An external identity provider configuration in PingOne to support a SAML identity provider allows users to authenticate and gain access to application resources using a SAML sign-on flow and credentials.

Note: To configure SAML as an external identity provider, you must provide the SAML identity provider’s verification certificate ID, which is used to verify the signature on the signed assertion from the identity provider. You should also provide the service provider’s signing key ID. If you do not provide the signing key, the default signing key for the environment is used.

The SAML identity provider’s verification certificate and the signing key can be imported using the PingOne certificate management service. For information about importing certificates, see Certificate management.

This scenario illustrates the following operations supported by the PingOne APIs:

Create an identity provider configuration
Create a sign-on policy
Create a sign-on policy action
Assign the sign-on policy to an application

Workflow order of operations

To create a sign-on policy that supports a SAML external identity provider, the following tasks must be completed successfully:

Make a POST request to /environments/{{envID}}/certificates to upload the SAML external identity provider’s verification certificate and (optionally) to /environments/{{envID}}/keys to upload the signing key.
Make a POST request to /environments/{{envID}}/identityProviders to create the SAML identity provider configuration.
Make a POST request to /environments/{{envID}}/populations to create a population for users who will use their SAML credentials to sign on.
Make a POST request to /environments/{{envID}}/signOnPolicies to create a new sign-on policy.
Make a POST request to /environments/{{envID}}/signOnPolicies/{{policyID}}/actions to create a new LOGIN sign-on policy action, which is associated with the new sign-on policy.

Click the Run in Postman button below to download the Postman collection for this use case.