The identity provider endpoints manage external identity provider configurations. It is one of several related services that enable the social login and inbound SAML login features in PingOne. An identity provider configuration allows linked users to authenticate and gain access to PingOne resources using the login flow and credentials provided by the external identity provider.

PingOne supports several external identity providers. Identity provider resources in PingOne configure the external identity provider settings, which include the type of provider and the user attributes from the external identity provider that are mapped to PingOne user attributes.

The mapping attribute placeholder value must be expressed using the following syntax in the request body:

${providerAttributes.<IdP attribute name>}

Base identity provider data model

Property Description
authoritative A boolean that specifies whether the identity provider is another way to sign in (value: false) or the identity provider is the only way to sign in (value: true). The default value is false.
authority.condition An object that specifies the condition in which this identity provider should be used to authenticate a user. At this time, the authority.condition attribute only supports the contains operator in value comparison rules against the ${username} or ${user.email} attributes nested in an or rule. For more information about policy condition syntax, see Sign-on policy action conditions.
description A string that specifies the description of the identity provider.
enabled A string that specifies the current enabled state of the identity provider. Options are ENABLED or DISABLED.
environment.id A string that specifies the environment associated with the identity provider resource.
icon.id The ID for the identity provider icon.
icon.href The HREF for the identity provider icon.
id A string that specifies the resource ID.
loginButtonIcon.id The image ID for the identity provider login button icon. For Facebook, Google, and LinkedIn identity providers, updates to the login button are ignored to preserve the identity provider’s branding rules.
loginButtonIcon.href The HREF for the identity provider login button icon image file. For Facebook, Google, and LinkedIn identity providers, updates to the login button are ignored to preserve the identity provider’s branding rules.
name A string that specifies the name of the identity provider. This is a required property.
type A string that specifies the identity provider type. This is a required property. Options are FACEBOOK, GOOGLE, LINKEDIN, OPENID_CONNECT, LDAP, APPLE, AMAZON, TWITTER, YAHOO, and SAML.

Mapping attributes data model

Property Description
mappingType A string that specifies the mapping type. Options are: CORE (This attribute is required by the schema and cannot be removed. The name and update properties cannot be changed.) or CUSTOM (All user-created attributes are of this type.)
name A string that specifies the user attribute, which is unique per provider. The attribute must not be defined as read only in the user schema or be of type COMPLEX in the user schema. Valid examples: username and name.first. The following attributes may not be used: account, id, created, updated, lifecycle, mfaEnabled, and enabled.
value A string that specifies a placeholder referring to the attribute (or attributes) from the provider. Placeholders must be valid for the attributes returned by the identity provider type and use the ${} syntax (for example, username="${email}"). For SAML, any placeholder is acceptable, and it is mapped against the attributes available in the SAML assertion after authentication. The ${samlAssertion.subject} placeholder is a special reserved placeholder used to refer to the subject name ID in the SAML assertion response.
update A string that specifies whether to update the user attribute in the directory with the non-empty mapped value from the identity provider. Options are: EMPTY_ONLY (only update the user attribute if it has an empty value); ALWAYS (always update the user attribute value).

Attribute type mapping rules

User attribute type | Provider JSON value type | Result
String | * | Valid. The value is cast at runtime, as necessary.
Complex | * | Error
Boolean | Boolean | Valid
Boolean | * | Error
JSON | Object | Valid
JSON | * | Error
JSON (sub-attribute) | * | Valid
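The mapping attributes data model and the attribute type mapping rules above can be checked before a configuration is submitted. The following is an added example, not PingOne code or part of its API: it encodes the reserved attribute names, the update options, the placeholder syntax and the type-compatibility table from this page, and resolves the EMPTY_ONLY / ALWAYS update behaviour for a mapped value. The user and provider type names are taken from the table; the validation function and its error strings are this example's own.

```python
import re
from typing import Optional

# Reserved user attributes that may not be mapped from an external provider (from this page).
# Keeping mfaEnabled and enabled out of IdP control matters: otherwise the external IdP
# could switch off MFA or re-enable a disabled account through a mapping.
RESERVED_NAMES = {"account", "id", "created", "updated", "lifecycle", "mfaEnabled", "enabled"}
UPDATE_OPTIONS = {"EMPTY_ONLY", "ALWAYS"}
MAPPING_TYPES = {"CORE", "CUSTOM"}
PLACEHOLDER = re.compile(r"\$\{[^}]+\}")   # ${providerAttributes.x} or ${samlAssertion.subject}


def type_mapping_valid(user_type: str, provider_type: str) -> bool:
    """Apply the attribute type mapping rules table: True when the pair is Valid."""
    if user_type == "String":
        return True                       # any provider value; cast at runtime
    if user_type == "Complex":
        return False                      # Complex attributes can never be mapped
    if user_type == "Boolean":
        return provider_type == "Boolean"
    if user_type == "JSON":
        return provider_type == "Object"
    if user_type == "JSON (sub-attribute)":
        return True
    return False                          # unknown user attribute type: reject


def validate_mapping(mapping: dict, user_type: str, provider_type: str) -> list:
    """Return a list of problems with one mapping entry; an empty list means it is acceptable."""
    problems = []
    name = mapping.get("name", "")
    if name in RESERVED_NAMES:
        problems.append(f"'{name}' may not be mapped from an external provider")
    if mapping.get("mappingType") not in MAPPING_TYPES:
        problems.append("mappingType must be CORE or CUSTOM")
    if mapping.get("update") not in UPDATE_OPTIONS:
        problems.append("update must be EMPTY_ONLY or ALWAYS")
    if not PLACEHOLDER.search(mapping.get("value", "")):
        problems.append("value must contain a ${...} placeholder")
    if not type_mapping_valid(user_type, provider_type):
        problems.append(f"a {provider_type} provider value cannot populate a {user_type} attribute")
    return problems


def apply_update(policy: str, current: Optional[str], mapped: Optional[str]) -> Optional[str]:
    """Resolve the directory value under the page's update semantics."""
    if not mapped:                        # only a non-empty mapped value is ever written
        return current
    if policy == "ALWAYS" or not current:  # EMPTY_ONLY writes only when the attribute is empty
        return mapped
    return current
```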

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.
500 An unexpected error occurred.