SAML Sign-On

Number of APIs: 12

This activity shows you how to create a basic PingOne sign-on flow for a SAML application.

Note: This solution uses the group access control properties set on the application, which associate the application with a PingOne group to control who can sign on. The request descriptions for creating the SAML application and the user group provide more details on how to configure access control in this workflow. For general information about access control, see Control access to applications through roles and groups.

The following operations are supported by the PingOne APIs:

  • Create a group
  • Create a SAML application
  • Create a sign-on policy
  • Create a login sign-on policy action
  • Create a user
  • Initiate a SAML authorize request
  • Use flow APIs to complete the login

Workflow order of operations

To configure a basic PingOne sign-on flow for a SAML application, you must complete the following tasks:

  1. Make a POST request to /environments/{{envID}}/groups to create a new group resource.

  2. Make a POST request to /environments/{{envID}}/applications to add a new SAML application to the specified environment.

  3. Make a POST request to /environments/{{envID}}/signOnPolicies to create a new sign-on policy.

  4. Make a POST request to /environments/{{envID}}/signOnPolicies/{{signOnPolicyID}}/actions to define the login action associated with this sign-on policy.

  5. Make a POST request to /environments/{{envID}}/applications/{{appID}}/signOnPolicyAssignments to associate the sign-on policy with the application.

  6. Make a POST request to /environments/{{envID}}/populations to create a new population resource.

  7. Make a POST request to /environments/{{envID}}/users to create a user to assign to the new population resource.

  8. Make a PUT request to /environments/{{envID}}/users/{{userID}}/password to set the new user's password.

  9. Make a POST request to /{{envID}}/saml20/idp/sso to obtain an authorization grant. This request starts the SAML authorization flow.

  10. Make a GET request to /{{envID}}/flows/{{flowID}} to initiate the sign-on flow.

  11. To complete the login action, make a POST request to /{{envID}}/flows/{{flowID}} and provide the user's login credentials.

  12. Make a GET request to /{{envID}}/saml20/resume?flowId={{flowID}} to call the SAML resume endpoint and return an encoded SAMLResponse.

We highly recommend that you use our Qodex collection for this workflow. The collection also contains the accompanying Qodex environment template, making it easy for you to use and save variable values. For more information about using Qodex environments, see The PingOne Qodex environment template.

  • Step 1: Create a group (POST {{apiPath}}/environments/{{envID}}/groups)
  • Step 2: Create a SAML application (POST {{apiPath}}/environments/{{envID}}/applications)
  • Step 3: Create the sign-on policy (POST {{apiPath}}/environments/{{envID}}/signOnPolicies)
  • Step 4: Create the sign-on policy action (POST {{apiPath}}/environments/{{envID}}/signOnPolicies/{{samlPolicyID}}/actions)
  • Step 5: Assign the sign-on policy to an application (POST {{apiPath}}/environments/{{envID}}/applications/{{samlAppID}}/signOnPolicyAssignments)
  • Step 6: Create a population (POST {{apiPath}}/environments/{{envID}}/populations)
  • Step 7: Create a user (POST {{apiPath}}/environments/{{envID}}/users)
  • Step 8: Set user password (PUT {{apiPath}}/environments/{{envID}}/users/{{samlUserID}}/password)
  • Step 9: Submit SAML sign-on request (POST {{authPath}}/{{envID}}/saml20/idp/sso)
  • Step 12: Call the SAML resume endpoint (GET {{authPath}}/{{envID}}/saml20/resume?flowId={{flowID}})