The identity provider (IdP) endpoints manage external IdP configurations. It is one of several related services that enable the social login, authoritative login, and inbound SAML login features in PingOne. An IdP configuration allows linked users to authenticate and gain access to PingOne resources using the login flow and credentials provided by the external IdP.

PingOne supports several external IdPs. IdP resources in PingOne configure the external IdP settings, which include the type of provider and the user attributes from the external IdP that are mapped to PingOne user attributes. These attributes might have one or many values assigned to them. As you might expect, mapping a single-value IdP attribute to a single-value PingOne attribute results in a PingOne attribute with the same value as the IdP attribute. Similarly, mapping a multi-value IdP attribute to a multi-value PingOne attribute results in a PingOne attribute whose value is an array of the IdP attribute values. If the attributes are not the same format, then the following rules apply:

The mapping attribute placeholder value must be expressed using the following syntax in the request body:

${providerAttributes.<IdP attribute name>}

Base IdP data model

Property | Description
description | A string that specifies the description of the IdP.
enabled | A string that specifies the current enabled state of the IdP. Options are ENABLED or DISABLED.
environment.id | A string that specifies the environment associated with the IdP resource.
icon.id | The ID for the IdP icon.
icon.href | The HREF for the IdP icon.
id | A string that specifies the resource ID.
loginButtonIcon.id | The image ID for the IdP login button icon. For Facebook, Google, and LinkedIn IdPs, updates to the login button are ignored to preserve the IdP branding rules.
loginButtonIcon.href | The HREF for the IdP login button icon image file. For Facebook, Google, and LinkedIn IdPs, updates to the login button are ignored to preserve the IdP branding rules.
name | A string that specifies the name of the IdP. This is a required property.
registration | The optional registration object designates an external IdP as authoritative. Setting this attribute gives management of linked users to the IdP and also triggers just-in-time provisioning of new users. These users are created in the population indicated with
type | A string that specifies the IdP type. This is a required property. Options are FACEBOOK, GOOGLE, LINKEDIN, OPENID_CONNECT, APPLE, AMAZON, TWITTER, YAHOO, and SAML.

Mapping attributes data model

Property | Description
mappingType | A string that specifies the mapping type. Options are: CORE (this attribute is required by the schema and cannot be removed; the name and update properties cannot be changed) or CUSTOM (all user-created attributes are of this type).
name | A string that specifies the user attribute, which is unique per provider. The attribute must not be defined as read only in the user schema or be of type COMPLEX in the user schema. Valid examples: username and name.first. The following attributes may not be used: account, id, created, updated, lifecycle, mfaEnabled, and enabled.
value | A string that specifies a placeholder referring to the attribute (or attributes) from the provider. Placeholders must be valid for the attributes returned by the IdP type and use the ${} syntax (for example, username="${email}"). For SAML, any placeholder is acceptable, and it is mapped against the attributes available in the SAML assertion after authentication. The ${samlAssertion.subject} placeholder is a special reserved placeholder used to refer to the subject name ID in the SAML assertion response.
update | A string that specifies whether to update the user attribute in the directory with the non-empty mapped value from the IdP. Options are: EMPTY_ONLY (only update the user attribute if it has an empty value); ALWAYS (always update the user attribute value).

Attribute type mapping rules

User attribute type | Provider JSON value type | Result
String | * | Valid. The value is cast at runtime, as necessary.
Complex | * | Error
Boolean | Boolean | Valid
Boolean | * | Error
JSON | Object | Valid
JSON | * | Error
JSON (sub-attribute) | * | Valid
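The mapping data model and the type mapping rules above, modelled in Python as an added illustration (this is not PingOne's implementation). The user schema, the RESERVED set drawn from the name row, the IdP attribute sample and the function names are constructed assumptions, and a mapping value is assumed to be exactly one ${} placeholder.

```python
import re

# Constructed sample user schema (assumption, not from the page): the PingOne
# attribute type each mapping target is checked against.
USER_SCHEMA = {"username": "String", "name.first": "String",
               "emailVerified": "Boolean", "address": "Complex"}
# Attributes the page says may not be used as mapping targets.
RESERVED = {"account", "id", "created", "updated", "lifecycle", "mfaEnabled", "enabled"}
PLACEHOLDER = re.compile(r"^\$\{([A-Za-z0-9_.]+)\}$")


def resolve(placeholder, provider):
    """Look up a ${...} placeholder in the IdP attributes. The optional
    providerAttributes. prefix is stripped; dotted paths such as
    samlAssertion.subject walk nested objects. A missing attribute yields None."""
    m = PLACEHOLDER.match(placeholder)
    if not m:
        raise ValueError(f"bad placeholder syntax: {placeholder}")
    path = m.group(1).split(".")
    if path[0] == "providerAttributes":
        path = path[1:]
    node = provider
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
    return node


def coerce(user_type, value):
    """Apply the attribute type mapping rules table; TypeError on an invalid pair."""
    if user_type == "String":  # any provider value: cast at runtime, per element if multi-value
        return [str(v) for v in value] if isinstance(value, list) else str(value)
    if user_type == "Boolean" and isinstance(value, bool):
        return value
    if user_type == "JSON" and isinstance(value, dict):
        return value
    if user_type == "JSON (sub-attribute)":
        return value
    raise TypeError(f"cannot map {type(value).__name__} to a {user_type} attribute")


def apply_mapping(mapping, provider, user):
    """Apply one {name, value, update} mapping to a user record in place."""
    name = mapping["name"]
    if name in RESERVED:
        raise ValueError(f"{name} may not be used as a mapping target")
    mapped = resolve(mapping["value"], provider)
    if mapped in (None, "", []):  # only a non-empty mapped value is written
        return user
    if mapping["update"] == "EMPTY_ONLY" and user.get(name) not in (None, "", []):
        return user  # keep the existing directory value
    user[name] = coerce(USER_SCHEMA[name], mapped)
    return user
```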

Response codes

Code | Message
200 | Successful operation.
201 | Successfully created.
204 | Successfully removed. No content.
400 | The request could not be completed.
401 | You do not have access to this resource.
403 | You do not have permissions or are not licensed to make this request.
404 | The requested resource was not found.
500 | An unexpected error occurred.