The SAML endpoints are used by SAML applications to initiate sign-on and signoff operations. The SAML service implements functions to initiate SAML 2.0 single sign-on and single logout authentication flows.
The SAML protocol allows clients to obtain a requestor’s authentication state. SAML 2.0 uses security tokens, which contain assertions about the requestor, to pass authentication and authorization information about the requestor between the identity provider and the resource provider.
A SAML SSO authentication request uses the following authentication flow:
<AuthnRequest>
message to be delivered by the user agent to the SAML service endpoint using either HTTP Redirect
or HTTP POST
.environmentId
and flowSessionId
query parameters. The authentication UI uses flow orchestration and action services endpoints to complete the authentication flow. The authentication API checks on every call to ensure that the session token cookie contains the current token for the session associated with the flow. On successful completion of the flow, a new session token is generated for the session and set in the cookie.resume
endpoint of the SAML service.<Response>
message delivered by the user agent to the identity provider using HTTP POST
.The following is a sample SAML assertion generated for an authentication <AuthnRequest>
request:
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="identifier_1"
Version="2.0"
IssueInstant="2004-12-05T09:21:59">
<saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
</samlp:AuthnRequest>
The following data model describes the supported attributes for a SAML <AuthnRequest>
request. For more information see Security Assertion Markup Language (SAML) V2.0 Technical Overview.
Property | Required? | Description |
---|---|---|
id |
Required | The value of the ID attribute in the request. The InResponseTo attribute in the corresponding response must match this value. |
version |
Required | The value should be set to 2.0 . |
IssueInstant |
Required | The time (in UTC) that the request was issued. |
destination |
Required | A URI reference indicating the address to which this request has been sent. It is required if the <AuthnRequest> request, optional otherwise. If submitted, it should match the location at which the message was received. |
consent |
Optional | A string that specifies whether or not (and under what conditions) consent has been obtained from a principal in the sending of this request. |
ForceAuthn |
Optional | A boolean that when set to true specifies that the identity provider must authenticate the presenter directly rather than rely on a previous security context. If a value is not provided, the default value is false . |
IsPassive |
Optional | A boolean that when set to true specifies that the identity provider and the user agent itself must not visibly take control of the user interface from the requester and interact with the presenter in a noticeable fashion. If a value is not provided, the default value is false . |
AssertionConsumerServiceIndex |
Optional | This value specifies the location to which the <Response> message should be returned to the requester. It applies only to profiles in which the requester is different from the presenter. If omitted, then the identity provider must return the <Response> message to the default location associated with the requester for the profile of use. |
AssertionConsumerServiceURL |
Optional | This value specifies the location to which the <Response> message must be returned to the requester. This attribute is mutually exclusive with the AssertionConsumerServiceIndex attribute and is typically accompanied by the ProtocolBinding attribute. |
ProtocolBinding |
Optional | A URI reference that identifies a SAML protocol binding used when returning the <Response> message. This attribute is mutually exclusive with the AssertionConsumerServiceIndex attribute and is typically accompanied by the AssertionConsumerServiceURL attribute. |
ProviderName |
Optional | This value specifies the human-readable name of the requester. It is used only for logging purposes, if available and if needed. |
<saml:Issuer> |
Required | This value specifies the service provider (9)SP) Entity ID. It identifies the entity that generated the request message. This should be treated as the client_id . |
<ds:Signature> |
Optional | An XML Signature that authenticates the requester and provides message integrity. |
<RequestedAuthnContext> |
Optional | A value that specifies the requirements, if any, that the requester places on the authentication context that applies to the responding provider’s authentication of the presenter. |
<saml:Subject> |
Optional | A value that specifies the requested subject that names the actual identity about which it wishes to receive an assertion. |
<NameIDPolicy> |
Optional | A value that specifies the constraints on the name identifier to be used to represent the requested subject. |
<saml:Conditions> |
Optional | A value that specifies the SAML conditions the requester expects to limit the validity and/or use of the resulting assertion (or assertions). |
<Scoping> |
Optional | A value that specifies a set of identity providers trusted by the requester to authenticate the presenter, as well as limitations and context related to proxying of the <AuthnRequest> message to subsequent identity providers by the responder. |
The following is a sample SAML assertion response:
<samlp:Response
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="identifier_2"
InResponseTo="identifier_1"
Version="2.0"
IssueInstant="2004-12-05T09:22:05"
Destination="https://sp.example.com/SAML2/SSO/POST">
<saml:Issuer>https://auth.pingone.com/{{envID}}</saml:Issuer>
<samlp:Status>
<samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="identifier_4"
Version="2.0"
IssueInstant="2004-12-05T09:22:05">
<saml:Issuer>https://auth.pingone.com/{{envID}}</saml:Issuer>
<!-- a POSTed assertion MUST be signed -->
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
<saml:Subject>
<saml:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
3f7b3dcf-1674-4ecd-92c8-1544f346baf8
</saml:NameID>
<saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData
InResponseTo="identifier_1"
Recipient="https://sp.example.com/SAML2/SSO/POST"
NotOnOrAfter="2004-12-05T09:27:05"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions
NotBefore="2004-12-05T09:17:05"
NotOnOrAfter="2004-12-05T09:27:05">
<saml:AudienceRestriction>
<saml:Audience>https://sp.example.com/SAML2</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement
AuthnInstant="2004-12-05T09:22:00"
SessionIndex="identifier_3">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
IdP-initiated SSO allows users to authenticate through their identity provider, which then issues and signs SAML assertions to service providers. This allows users to access multiple applications and services with a single authentication.
IdP-Initiated SSO uses the following flow:
IdP-Initiated SSO has the following benefits:
You can start the IdP-Initiated SSO authentication session using the Get Identity Provider Initiated SSO request.
A SAML single logout (SLO) operation uses the following flow:
<LogoutRequest>
message to the identity provider that sent the corresponding <AuthnRequest>
authentication assertion.Set-Cookie
in the response to immediately expire the session cookie.<LogoutRequest>
message to determine the session(s) being terminated.<LogoutResponse>
message to the original requesting session participant.The following workflow outlines the interaction between PingOne applications and DaVinci flows and flow policies.
PingOne applications support a configuration option to assign DaVinci flow policies to the application. For information about creating DaVinci flows and flow policies, see Getting Started with DaVinci. For information on designating a DaVinci flow as a PingOne flow, see Setting a trigger type on the flow.
The SAML SSO service retrieves the application configuration data. Based on the configuration, the application can use either a PingOne sign-on policy or a DaVinci flow policy to determine the sign-on workflow. To assign DaVinci flow policies to applications, see Application Flow Policy Assignments.
For DaVinci flow policy use cases, the DaVinci widget renders the sign-on flow page. For more information about DaVinci widgets, see Launching a flow with the widget in the PingOne admin documentation.
The DaVinci widget manages the flow, and after the flow completes, the PingOne SSO Connector creates a session and passes control back to the protocol service.
The SAML SSO service processes the response, performs attribute mapping using user attributes from the PingOne directory, creates a SAMLResponse, and sends it to the SAML application.
The application continues its normal flow, calling the PingOne token endpoint to obtain the tokens.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
acsUrls |
URL | Required | Mutable | The Assertion Consumer Service URLs. The first URL in the list is used as default. There must be at least one URL. |
assertionDuration |
Integer | Required | Mutable | The assertion validity duration in seconds. |
assertionSigned |
Boolean | Optional | Mutable | Whether the SAML assertion itself should be signed. The default value is true . |
defaultTargetUrl |
String | Optional | Mutable | A URL that sets the relay state if the identity provider does not include an applicationUrl query parameter in its /{{envID}}/saml20/idp/startsso request. |
description |
String | Optional | Mutable | A description of the resource. |
enabled |
Boolean | Optional | Mutable | Whether the application is enabled. The default is false if this value is not set. |
icon.id |
String | Optional | Mutable | The icon resource’s unique identifier. |
icon.href |
String | Optional | Mutable | The URL of the icon resource. |
id |
String | Required | Immutable | The resource’s unique identifier. |
idpSigning.key.id |
String | Optional | Mutable | The certificate to be used by the identity provider to sign assertions and responses. If this property is omitted, the default signing certificate for the environment is used. |
loginPageUrl |
String | Optional | Mutable | The URL of the authentication flow UI that this application uses to interact with the end-user through the authentication flow. If a URL is not specified, the default PingOne hosted UI is used. |
name |
String | Required | Mutable | The name of SAML attribute and should be unique within an environment. Note that samlAssertion.subject is a reserved case-insensitive name that indicates the mapping to be used for the subject in the assertion. |
protocol |
String | Required | Mutable | The protocol used by the application. This value determines the set of additional protocol specific properties, links, and embedded resources associated with the resource. Options are OPENID_CONNECT and SAML . |
RelayState |
String | Required | Mutable | The target application ID for SAML assertions used in IdP-initiated SSO. |
responseSigned |
Boolean | Optional | Mutable | Whether the SAML assertion response itself should be signed. The default value is false . |
returnUrl |
String | Optional | Mutable | The endpoint of the PingOne SSO Connector receiving the ppmResponse from the PingOne SAML SSO service. This is strictly validated based on configuration. |
sloBinding |
String | Optional | Mutable | The binding protocol to be used for the logout response. Options are HTTP_REDIRECT or HTTP_POST . The default is HTTP_POST . Existing configurations with no data default to HTTP_POST . |
sloEndpoint |
URL | Optional | Mutable | The logout endpoint URL. If a sloEndpoint logout endpoint URL is not defined, logout actions result in an error. |
sloResponseEndpoint |
URL | Optional | Mutable | The endpoint URL to submit the logout response. If a value is not provided, the sloEndpoint property value is used to submit SLO response. |
spEntityId |
String | Required | Immutable | The service provider entity ID used to lookup the application. This is a required property and is unique within the environment. |
spVerification.cert.id |
String | Optional | Mutable | The certificate ID used to verify the service provider signature. |
You can configure SAML applications for access control by setting the accessControl
properties on the application. For more information about accessControl
properties, see Application Operations. When accessControl
properties are set for an application, the user must meet the requirements specified by these application properties. If the user attempts to authenticate, then the application’s accessControl
conditions are evaluated before creating an assertion.
An assertion is created if the user meets the the application’s access control conditions. If the conditions are not met, then an authorization failed error is returned with the top level code urn:oasis:names:tc:SAML:2.0:status:Responder
and the second level code urn:oasis:names:tc:SAML:2.0:status:RequestDenied
. If access is denied, a USER.ACCESS_DENIED
event is published; otherwise, a USER.ACCESS_ALLOWED
event is published.
For more information, see Control access to applications through roles and groups.
To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.
Service | Event |
---|---|
applications | ATTRIBUTE.CREATED |
applications | ATTRIBUTE.UPDATED |
applications | ATTRIBUTE.DELETED |
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
400 | The request could not be completed. |
401 | You weren’t authenticated to perform this operation. |
404 | The requested resource was not found. |