Test a SAML Application Connection

Number of APIs: 10

To test the execution of a SAML identity provider (IdP) connection for an application configured in your PingOne environment, you must have a working SAML IdP for your environment to communicate with.

The easiest way to do this is by using two PingOne environments. You can then run an authentication flow for an application in one PingOne environment (the service provider) by authenticating, through external authentication, as a user in a second PingOne environment that acts as the SAML IdP.

Prerequisites

  • Get an access token from the worker application that you created in Getting Started with the PingOne APIs. To get a token from a different worker application in an alternate sandbox environment, run the token request endpoint using the client ID and client secret of the worker app that you selected to authenticate the request. For more information, see GET a Worker Application Access Token.

  • A destination PingOne environment to act as the service provider (SP) for the SAML application. Use this environment to configure the SAML IdP connection. You can configure authentication flows in this environment to allow external authentication.

  • A source PingOne environment to act as the SAML IdP. Users here can complete authentication flows in the destination environment.

  • Cross-environment admin permissions for the destination and source environments.

  • A PingOne access token for each environment.

This scenario illustrates the following operations supported by the PingOne APIs:

  • Get the certificate for the source environment.
  • Create a SAML application in the source environment.
  • Create a SAML IdP in the destination environment.
  • Create a sign-on policy in the destination environment.
  • Create a sign-on policy action to enable the sign-on policy for the SAML IdP connection.
  • Set the sign-on policy as the default for the destination environment.

Workflow order of operations

To test the SAML application connection:

  1. Make a GET request to /environments/{{sourceEnvID}}/keys to find the source environment's default signing key (usageType SIGNING), then download that key's public certificate as a PEM or PKCS7 file. Only the certificate is exported; the private signing key stays in the source environment.

  2. Make a GET request to /environments to get the environment IDs.

  3. Make a POST request to /environments/{{sourceEnvID}}/applications to create a SAML application.

  4. (Optional) Make a POST request to /environments/{{sourceEnvID}}/applications/{{appID}}/attributes to add any attribute mappings needed for the source environment application.

  5. Make a POST request to /environments/{{destinationEnvID}}/certificates to create a certificate in the destination environment using the PEM or PKCS7 file that you downloaded in the initial step.

  6. Make a GET request to /environments/{{destinationEnvID}}/certificates to confirm that the imported certificate is present and get its ID. You'll assign this certificate to the IdP that you create next; it is what the destination environment uses to verify the signatures on SAML responses from the source environment.

  7. Make a POST request to /environments/{{destinationEnvID}}/identityProviders to create the SAML IdP configuration in the destination environment.

  8. (Optional) Make a POST request to /environments/{{destinationEnvID}}/identityProviders/{{providerID}}/attributes to add any needed attribute mappings for the IdP in the destination environment.

  9. Make a POST request to /environments/{{destinationEnvID}}/signOnPolicies to create a sign-on policy for the new IdP in the destination environment.

  10. Make a POST request to /environments/{{destinationEnvID}}/signOnPolicies/{{policyID}}/actions to create a new IDENTIFIER_FIRST sign-on policy action for the new sign-on policy, with a discovery rule that routes matching identifiers (for example, a specific email domain) to the new SAML IdP.

  11. Make a PUT request to /environments/{{destinationEnvID}}/signOnPolicies/{{policyID}} to set this sign-on policy as the default for the destination environment, so that the self-service sign-on flow you run next uses it.
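The steps above as one script, added here as an example and not PingOne's own code. It threads the IDs returned by each call into the next one in page order, selects only the source environment's default SIGNING key, pins the destination IdP's verification to the imported certificate, and scopes the IDENTIFIER_FIRST discovery rule to one email domain. The endpoint paths are the ones on this page; the request and response field names, the content type used to import a PEM, the `_embedded` list shapes, and the auth.pingone.com URL conventions are assumptions to confirm against the PingOne API reference before running against a real tenant. `SAMPLE_PEM` is a constructed placeholder, not a real certificate.

```python
# Added example, not PingOne's own code: drives the workflow above through an
# injectable HTTP transport so the ordering and ID plumbing can be checked offline.
# Paths follow the steps on this page; request/response field names, content
# types and the auth.pingone.com URL conventions are assumptions to confirm
# against the PingOne API reference before running against a real tenant.
import base64
import hashlib
import json
import urllib.request

API_PATH = "https://api.pingone.com/v1"  # assumption: NA region; other regions differ

# Constructed placeholder for tests, not a real certificate (three zero bytes).
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"


def http_transport(method, url, body, headers):
    """Real transport: dict/list bodies go out as JSON; str/bytes bodies go out as-is."""
    data = body
    if isinstance(body, (dict, list)):
        data = json.dumps(body).encode()
        headers = {**headers, "Content-Type": "application/json"}
    elif isinstance(body, str):
        data = body.encode()
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read().decode()
        is_json = "json" in resp.headers.get("Content-Type", "")
    return json.loads(raw) if is_json else raw


class Env:
    """One PingOne environment plus the worker-app token authorised to manage it."""

    def __init__(self, env_id, token, transport=http_transport):
        self.id, self.token, self.transport = env_id, token, transport

    def call(self, method, path, body=None, accept="application/json", content_type=None):
        headers = {"Authorization": "Bearer " + self.token, "Accept": accept}
        if content_type:
            headers["Content-Type"] = content_type
        return self.transport(method, f"{API_PATH}/environments/{self.id}{path}", body, headers)


def pem_fingerprint(pem):
    """SHA-256 of the DER inside one PEM certificate, colon-separated hex.
    Compare it with the fingerprint shown in the source environment's console
    before the certificate is trusted to verify assertions in the destination."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("expected exactly one PEM certificate")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    return ":".join(f"{b:02x}" for b in hashlib.sha256(der).digest())


def source_signing_pem(src):
    """Step 1: select the source environment's default SIGNING key (never an
    ENCRYPTION or SSL/TLS key) and download its certificate as PEM.
    Assumption: the list sits under _embedded.keys and the per-key GET honours
    Accept: application/x-pem-file."""
    keys = src.call("GET", "/keys")["_embedded"]["keys"]
    key = next(k for k in keys if k["usageType"] == "SIGNING" and k.get("default"))
    return src.call("GET", f"/keys/{key['id']}", accept="application/x-pem-file")


def run_workflow(src, dst, sp_entity_id, acs_url, email_domain, population_id):
    """Steps 1 and 3 to 11 in page order.  Returns the created IDs for teardown."""
    pem = source_signing_pem(src)                                        # step 1
    app = src.call("POST", "/applications", {                            # step 3
        "name": "saml-test-app", "enabled": True, "type": "WEB_APP",
        "protocol": "SAML", "spEntityId": sp_entity_id, "acsUrls": [acs_url],
        "assertionDuration": 3600, "assertionSigned": True})
    cert = dst.call("POST", "/certificates", pem,                        # step 5
                    content_type="application/x-pem-file")
    certs = dst.call("GET", "/certificates")["_embedded"]["certificates"]  # step 6
    if not any(c["id"] == cert["id"] for c in certs):
        raise RuntimeError("imported certificate not visible in destination")
    idp = dst.call("POST", "/identityProviders", {                       # step 7
        "name": "source-pingone-saml", "enabled": True, "type": "SAML",
        "idpEntityId": f"https://auth.pingone.com/{src.id}",
        "ssoEndpoint": f"https://auth.pingone.com/{src.id}/saml20/idp/sso",
        "ssoBinding": "HTTP_POST", "spEntityId": sp_entity_id,
        # Trust anchor: only the imported source signing certificate verifies assertions.
        "idpVerification": {"certificates": [{"id": cert["id"]}]},
        "registration": {"population": {"id": population_id}}})
    policy = dst.call("POST", "/signOnPolicies", {                       # step 9
        "name": "saml-idp-test", "default": False})
    dst.call("POST", f"/signOnPolicies/{policy['id']}/actions", {        # step 10
        "priority": 1, "type": "IDENTIFIER_FIRST",
        # Route only identifiers in the test domain to the external IdP.
        "discoveryRules": [{"condition": {"contains": "@" + email_domain,
                                          "value": "${identifier}"},
                            "identityProvider": {"id": idp["id"]}}]})
    dst.call("PUT", f"/signOnPolicies/{policy['id']}", {                 # step 11
        "name": policy["name"], "default": True})
    return {"application": app["id"], "certificate": cert["id"],
            "identityProvider": idp["id"], "signOnPolicy": policy["id"],
            "fingerprint": pem_fingerprint(pem)}
```

Construct `Env(sourceEnvID, sourceToken)` and `Env(destinationEnvID, destinationToken)` with the two worker-app tokens from the prerequisites and call `run_workflow` with the SP entity ID and ACS URL that the source SAML application and the destination IdP connection must agree on. The transport argument exists so the same sequence can be exercised against a recording fake before any real tenant is touched; the returned `fingerprint` is what you compare against the source environment's console before relying on the connection.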

Execute the authentication flow

  1. Copy the Self-Service URL for the destination environment. You can find the Self-Service URL on the Settings > Environment > Properties page.

  2. Open a private browser window, and enter the Self-Service URL that you copied.

  3. Click the button that matches your SAML IdP connection.

  4. Authenticate as a user in the source environment. Depending on your configuration, you might need to perform account linking or user verification.

Collection requests

  1. Step 1: Get the signing key for the source environment GET {{apiPath}}/environments/{{envID}}/keys

  2. Step 2: Get all environment IDs GET {{apiPath}}/environments

  3. Step 3: Create a SAML application in the source environment POST {{apiPath}}/environments/{{envID}}/applications

  4. Step 4: (Optional) Create attribute mappings for the application POST {{apiPath}}/environments/{{envID}}/applications/{{samlTestAppID}}/attributes

  5. Step 5: Create a certificate in the destination environment POST {{apiPath}}/environments/{{destinationEnvID}}/certificates

  6. Step 6: Create the new identity provider in the destination environment POST {{apiPath}}/environments/{{destinationEnvID}}/identityProviders

  7. Step 7: (Optional) Create attribute mappings for the identity provider POST {{apiPath}}/environments/{{envID}}/identityProviders/{{providerID}}/attributes

  8. Step 8: Create a sign-on policy for the new identity provider POST {{apiPath}}/environments/{{envID}}/signOnPolicies

  9. Step 9: Create a sign-on policy action POST {{apiPath}}/environments/{{envID}}/signOnPolicies/{{samlSignonPolicyID}}/actions

  10. Step 10: Set the sign-on policy as the default PUT {{apiPath}}/environments/{{envID}}/signOnPolicies/{{samlSignonPolicyID}}