This step associates a sign-on policy action with the new sign-on policy you created in Step 4. The POST /environments/{{envID}}/signOnPolicies/{{policyID}}/actions operation creates the sign-on policy action resource, which is associated with the sign-on policy ({{policyID}}) specified in the request URL.

PingOne supports several sign-on policy action types. To establish a SAML username/password login flow, the type property for the action resource associated with the sign-on policy can be set to LOGIN.

For a sign-on action that supports SAML, the sign-on policy action must include the property to specify the SAML identity provider ID that you created in Step 2.

In addition, it is recommended that a sign-on policy that supports a SAML external identity provider also include the registration property to allow automatic account creation and account linking between the user’s identity provider account and the PingOne account. For details about the registration sign-on action and how it relates to account linking, see External identity provider login flow states.

In this sample, the priority property is set to 1, which designates this policy as the first sign-on policy executed, if there is more than one sign-on policy associated with the application. In addition, this action includes the recovery property to enable the password.recover authentication flow, allowing users to recover a forgotten password.