To test the execution of a SAML identity provider connection for an application configured in your PingOne environment, there needs to be a working SAML identity provider somewhere for your environment to communicate with.

The easiest way to do this is by using two PingOne environments. You can then execute an authentication flow for an application existing in one PingOne environment, by using external authentication as a user in a second PingOne environment acting as the SAML identity provider.

Prerequisites

• A destination PingOne environment to act as the service provider for the SAML application. This is the environment you’ll use to configure the SAML identity provider connection. Authentication flows in this environment can be configured to allow external authentication.

• A source PingOne environment that will act as the SAML identity provider. Users here will be able to complete authentication flows in the destination environment.

• Cross-environment admin permissions for the destination and source environments.

• A PingOne access token for each environment.

This scenario illustrates the following operations supported by the PingOne APIs:

• Get the certificate for the source environment.
• Create a SAML application in the source environment.
• Create a SAML identity provider in the destination environment.
• Create a sign-on policy in the destination environment.
• Create a sign-on policy action to enable the sign-on policy for the SAML identity provider connection.
• Set the sign-on policy as the default for the destination environment.

Workflow order of operations

To test the SAML application connection, the following tasks must be completed successfully:

1. Make a GET request to /environments/{{sourceEnvID}}/keys to get the signing key for the source environment.

   a. Download the PEM or PKCS7 file for the signing key.

2. Make a GET request to /environments to get the environment IDs.

3. Make a POST request to /environments/{{sourceEnvID}}/applications to create a SAML application.

4. (Optional) Make a POST request to/environments/{{sourceEnvID}}/applications/{{appID}}/attributes to any attribute mappings needed for the source environment application.

5. Make a POST request to /environments/{{destinationEnvID}}/certificates to create a certificate in the destination environment using the PEM or PKCS7 file you downloaded in the intial step.

6. Make a GET request to /environments/{{destinationEnvID}}/certificates to get a certificate for the destination environment to assign to the identity provider you’ll create.

7. Make a POST request to /environments/{{destinationEnvID}}/identityProviders to create the SAML identity provider configuration in the destination environment.

8. (Optional) Make a POST request to /environments/{{destinationEnvID}}/identityProviders/{{providerID}}/attributes to add any needed attribute mappings for the identity provider in the destination environment.

9. Make a POST request to /environments/{{destinationEnvID}}/signOnPolicies to create a sign-on policy for the new identity provider in the destination environment.

10. Make a POST request to /environments/{{destinationEnvID}}/signOnPolicies/{{policyID}}/actions to create a new IDENTIFIER_FIRST sign-on policy action associated with the new sign-on policy.

11. Make a PUT request to /environments/{{destinationEnvID}}/applications/{{appID}}/signOnPolicyAssignments to associate this sign-on policy with the specified SAML application.

Execute the authentication flow

1. Copy the Self-Service URL for the destination environment. The Self-Service URL is found on the Settings → Environment → Properties page.

2. Open a private browser window, and enter the Self-Service URL you copied.

3. Click the button that matches your SAML IdP connection.

4. Authenticate as a user in the source environment. Depending on your configuration, you may need to perform account linking or user verification.

Click the Run in Postman button below to download the Postman collection for this use case.