signing key (Optional) POST {{apiPath}}/environments/{{envID}}/keys
- Step 1a: Upload the SAML application's verification certificate POST {{apiPath}}/environments/{{envID}}/certificates
- Step 2: Create the new identity provider resource POST {{apiPath}}/environments/{{envID}}/identityProviders
- Step 3: Create a population for SAML users POST {{apiPath}}/environments/{{envID}}/populations
- Step 4: Create the new sign-on policy POST {{apiPath}}/environments/{{envID}}/signOnPolicies
- Step 5: Create the sign-on policy action POST {{apiPath}}/environments/{{envID}}/signOnPolicies/{{usecaseSamlPolicyID}}/actions