The SAML endpoints are used by SAML applications to initiate sign-on and sign-off operations. The SAML service implements functions to initiate SAML 2.0 single sign-on and single logout authentication flows.

SAML data model

| Property | Description |
| --- | --- |
| acsUrls | A string that specifies the Assertion Consumer Service URLs. The first URL in the list is used as the default (there must be at least one URL). This is a required property. |
| assertionDuration | An integer that specifies the assertion validity duration in seconds. This is a required property. |
| assertionSigned | A boolean that specifies whether the SAML assertion itself should be signed. The default value is true. |
| description | A string that provides a description of the resource. |
| enabled | A boolean that specifies whether the application is enabled. The default is FALSE if this value is not set. |
| icon.id | A string that specifies the icon resource's unique identifier. |
| icon.href | A string that specifies the URL to the icon resource. |
| id | A string that specifies the resource's unique identifier. |
| idpSigning.key.id | A string that specifies the certificate to be used by the identity provider to sign assertions and responses. If this property is omitted, the default signing certificate for the environment is used. |
| loginPageUrl | A string that specifies the URL of the authentication flow UI that this application uses to interact with the end user through the authentication flow. If a URL is not specified, the default PingOne hosted UI is used. |
| name | A string that specifies the name of the SAML attribute and should be unique within an environment. Note that samlAssertion.subject is a reserved case-insensitive name that indicates the mapping to be used for the subject in the assertion. This is a required property. |
| protocol | A string that specifies the protocol used by the application. This value determines the set of additional protocol-specific properties, links, and embedded resources associated with the resource. Options are OPENID_CONNECT and SAML. |
| responseSigned | A boolean that specifies whether the SAML assertion response itself should be signed. The default value is false. |
| sloBinding | A string that specifies the binding protocol to be used for the logout response. Options are HTTP_REDIRECT or HTTP_POST. The default is HTTP_POST; existing configurations with no data default to HTTP_POST. This is an optional property. |
| sloEndpoint | A string that specifies the logout endpoint URL. This is an optional property. However, if a sloEndpoint logout endpoint URL is not defined, logout actions result in an error. |
| sloResponseEndpoint | A string that specifies the endpoint URL to submit the logout response. If a value is not provided, the sloEndpoint property value is used to submit the SLO response. |
| spEntityId | A string that specifies the service provider entity ID used to look up the application. This is a required property and is unique within the environment. |
| spVerification.cert.id | A string that specifies the certificate ID used to verify the service provider signature. |
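The defaults and fallbacks in the table (enabled off unless set, assertionSigned on, responseSigned off, sloBinding HTTP_POST, sloResponseEndpoint falling back to sloEndpoint, and logout failing without an sloEndpoint) are easy to get wrong when an application is provisioned by script. The following validator is an added example, not PingOne's own code: it assumes the application is a plain dict keyed by the property names above, with dotted properties such as spVerification.cert.id stored as nested dicts, and the review_findings checks are general SAML hygiene rather than rules stated on the page.

```python
"""Validator for the SAML application data model in the table above.

Added example (not PingOne's own code). It assumes the application is supplied
as a plain dict keyed by the property names in the table, with the dotted
properties (icon.id, idpSigning.key.id, spVerification.cert.id) stored as
nested dicts. Defaults and fallbacks follow the table; the review_findings
checks are general SAML hygiene, not rules stated on the page.
"""
from typing import Any

REQUIRED = ("name", "acsUrls", "assertionDuration", "spEntityId")
PROTOCOLS = ("OPENID_CONNECT", "SAML")
SLO_BINDINGS = ("HTTP_REDIRECT", "HTTP_POST")


def _get_path(app: dict[str, Any], dotted: str) -> Any:
    """Look up a dotted property such as 'spVerification.cert.id'."""
    node: Any = app
    for part in dotted.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def normalize_saml_app(app: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of app with the documented defaults applied.

    Raises ValueError when a required property is missing or a value is
    outside the documented options.
    """
    missing = [p for p in REQUIRED if app.get(p) in (None, "", [])]
    if missing:
        raise ValueError(f"missing required properties: {missing}")
    out = dict(app)

    # acsUrls: at least one URL; the first one is the default ACS URL
    acs = app["acsUrls"]
    out["acsUrls"] = [acs] if isinstance(acs, str) else list(acs)
    if not out["acsUrls"]:
        raise ValueError("acsUrls must contain at least one URL")

    # assertionDuration is an integer number of seconds
    duration = app["assertionDuration"]
    if isinstance(duration, bool) or not isinstance(duration, int) or duration <= 0:
        raise ValueError("assertionDuration must be a positive integer (seconds)")

    if app.get("protocol") is not None and app["protocol"] not in PROTOCOLS:
        raise ValueError(f"protocol must be one of {PROTOCOLS}")

    # Documented defaults
    out.setdefault("enabled", False)
    out.setdefault("assertionSigned", True)
    out.setdefault("responseSigned", False)
    out.setdefault("sloBinding", "HTTP_POST")
    if out["sloBinding"] not in SLO_BINDINGS:
        raise ValueError(f"sloBinding must be one of {SLO_BINDINGS}")

    # sloResponseEndpoint falls back to sloEndpoint when not provided
    if not out.get("sloResponseEndpoint") and out.get("sloEndpoint"):
        out["sloResponseEndpoint"] = out["sloEndpoint"]
    return out


def logout_target(app: dict[str, Any]) -> tuple[str, str]:
    """Return (binding, url) the logout response is sent with.

    Mirrors the table: without an sloEndpoint, logout actions are an error.
    """
    norm = normalize_saml_app(app)
    if not norm.get("sloEndpoint"):
        raise ValueError("sloEndpoint is not defined; logout actions result in an error")
    return norm["sloBinding"], norm["sloResponseEndpoint"]


def review_findings(app: dict[str, Any]) -> list[str]:
    """Configuration review warnings (general SAML checks, not from the page)."""
    norm = normalize_saml_app(app)
    findings = []
    if not norm["assertionSigned"] and not norm["responseSigned"]:
        findings.append("neither the assertion nor the response is signed; "
                        "the service provider cannot verify integrity")
    if _get_path(norm, "spVerification.cert.id") is None:
        findings.append("spVerification.cert.id is unset; "
                        "service provider signatures cannot be verified")
    if not norm.get("sloEndpoint"):
        findings.append("sloEndpoint is unset; logout actions will fail")
    for url in norm["acsUrls"]:
        if not url.startswith("https://"):
            findings.append(f"ACS URL is not https: {url}")
    return findings
```

Run normalize_saml_app on the payload before submitting it and review_findings as a pre-deployment gate; the first function only enforces what the table documents, while the second is where an organisation's own policy (for example, requiring a signed response) would be added.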

Application access control conditions

You can configure SAML applications for access control by setting the accessControl properties on the application. For more information about accessControl properties, see Applications. When accessControl properties are set for an application, the user must meet the requirements specified by these application properties. If the user attempts to authenticate, then the application’s accessControl conditions are evaluated before creating an assertion.

An assertion is created if the user meets the application's access control conditions. If the conditions are not met, then an authorization failed error is returned with the top-level code urn:oasis:names:tc:SAML:2.0:status:Responder and the second-level code urn:oasis:names:tc:SAML:2.0:status:RequestDenied. If access is denied, a USER.ACCESS_DENIED event is published; otherwise, a USER.ACCESS_ALLOWED event is published.

For more information, see Control access to applications through roles and groups.
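On the service provider side, an access-control denial arrives as a SAML Response whose Status carries the nested Responder/RequestDenied pair described above, so the SP needs to read both levels rather than just the outer code. The parser below is an added example, not PingOne's own code: the two response documents are constructed for the example, only the status URNs and event names come from the page, and expected_idp_event simply names the audit event the page says the identity provider publishes so an SP-side failure can be matched against the IdP event stream.

```python
"""Classify the Status element of a SAML 2.0 Response.

Added example (not PingOne's own code). The response XML below is constructed
for the example; only the status URNs and event names come from the page.
parse_status is the service-provider view of the access-control outcome
described above, and expected_idp_event names the audit event the page says
the identity provider publishes for that outcome.
"""
import xml.etree.ElementTree as ET
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"

# Constructed sample: an access-control denial as described on the page
DENIED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_example1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="{STATUS_RESPONDER}">
      <samlp:StatusCode Value="{STATUS_REQUEST_DENIED}"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Authorization failed</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

# Constructed sample: a successful response (assertion omitted for brevity)
SUCCESS_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_example2" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
</samlp:Response>"""


def parse_status(response_xml: str) -> dict:
    """Extract the top-level and second-level status codes.

    Returns a dict with keys top, second, message, success and access_denied.
    xml.etree keeps the example self-contained; when parsing input from the
    network, prefer defusedxml, which hardens the parser against
    entity-expansion attacks.
    """
    root = ET.fromstring(response_xml)
    status = root.find(f"{{{SAMLP}}}Status")
    if status is None:
        raise ValueError("response has no samlp:Status element")
    top = status.find(f"{{{SAMLP}}}StatusCode")
    if top is None or top.get("Value") is None:
        raise ValueError("samlp:Status has no top-level StatusCode")
    # The second-level code is a StatusCode nested inside the top-level one
    second = top.find(f"{{{SAMLP}}}StatusCode")
    top_code = top.get("Value")
    second_code = second.get("Value") if second is not None else None
    return {
        "top": top_code,
        "second": second_code,
        "message": status.findtext(f"{{{SAMLP}}}StatusMessage"),
        "success": top_code == STATUS_SUCCESS,
        "access_denied": top_code == STATUS_RESPONDER
        and second_code == STATUS_REQUEST_DENIED,
    }


def expected_idp_event(status: dict) -> Optional[str]:
    """Name the audit event the page says the IdP publishes for this outcome.

    Any other failure is not an access-control decision, so no event is named.
    """
    if status["access_denied"]:
        return "USER.ACCESS_DENIED"
    if status["success"]:
        return "USER.ACCESS_ALLOWED"
    return None
```

When an SP logs a RequestDenied result, the matching USER.ACCESS_DENIED event on the identity provider is the record to look for; a denial on the SP with no corresponding IdP event, or the reverse, is the discrepancy worth investigating.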

Response codes

| Code | Message |
| --- | --- |
| 200 | Successful operation. |
| 201 | Successfully created. |
| 400 | The request could not be completed. |
| 401 | You weren't authenticated to perform this operation. |
| 404 | The requested resource was not found. |