PingOne Platform APIs

External Identity Provider - Sign On

This activity shows you how to test the external authentication flow, signing on with an external identity provider (IdP).

The easiest way to do this is by using two PingOne environments. One environment will act as the service provider (SP) for an OIDC application, while the other environment is used to configure an OIDC identity provider (IdP) connection.

This activity requires completing an internal authentication flow within the external authentication flow, so it’s important to take note of which environment should be used to complete each step. On the first use of external authentication, you will need to link accounts. After the accounts are linked once, you will not need to link them again.

Prerequisites

  • Get an access token from the worker application that you created in Create an admin Worker app connection.

  • A destination PingOne environment to act as the service provider (SP) for the OIDC application. You’ll use this environment to configure the OIDC IdP connection. Authentication flows in this environment can be configured to allow external authentication.

  • A source PingOne environment that will act as the OIDC IdP. Users here will be able to complete authentication flows in the destination environment.

  • Cross-environment admin permissions for the destination and source environments.

This scenario illustrates the following operations supported by the PingOne APIs:

  • Create an OIDC application in the source environment.

  • Create an OIDC IdP in the destination environment referencing the source application.

  • Create a sign-on policy in the destination environment.

  • Create a sign-on policy action to enable the sign-on policy for the OIDC IdP connection.

  • Set the sign-on policy as the default for the destination environment.

  • Create an OIDC application in the destination environment.

  • Set the sign-on policy as the default for the destination environment.

  • Create a population in the source and destination environments.

  • Create users in the source and destination environments.

  • Initiate an authorization request.

  • Read an external authentication initialization.

  • Send an external authentication request.

  • Get the flow for an external identity provider.

  • Pass in external identity provider credentials for verification.

  • Retrieve an authorization code from the authorization server by calling the resume endpoint.

  • Call the external authentication callback to get the response from an external identity provider.

  • Get the flow and submit credentials for account linking.

  • Retrieve an authorization code from the authorization server by calling the resume endpoint.

  • Exchange an authorization code for an access token.
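
The authorization request, the callback validation and the token exchange body from the steps above, as an added example that is not part of this page or of the Postman collection. It assumes the destination (SP) environment's authorization server lives at https://auth.pingone.com/{envID}/as with /authorize and /token beneath it, and that the SP application is configured for the authorization code flow with PKCE; the state, nonce and code_verifier are the values the SP must keep server-side so the callback and the later ID token can be tied back to the request it started.

```python
import base64, hashlib, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed PingOne authorization server base (not taken from this page).
AUTH_BASE = "https://auth.pingone.com/{env_id}/as"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge for a code_verifier, per RFC 7636."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_request(env_id: str, client_id: str, redirect_uri: str,
                            scope: str = "openid profile"):
    """Return the /authorize URL plus the one-time values the SP keeps server-side."""
    session = {
        "state": secrets.token_urlsafe(32),          # binds callback to this browser session
        "nonce": secrets.token_urlsafe(32),          # must reappear in the ID token
        "code_verifier": secrets.token_urlsafe(64),  # 86 chars, within RFC 7636 43..128
        "redirect_uri": redirect_uri,
    }
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": pkce_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_BASE.format(env_id=env_id)}/authorize?{urlencode(params)}", session


def handle_callback(callback_url: str, session: dict) -> dict:
    """Check the redirect back to the SP; return the body to POST to /token, else raise."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    state = q.get("state", [""])[0]
    if not state or not secrets.compare_digest(state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: callback not tied to a request this SP started")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": session["redirect_uri"],
            "code_verifier": session["code_verifier"]}
```

The returned body is what the SP posts to /token together with its client credentials; the ID token that comes back must still be checked for the stored nonce before the session is treated as signed on.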

Click the Run in Postman button below to fork, or download and import, the Postman collection for this workflow to your workspace.