SAML IdP Connector
The Security Assertion Markup Language (SAML) IdP connector lets you authenticate users with a SAML IdP-based identity provider in your PingOne DaVinci flow.
SAML 2.0 is a well-supported standard for authentication and authorization. You can use this connector to show a customizable sign-on button that allows your users to authenticate with your organization’s SAML IdP identity provider.
Setup
Requirements
To use the connector, you’ll need administrator access to your identity provider’s SAML IdP configuration.
Configuring the SAML IdP connector
Add the connector in DaVinci as shown in Adding a connector, then configure it as follows.
Connector configuration
Consult your identity provider’s documentation for help finding and configuring your SAML IdP settings.
DaVinci SAML SP Metadata URL
Your DaVinci SAML IdP SP Metadata URL. This allows an identity provider to redirect the browser back to DaVinci. Enter this URL in your provider’s SAML IdP configuration.
Identity Provider SAML Metadata
This field accepts the SAML IdP metadata provided by your identity provider. This information should be available in your identity provider’s SAML IdP configuration.
The connector does not support the following in the Identity Provider SAML Metadata field:
Application Redirect URL
Your application’s redirect URL, such as "https://app.yourorganization.com/". Enter this URL if you embed the DaVinci widget in your application. This allows DaVinci to redirect the browser back to your application.
Using the connector in a flow
Authenticating users
The Sign On with SAML Identity Provider capability lets you show a customizable sign-on button in your flow. When a user clicks this button, the connector sends a SAML authentication request to your configured SAML provider.
You can configure standard SAML parameters, such as relayState and notBeforeSkew. For help with these, consult your preferred SAML documentation.
No special configuration is needed. Add the capability and populate its properties according to the help text.
Capabilities
Sign On with SAML Identity Provider
Authenticate the user with an identity provider that supports SAML.
- Properties
  - Sign On with SAML IdP (button)
  - signRequest (toggleSwitch): When enabled, DaVinci signs the SAML request using the X.509 certificate. The certificate is provided to the identity provider through the DaVinci SAML SP Metadata URL, which is available in the connector settings.
  - nameIdFormat (dropDown): Select the name format used by the identity provider.
  - Force Authentication (toggleSwitch): When enabled, the user must re-authenticate even if they have an existing session. Enable this for high-value and high-risk transactions.
  - Authentication Context Class Reference (textArea): The Context Class Reference to use for the transaction, such as "{ "comparison": "exact", "class_refs": ["urn:oasis:names:tc:SAML:2.0:ac:classes:Password"] }". This allows you to define the type of authentication required for the transaction.
  - requireSessionIndex (toggleSwitch): When enabled, a unique session identifier is carried through the authentication process and allows DaVinci to identify the user’s session. Enable this for improved security.
  - Allow Unencrypted Assertions (toggleSwitch): When enabled, DaVinci accepts SAML assertions from the identity provider that are not encrypted. Only enable this for low-risk transactions in an environment where encryption is not possible.
  - RelayState Parameter (textField): Optional information to include when sending the SAML request to the identity provider, formatted as a URL. This information is included in the response from the identity provider.
  - Audience Parameter (textField): The audience value to provide in the SAML request, such as "https://sp.example.com". This value must match one of the audiences listed in the SAML assertion. When this field is blank, the connector uses the DaVinci entity ID.
  - NotBeforeSkew Parameter (textField): The allowable difference in time between when a SAML assertion becomes valid and the current time, in seconds. Use this to accommodate differences in clock time between systems.
  - showPoweredBy (toggleSwitch)
  - skipButtonPress (toggleSwitch)
- Output Schema
  - output (object)
  - rawResponse (object)
  - properties (object)
  - response_header (object)
  - properties (object)
  - version (string)
  - destination (string)
  - in_response_to (string)
  - id (string)
  - version
  - type (string)
  - user (object)
  - properties (object)
  - name_id (string)
  - session_index (string)
  - given_name (string)
  - surname (string)
  - email (string)
  - name (string)
  - attributes (object)
  - properties (object)
  - name_id
  - tenantid (string)
  - objectidentifier (string)
  - displayname (string)
  - identityprovider (string)
  - authnmethodsreferences (array)
  - items (array)
  - type (string)
  - givenname (string)
  - surname (string)
  - emailaddress (string)
  - name (string)
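As an added example (not DaVinci's own code), the following Python function applies the Audience Parameter, NotBeforeSkew Parameter, Allow Unencrypted Assertions, requireSessionIndex and Authentication Context Class Reference settings described above to a received SAML Response and returns the policy violations a service provider would reject on. The settings dictionary, function names and the sample response are constructed for illustration; XML signature verification is out of scope.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SETTINGS = {  # hypothetical settings mirroring the capability's properties on this page
    "audience": "https://sp.example.com",          # Audience Parameter
    "notBeforeSkew": 120,                          # NotBeforeSkew Parameter, in seconds
    "allowUnencryptedAssertions": False,           # Allow Unencrypted Assertions toggle
    "requireSessionIndex": True,                   # requireSessionIndex toggle
    "authnContext": json.loads('{ "comparison": "exact", "class_refs": ["urn:oasis:names:tc:SAML:2.0:ac:classes:Password"] }'),
}
# Constructed sample response with an unencrypted assertion; XML signature checks are out of scope here.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T11:59:59Z" SessionIndex="_s1">
   <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
 </saml:Assertion></samlp:Response>"""
def _ts(value):  # SAML timestamps are UTC with a trailing "Z"
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def check_response(xml_text, settings, now_utc):  # returns violations; [] means acceptable
    now, problems = _ts(now_utc), []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:  # only an EncryptedAssertion (or nothing) present; decryption not modelled
        return ["no plaintext Assertion element"]
    if not settings["allowUnencryptedAssertions"]:
        problems.append("unencrypted assertion rejected (Allow Unencrypted Assertions is off)")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["missing Conditions element"]
    if now < _ts(cond.get("NotBefore")) - timedelta(seconds=settings["notBeforeSkew"]):
        problems.append("assertion not yet valid even after NotBeforeSkew")
    if now >= _ts(cond.get("NotOnOrAfter")):
        problems.append("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if settings["audience"] not in audiences:
        problems.append("Audience Parameter not among the assertion's audiences")
    stmt = assertion.find("saml:AuthnStatement", NS)
    if settings["requireSessionIndex"] and (stmt is None or not stmt.get("SessionIndex")):
        problems.append("SessionIndex required but absent")
    ref = assertion.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", None, NS)
    ctx = settings["authnContext"]
    if ctx["comparison"] == "exact" and ref not in ctx["class_refs"]:
        problems.append("AuthnContextClassRef does not exactly match class_refs")
    return problems
```

With the defaults above the sample is rejected solely because the assertion is unencrypted; flipping allowUnencryptedAssertions, moving the clock, or changing the audience shows each check firing on its own.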
Sign On with SAML Identity Provider (Dynamic)
Authenticate the user with an identity provider that supports SAML. Use a different connector based on a variable from the flow.
- Properties
  - Sign On with SAML IdP (button)
  - ID of SAML IdP Connection (textField): The ID of another DaVinci SAML connector instance, such as "f33f64e40bcf79c2ce86ad0dcc563457". Populate this with a variable to dynamically change which SAML connector is used based on the context of the flow.
  - signRequest (toggleSwitch): When enabled, DaVinci signs the SAML request using the X.509 certificate. The certificate is provided to the identity provider through the DaVinci SAML SP Metadata URL, which is available in the connector settings.
  - RelayState Parameter (textField): Optional information to include when sending the SAML request to the identity provider, formatted as a URL. This information is included in the response from the identity provider.
  - nameIdFormat (dropDown): Select the name format used by the identity provider.
  - Force Authentication (toggleSwitch): When enabled, the user must re-authenticate even if they have an existing session. Enable this for high-value and high-risk transactions.
  - Authentication Context Class Reference (textArea): The Context Class Reference to use for the transaction, such as "{ "comparison": "exact", "class_refs": ["urn:oasis:names:tc:SAML:2.0:ac:classes:Password"] }". This allows you to define the type of authentication required for the transaction.
  - requireSessionIndex (toggleSwitch): When enabled, a unique session identifier is carried through the authentication process and allows DaVinci to identify the user’s session. Enable this for improved security.
  - Allow Unencrypted Assertions (toggleSwitch): When enabled, DaVinci accepts SAML assertions from the identity provider that are not encrypted. Only enable this for low-risk transactions in an environment where encryption is not possible.
  - Audience Parameter (textField): The audience value to provide in the SAML request, such as "https://sp.example.com". This value must match one of the audiences listed in the SAML assertion. When this field is blank, the connector uses the DaVinci entity ID.
  - NotBeforeSkew Parameter (textField): The allowable difference in time between when a SAML assertion becomes valid and the current time, in seconds. Use this to accommodate differences in clock time between systems.
  - showPoweredBy (toggleSwitch)
  - skipButtonPress (toggleSwitch)
- Output Schema
  - output (object)
  - rawResponse (object)
  - properties (object)
  - response_header (object)
  - properties (object)
  - version (string)
  - destination (string)
  - in_response_to (string)
  - id (string)
  - version
  - type (string)
  - user (object)
  - properties (object)
  - name_id (string)
  - session_index (string)
  - given_name (string)
  - surname (string)
  - email (string)
  - name (string)
  - attributes (object)
  - properties (object)
  - name_id
  - tenantid (string)
  - objectidentifier (string)
  - displayname (string)
  - identityprovider (string)
  - authnmethodsreferences (array)
  - items (array)
  - type (string)
  - givenname (string)
  - surname (string)
  - emailaddress (string)
  - name (string)