PingOne Platform APIs

Configure a SAML Identity Provider

An external identity provider configuration in PingOne to support a SAML identity provider allows users to authenticate and gain access to application resources using a SAML sign-on flow and credentials.

To configure SAML as an external identity provider, you must provide the SAML identity provider’s verification certificate ID, which is used to verify the signature on the signed assertion from the identity provider. You should also provide the service provider’s signing key ID. If you do not provide the signing key, the default signing key for the environment is used.

The SAML identity provider’s verification certificate and the signing key can be imported using the PingOne certificate management service. For information about importing certificates, refer to Certificate management.

This scenario illustrates the following operations supported by the PingOne APIs:

  • Create an identity provider configuration

  • Create a sign-on policy

  • Create a sign-on policy action

  • Assign the sign-on policy to an application

Prerequisites

Get an access token from the worker application that you created in Create an admin Worker app connection. To get a token from a different worker application in an alternate sandbox environment, call the token endpoint with the client ID and client secret of your chosen worker app to authenticate the request. For more information, refer to Get a PingOne admin access token.

Workflow order of operations

To create a sign-on policy that supports a SAML external identity provider, the following tasks must be completed successfully:

  1. Make a POST request to /environments/{{envID}}/certificates to upload the SAML external identity provider’s verification certificate and (optionally) to /environments/{{envID}}/keys to upload the signing key.

  2. Make a POST request to /environments/{{envID}}/identityProviders to create the SAML identity provider configuration.

  3. Make a POST request to /environments/{{envID}}/populations to create a population for users who will use their SAML credentials to sign on.

  4. Make a POST request to /environments/{{envID}}/signOnPolicies to create a new sign-on policy.

  5. Make a POST request to /environments/{{envID}}/signOnPolicies/{{policyID}}/actions to create a new LOGIN sign-on policy action, which is associated with the new sign-on policy.
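The five steps above chained together, as an added example that is not PingOne's own code: each response ID feeds the next request, the verification certificate is enforced as mandatory while the signing key stays optional (falling back to the environment default, as described above), and an offline fake stands in for the API so the ordering can be checked without an environment. The JSON field names (idpVerification, spSigning, socialProviders), the population and policy bodies, and all IDs and URLs are assumptions or constructed values; confirm them against the PingOne API reference before use.

```python
from typing import Callable, Optional

Post = Callable[[str, dict], dict]  # (path, JSON body) -> parsed JSON response


def saml_idp_body(settings: dict, cert_id: str, key_id: Optional[str]) -> dict:
    """Step 2 body. The verification certificate is mandatory: it verifies the
    signature on the IdP's assertion. The signing key is optional; when it is
    omitted PingOne uses the environment's default signing key."""
    if not cert_id:
        raise ValueError("a verification certificate ID is required")
    body = {"type": "SAML", "enabled": True, **settings,
            "idpVerification": {"certificates": [{"id": cert_id}]}}  # assumed field
    if key_id:
        body["spSigning"] = {"key": {"id": key_id}}  # assumed field
    return body


def configure_saml_sign_on(post: Post, env_id: str, cert_upload: dict,
                           idp_settings: dict, policy_name: str,
                           key_upload: Optional[dict] = None) -> dict:
    """Steps 1-5 in dependency order. cert_upload/key_upload are whatever the
    certificate management service expects; their format is not modelled here."""
    env = f"/environments/{env_id}"
    cert_id = post(f"{env}/certificates", cert_upload)["id"]
    key_id = post(f"{env}/keys", key_upload)["id"] if key_upload else None
    idp_id = post(f"{env}/identityProviders",
                  saml_idp_body(idp_settings, cert_id, key_id))["id"]
    pop_id = post(f"{env}/populations", {"name": f"{policy_name} users"})["id"]
    policy_id = post(f"{env}/signOnPolicies",
                     {"name": policy_name, "default": False})["id"]
    # Assumed shape: a LOGIN action that offers the external IdP to the user.
    action_id = post(f"{env}/signOnPolicies/{policy_id}/actions",
                     {"priority": 1, "type": "LOGIN",
                      "socialProviders": [{"id": idp_id}]})["id"]
    return {"certificate": cert_id, "key": key_id, "identityProvider": idp_id,
            "population": pop_id, "policy": policy_id, "action": action_id}


class FakePingOne:
    """Offline stand-in for the API: records every call and returns an ID."""
    def __init__(self):
        self.calls = []

    def post(self, path: str, body: dict) -> dict:
        self.calls.append((path, body))
        return {"id": f"{path.rsplit('/', 1)[-1]}-{len(self.calls)}"}


def demo(with_key: bool = False) -> tuple:
    """Run the workflow against the fake with constructed sample settings."""
    api = FakePingOne()
    settings = {"name": "Corp SAML", "idpEntityId": "https://idp.example.test",
                "spEntityId": "https://sp.example.test", "ssoBinding": "HTTP_POST",
                "ssoEndpoint": "https://idp.example.test/sso"}
    ids = configure_saml_sign_on(api.post, "ENV-ID", {"usageType": "SIGNING"},
                                 settings, "SAML login",
                                 key_upload={"usageType": "SIGNING"} if with_key else None)
    return ids, api.calls
```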

Click the Run in Postman button below to fork, or download and import, the Postman collection for this workflow to your workspace.