Identity providers


Identity provider management

The identity provider endpoints manage external identity provider configurations. The identity provider service is one of several related services that enable the social login and inbound SAML login features in PingOne for Customers. An identity provider configuration allows linked users to authenticate and gain access to PingOne resources using the login flow and credentials provided by the external identity provider.

PingOne supports Facebook, Google, LinkedIn, and SAML as external identity providers. Identity provider resources in PingOne configure the external identity provider settings, which include the type of provider and the user attributes from the external identity provider that are mapped to PingOne user attributes.

The mapping attribute placeholder value must be expressed using the following syntax in the request body:

${providerAttributes.<IdP attribute name>}

Facebook

If Facebook is specified as the external identity provider, a subset of Facebook provider attributes can be used as the mapping attribute placeholder value.

The placeholder value must use the following syntax:

${providerAttributes.<Facebook attribute name>}

When you create a new Facebook identity provider entity, the POST request automatically maps the PingOne username attribute to the Facebook email attribute. The username attribute is the core mapping attribute; the default Facebook attribute value is email. It is also recommended that you map the PingOne email attribute to the Facebook email attribute. For more information about supported Facebook attributes, see Facebook provider attributes.

The request body for the email-to-email mapping looks like this, with the value attribute showing the Facebook email attribute expressed using the placeholder syntax:

{
    "name": "email",
    "update": "EMPTY_ONLY",
    "value": "${providerAttributes.email}"
}

Google

If Google is specified as the external identity provider, a subset of Google provider attributes can be used as the mapping attribute placeholder value.

The placeholder value must use the following syntax:

${providerAttributes.<Google attribute name>}

When you create a new Google identity provider entity, the POST request automatically maps the PingOne username attribute to the Google emailAddress.value attribute. The username attribute is the core mapping attribute; the default Google attribute value is emailAddress.value. It is also recommended that you map the PingOne email attribute to the Google emailAddress.value attribute. For more information about supported Google attributes, see Google provider attributes.

The request body for the email-to-email mapping looks like this, with the value attribute showing the Google emailAddress.value attribute expressed using the placeholder syntax:

{
    "name": "username",
    "update": "EMPTY_ONLY",
    "value": "${providerAttributes.emailAddress.value}"
}

LinkedIn

If LinkedIn is specified as the external identity provider, a subset of LinkedIn provider attributes can be used as the mapping attribute placeholder value.

The placeholder value must use the following syntax:

${providerAttributes.<LinkedIn attribute name>}

When you create a new LinkedIn identity provider entity, the POST request automatically maps the PingOne username attribute to the LinkedIn emailAddress attribute. The username attribute is the core mapping attribute; the default LinkedIn attribute value is emailAddress. It is also recommended that you map the PingOne email attribute to the LinkedIn emailAddress attribute. For more information about supported LinkedIn attributes, see LinkedIn provider attributes.

The request body for the email-to-email mapping looks like this, with the value attribute showing the LinkedIn emailAddress attribute expressed using the placeholder syntax:

{
    "name": "email",
    "update": "EMPTY_ONLY",
    "value": "${providerAttributes.emailAddress}"
}

SAML

If SAML is specified as the external identity provider, any SAML attribute defined in the assertion can be used as the mapping attribute placeholder value.

The placeholder value must use the following syntax:

${providerAttributes.<SAML attribute name>}

When you create a new SAML identity provider entity, the POST request automatically maps the PingOne username attribute to the SAML samlAssertion.subject attribute. The username attribute is the core mapping attribute; the default SAML attribute value is ${samlAssertion.subject}, which is a special reserved placeholder to refer to the subject name ID in the SAML assertion response.

SAML attributes can be mapped to any searchable PingOne user attribute, such as username, name.family, name.given, email, phone, externalId, or population.id.

The following sample shows the request body to map the PingOne externalId attribute to an externalId attribute defined in the SAML assertion.

{
    "name": "externalId",
    "value": "${providerAttributes.samlAssertion.externalId}",
    "update": "EMPTY_ONLY"
}

Identity provider API operations

The identity provider endpoints support the following operations:


Base identity provider data model

Property Description
authority.condition An object that specifies the condition in which this identity provider should be used to authenticate a user. At this time, the authority.condition attribute only supports the contains operator in value comparison rules against the ${username} or ${user.email} attributes nested in an or rule. For more information about policy condition syntax, see Sign-on policy action conditions.
description A string that specifies the description of the identity provider.
enabled A string that specifies the current enabled state of the identity provider. Options are ENABLED or DISABLED.
environment.id A string that specifies the environment associated with the identity provider resource.
icon.id The ID for the identity provider icon.
icon.href The HREF for the identity provider icon.
id A string that specifies the resource ID.
loginButtonIcon.id The image ID for the identity provider login button icon.
loginButtonIcon.href The HREF for the identity provider login button icon image file.
name A string that specifies the name of the identity provider. This is a required property.
provisioning.population.id A string that specifies the UUID of the population that is associated with identities during a registration flow.
type A string that specifies the identity provider type. This is a required property. Options are FACEBOOK, GOOGLE, LINKEDIN, and SAML.

Mapping attributes data model

Property Description
mappingType A string that specifies the mapping type. Options are: CORE (This attribute is required by the schema and cannot be removed. The name and update properties cannot be changed.) or CUSTOM (All user-created attributes are of this type.)
name A string that specifies the user attribute, which is unique per provider. The attribute must not be defined as read only from the user schema or of type COMPLEX based on the user schema. Valid examples: username, and name.first. The following attributes may not be used: account, id, created, updated, lifecycle, mfaEnabled, and enabled.
value A string that specifies a placeholder referring to the attribute (or attributes) from the provider. Placeholders must be valid for the attributes returned by the identity provider type and use the ${} syntax (for example, username="${email}"). For Facebook, see Facebook provider attributes. For Google, see Google provider attributes. For LinkedIn, see LinkedIn provider attributes. For SAML, any placeholder is acceptable, and it is mapped against the attributes available in the SAML assertion after authentication. The ${samlAssertion.subject} placeholder is a special reserved placeholder used to refer to the subject name ID in the SAML assertion response.
update A string that specifies whether to update the user attribute in the directory with the non-empty mapped value from the identity provider. Options are: EMPTY_ONLY (only update the user attribute if it has an empty value); ALWAYS (always update the user attribute value).

Facebook identity provider settings data model

Property Description
appId A string that specifies the application ID from Facebook. This is a required property.
appSecret A string that specifies the application secret from Facebook. This is a required property.

Facebook core attributes

Property Description
username A string that specifies the core Facebook attribute. The default value is ${providerAttributes.email} and the default update value is EMPTY_ONLY.

Facebook provider attributes

Permission Provider attributes
<default> Options are: id, first_name, last_name, middle_name, name, name_format, and email.
USER_AGE_RANGE Options are: age_range.
USER_BIRTHDAY Options are: birthday.
USER_GENDER Options are: gender.

Google identity provider settings data model

Property Description
clientId A string that specifies the application ID from Google. This is a required property.
clientSecret A string that specifies the application secret from Google. This is a required property.

Google core attributes

Property Description
username A string that specifies the core Google attribute. The default value is ${providerAttributes.emailAddress.value} and the default update value is EMPTY_ONLY.

Google provider attributes

Permission Provider attributes
profile, email Options are: resourceName, etag, emailAddress.value, name.displayName, name.familyName, name.givenName, name.middleName, nickname.value, nickname.type, gender.value, and gender.formattedValue.
https://www.googleapis.com/auth/profile.agerange.read Options are: ageRange.ageRange.
https://www.googleapis.com/auth/profile.language.read Options are: locale.value.
https://www.googleapis.com/auth/user.birthday.read Options are: birthday.date.month, birthday.date.day, birthday.date.year, and birthday.text.
https://www.googleapis.com/auth/user.phonenumbers.read Options are: phoneNumber.value.

LinkedIn identity provider settings data model

Property Description
clientId A string that specifies the application ID from LinkedIn. This is a required property.
clientSecret A string that specifies the application secret from LinkedIn. This is a required property.

LinkedIn core attributes

Property Description
username A string that specifies the core LinkedIn attribute. The default value is ${providerAttributes.emailAddress} and the default update value is EMPTY_ONLY.

LinkedIn provider attributes

Permission Provider attributes
r_liteprofile Options are: id, firstName, lastName.
r_emailaddress Options are: emailAddress.

SAML service provider settings data model

Property Description
authnRequestSigned A boolean that specifies whether the SAML authentication request will be signed when sending to the identity provider.
idpEntityId A string that specifies the entity ID URI that is checked against the issuerId tag in the incoming response.
idpVerification.certificates[].id An array that specifies the identity provider’s certificate IDs used to verify the signature on the signed assertion from the identity provider. Signing is done with a private key and verified with a public key.
spEntityId A string that specifies the service provider’s entity ID, used to look up the application.
spSigning.key.id A string that specifies the service provider’s signing key ID. If this property value is omitted, the default signing key for the environment is used.
ssoBinding A string that specifies the binding for the authentication request. Options are HTTP_POST and HTTP_REDIRECT.
ssoEndpoint A string that specifies the SSO endpoint for the authentication request.

SAML core attributes

Property Description
username A string that specifies the core SAML attribute. The default value is ${samlAssertion.subject} and the default update value is EMPTY_ONLY.
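The mapping rules and provider attribute tables above can be checked before a mapping is posted. The following Python is an added example, not PingOne code: `check_mapping` and its constants are hypothetical names, and it assumes social providers require the `providerAttributes.` prefix while SAML accepts any placeholder. It also reports which provider permission each referenced attribute needs.

```python
import re

# Permission -> provider attributes, copied from the provider attribute tables on this page.
PROVIDER_ATTRIBUTES = {
    "FACEBOOK": {
        "<default>": ["id", "first_name", "last_name", "middle_name",
                      "name", "name_format", "email"],
        "USER_AGE_RANGE": ["age_range"],
        "USER_BIRTHDAY": ["birthday"],
        "USER_GENDER": ["gender"],
    },
    "GOOGLE": {
        "profile, email": [
            "resourceName", "etag", "emailAddress.value", "name.displayName",
            "name.familyName", "name.givenName", "name.middleName",
            "nickname.value", "nickname.type", "gender.value",
            "gender.formattedValue"],
        "https://www.googleapis.com/auth/profile.agerange.read": ["ageRange.ageRange"],
        "https://www.googleapis.com/auth/profile.language.read": ["locale.value"],
        "https://www.googleapis.com/auth/user.birthday.read": [
            "birthday.date.month", "birthday.date.day", "birthday.date.year",
            "birthday.text"],
        "https://www.googleapis.com/auth/user.phonenumbers.read": ["phoneNumber.value"],
    },
    "LINKEDIN": {
        "r_liteprofile": ["id", "firstName", "lastName"],
        "r_emailaddress": ["emailAddress"],
    },
    "SAML": None,  # any attribute defined in the assertion is acceptable
}

# User attributes the mapping data model says may not be used as a mapping name.
RESERVED_NAMES = {"account", "id", "created", "updated", "lifecycle",
                  "mfaEnabled", "enabled"}
UPDATE_OPTIONS = {"EMPTY_ONLY", "ALWAYS"}
PLACEHOLDER = re.compile(r"\$\{([^{}$]+)\}")


def check_mapping(provider_type, mapping):
    """Return (problems, permissions) for one mapping attribute request body."""
    problems, permissions = [], set()
    if provider_type not in PROVIDER_ATTRIBUTES:
        return [f"unknown provider type {provider_type!r}"], permissions

    name = mapping.get("name")
    if not name:
        problems.append("name is missing")
    elif name in RESERVED_NAMES:
        problems.append(f"user attribute {name!r} may not be used in a mapping")

    update = mapping.get("update")
    if update is not None and update not in UPDATE_OPTIONS:
        problems.append(f"update must be EMPTY_ONLY or ALWAYS, got {update!r}")

    value = mapping.get("value") or ""
    refs = PLACEHOLDER.findall(value)
    leftover = PLACEHOLDER.sub("", value)
    if not refs:
        problems.append("value has no well-formed ${...} placeholder")
    elif "${" in leftover or "}" in leftover:
        problems.append("value contains a malformed placeholder")

    table = PROVIDER_ATTRIBUTES[provider_type]
    if table is None:  # SAML: resolved against the assertion after authentication
        return problems, permissions

    by_attr = {attr: perm for perm, attrs in table.items() for attr in attrs}
    for ref in refs:
        prefix, _, attr = ref.partition(".")
        if prefix != "providerAttributes" or attr not in by_attr:
            problems.append(f"${{{ref}}} is not a {provider_type} provider attribute")
        else:
            permissions.add(by_attr[attr])
    return problems, permissions


if __name__ == "__main__":
    # Constructed sample bodies: the first is the Facebook mapping from this page,
    # the second reuses Facebook's attribute name against a Google provider.
    samples = [
        ("FACEBOOK", {"name": "email", "update": "EMPTY_ONLY",
                      "value": "${providerAttributes.email}"}),
        ("GOOGLE", {"name": "email", "update": "EMPTY_ONLY",
                    "value": "${providerAttributes.email}"}),
    ]
    for provider_type, body in samples:
        print(provider_type, check_mapping(provider_type, body))
```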

Attribute type mapping rules

User attribute type Provider JSON value type Result
String * Valid. The value is cast at runtime, as necessary.
Complex * Error
Boolean Boolean Valid
Boolean * Error
JSON Object Valid
JSON * Error
JSON (sub-attribute) * Valid

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.
500 An unexpected error occurred.

Endpoint examples

Get identity providers

The GET /environments/{environmentId}/identityProviders endpoint returns a list of all identity provider resources for the specified environment resource.

curl -X "GET" "https://api.pingone.com/v1/environments/{environmentId}/identityProviders" \
-H 'Authorization: Bearer jwtToken'

The response data looks like this:

{
  "_links": {
    "self": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders"
    }
  },
  "_embedded": {
    "identityProviders": [
      {
        "_links": {
          "self": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/09470346-7851-4d35-9cdf-4a2dfe39ac2d"
          },
          "environment": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
          },
          "attributes": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/09470346-7851-4d35-9cdf-4a2dfe39ac2d/attributes"
          }
        },
        "id": "09470346-7851-4d35-9cdf-4a2dfe39ac2d",
        "type": "FACEBOOK",
        "name": "FacebookIdP4",
        "description": "Custom Facebook ID Provider",
        "enabled": true,
        "environment": {
          "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
        },
        "createdAt": "2019-05-31T19:52:55.020Z",
        "updatedAt": "2019-05-31T19:52:55.020Z",
        "appId": "FBID",
        "appSecret": "FBSecret"
      },
      {
        "_links": {
          "self": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/172fc816-66ed-4d69-9bf9-98a11f96ff2a"
          },
          "environment": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
          },
          "attributes": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/172fc816-66ed-4d69-9bf9-98a11f96ff2a/attributes"
          }
        },
        "id": "172fc816-66ed-4d69-9bf9-98a11f96ff2a",
        "type": "LINKEDIN",
        "name": "LinkedInIdP",
        "description": "Custom LinkedIn ID Provider",
        "enabled": true,
        "environment": {
          "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
        },
        "createdAt": "2019-12-06T23:08:09.136Z",
        "updatedAt": "2019-12-06T23:08:09.136Z",
        "clientId": "LINKEDIN_ID",
        "clientSecret": "LINKEDIN_SECRET"
      },
      {
          "_links": {
              "self": {
                  "href": "https://api-staging.pingone.com/v1/environments/c9900572-0d85-40b6-a228-f51ac7b67bc7/identityProviders/a9e4e181-f520-4e6e-af30-d3559781ad1b"
              },
              "environment": {
                  "href": "https://api-staging.pingone.com/v1/environments/c9900572-0d85-40b6-a228-f51ac7b67bc7"
              },
              "attributes": {
                  "href": "https://api-staging.pingone.com/v1/environments/c9900572-0d85-40b6-a228-f51ac7b67bc7/identityProviders/a9e4e181-f520-4e6e-af30-d3559781ad1b/attributes"
              }
          },
          "id": "a9e4e181-f520-4e6e-af30-d3559781ad1b",
          "type": "SAML",
          "name": "SAMLIdP",
          "description": "this is SAML IdP test",
          "enabled": false,
          "environment": {
              "id": "c9900572-0d85-40b6-a228-f51ac7b67bc7"
          },
          "createdAt": "2019-06-17T17:20:12.294Z",
          "updatedAt": "2019-06-17T17:20:12.294Z",
          "_embedded": {
              "attributes": [
                  {
                      "name": "username",
                      "value": "${samlAssertion.subject}",
                      "update": "EMPTY_ONLY",
                      "id": "51a036c6-41ed-44f7-bd1d-eacaa2a1feab",
                      "mappingType": "CORE",
                      "environment": {
                          "id": "c9900572-0d85-40b6-a228-f51ac7b67bc7"
                      },
                      "identityProvider": {
                          "id": "a9e4e181-f520-4e6e-af30-d3559781ad1b"
                      },
                      "createdAt": "2019-06-17T17:20:12.294Z",
                      "updatedAt": "2019-06-17T17:20:12.294Z"
                  }
              ]
          },
          "authnRequestSigned": false,
          "ssoEndpoint": "https://idp.com/sso",
          "ssoBinding": "HTTP_POST",
          "idpVerification": {
            "certificates": [
              {
                "id": "123f67f8-c56c-4903-9c9b-c4b162e22789"
              }
            ]
          },
          "spEntityId": "sp-1560792011",
          "spSigning": {
              "key": {
                  "id": "a65318d7-eaa2-4070-bb73-ffe21a6fca06"
              }
          },
          "idpEntityId": "idp-1560792011"
      },
      {
          "_links": {
              "self": {
                  "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/65fb47be-c71e-45b6-9c4c-e3deed8df116"
              },
              "environment": {
                  "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
              },
              "attributes": {
                  "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/65fb47be-c71e-45b6-9c4c-e3deed8df116/attributes"
              }
          },
          "id": "65fb47be-c71e-45b6-9c4c-e3deed8df116",
          "type": "GOOGLE",
          "name": "GoogleIdP",
          "description": "Google identity provider.",
          "enabled": false,
          "environment": {
              "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
          },
          "createdAt": "2019-06-17T18:03:45.785Z",
          "updatedAt": "2019-06-17T18:03:45.785Z",
          "clientSecret": "GoogleClientSecret",
          "clientId": "GoogleClientId"
      }
    ]
  },
  "size": 4
}
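The list response above returns `appSecret` and `clientSecret` values in clear text alongside the SAML settings. The following Python is an added example, not PingOne code: it masks those properties before a response is logged or exported and reviews the SAML fields from the data model. The function names, the review checks, and the third sample provider are assumptions constructed for illustration.

```python
# Secret properties named in the Facebook, Google and LinkedIn settings data models.
SECRET_FIELDS = {"appSecret", "clientSecret"}


def redact_secrets(node):
    """Return a copy of a parsed response with every secret property masked."""
    if isinstance(node, dict):
        return {key: "<redacted>" if key in SECRET_FIELDS else redact_secrets(val)
                for key, val in node.items()}
    if isinstance(node, list):
        return [redact_secrets(item) for item in node]
    return node


def review_saml(provider):
    """Return review notes for one SAML identity provider resource."""
    notes = []
    # Anything other than boolean true (including the string "false") counts as unsigned.
    if provider.get("authnRequestSigned") is not True:
        notes.append("authnRequestSigned is not true: authentication requests are sent unsigned")
    certs = (provider.get("idpVerification") or {}).get("certificates") or []
    if not any(cert.get("id") for cert in certs):
        notes.append("no idpVerification certificate: assertion signatures cannot be verified")
    if not str(provider.get("ssoEndpoint", "")).lower().startswith("https://"):
        notes.append("ssoEndpoint is not an https URL")
    return notes


def review_response(response):
    """Map provider name -> notes for every SAML provider in a list response."""
    providers = response.get("_embedded", {}).get("identityProviders", [])
    return {p.get("name"): review_saml(p) for p in providers if p.get("type") == "SAML"}


# Constructed sample: the first two entries abbreviate the response on this page,
# the third is invented to exercise the remaining checks.
SAMPLE_RESPONSE = {
    "_embedded": {"identityProviders": [
        {"type": "FACEBOOK", "name": "FacebookIdP4", "enabled": True,
         "appId": "FBID", "appSecret": "FBSecret"},
        {"type": "SAML", "name": "SAMLIdP", "enabled": False,
         "authnRequestSigned": False, "ssoEndpoint": "https://idp.com/sso",
         "ssoBinding": "HTTP_POST",
         "idpVerification": {"certificates": [
             {"id": "123f67f8-c56c-4903-9c9b-c4b162e22789"}]}},
        {"type": "SAML", "name": "SAMLIdP-constructed", "enabled": True,
         "authnRequestSigned": True, "ssoEndpoint": "http://idp.example/sso",
         "ssoBinding": "HTTP_REDIRECT",
         "idpVerification": {"certificates": []}},
    ]},
    "size": 3,
}

if __name__ == "__main__":
    import json
    print(json.dumps(redact_secrets(SAMPLE_RESPONSE), indent=2))
    for name, notes in review_response(SAMPLE_RESPONSE).items():
        for note in notes:
            print(f"{name}: {note}")
```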

Get one identity provider

To get data for a single identity provider resource, the GET /environments/{environmentId}/identityProviders/{providerId} operation returns data only for the identity provider resource with the specified ID.

curl -X GET "https://api.pingone.com/v1/environments/{environmentId}/identityProviders/{providerId}" \
-H "Authorization: Bearer jwtToken"

The response data looks like this:

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/ad6e99f3-1053-4ce0-9623-09bab0a1c74a"
        },
        "environment": {
            "href": "https://api.pingone.com/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
        },
        "attributes": {
            "href": "https://api.pingone.com/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/ad6e99f3-1053-4ce0-9623-09bab0a1c74a/attributes"
        }
    },
    "id": "ad6e99f3-1053-4ce0-9623-09bab0a1c74a",
    "type": "FACEBOOK",
    "name": "FacebookIdP2",
    "description": "Custom Facebook ID Provider",
    "enabled": true,
    "environment": {
        "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
    },
    "icon": {
        "id": "9765e2ec-f958-4a20-a178-3ba5f54d6477",
        "href": "https://upload.wikimedia.org/wikipedia/commons/thumb/9/96/Oxygen-user-identity-female.svg/128px-Oxygen-user-identity-female.svg.png"
    },
    "createdAt": 1558567181201,
    "updatedAt": 1558567181201,
    "appId": "FBID",
    "appSecret": "FBSecret"
}

Add identity providers

The POST /environments/{environmentId}/identityProviders operation adds a new identity provider resource to the specified environment.

Facebook

When the type property value is set to FACEBOOK, Facebook’s appId and appSecret property values are required in the request body.

curl -X "POST" "https://api.pingone.com/v1/environments/{environmentId}/identityProviders" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d '{
  "name": "FacebookIdP6",
  "description": "Facebook social media identity provider.",
  "enabled": false,
  "type": "FACEBOOK",
  "appId" : "appId",
  "appSecret": "appSecret"
}'

The response data for a FACEBOOK identity provider type looks like this:

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/65fb47be-c71e-45b6-9c4c-e3deed8df116"
        },
        "environment": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
        },
        "attributes": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/65fb47be-c71e-45b6-9c4c-e3deed8df116/attributes"
        }
    },
    "id": "65fb47be-c71e-45b6-9c4c-e3deed8df116",
    "type": "FACEBOOK",
    "name": "FacebookIdP6",
    "description": "Facebook social media identity provider.",
    "enabled": false,
    "environment": {
        "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
    },
    "createdAt": "2019-06-17T18:03:45.785Z",
    "updatedAt": "2019-06-17T18:03:45.785Z",
    "appSecret": "FBSecret",
    "appId": "FBID"
}

Google

When the type property value is set to GOOGLE, Google’s clientId and clientSecret property values are required in the request body.

curl -X "POST" "https://api.pingone.com/v1/environments/{environmentId}/identityProviders" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d '{
  "name": "GoogleIdP",
  "description": "Google identity provider.",
  "enabled": false,
  "type": "GOOGLE",
  "clientId" : "GoogleClientId",
  "clientSecret": "GoogleClientSecret"
}'

The response data for a GOOGLE identity provider type looks like this:

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/65fb47be-c71e-45b6-9c4c-e3deed8df116"
        },
        "environment": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
        },
        "attributes": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/65fb47be-c71e-45b6-9c4c-e3deed8df116/attributes"
        }
    },
    "id": "65fb47be-c71e-45b6-9c4c-e3deed8df116",
    "type": "GOOGLE",
    "name": "GoogleIdP",
    "description": "Google identity provider.",
    "enabled": false,
    "environment": {
        "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
    },
    "createdAt": "2019-06-17T18:03:45.785Z",
    "updatedAt": "2019-06-17T18:03:45.785Z",
    "clientSecret": "GoogleClientSecret",
    "clientId": "GoogleClientId"
}

LinkedIn

When the type property value is set to LINKEDIN, LinkedIn’s clientId and clientSecret property values are required in the request body.

curl -X "POST" "https://api.pingone.com/v1/environments/{environmentId}/identityProviders" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d '{
    "description": "Custom LinkedIn ID Provider",
    "enabled": true,
    "name": "LinkedInIdP",
    "type": "LINKEDIN",
    "clientId": "LINKEDIN_ID",
    "clientSecret": "LINKEDIN_SECRET"
}'

The response data for a LINKEDIN identity provider type looks like this:

{
  "_links": {
    "self": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/172fc816-66ed-4d69-9bf9-98a11f96ff2a"
    },
    "environment": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
    },
    "attributes": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/172fc816-66ed-4d69-9bf9-98a11f96ff2a/attributes"
    }
  },
  "id": "172fc816-66ed-4d69-9bf9-98a11f96ff2a",
  "type": "LINKEDIN",
  "name": "LinkedInIdP",
  "description": "Custom LinkedIn ID Provider",
  "enabled": true,
  "environment": {
    "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
  },
  "createdAt": "2019-12-06T23:08:09.136Z",
  "updatedAt": "2019-12-06T23:08:09.136Z",
  "clientSecret": "LINKEDIN_SECRET",
  "clientId": "LINKEDIN_ID"
}

SAML

The following sample shows the request with the type property set to SAML. In addition, this sample uses an expand filter in the request URL to show SAML attribute details.

curl -X "POST" "https://api.pingone.com/v1/environments/{environmentId}/identityProviders?expand=attributes" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d '{
  "name": "SAMLIdP",
  "description": "this is SAML IdP test",  
  "type": "SAML",
  "enabled": false,
  "spEntityId": "sp-{$timestamp}",
  "idpEntityId": "idp-{$timestamp}",
  "ssoBinding": "HTTP_POST",
  "ssoEndpoint": "https://idp.com/sso",
  "authnRequestSigned": false,
  "idpVerification": {
    "certificates": [
      {
        "id": "{certId}"
      }
    ]
  },
  "spSigning": {
    "key": {
      "id": "{spSigningId}"
    }
  }
}'

The response data for a SAML identity provider type looks like this:

{
    "_links": {
        "self": {
            "href": "https://api-staging.pingone.com/v1/environments/c9900572-0d85-40b6-a228-f51ac7b67bc7/identityProviders/a9e4e181-f520-4e6e-af30-d3559781ad1b"
        },
        "environment": {
            "href": "https://api-staging.pingone.com/v1/environments/c9900572-0d85-40b6-a228-f51ac7b67bc7"
        },
        "attributes": {
            "href": "https://api-staging.pingone.com/v1/environments/c9900572-0d85-40b6-a228-f51ac7b67bc7/identityProviders/a9e4e181-f520-4e6e-af30-d3559781ad1b/attributes"
        }
    },
    "id": "a9e4e181-f520-4e6e-af30-d3559781ad1b",
    "type": "SAML",
    "name": "SAMLIdP",
    "description": "this is SAML IdP test",
    "enabled": false,
    "environment": {
        "id": "c9900572-0d85-40b6-a228-f51ac7b67bc7"
    },
    "createdAt": "2019-06-17T17:20:12.294Z",
    "updatedAt": "2019-06-17T17:20:12.294Z",
    "_embedded": {
        "attributes": [
            {
                "name": "username",
                "value": "${samlAssertion.subject}",
                "update": "EMPTY_ONLY",
                "id": "51a036c6-41ed-44f7-bd1d-eacaa2a1feab",
                "mappingType": "CORE",
                "environment": {
                    "id": "c9900572-0d85-40b6-a228-f51ac7b67bc7"
                },
                "identityProvider": {
                    "id": "a9e4e181-f520-4e6e-af30-d3559781ad1b"
                },
                "createdAt": "2019-06-17T17:20:12.294Z",
                "updatedAt": "2019-06-17T17:20:12.294Z"
            }
        ]
    },
    "authnRequestSigned": false,
    "ssoEndpoint": "https://idp.com/sso",
    "ssoBinding": "HTTP_POST",
    "idpVerification": {
      "certificates": [
        {
          "id": "123f67f8-c56c-4903-9c9b-c4b162e22789"
        }
      ]
    },
    "spEntityId": "sp-1560792011",
    "spSigning": {
        "key": {
            "id": "a65318d7-eaa2-4070-bb73-ffe21a6fca06"
        }
    },
    "idpEntityId": "idp-1560792011"
}

Update an identity provider

To update a property value associated with a selected identity provider resource, use the PUT /environments/{environmentId}/identityProviders/{providerId} operation to modify the specified attribute values. For example, you can change the description attribute value of the identity provider.

curl -X "PUT" "https://api.pingone.com/v1/environments/{environmentId}/identityProviders/{providerId}" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d '{
  "description": "My Facebook external identity provider."
}'

Delete an identity provider

To delete an identity provider resource, you need to specify the environment ID and the identity provider resource ID in the request URL. The DELETE /environments/{environmentId}/identityProviders/{providerId} operation deletes the identified identity provider resource.

curl -X "DELETE" "https://api.pingone.com/v1/environments/{environmentId}/identityProviders/{providerId}" \
-H 'Authorization: Bearer jwtToken'

For successful delete operations, a 204 NO CONTENT message is returned by the request.

Get identity provider attributes

The GET /environments/{environmentId}/identityProviders/{providerId}/attributes endpoint returns a list of all identity provider attribute resources for the specified identity provider resource.

curl -X "GET" "https://api.pingone.com/v1/environments/{environmentId}/identityProviders/{providerId}/attributes" \
-H 'Authorization: Bearer jwtToken'

The response data looks like this:

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/ad6e99f3-1053-4ce0-9623-09bab0a1c74a/attributes"
        }
    },
    "_embedded": {
        "attributes": [
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/ad6e99f3-1053-4ce0-9623-09bab0a1c74a/attributes/d14033ff-cc74-4ea3-9170-400a877de472"
                    },
                    "identityProvider": {
                        "href": "https://api.pingone.com/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/ad6e99f3-1053-4ce0-9623-09bab0a1c74a"
                    }
                },
                "name": "username",
                "value": "${providerAttributes.email}",
                "update": "EMPTY_ONLY",
                "id": "d14033ff-cc74-4ea3-9170-400a877de472",
                "mappingType": "CORE",
                "environment": {
                    "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
                },
                "identityProvider": {
                    "id": "ad6e99f3-1053-4ce0-9623-09bab0a1c74a"
                },
                "createdAt": 1558567181201,
                "updatedAt": 1558567181201
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/ad6e99f3-1053-4ce0-9623-09bab0a1c74a/attributes/065281f6-923d-483f-a63f-98888b0c7b01"
                    },
                    "identityProvider": {
                        "href": "https://api.pingone.com/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/ad6e99f3-1053-4ce0-9623-09bab0a1c74a"
                    }
                },
                "name": "email",
                "value": "${providerAttributes.email}",
                "update": "EMPTY_ONLY",
                "id": "065281f6-923d-483f-a63f-98888b0c7b01",
                "mappingType": "CUSTOM",
                "environment": {
                    "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
                },
                "identityProvider": {
                    "id": "ad6e99f3-1053-4ce0-9623-09bab0a1c74a"
                },
                "createdAt": 1559592542048,
                "updatedAt": 1559592542048
            }
        ]
    },
    "size": 2
}

Get one identity provider attribute

The GET /environments/{environmentId}/identityProviders/{providerId}/attributes/{attributeId} operation returns data only for the identity provider attribute resource with the specified ID.

curl -X GET "https://api.pingone.com/v1/environments/{environmentId}/identityProviders/{providerId}/attributes/{attributeId}" \
-H "Authorization: Bearer jwtToken"

The response data looks like this:

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/ad6e99f3-1053-4ce0-9623-09bab0a1c74a/attributes/065281f6-923d-483f-a63f-98888b0c7b01"
        },
        "identityProvider": {
            "href": "https://api.pingone.com/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/ad6e99f3-1053-4ce0-9623-09bab0a1c74a"
        }
    },
    "name": "email",
    "value": "${providerAttributes.email}",
    "update": "EMPTY_ONLY",
    "id": "065281f6-923d-483f-a63f-98888b0c7b01",
    "mappingType": "CUSTOM",
    "environment": {
        "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
    },
    "identityProvider": {
        "id": "ad6e99f3-1053-4ce0-9623-09bab0a1c74a"
    },
    "createdAt": 1559592542048,
    "updatedAt": 1559592542048
}

Add identity provider attributes

The POST /environments/{environmentId}/identityProviders/{providerId}/attributes operation adds a new identity provider attribute mapping resource for the specified identity provider.

Facebook

For FACEBOOK type attribute mappings, supported Facebook provider attributes can be mapped to any searchable PingOne user attribute. The following sample shows the POST /environments/{environmentId}/identityProviders/{providerId}/attributes operation to add a Facebook identity provider mapping attribute resource.

curl -X "POST" "https://api.pingone.com/v1/environments/{environmentId}/identityProviders/{providerId}/attributes" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d '{
    "name": "name.given",
    "update": "EMPTY_ONLY",
    "value": "${providerAttributes.first_name}"
}'

The response data for the new Facebook identity provider attribute mapping looks like this:

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/ad6e99f3-1053-4ce0-9623-09bab0a1c74a/attributes/065281f6-923d-483f-a63f-98888b0c7b01"
        },
        "identityProvider": {
            "href": "https://api.pingone.com/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/ad6e99f3-1053-4ce0-9623-09bab0a1c74a"
        }
    },
    "name": "name.given",
    "value": "${providerAttributes.first_name}",
    "update": "EMPTY_ONLY",
    "id": "065281f6-923d-483f-a63f-98888b0c7b01",
    "mappingType": "CUSTOM",
    "environment": {
        "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
    },
    "identityProvider": {
        "id": "ad6e99f3-1053-4ce0-9623-09bab0a1c74a"
    },
    "createdAt": 1559592542048,
    "updatedAt": 1559592542048
}

Google

For GOOGLE type attribute mappings, supported Google provider attributes can be mapped to any searchable PingOne user attribute. The following sample shows the POST /environments/{environmentId}/identityProviders/{providerId}/attributes operation to add a Google identity provider mapping attribute resource.

curl -X "POST" "https://api.pingone.com/v1/environments/{environmentId}/identityProviders/{providerId}/attributes" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d '{
    "name": "nickname",
    "update": "EMPTY_ONLY",
    "value": "${providerAttributes.nickname.value}"
}'

The response data for the new Google identity provider attribute mapping looks like this:

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/ad6e99f3-1053-4ce0-9623-09bab0a1c74a/attributes/065281f6-923d-483f-a63f-98888b0c7b01"
        },
        "identityProvider": {
            "href": "https://api.pingone.com/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/e46e99f3-1053-4ce0-9623-09bab0a1c74a"
        }
    },
    "name": "nickname",
    "value": "${providerAttributes.nickname.value}",
    "update": "EMPTY_ONLY",
    "id": "ad5281f6-923d-483f-a63f-98888b0c7b01",
    "mappingType": "CUSTOM",
    "environment": {
        "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
    },
    "identityProvider": {
        "id": "e46e99f3-1053-4ce0-9623-09bab0a1c74a"
    },
    "createdAt": 1559592542048,
    "updatedAt": 1559592542048
}

LinkedIn

For LINKEDIN type attribute mappings, supported LinkedIn provider attributes can be mapped to any searchable PingOne user attribute. The following sample shows the POST /environments/{environmentId}/identityProviders/{providerId}/attributes operation to add a LinkedIn identity provider mapping attribute resource.

curl -X "POST" "https://api.pingone.com/v1/environments/{environmentId}/identityProviders/{providerId}/attributes" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d '{
    "name": "email",
    "update": "EMPTY_ONLY",
    "value": "${providerAttributes.emailAddress}"
}'

The response data for the new LinkedIn identity provider attribute mapping looks like this:

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/ad6e99f3-1053-4ce0-9623-09bab0a1c74a/attributes/065281f6-923d-483f-a63f-98888b0c7b01"
        },
        "identityProvider": {
            "href": "https://api.pingone.com/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/e46e99f3-1053-4ce0-9623-09bab0a1c74a"
        }
    },
    "name": "email",
    "value": "${providerAttributes.emailAddress}",
    "update": "EMPTY_ONLY",
    "id": "065281f6-923d-483f-a63f-98888b0c7b01",
    "mappingType": "CUSTOM",
    "environment": {
        "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
    },
    "identityProvider": {
        "id": "e46e99f3-1053-4ce0-9623-09bab0a1c74a"
    },
    "createdAt": 1559592542048,
    "updatedAt": 1559592542048
}

SAML

The following sample shows the POST /environments/{environmentId}/identityProviders/{providerId}/attributes operation to add a SAML identity provider attribute resource for the specified identity provider.

curl -X "POST" "https://api.pingone.com/v1/environments/{environmentId}/identityProviders/{providerId}/attributes" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d '{
	"name": "externalId",
	"value": "${providerAttributes.externalId}",
	"update": "ALWAYS"
}'

The response data for the new SAML identity provider attribute mapping looks like this:

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/c9900572-0d85-40b6-a228-f51ac7b67bc7/identityProviders/5cf3a911-174a-4d7a-8cc0-2d038a2de164/attributes/668d84f5-b848-4006-bb25-363214960c27"
        },
        "identityProvider": {
            "href": "https://api.pingone.com/environments/c9900572-0d85-40b6-a228-f51ac7b67bc7/identityProviders/5cf3a911-174a-4d7a-8cc0-2d038a2de164"
        }
    },
    "name": "externalId",
    "value": "${providerAttributes.externalId}",
    "update": "ALWAYS",
    "id": "668d84f5-b848-4006-bb25-363214960c27",
    "mappingType": "CUSTOM",
    "environment": {
        "id": "c9900572-0d85-40b6-a228-f51ac7b67bc7"
    },
    "identityProvider": {
        "id": "5cf3a911-174a-4d7a-8cc0-2d038a2de164"
    },
    "createdAt": 1559601707798,
    "updatedAt": 1559601707798
}
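
A pre-flight check for the mapping bodies shown above, as an added example that is not part of the PingOne documentation. The names check_mapping, audit and IDENTITY_ATTRS are hypothetical, and the check assumes that ALWAYS replaces an existing PingOne value while EMPTY_ONLY fills only empty attributes, and that a value is exactly one placeholder.

```python
import re

# Placeholder syntax stated on the page: ${providerAttributes.<IdP attribute name>}
# Assumption: a value is exactly one placeholder, with no whitespace or nested braces.
PLACEHOLDER = re.compile(r"\$\{providerAttributes\.[^\s${}]+\}")
UPDATE_MODES = {"EMPTY_ONLY", "ALWAYS"}  # the two values used in the page's samples
IDENTITY_ATTRS = {"username", "email"}   # assumption: attributes treated as identity-bearing


def check_mapping(m):
    """Return findings for one mapping body (name / value / update)."""
    findings = []
    for field in ("name", "value", "update"):
        if not isinstance(m.get(field), str) or not m[field]:
            findings.append(f"error: missing or non-string '{field}'")
    if findings:
        return findings
    if not PLACEHOLDER.fullmatch(m["value"]):
        findings.append(f"error: value {m['value']!r} is not a providerAttributes placeholder")
    if m["update"] not in UPDATE_MODES:
        findings.append(f"error: unknown update mode {m['update']!r}")
    elif m["update"] == "ALWAYS" and m["name"] in IDENTITY_ATTRS:
        findings.append(f"review: ALWAYS lets the IdP value overwrite '{m['name']}'")
    return findings


def audit(mappings):
    """Return {PingOne attribute name: findings} for mappings that need attention."""
    report, seen = {}, set()
    for m in mappings:
        name = m["name"] if isinstance(m.get("name"), str) else "<unnamed>"
        findings = check_mapping(m)
        if name in seen:
            findings.append(f"review: more than one mapping targets '{name}'")
        seen.add(name)
        if findings:
            report.setdefault(name, []).extend(findings)
    if "username" not in seen:
        report.setdefault("username", []).append("error: no mapping for the core username attribute")
    return report


# Constructed sample: the first two bodies match the page's samples, the last two are wrong on purpose.
SAMPLE = [
    {"name": "username", "value": "${providerAttributes.email}", "update": "EMPTY_ONLY"},
    {"name": "nickname", "value": "${providerAttributes.nickname.value}", "update": "EMPTY_ONLY"},
    {"name": "email", "value": "${providerAttributes.emailAddress}", "update": "ALWAYS"},
    {"name": "name.given", "value": "$providerAttributes.first_name", "update": "EMPTY_ONLY"},
]
```

Calling audit(SAMPLE) reports the email mapping for review and the name.given mapping as an error; the same functions can be run over the attribute list returned by the GET operation before a change is approved.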

Update an identity provider attribute

To update the property values of an identity provider attribute resource, use the PUT /environments/{environmentId}/identityProviders/{providerId}/attributes/{attributeId} operation.

curl -X "PUT" "https://api.pingone.com/v1/environments/{environmentId}/identityProviders/{providerId}/attributes/{attributeId}" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d '{
	"name": "name.family",
	"value": "${providerAttributes.last_name}",
	"update": "EMPTY_ONLY"
}'

The response data looks like this:

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/ad6e99f3-1053-4ce0-9623-09bab0a1c74a/attributes/065281f6-923d-483f-a63f-98888b0c7b01"
        },
        "identityProvider": {
            "href": "https://api.pingone.com/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/identityProviders/ad6e99f3-1053-4ce0-9623-09bab0a1c74a"
        }
    },
    "name": "name.family",
    "value": "${providerAttributes.last_name}",
    "update": "EMPTY_ONLY",
    "id": "065281f6-923d-483f-a63f-98888b0c7b01",
    "mappingType": "CUSTOM",
    "environment": {
        "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
    },
    "identityProvider": {
        "id": "ad6e99f3-1053-4ce0-9623-09bab0a1c74a"
    },
    "createdAt": 1559592542048,
    "updatedAt": 1559593262040
}

Delete an identity provider attribute

To delete an identity provider attribute resource, you need to specify the environment ID, the identity provider resource ID, and the attribute ID in the request URL. The DELETE /environments/{environmentId}/identityProviders/{providerId}/attributes/{attributeId} operation deletes the identified identity provider attribute resource.

curl -X "DELETE" "https://api.pingone.com/v1/environments/{environmentId}/identityProviders/{providerId}/attributes/{attributeId}" \
-H 'Authorization: Bearer jwtToken'

A successful delete operation returns a 204 NO CONTENT message.