PingOne Platform APIs

Configure an External Identity Provider to Call a DaVinci Flow

This activity shows you how to create an OIDC external identity provider and configure the identity provider to authenticate a user through a DaVinci flow. You’ll create an application, the OIDC identity provider, a login sign-on policy, and initiate an authorization request. The authorization request will return a 302 Location response, and you will copy the URL in that Location header and use it to launch the flow.

The following operations are supported by the PingOne APIs:

  • Create an application

  • Create the OIDC external identity provider

  • Create a sign-on policy

  • Create a login sign-on policy action

  • Initiate an authorize request

DaVinci prerequisites

This workflow requires the following resources in DaVinci. You will use the IDs for these resources to configure the PingOne OIDC external identity provider endpoint:

  • A DaVinci application with its OIDC redirect_URI property set to https://auth.pingone.com/{{envID}}/rp/callback/openid_connect.

    • The application ID

    • The application secret

  • A DaVinci flow that is enabled and runs successfully in the DaVinci flow preview.

    • The flow ID (required to create the DaVinci flow policy)

  • A DaVinci flow policy associated with the DaVinci flow and app.

    • The flow policy ID

PingOne prerequisites

Get an access token from the worker application that you created in Getting Started with the PingOne APIs. To get a token from a different worker application in an alternate sandbox environment, run the token request endpoint using the client ID and client secret of your chosen worker app to authenticate the request. For more information, refer to Get a PingOne access token.

The request body to create the OIDC external identity provider includes a registration object that requires a population ID. This workflow does not include a request to create a new population. If you do not have a test population in your environment, refer to Create Populations in the PingOne API Reference to create one. Also, if you want to log in after accessing the DaVinci external identity provider sign-on flow, you’ll need a test user. This workflow does not include the steps to create a user and set the user’s password. For information about creating and updating users, refer to User operations in the PingOne API Reference.

Workflow order of operations

To configure an external identity provider that uses a DaVinci sign-on flow, you must complete the following tasks:

  1. Make a POST request to /environments/{{envID}}/applications to add a new application to the specified environment.

  2. Make a POST request to /environments/{{envID}}/identityProviders to create the OIDC identity provider configuration.

  3. Make a POST request to /environments/{{envID}}/signOnPolicies to create a new sign-on policy.

  4. Make a POST request to /environments/{{envID}}/signOnPolicies/{{policyID}}/actions to define the login action associated with this sign-on policy.

  5. Make a POST request to /environments/{{envID}}/applications/{{appID}}/signOnPolicyAssignments to associate the sign-on policy with the application.

  6. Make a GET request to /{{envID}}/as/authorize to obtain the Location header that contains the URL to launch the sign-on flow in a browser window.

  7. After you copy the Location URL, you will open a browser window and paste the URL into the Address field. On the PingOne sign-on screen, click the Sign on with PingOne DaVinci button. This action launches your DaVinci sign-on flow as the external identity provider.
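As an added example (not part of the PingOne documentation or its Postman collection), the following Python script covers step 6: it builds the authorize request with state, nonce and PKCE parameters so the later callback can be tied back to this request, sends it without following the 302, and checks the returned Location header before you paste it into a browser. AUTH_HOST, the allowed-host set and any IDs you pass in are assumptions or placeholders.

```python
import base64
import hashlib
import urllib.error
import urllib.request
from urllib.parse import urlencode, urlparse

# Assumption: the authorization host used in this workflow's redirect URI.
AUTH_HOST = "https://auth.pingone.com"

def pkce_challenge(verifier):
    """S256 code challenge: BASE64URL(SHA256(verifier)), unpadded (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(env_id, client_id, redirect_uri, state, nonce, verifier):
    """Step 6: GET /{envID}/as/authorize. state, nonce and PKCE tie the later
    callback to this request (CSRF and code-replay protection)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_HOST}/{env_id}/as/authorize?{urlencode(params)}"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None stops urllib from following the 302, so the Location
    # header can be inspected instead of silently resolved.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch_location(url):
    """Send the authorize request; return (HTTP status, Location header)."""
    try:
        resp = urllib.request.build_opener(_NoRedirect).open(url)
    except urllib.error.HTTPError as err:  # the unfollowed 302 surfaces here
        resp = err
    return resp.code, resp.headers.get("Location")

def location_is_safe(location, allowed_hosts):
    """Open the Location only if it is HTTPS and on a host you expect."""
    parsed = urlparse(location or "")
    return parsed.scheme == "https" and parsed.hostname in allowed_hosts
```

Generate state, nonce and the PKCE verifier with secrets.token_urlsafe(32) per request and keep them until the callback arrives, so the state and nonce in the response can be compared against what was sent.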

Click the Run in Postman button below to fork, or download and import, the Postman collection for this workflow to your workspace.