For information about the authorization flow for a SAML authentication request, see SAML authentication requests.

The GET /{environmentId}/saml20/idp/sso operation initiates the SAML single sign-on action through a GET request. In the request URL, the SAMLRequest parameter contains the encoded SAML authentication request information.

Here is a sample SAML <AuthnRequest> in plain text:

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:21:59">
    <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
</samlp:AuthnRequest>
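The following added example (not PingOne's code) shows how a receiver can decode a `SAMLRequest` query parameter defensively: one parameter only, strict base64, a cap on inflated size, and no DTD before XML parsing. It assumes the standard SAML 2.0 HTTP-Redirect encoding (raw DEFLATE, then base64, then URL-encoding), which the page does not spell out; `idp.example.com`, `ENV_ID`, the 64 KiB cap and the function names are placeholders chosen for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_XML_BYTES = 64 * 1024  # assumed cap; an AuthnRequest is normally far smaller

# Constructed sample: the AuthnRequest shown above, on one line.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="identifier_1" '
    'Version="2.0" IssueInstant="2004-12-05T09:21:59">'
    '<saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>'
    '</samlp:AuthnRequest>')

def build_sso_url(xml_text):
    """Encode an AuthnRequest into a GET URL (raw DEFLATE, base64, URL-encode)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = no zlib header
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    # Placeholder host and environment ID, not real PingOne values.
    return ("https://idp.example.com/ENV_ID/saml20/idp/sso?"
            + urlencode({"SAMLRequest": base64.b64encode(raw).decode("ascii")}))

def decode_saml_request(url):
    """Return ID, Version, IssueInstant and Issuer from the URL's SAMLRequest."""
    values = parse_qs(urlsplit(url).query).get("SAMLRequest", [])
    if len(values) != 1:
        raise ValueError("expected exactly one SAMLRequest parameter")
    raw = base64.b64decode(values[0], validate=True)
    inflater = zlib.decompressobj(-15)
    data = inflater.decompress(raw, MAX_XML_BYTES + 1)  # bounded inflate
    if len(data) > MAX_XML_BYTES:
        raise ValueError("inflated request exceeds size cap")
    text = data.decode("utf-8")  # strict: rejects non-UTF-8 payloads
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD declarations are not allowed")
    root = ET.fromstring(text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"] or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return {"ID": root.get("ID"), "IssueInstant": root.get("IssueInstant"),
            "Issuer": root.findtext("saml:Issuer", namespaces=NS)}
```

The returned `Issuer` is only a claim at this point; it still has to be matched against a registered service provider before the request is trusted.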

For SAML assertions, PingOne supports the following Subject NameID formats:

| Format | Description |
| --- | --- |
| urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified | The Subject’s NameID format is not specified. |
| urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress | The Subject’s NameID format is in the form of an email address. |
| urn:oasis:names:tc:SAML:2.0:nameid-format:persistent | The Subject’s NameID format is an opaque unique identifier for a user that retains the same value over time. |
| urn:oasis:names:tc:SAML:2.0:nameid-format:transient | The Subject’s NameID format is a randomly generated identifier. A different value is used for each SSO for a given user. |