To test the execution of a SAML identity provider connection for an application configured in your PingOne environment, there needs to be a working SAML identity provider somewhere for your environment to communicate with.
The easiest way to do this is by using two PingOne environments. You can then execute an authentication flow for an application in one PingOne environment by using external authentication as a user in a second PingOne environment that acts as the SAML identity provider. You need:
- A destination PingOne environment to act as the service provider for the SAML application. This is the environment you'll use to configure the SAML identity provider connection. Authentication flows in this environment can be configured to allow external authentication.
- A source PingOne environment that will act as the SAML identity provider. Users here will be able to complete authentication flows in the destination environment.
- Cross-environment admin permissions for the destination and source environments.
- A PingOne access token for each environment.
This scenario illustrates the following operations supported by the PingOne APIs:
Workflow order of operations
To test the SAML application connection, the following tasks must be completed successfully:
1. Make a GET request to /environments/{{sourceEnvID}}/keys to get the signing key for the source environment.
   a. Download the PEM or PKCS7 file for the signing key.
2. Make a GET request to /environments to get the environment IDs.
3. Make a POST request to /environments/{{sourceEnvID}}/applications to create a SAML application.
4. (Optional) Make a POST request to /environments/{{sourceEnvID}}/applications/{{appID}}/attributes to add any attribute mappings needed for the source environment application.
5. Make a POST request to /environments/{{destinationEnvID}}/certificates to create a certificate in the destination environment using the PEM or PKCS7 file you downloaded in the initial step.
6. Make a GET request to /environments/{{destinationEnvID}}/certificates to get a certificate for the destination environment to assign to the identity provider you'll create.
7. Make a POST request to /environments/{{destinationEnvID}}/identityProviders to create the SAML identity provider configuration in the destination environment.
8. (Optional) Make a POST request to /environments/{{destinationEnvID}}/identityProviders/{{providerID}}/attributes to add any needed attribute mappings for the identity provider in the destination environment.
9. Make a POST request to /environments/{{destinationEnvID}}/signOnPolicies to create a sign-on policy for the new identity provider in the destination environment.
10. Make a POST request to /environments/{{destinationEnvID}}/signOnPolicies/{{policyID}}/actions to create a new IDENTIFIER_FIRST sign-on policy action associated with the new sign-on policy.
11. Make a PUT request to /environments/{{destinationEnvID}}/applications/{{appID}}/signOnPolicyAssignments to associate this sign-on policy with the specified SAML application.
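The steps above as one script, added here as an example (not PingOne's or this page's own code): it issues the required calls in the documented order, sends each request with the token of the environment it targets, and threads the returned IDs (certificate into the identity provider, identity provider into the policy action, policy into the assignment) into the next call. The base URLs, request body field names, the ACS URL and IdP endpoint patterns, and `dst_app_id` (the destination application whose sign-on policy is being set) are assumptions; the signing-key PEM from step 1a is passed in as text, and the `send` parameter lets you run the sequence offline against a fake transport.

```python
import json
import urllib.request

API = "https://api.pingone.com/v1"  # assumption: API base URL for the NA region
AUTH = "https://auth.pingone.com"   # assumption: auth base URL for the NA region


def http_send(method, url, token, body=None):
    """Real transport: bearer-authenticated JSON over HTTPS (inject a fake to run offline)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def run_workflow(src_env, dst_env, src_token, dst_token, pem, dst_app_id, send=http_send):
    """Run the required steps in the documented order and return the IDs wired together.
    `pem` is the signing-key PEM downloaded in step 1a (the download itself is not modelled).
    Each call carries only the token of the environment it targets. Body field
    names are assumptions; check them against the PingOne API reference."""
    src = lambda m, p, b=None: send(m, f"{API}/environments/{src_env}{p}", src_token, b)
    dst = lambda m, p, b=None: send(m, f"{API}/environments/{dst_env}{p}", dst_token, b)
    keys = src("GET", "/keys")["_embedded"]["keys"]                           # step 1
    signing = next(k for k in keys if k["usageType"] == "SIGNING")
    envs = send("GET", f"{API}/environments", dst_token)["_embedded"]["environments"]  # step 2
    if not {src_env, dst_env} <= {e["id"] for e in envs}:
        raise RuntimeError("destination token does not see both environments")
    sp_app = src("POST", "/applications", {                                    # step 3
        "name": "Destination environment (SP)", "enabled": True, "type": "WEB_APP",
        "protocol": "SAML", "spEntityId": f"{AUTH}/{dst_env}", "assertionDuration": 3600,
        "acsUrls": [f"{AUTH}/{dst_env}/saml20/sp/acs"]})
    cert = dst("POST", "/certificates", {"usageType": "SIGNING", "file": pem})  # step 5
    listed = dst("GET", "/certificates")["_embedded"]["certificates"]           # step 6
    if cert["id"] not in {c["id"] for c in listed}:
        raise RuntimeError("imported certificate is not visible in the destination")
    idp = dst("POST", "/identityProviders", {                                   # step 7
        "name": "Source PingOne environment", "type": "SAML", "enabled": True,
        "idpEntityId": f"{AUTH}/{src_env}", "ssoBinding": "HTTP_POST",
        "ssoEndpoint": f"{AUTH}/{src_env}/saml20/idp/sso",
        "idpVerification": {"certificates": [{"id": cert["id"]}]}})  # trust only this cert
    policy = dst("POST", "/signOnPolicies", {"name": "SAML IdP test", "default": False})  # step 9
    dst("POST", f"/signOnPolicies/{policy['id']}/actions", {                  # step 10
        "priority": 1, "type": "IDENTIFIER_FIRST",
        "discoveryRules": [{"condition": {"contains": "@example.com", "value": "${identifier}"},
                            "identityProvider": {"id": idp["id"]}}]})
    dst("PUT", f"/applications/{dst_app_id}/signOnPolicyAssignments",          # step 11
        [{"priority": 1, "signOnPolicy": {"id": policy["id"]}}])
    return {"signing_key": signing["id"], "sp_app": sp_app["id"], "certificate": cert["id"],
            "identity_provider": idp["id"], "policy": policy["id"]}
```

Run it with real tokens and `send=http_send`, or pass a recording fake as `send` to check the call order and ID wiring before touching either environment.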
Execute the authentication flow
1. Copy the Self-Service URL for the destination environment. The Self-Service URL is found on the Settings → Environment → Properties page.
2. Open a private browser window, and enter the Self-Service URL you copied.
3. Click the button that matches your SAML IdP connection.
4. Authenticate as a user in the source environment. Depending on your configuration, you may need to perform account linking or user verification.
Click the Run in Postman button below to download the Postman collection for this use case.