The SAML connector lets you authenticate users with a SAML-based identity provider in your PingOne DaVinci flow.
SAML 2.0 is a well-supported standard for authentication and authorization. You can use this connector to show a customizable sign-on button that allows your users to authenticate with your organization's SAML identity provider.
Setup
Resources
For information and setup help, see the following documentation:
- DaVinci documentation:
Requirements
To use the connector, you'll need:
- Administrator access to your identity provider's SAML configuration
Configuring the SAML connector
Add the connector in DaVinci as shown in Adding a connector, then configure it as follows.
Connector configuration
Consult your identity provider's documentation for help finding and configuring your SAML settings.
DaVinci SAML SP Metadata URL
Your DaVinci SAML SP Metadata URL. This allows an identity provider to redirect the browser back to DaVinci. Enter this URL in your provider's SAML configuration.
Identity Provider SAML Metadata
This field accepts the SAML metadata provided by your identity provider. This information should be available in your identity provider's SAML configuration.
Application Redirect URL
Your application's redirect URL, such as "https://app.yourorganization.com/". Enter this URL if you embed the DaVinci widget in your application. This allows DaVinci to redirect the browser back to your application.
Using the connector in a flow
Authenticating users
The Sign On with SAML Identity Provider capability lets you show a customizable sign-on button in your flow. When a user clicks this button, the connector sends a SAML authentication request to your configured SAML provider.
You can configure standard SAML parameters, such as
relayState and notBeforeSkew. For
help with these, consult your preferred SAML documentation.
No special flow configuration is needed. Add the capability and populate its properties according to the help text.
Capabilities
- Sign On with SAML Identity Provider
-
Authenticate the user with an identity provider that supports SAML.
Details- Details
-
- Properties
-
-
Sign On with SAML IdP
button -
signRequest
toggleSwitch -
When enabled, DaVinci signs the SAML request using the X.509 certificate. The certificate is provided to the identity provider through the DaVinci SAML SP Metadata URL, which is available in the connector settings.
-
nameIdFormat
dropDown -
Select the name format used by the identity provider.
-
Force Authentication
toggleSwitch -
When enabled, the user must re-authenticate even if they have an existing session. Enable this for high-value and high-risk transactions.
-
Authentication Context Class Reference
textArea -
The Context Class Reference to use for the transaction, such as "{ "comparison": "exact", "class_refs": ["urn:oasis:names:tc:SAML:2.0:ac:classes:Password"] }". This allows you to define the type of authentication required for the transaction.
-
requireSessionIndex
toggleSwitch -
When enabled, a unique session identifier is carried through the authentication process and allows DaVinci to identify the user's session. Enable this for improved security.
-
Allow Unencrypted Assertions
toggleSwitch -
When enabled, DaVinci accepts SAML assertions from the identity provider that are not encrypted. Only enable this for low-risk transactions in an environment where encryption is not possible.
-
RelayState Parameter
textField -
Optional information to include when sending the SAML request to the identity provider, formatted as a URL. This information is included in the response from the identity provider.
-
Audience Parameter
textField -
The audience value to provide in the SAML request, such as "https://sp.example.com". This value must match one of the audiences listed in the SAML assertion. When this field is blank, the connector uses the DaVinci entity ID.
-
NotBeforeSkew Parameter
textField -
The allowable difference in time between when a SAML assertion becomes valid and the current time, in seconds. Use this to accommodate for differences in clock time between systems.
-
showPoweredBy
toggleSwitch -
skipButtonPress
toggleSwitch
-
Sign On with SAML IdP
- Output Schema
-
-
output
object -
-
rawResponse
object -
properties
object -
-
response_header
object -
properties
object -
-
version
string -
destination
string -
in_response_to
string -
id
string
-
version
-
type
string -
user
object -
properties
object -
-
name_id
string -
session_index
string -
given_name
string -
surname
string -
email
string -
name
string -
attributes
object -
properties
object -
-
tenantid
string -
objectidentifier
string -
displayname
string -
identityprovider
string -
authnmethodsreferences
array -
items
array -
-
type
string
-
type
-
givenname
string -
surname
string -
emailaddress
string -
name
string
-
tenantid
-
name_id
-
response_header
-
rawResponse
-
output
- Sign On with SAML Identity Provider (Dynamic)
-
Authenticate the user with an identity provider that supports SAML. Use a different connector based on a variable from the flow.
Details- Details
-
- Properties
-
-
Sign On with SAML IdP
button -
ID of SAML IdP Connection
textField -
The ID of another DaVinci SAML connector instance, such as "f33f64e40bcf79c2ce86ad0dcc563457". Populate this with a variable to dynamically change which SAML connector is used based on the context of the flow.
-
signRequest
toggleSwitch -
When enabled, DaVinci signs the SAML request using the X.509 certificate. The certificate is provided to the identity provider through the DaVinci SAML SP Metadata URL, which is available in the connector settings.
-
RelayState Parameter
textField -
Optional information to include when sending the SAML request to the identity provider, formatted as a URL. This information is included in the response from the identity provider.
-
nameIdFormat
dropDown -
Select the name format used by the identity provider.
-
Force Authentication
toggleSwitch -
When enabled, the user must re-authenticate even if they have an existing session. Enable this for high-value and high-risk transactions.
-
Authentication Context Class Reference
textArea -
The Context Class Reference to use for the transaction, such as "{ "comparison": "exact", "class_refs": ["urn:oasis:names:tc:SAML:2.0:ac:classes:Password"] }". This allows you to define the type of authentication required for the transaction.
-
requireSessionIndex
toggleSwitch -
When enabled, a unique session identifier is carried through the authentication process and allows DaVinci to identify the user's session. Enable this for improved security.
-
Allow Unencrypted Assertions
toggleSwitch -
When enabled, DaVinci accepts SAML assertions from the identity provider that are not encrypted. Only enable this for low-risk transactions in an environment where encryption is not possible.
-
Audience Parameter
textField -
The audience value to provide in the SAML request, such as "https://sp.example.com". This value must match one of the audiences listed in the SAML assertion. When this field is blank, the connector uses the DaVinci entity ID.
-
NotBeforeSkew Parameter
textField -
The allowable difference in time between when a SAML assertion becomes valid and the current time, in seconds. Use this to accommodate for differences in clock time between systems.
-
showPoweredBy
toggleSwitch -
skipButtonPress
toggleSwitch
-
Sign On with SAML IdP
- Output Schema
-
-
output
object -
-
rawResponse
object -
properties
object -
-
response_header
object -
properties
object -
-
version
string -
destination
string -
in_response_to
string -
id
string
-
version
-
type
string -
user
object -
properties
object -
-
name_id
string -
session_index
string -
given_name
string -
surname
string -
email
string -
name
string -
attributes
object -
properties
object -
-
tenantid
string -
objectidentifier
string -
displayname
string -
identityprovider
string -
authnmethodsreferences
array -
items
array -
-
type
string
-
type
-
givenname
string -
surname
string -
emailaddress
string -
name
string
-
tenantid
-
name_id
-
response_header
-
rawResponse
-
output