Connectors

SAML IdP Connector

The Security Assertion Markup Language (SAML) IdP connector lets you authenticate users against a SAML 2.0 identity provider (IdP) from your PingOne DaVinci flow.

SAML 2.0 is a well-supported standard for authentication and authorization. You can use this connector to show a customizable sign-on button that lets your users authenticate with your organization’s SAML identity provider; the connector sends the authentication request, receives the SAML response and makes the asserted user data available to the rest of the flow.

Setup

Resources

For information and setup help, see the following:

Requirements

To use the connector, you’ll need administrator access to your identity provider’s SAML IdP configuration.

Configuring the SAML IdP connector

Add the connector in DaVinci as shown in Adding a connector, then configure it as follows.

Connector configuration

Consult your identity provider’s documentation for help finding and configuring your SAML IdP settings.

DaVinci SAML SP Metadata URL

The URL of DaVinci’s SAML service provider (SP) metadata. The metadata describes DaVinci to the identity provider: its entity ID, the Assertion Consumer Service URL to which the identity provider redirects the browser back after authentication, and the X.509 certificate used when signRequest is enabled. Enter this URL (or import the metadata it serves) in your provider’s SAML IdP configuration.

Identity Provider SAML Metadata

This field accepts the SAML IdP metadata provided by your identity provider. This information should be available in your identity provider’s SAML IdP configuration.

The connector does not support the following in the Identity Provider SAML Metadata field, so remove them from the metadata before pasting it:

  • The md: prefix, which is associated with the SAML Metadata specification

  • The ds: prefix, which is associated with the XML Digital Signature specification

  • The xmlns attribute in the EntityDescriptor, which is associated with XML Namespace.

Application Redirect URL

Your application’s redirect URL, such as "https://app.yourorganization.com/". Enter this URL if you embed the DaVinci widget in your application. This allows DaVinci to redirect the browser back to your application.

Using the connector in a flow

Authenticating users

The Sign On with SAML Identity Provider capability lets you show a customizable sign-on button in your flow. When a user clicks this button, the connector sends a SAML authentication request to your configured SAML provider.

You can configure standard SAML parameters, such as relayState and notBeforeSkew. For help with these, consult your preferred SAML documentation.

No special configuration is needed. Add the capability and populate its properties according to the help text.

Capabilities

Sign On with SAML Identity Provider

Authenticate the user with an identity provider that supports SAML.

Properties
Sign On with SAML IdP button
signRequest toggleSwitch

When enabled, DaVinci signs the SAML authentication request with its SP signing key. The matching X.509 certificate is published in the DaVinci SP metadata (see DaVinci SAML SP Metadata URL in the connector settings), which is how the identity provider obtains it to verify the signature. Enable this whenever your identity provider can verify signed requests; it stops a third party from sending the identity provider a forged request in DaVinci’s name.

nameIdFormat dropDown

Select the NameID format to request from the identity provider. The format is sent in the request’s NameIDPolicy and must be one the identity provider supports; the identifier it returns appears in the output as user.name_id.

Force Authentication toggleSwitch

When enabled, the request carries ForceAuthn="true", so the identity provider must re-authenticate the user even if they already have a session there. Enable this for high-value and high-risk transactions.

Authentication Context Class Reference textArea

The authentication context to request for the transaction, as JSON, for example:

{ "comparison": "exact", "class_refs": ["urn:oasis:names:tc:SAML:2.0:ac:classes:Password"] }

comparison becomes the Comparison attribute of the request’s RequestedAuthnContext element and each entry in class_refs becomes an AuthnContextClassRef, so this defines the type of authentication the identity provider must perform for the transaction.

requireSessionIndex toggleSwitch

When enabled, the identity provider’s assertion must carry a SessionIndex, the unique identifier of the user’s session at the identity provider. The value is returned as user.session_index and lets DaVinci tie the authentication to that specific session. Enable this for improved security.

Allow Unencrypted Assertions toggleSwitch

When enabled, DaVinci accepts SAML assertions from the identity provider that are not encrypted. Encryption protects the confidentiality of the assertion’s contents as it passes through the user’s browser; it is not a substitute for verifying the assertion’s signature. Only enable this for low-risk transactions in an environment where encryption is not possible.

RelayState Parameter textField

Optional information to include when sending the SAML request to the identity provider, formatted as a URL. The identity provider returns it unchanged with the response. Treat the returned value as untrusted input: if your flow uses it as a redirect target, validate it against an allowlist of your own URLs rather than redirecting to it as received, or anyone who can start a flow can turn it into an open redirect.

Audience Parameter textField

The audience the assertion must be issued for, such as "https://sp.example.com". The connector accepts the assertion only if this value appears among the audiences in its AudienceRestriction. When this field is blank, the connector uses the DaVinci entity ID.

NotBeforeSkew Parameter textField

The number of seconds by which the assertion’s NotBefore time may still lie in the future when the response is received, to accommodate clock differences between the identity provider and DaVinci. A few seconds to a minute is normally enough; a large value only masks a clock that should be fixed.

showPoweredBy toggleSwitch
skipButtonPress toggleSwitch
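To make the properties above concrete, here is an added Python example (not DaVinci code; the property names mirror the connector’s, the request layout follows SAML 2.0 Core, and the checks illustrate the validation the properties describe). build_authn_request shows what Force Authentication, nameIdFormat and Authentication Context Class Reference become in the AuthnRequest, and check_assertion applies the Audience, NotBeforeSkew, InResponseTo and requireSessionIndex checks to a received assertion. The sample assertion is constructed, and the example deliberately assumes signature verification and decryption have already happened.

```python
"""Connector-style properties on the wire, and the response checks they imply.

Added example, not DaVinci code. Signature verification and decryption of an
EncryptedAssertion are assumed to have been done before check_assertion runs.
"""
import json
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
NS = {"saml": SAML}

# Constructed sample assertion, as it would look after signature check/decryption.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req1" NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://davinci.example.com/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z" SessionIndex="_sess1">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, *, force_authn=False,
                        name_id_format=None, authn_context_json=None, request_id=None):
    """Build an unsigned samlp:AuthnRequest; returns (request_id, xml).

    Keep request_id: the response's InResponseTo is checked against it.
    """
    request_id = request_id or "_" + uuid.uuid4().hex
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url, "AssertionConsumerServiceURL": acs_url,
    })
    if force_authn:                          # "Force Authentication" toggle
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    if name_id_format:                       # "nameIdFormat" dropdown
        ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                      {"Format": name_id_format, "AllowCreate": "true"})
    if authn_context_json:                   # "Authentication Context Class Reference"
        ctx = json.loads(authn_context_json)
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                            {"Comparison": ctx.get("comparison", "exact")})
        for ref in ctx["class_refs"]:
            ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ref
    return request_id, ET.tostring(req, encoding="unicode")


def _ts(value):
    """SAML xs:dateTime such as '2024-01-01T12:00:00Z' -> aware datetime, or None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def check_assertion(assertion_xml, *, audience, request_id, not_before_skew=0,
                    require_session_index=False, now=None):
    """Apply the Audience, NotBeforeSkew, InResponseTo and SessionIndex checks.

    `now` may be an xs:dateTime string (for reproducible tests) or None for
    the current time. Returns a list of problems; empty means the assertion passed.
    """
    now = _ts(now) if now else datetime.now(timezone.utc)
    a = ET.fromstring(assertion_xml)
    problems = []
    audiences = [e.text for e in a.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:            # "Audience Parameter"
        problems.append(f"audience {audience!r} not in {audiences}")
    cond = a.find("saml:Conditions", NS)
    not_before = _ts(cond.get("NotBefore")) if cond is not None else None
    not_on_or_after = _ts(cond.get("NotOnOrAfter")) if cond is not None else None
    # "NotBeforeSkew Parameter": tolerate an IdP clock slightly ahead of ours.
    if not_before and now < not_before - timedelta(seconds=not_before_skew):
        problems.append("assertion not yet valid")
    if not_on_or_after and now >= not_on_or_after:
        problems.append("assertion expired")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the outstanding request")
    stmt = a.find("saml:AuthnStatement", NS)  # "requireSessionIndex"
    if require_session_index and (stmt is None or not stmt.get("SessionIndex")):
        problems.append("SessionIndex missing from AuthnStatement")
    return problems
```

The InResponseTo check is the one the property list does not name but that every SP must make: without it, an assertion obtained in one browser can be replayed into a flow that never requested it. Note also that the skew is applied only to NotBefore; NotOnOrAfter is enforced as written, since the identity provider chose that deadline.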
Output Schema

output (object)
  rawResponse (object)
    response_header (object)
      version (string)
      destination (string)
      in_response_to (string)
      id (string)
      type (string)
    user (object)
      name_id (string)
      session_index (string)
      given_name (string)
      surname (string)
      email (string)
      name (string)
    attributes (object)
      tenantid (string)
      objectidentifier (string)
      displayname (string)
      identityprovider (string)
      authnmethodsreferences (array; items: string)
      givenname (string)
      surname (string)
      emailaddress (string)
      name (string)

Sign On with SAML Identity Provider (Dynamic)

Authenticate the user with an identity provider that supports SAML, selecting which configured SAML IdP connector instance to use from a flow variable.

Properties
Sign On with SAML IdP button
ID of SAML IdP Connection textField

The ID of another DaVinci SAML connector instance, such as "f33f64e40bcf79c2ce86ad0dcc563457". Populate this with a variable to dynamically change which SAML connector is used based on the context of the flow.

signRequest toggleSwitch

When enabled, DaVinci signs the SAML authentication request with its SP signing key. The matching X.509 certificate is published in the DaVinci SP metadata (see DaVinci SAML SP Metadata URL in the connector settings), which is how the identity provider obtains it to verify the signature. Enable this whenever your identity provider can verify signed requests; it stops a third party from sending the identity provider a forged request in DaVinci’s name.

RelayState Parameter textField

Optional information to include when sending the SAML request to the identity provider, formatted as a URL. The identity provider returns it unchanged with the response. Treat the returned value as untrusted input: if your flow uses it as a redirect target, validate it against an allowlist of your own URLs rather than redirecting to it as received, or anyone who can start a flow can turn it into an open redirect.

nameIdFormat dropDown

Select the NameID format to request from the identity provider. The format is sent in the request’s NameIDPolicy and must be one the identity provider supports; the identifier it returns appears in the output as user.name_id.

Force Authentication toggleSwitch

When enabled, the request carries ForceAuthn="true", so the identity provider must re-authenticate the user even if they already have a session there. Enable this for high-value and high-risk transactions.

Authentication Context Class Reference textArea

The authentication context to request for the transaction, as JSON, for example:

{ "comparison": "exact", "class_refs": ["urn:oasis:names:tc:SAML:2.0:ac:classes:Password"] }

comparison becomes the Comparison attribute of the request’s RequestedAuthnContext element and each entry in class_refs becomes an AuthnContextClassRef, so this defines the type of authentication the identity provider must perform for the transaction.

requireSessionIndex toggleSwitch

When enabled, the identity provider’s assertion must carry a SessionIndex, the unique identifier of the user’s session at the identity provider. The value is returned as user.session_index and lets DaVinci tie the authentication to that specific session. Enable this for improved security.

Allow Unencrypted Assertions toggleSwitch

When enabled, DaVinci accepts SAML assertions from the identity provider that are not encrypted. Encryption protects the confidentiality of the assertion’s contents as it passes through the user’s browser; it is not a substitute for verifying the assertion’s signature. Only enable this for low-risk transactions in an environment where encryption is not possible.

Audience Parameter textField

The audience the assertion must be issued for, such as "https://sp.example.com". The connector accepts the assertion only if this value appears among the audiences in its AudienceRestriction. When this field is blank, the connector uses the DaVinci entity ID.

NotBeforeSkew Parameter textField

The number of seconds by which the assertion’s NotBefore time may still lie in the future when the response is received, to accommodate clock differences between the identity provider and DaVinci. A few seconds to a minute is normally enough; a large value only masks a clock that should be fixed.

showPoweredBy toggleSwitch
skipButtonPress toggleSwitch
Output Schema

output (object)
  rawResponse (object)
    response_header (object)
      version (string)
      destination (string)
      in_response_to (string)
      id (string)
      type (string)
    user (object)
      name_id (string)
      session_index (string)
      given_name (string)
      surname (string)
      email (string)
      name (string)
    attributes (object)
      tenantid (string)
      objectidentifier (string)
      displayname (string)
      identityprovider (string)
      authnmethodsreferences (array; items: string)
      givenname (string)
      surname (string)
      emailaddress (string)
      name (string)