To test a SAML identity provider connection for an application configured in your PingOne environment, you need a working SAML identity provider for that environment to communicate with.

The easiest way to get one is to use two PingOne environments. You can then run an authentication flow for an application in one environment (the destination) and authenticate externally as a user in a second environment (the source) that acts as the SAML identity provider.

Prerequisites

This scenario illustrates the following operations supported by the PingOne APIs:

Workflow order of operations

To test the SAML application connection, complete the following tasks in this order:

  1. Make a GET request to /environments to get the environment IDs: the source environment (the one that acts as the SAML identity provider) and the destination environment (the one whose application the user signs on to).

  2. Make a GET request to /environments/{{sourceEnvID}}/keys to get the signing key for the source environment.

    a. Download the PEM or PKCS7 file for the signing key. The file contains only the certificate (public key); the destination environment uses it to verify the signatures on assertions issued by the source environment, so make sure you pick the signing key and not an encryption key.

  3. Make a POST request to /environments/{{sourceEnvID}}/applications to create a SAML application.

  4. (Optional) Make a POST request to /environments/{{sourceEnvID}}/applications/{{appID}}/attributes to add any attribute mappings the source environment application needs.

  5. Make a POST request to /environments/{{destinationEnvID}}/certificates to create a certificate in the destination environment from the PEM or PKCS7 file you downloaded in step 2.

  6. Make a GET request to /environments/{{destinationEnvID}}/certificates to get the ID of that certificate so you can assign it to the identity provider you'll create.

  7. Make a POST request to /environments/{{destinationEnvID}}/identityProviders to create the SAML identity provider configuration in the destination environment, referencing the certificate from step 6 for assertion verification.

  8. (Optional) Make a POST request to /environments/{{destinationEnvID}}/identityProviders/{{providerID}}/attributes to add any attribute mappings the identity provider in the destination environment needs.

  9. Make a POST request to /environments/{{destinationEnvID}}/signOnPolicies to create a sign-on policy for the new identity provider in the destination environment.

  10. Make a POST request to /environments/{{destinationEnvID}}/signOnPolicies/{{policyId}}/actions to create an IDENTIFIER_FIRST sign-on policy action associated with the new sign-on policy.

  11. Make a PUT request to /environments/{{destinationEnvID}}/applications/{{applicationId}}/signOnPolicyAssignments to assign this sign-on policy to the specified application in the destination environment (the application the user signs on to in the authentication flow below).
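The eleven steps above as one runnable sequence, added here as an example; it is not code from the PingOne documentation or the Postman collection. The request paths are the ones the steps name. The request bodies, the Accept header used to download the PEM, the HAL-style `_embedded` response shape, the `${...}` attribute expressions, the `auth_base` entity-ID format and the `discoveryRules` condition are assumptions to check against the PingOne API reference, and the transport is a constructed stand-in so the sequence runs offline. What it shows beyond the list is the data flow between the two environments: the source application's spEntityId and the destination identity provider's spEntityId come from the same value, the identity provider's idpEntityId is the source issuer, and the certificate referenced in step 7 is exactly the one imported in step 5.

```python
"""Added example: the two-environment SAML workflow with an injectable transport.
Paths follow the workflow steps; bodies, headers and response shapes are assumptions."""
from typing import Any, Callable, Dict, List, Optional, Tuple

# (method, path, json body, Accept header) -> parsed response
Transport = Callable[[str, str, Optional[dict], Optional[str]], Any]


class PingOneClient:
    """Records every request so the order of operations can be inspected afterwards."""

    def __init__(self, send: Transport) -> None:
        self.send = send
        self.log: List[Tuple[str, str, Optional[dict]]] = []

    def call(self, method: str, path: str, body: Optional[dict] = None,
             accept: Optional[str] = None) -> Any:
        self.log.append((method, path, body))
        return self.send(method, path, body, accept)


def connect_environments(client: PingOneClient, source_name: str, dest_name: str,
                         auth_base: str, dest_app_id: str) -> Dict[str, str]:
    # 1. Environment IDs, looked up by name.
    envs = client.call("GET", "/environments")["_embedded"]["environments"]
    by_name = {e["name"]: e["id"] for e in envs}
    src, dst = by_name[source_name], by_name[dest_name]
    # Entity IDs are derived once so both sides agree (assumed "<auth_base>/<envID>" format).
    source_issuer, dest_sp_entity = f"{auth_base}/{src}", f"{auth_base}/{dst}"

    # 2. Default signing key of the source environment, downloaded as PEM (assumed Accept header).
    keys = client.call("GET", f"/environments/{src}/keys")["_embedded"]["keys"]
    key = next(k for k in keys if k["usageType"] == "SIGNING" and k["default"])
    pem = client.call("GET", f"/environments/{src}/keys/{key['id']}",
                      accept="application/x-pem-file")

    # 3. SAML application in the source environment (this side acts as the IdP); assumed fields.
    app = client.call("POST", f"/environments/{src}/applications", {
        "name": f"SAML to {dest_name}", "enabled": True, "type": "SAML_APP",
        "protocol": "SAML", "spEntityId": dest_sp_entity,
        "acsUrls": [f"{auth_base}/{dst}/saml20/sp/acs"], "assertionDuration": 3600})
    # 4. (Optional) subject mapping for the application; assumed fields.
    client.call("POST", f"/environments/{src}/applications/{app['id']}/attributes",
                {"name": "saml_subject", "value": "${user.email}", "required": True})

    # 5. Import the source signing certificate into the destination environment; assumed body.
    cert = client.call("POST", f"/environments/{dst}/certificates",
                       {"usageType": "SIGNING", "pem": pem})
    # 6. Confirm it is listed before referencing it from the identity provider.
    certs = client.call("GET", f"/environments/{dst}/certificates")["_embedded"]["certificates"]
    if not any(c["id"] == cert["id"] for c in certs):
        raise RuntimeError("imported certificate not visible in destination environment")

    # 7. SAML identity provider in the destination; assertions are verified with that certificate.
    idp = client.call("POST", f"/environments/{dst}/identityProviders", {
        "name": f"SAML from {source_name}", "enabled": True, "type": "SAML",
        "idpEntityId": source_issuer, "ssoBinding": "HTTP_POST",
        "ssoEndpoint": f"{auth_base}/{src}/saml20/idp/sso",
        "spEntityId": dest_sp_entity,
        "idpVerification": {"certificates": [{"id": cert["id"]}]}})
    # 8. (Optional) map the asserted subject onto the destination user's email; assumed fields.
    client.call("POST", f"/environments/{dst}/identityProviders/{idp['id']}/attributes",
                {"name": "email", "value": "${providerAttributes.saml_subject}"})

    # 9-11. Sign-on policy, IDENTIFIER_FIRST action routing to the IdP, assignment to the app.
    policy = client.call("POST", f"/environments/{dst}/signOnPolicies",
                         {"name": f"Route to {source_name}", "default": False})
    client.call("POST", f"/environments/{dst}/signOnPolicies/{policy['id']}/actions", {
        "priority": 1, "type": "IDENTIFIER_FIRST",
        "discoveryRules": [{"condition": {"contains": "@example.com", "value": "${identifier}"},
                            "identityProvider": {"id": idp["id"]}}]})
    client.call("PUT", f"/environments/{dst}/applications/{dest_app_id}/signOnPolicyAssignments",
                {"signOnPolicy": {"id": policy["id"]}, "priority": 1})
    return {"sourceEnvID": src, "destinationEnvID": dst, "appID": app["id"],
            "certificateID": cert["id"], "providerID": idp["id"], "policyId": policy["id"]}


def make_fake_transport() -> Transport:
    """Constructed stand-in for the PingOne API: canned GETs, minted IDs for POST/PUT."""
    store: Dict[str, List[dict]] = {
        "environments": [{"id": "env-src", "name": "IdP Env"}, {"id": "env-dst", "name": "SP Env"}],
        "keys": [{"id": "key-enc", "usageType": "ENCRYPTION", "default": False},
                 {"id": "key-sig", "usageType": "SIGNING", "default": True}],
    }

    def send(method: str, path: str, body: Optional[dict], accept: Optional[str]) -> Any:
        tail = path.rstrip("/").split("/")[-1]
        if accept == "application/x-pem-file":        # PEM download of a single key
            return "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
        if method == "GET":                            # collection read, HAL style
            return {"_embedded": {tail: store.get(tail, [])}}
        created = {"id": f"{tail}-{len(store.get(tail, [])) + 1}", **(body or {})}
        store.setdefault(tail, []).append(created)     # POST/PUT create and echo the resource
        return created

    return send


if __name__ == "__main__":
    c = PingOneClient(make_fake_transport())
    print(connect_environments(c, "IdP Env", "SP Env", "https://auth.pingone.com", "app-portal"))
    print(*(f"{m} {p}" for m, p, _ in c.log), sep="\n")
```

To run it against a real tenant, replace `make_fake_transport()` with a function that sends the request with a bearer token and returns the parsed JSON (or the PEM text when that Accept header is set); the order of calls and the ID plumbing stay the same.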

Execute the authentication flow

  1. Copy the Self-Service URL for the destination environment. The Self-Service URL is found on the Settings → Environment → Properties page.

  2. Open a private browser window, and enter the Self-Service URL you copied.

  3. Click the button that matches your SAML IdP connection.

  4. Authenticate as a user in the source environment. Depending on your configuration, you may need to perform account linking or user verification.

Click the Run in Postman button below to download the Postman collection for this use case.
