If SAML is specified as the external identity provider, any SAML attribute defined in the assertion can be used as the mapping attribute placeholder value.

The placeholder value must use the following syntax:

${providerAttributes.<SAML attribute name>}

When you create a new SAML identity provider entity, the POST request automatically maps the PingOne username attribute to the SAML samlAssertion.subject attribute. The username attribute is the core mapping attribute; the default SAML attribute value is ${samlAssertion.subject}, which is a special reserved placeholder to refer to the subject name ID in the SAML assertion response.

SAML attributes can be mapped to any searchable PingOne user attribute, such as username, name.family, name.given, email, phone, externalId, or population.id.

The following sample shows the request body to map the PingOne externalId attribute to an externalId attribute defined in the SAML assertion.

{
	"name": "externalId",
	"value": "${providerAttributes.samlAssertion.externalId}",
	"update": "EMPTY_ONLY"
}

The sample shows the request with the type property set to SAML. In addition, this sample uses an expand filter in the request URL to show SAML attribute details.

Note: The _embedded attribute in the response lists the SAML attribute mapping resources associated with the new identity provider resource. This particular identity provider has only the default mapping, in which the PingOne username attribute is mapped to the ${samlAssertion.subject} SAML attribute.
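
The following is a local model of how these mappings resolve, added here as an illustration and not PingOne code: it expands the two placeholder forms against a constructed assertion and applies each mapping's update rule to a new user and to an existing one. The function names and sample data are assumptions, as are the modeled semantics of EMPTY_ONLY (write only when the user attribute is empty) and of ALWAYS, the other update option in the PingOne API, which this page does not show.

```python
import re

# ${samlAssertion.subject} is the reserved subject placeholder; any other
# assertion attribute is referenced as ${providerAttributes.<name>}.
PLACEHOLDER = re.compile(
    r"^\$\{(?:(samlAssertion\.subject)|providerAttributes\.([^}]+))\}$")


def resolve(value, subject, attributes):
    """Return the value a placeholder selects, or None if the assertion lacks it."""
    m = PLACEHOLDER.match(value)
    if m is None:
        raise ValueError(f"not a SAML mapping placeholder: {value!r}")
    return subject if m.group(1) else attributes.get(m.group(2))


def apply_mappings(user, mappings, subject, attributes):
    """Return a copy of user after applying each mapping's update rule."""
    updated = dict(user)
    for mapping in mappings:
        if mapping["update"] not in ("EMPTY_ONLY", "ALWAYS"):
            raise ValueError(f"unknown update mode: {mapping['update']!r}")
        incoming = resolve(mapping["value"], subject, attributes)
        if not incoming:
            continue  # nothing asserted: leave the stored value untouched
        # Assumed semantics: EMPTY_ONLY never overwrites a populated attribute.
        if mapping["update"] == "ALWAYS" or not updated.get(mapping["name"]):
            updated[mapping["name"]] = incoming
    return updated


# Constructed sample data, not taken from the page.
SUBJECT = "jdoe@idp.example"
ATTRIBUTES = {"externalId": "idp-7781", "mail": "jdoe@idp.example"}
MAPPINGS = [
    {"name": "username", "value": "${samlAssertion.subject}", "update": "EMPTY_ONLY"},
    {"name": "externalId", "value": "${providerAttributes.externalId}", "update": "EMPTY_ONLY"},
    {"name": "email", "value": "${providerAttributes.mail}", "update": "ALWAYS"},
]
EXISTING_USER = {"username": "jdoe", "externalId": "hr-0042", "email": "old@corp.example"}

if __name__ == "__main__":
    print(apply_mappings({}, MAPPINGS, SUBJECT, ATTRIBUTES))
    print(apply_mappings(EXISTING_USER, MAPPINGS, SUBJECT, ATTRIBUTES))
```

In this model, the existing user keeps its stored username and externalId, while the email mapped with ALWAYS takes whatever value the identity provider asserts at each sign-on.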

SAML service provider settings data model

Property Description
authnRequestSigned A boolean that specifies whether the SAML authentication request is signed when it is sent to the identity provider.
idpEntityId A string that specifies the entity ID URI that is checked against the issuerId tag in the incoming response.
idpVerification.certificates[].id An array that specifies the identity provider’s certificate IDs used to verify the signature on the signed assertion from the identity provider. Signing is done with a private key and verified with a public key.
spEntityId A string that specifies the service provider’s entity ID, used to look up the application.
spSigning.key.id A string that specifies the service provider’s signing key ID.
ssoBinding A string that specifies the binding for the authentication request. Options are HTTP_POST and HTTP_REDIRECT.
ssoEndpoint A string that specifies the SSO endpoint for the authentication request.

SAML core attributes

Property Description
username A string that specifies the core SAML attribute. The default value is ${samlAssertion.subject} and the default update value is EMPTY_ONLY.