SAML 2.0 APIs
The SAML endpoints are used by SAML applications to initiate sign-on and sign-off operations. The SAML service implements functions to initiate SAML 2.0 single sign-on and single logout authentication flows.
SAML single sign-on (SSO) authentication requests
A SAML SSO authentication request uses the following authentication flow:
- The client (browser) initiates a login action to access a protected resource.
- The identity provider issues an <AuthnRequest> message to be delivered by the user agent to the SAML service endpoint using either HTTP Redirect or HTTP POST.
- The SAML service validates the request and creates an authentication flow with the flow orchestration service.
- The SAML service indicates that user interaction is required to perform the authentication flow.
- The browser is redirected to the PingOne hosted authentication UI or to the custom UI URL configured for the application, passing in the environmentId and flowSessionId query parameters. The authentication UI uses the flow orchestration and action services endpoints to complete the authentication flow. On every call, the authentication API checks that the session token cookie contains the current token for the session associated with the flow. On successful completion of the flow, a new session token is generated for the session and set in the cookie.
- The browser is redirected to the resume endpoint of the SAML service.
- The SAML service retrieves and deletes the authentication flow from the flow orchestration service.
- The SAML service generates the appropriate tokens and issues a <Response> message, delivered by the user agent to the identity provider using HTTP POST.
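The final step delivers a <Response> to the application over HTTP POST. Before the application trusts it, it should confirm that the response answers the <AuthnRequest> it issued, is addressed to its own endpoint, succeeded, and carries a single assertion that is within its validity window and names the application as audience. The following is an added Python example, not PingOne's code: the Response XML, request ID, ACS URL and audience are constructed values, and the XML signature is assumed to have been verified before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample <Response>, as an application receives it over HTTP POST after
# base64-decoding the SAMLResponse form field. Signature elements are omitted here.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2024-01-01T00:00:10Z" InResponseTo="_req42"
  Destination="https://app.example.com/saml/acs">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_as1" Version="2.0" IssueInstant="2024-01-01T00:00:10Z">
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_utc(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml, request_id, acs_url, audience, now, skew=timedelta(seconds=60)):
    """Return the list of reasons to reject; an empty list means all checks passed.
    Assumes the XML signature was verified first (use defusedxml for untrusted input)."""
    root = ET.fromstring(xml)
    problems = []
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the AuthnRequest ID we issued")
    if root.get("Destination") != acs_url:
        problems.append("Destination is not our ACS endpoint")
    code = root.find("p:Status/p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    assertions = root.findall("a:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["expected exactly one Assertion"]
    cond = assertions[0].find("a:Conditions", NS)
    if cond is None:
        return problems + ["Assertion has no Conditions"]
    # NotBefore is inclusive, NotOnOrAfter exclusive; allow a small clock skew.
    if now + skew < parse_utc(cond.get("NotBefore")) or now - skew >= parse_utc(cond.get("NotOnOrAfter")):
        problems.append("Assertion is outside its validity window")
    audiences = [e.text for e in cond.findall("a:AudienceRestriction/a:Audience", NS)]
    if audience not in audiences:
        problems.append("AudienceRestriction does not name this application")
    return problems
```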
SAML single logout (SLO) requests
A SAML single logout (SLO) operation uses the following flow:
- The user initiates logout.
- The session participant initiates single logout by sending a <LogoutRequest> message to the identity provider that sent the corresponding <AuthnRequest> authentication assertion.
- The SAML service validates the request. It then calls the end session endpoint of the flow orchestration service, passing through the cookie header. The flow orchestration service deletes the session identified by the session cookie and includes a Set-Cookie header in the response to immediately expire the session cookie.
- The identity provider uses the contents of the <LogoutRequest> message to determine the session(s) being terminated.
- The identity provider issues a <LogoutResponse> message to the original requesting session participant.
For detailed information about the SAML 2.0 endpoints from the PingOne API Reference, refer to SAML 2.0.