--- title: External Authentication description: The external authentication API provides endpoints for performing end user authentication with PingOne supported external identity providers. End users are redirected immediately to the authentication initialization endpoint at the external authentication service. After users authenticate at the provider, they are redirected back to the external authentication service's authentication callback endpoint, where the external authentication API validates the token or assertion returned from the external identity provider. component: pingone-api page_id: pingone-api:auth:external-authentication canonical_url: https://developer.pingidentity.com/pingone-api/auth/external-authentication.html section_ids: external-authentication-data-model: External authentication data model external-authentication-events-generated: External authentication events generated response-codes: Response codes --- # External Authentication The external authentication API provides endpoints for performing end user authentication with PingOne supported external identity providers. End users are redirected immediately to the authentication initialization endpoint at the external authentication service. After users authenticate at the provider, they are redirected back to the external authentication service's authentication callback endpoint, where the external authentication API validates the token or assertion returned from the external identity provider. ## External authentication data model | Property | Type | Required? | Mutable? | Description | | ------------------------ | ------ | --------- | --------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `attributes` | Object | N/A | Read-only | The mapped user attributes and their values from the external identity provider. | | `` | Object | N/A | Read-only | The name of the mapped user attribute from the external identity provider. | | `.value` | String | N/A | Read-only | The value for the mapped user attribute from the external identity provider. | | `.update` | String | N/A | Read-only | An enumeration that specifies the update behavior for this attribute based on identity provider configuration. Options are `EMPTY_ONLY` and `ALWAYS`. | | `externalId` | String | N/A | Read-only | The identifier returned by the identity provider for the external user. | | `flow` | Object | Required | Immutable | A reference to the PingOne flow associated with this external authentication. | | `flow.id` | String | Required | Mutable | The flow UUID associated with this external authentication. | | `identityProvider` | Object | Required | Immutable | A reference to the external identity provider that is used to authenticate the user. | | `identityProvider.id` | String | Required | Mutable | The UUID of the external identity provider to which the user is redirected for sign-on. | | `status` | String | N/A | Read-only | The status of the external authentication. Options are:- `PROVIDER_RESPONSE_REQUIRED`: Awaiting callback from provider with authentication results. - `COMPLETED`: External authentication request completed successfully. - `FAILED`: The identity provider returned an error. | | `error` | Object | N/A | Read-only | When the `status` is `FAILED`, returns an error detail from the identity provider to the PingOne flow associated with this external authentication. | | `error.code` | String | N/A | Read-only | The PingOne code for the error. | | `error.message` | String | N/A | Read-only | The description of the error. | ## External authentication events generated Refer to [Audit Reporting Events](../platform/reference/audit-reporting-events.html) for the events generated. ### Response codes | Code | Message | | ---- | --------------------------------------------------------------------- | | 302 | Found. | | 400 | The request could not be completed. | | 401 | You weren't authenticated to perform this operation. | | 403 | You do not have permissions or are not licensed to make this request. |