SAML SSO Using POST
POST {{authPath}}/{{envID}}/saml20/idp/sso
You can also initiate the authentication session for the SAML single sign-on action through a POST request. The following sample shows the POST /{{envID}}/saml20/idp/sso operation to start the sign-on flow:
The request URL includes the SAMLRequest parameter to pass in the encoded SAML authentication request information. Here is a sample SAML <AuthnRequest> in plain text:
<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="identifier_1"
  Version="2.0"
  IssueInstant="2004-12-05T09:21:59">
  <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
</samlp:AuthnRequest>
For SAML assertions, PingOne supports the following Subject NameID formats:
Format | Description |
---|---|
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified | The Subject's NameID format is not specified. |
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress | The Subject's NameID format is in the form of an email address. |
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent | The Subject's NameID format is an opaque unique identifier for a user that retains the same value over time. |
urn:oasis:names:tc:SAML:2.0:nameid-format:transient | The Subject's NameID format is a randomly generated identifier. A different value is used for each SSO for a given user. |
Note: For POST requests, the <AuthnRequest> is Base64 encoded.
Property | Type | Required? |
---|---|---|
RelayState | String | Required |
SAMLRequest | String | Required |
Request Body
Name | Value | Datatype |
---|---|---|
SAMLRequest | {{SAMLRequest}} | string |
RelayState | token | string |
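The Base64 encoding noted above and the two body parameters, as an added example that is not PingOne's own code: it builds the `SAMLRequest` value, percent-encodes it so Base64's `+`, `/` and `=` survive form parsing, and decodes a body back for inspection. The function names are hypothetical, and the body is assumed to be sent as `application/x-www-form-urlencoded`; the Issuer and RelayState values are the page's samples.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(issuer: str) -> str:
    """Build a minimal <AuthnRequest> with a fresh ID and a UTC IssueInstant."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,  # an xs:ID value must not start with a digit
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(root, encoding="unicode")


def build_post_body(authn_request_xml: str, relay_state: str) -> str:
    """Form body for the POST: plain Base64 (no DEFLATE), then percent-encoding."""
    b64 = base64.b64encode(authn_request_xml.encode("utf-8")).decode("ascii")
    # urlencode() escapes '+', '/' and '=' so a form parser cannot read '+' as a space.
    return urlencode({"SAMLRequest": b64, "RelayState": relay_state})


def decode_post_body(body: str) -> dict:
    """Reverse the encoding, e.g. to inspect a request captured while debugging."""
    form = parse_qs(body, strict_parsing=True)
    xml = base64.b64decode(form["SAMLRequest"][0], validate=True).decode("utf-8")
    # Stdlib parser used for brevity; prefer a hardened parser for untrusted input.
    root = ET.fromstring(xml)
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "relay_state": form["RelayState"][0],
    }


if __name__ == "__main__":
    body = build_post_body(build_authn_request("https://sp.example.com/SAML2"), "token")
    print(body)
    print(decode_post_body(body))
```
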