Support for SAML 2.0 IdP-initiated flows in integrated mode
The following improvements make it easier to configure IdP-initiated SSO flows using journeys:
Redirect to a journey on the hosted SP
For IdP-initiated SSO in integrated mode, you must configure the hosted SP to send the user to an authentication journey after validating the SAML 2.0 assertion from the IdP. This lets you validate the IdP and perform SAML 2.0 authentication on the SP side.
You can also define additional actions the user must fulfill, such as performing multi-factor authentication (MFA) or checking organizational details before accessing the SAML 2.0 application.
Include a Scripted Decision node in the journey and query the samlApplication binding to access the assertion and response details, which you can then use to validate the IdP.
If a Local Authentication URL is configured, it takes precedence, but Advanced Identity Cloud doesn’t validate that the specified journey exists on the hosted SP.
If you haven’t configured a journey in either setting, an IdP-initiated SSO SAML flow results in an invalid request error.
For SP-initiated SSO, the flow continues in the originating journey, ignoring any redirect journey configured on the hosted SP.
To configure a redirect journey:
- In Native Consoles > Access Management, go to Realms > realm name > Applications > Federation > Entity Providers > Hosted SP Name.
- Under Assertion Processing > Redirect Tree, select the name of your authentication journey from the Redirect Tree Name list.
- Save your changes.
Note: You can’t delete a journey if it’s set as the redirect journey in the hosted SP.
Node configuration to validate the IdP entity ID
Use the new configuration option to check that the IdP entity ID in the incoming SAML assertion matches the IdP entity ID configured for the node.
Learn more in SAML2 Authentication node.
Retrieve the assertion in a script
The samlApplication binding is present when the Scripted Decision node is part of a journey that meets any of the following conditions:
- Runs in a SAML 2.0 context and is associated with a SAML 2.0 application.
- Contains a SAML2 Authentication node and Advanced Identity Cloud is the SP. The SAML2 Authentication node must precede the Scripted Decision node.
- Is set as the redirect journey for an IdP-initiated flow.
Map<String, Object> getAssertion()
Returns the assertion as a map after the SAML2 Authentication node completes in a journey where Advanced Identity Cloud is the SP, or in a journey that is set as the redirect journey for an IdP-initiated flow.
The method returns null on the IdP side.
Example assertion object
{
  "version": "2.0",
  "issueInstant": 1751545205000,
  "subject": {
    "subjectConfirmation": [
      {
        "subjectConfirmationData": {
          "elementName": "SubjectConfirmationData",
          "mutable": false,
          "notOnOrAfter": 1751545805000,
          "inResponseTo": "s26958253e04e9cfdbfc0c979d6159000837401b7b",
          "content": [
            ""
          ],
          "recipient": "https://<tenant-env-fqdn>/am/Consumer/metaAlias/alpha/sp1",
          "notBefore": null,
          "address": null,
          "contentType": null
        },
        "method": "urn:oasis:names:tc:SAML:2.0:cm:bearer",
        "nameID": null,
        "mutable": false,
        "encryptedID": null,
        "baseID": null
      }
    ],
    "nameID": {
      "@class": "com.sun.identity.saml2.assertion.impl.NameIDImpl",
      "value": "iPR60UhHDG6EhKsnbbf1MNnLdOuh",
      "nameQualifier": "idp1",
      "format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
      "mutable": false,
      "spnameQualifier": "sp1",
      "spprovidedID": ""
    },
    "mutable": false,
    "encryptedID": null,
    "baseID": null
  },
  "advice": null,
  "signature": "",
  "conditions": {
    "notOnOrAfter": 1751545805000,
    "conditions": [],
    "audienceRestrictions": [
      {
        "audience": [
          "sp1"
        ],
        "mutable": false
      }
    ],
    "oneTimeUses": [],
    "proxyRestrictions": [],
    "notBefore": 1751544605000,
    "mutable": false
  },
  "id": "s254b47654db6b3771a81112aae4eee68b98863df3",
  "statements": [],
  "authnStatements": [
    {
      "authnContext": {
        "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
        "authnContextDecl": null,
        "authnContextDeclRef": null,
        "authenticatingAuthority": null,
        "mutable": false
      },
      "subjectLocality": null,
      "authnInstant": 1751545204000,
      "sessionIndex": "s286b2a8df2df74bcc739daa096621bf1662d20401",
      "sessionNotOnOrAfter": null,
      "mutable": false
    }
  ],
  "authzDecisionStatements": [],
  "attributeStatements": [],
  "issuer": {
    "value": "idp1",
    "nameQualifier": "",
    "format": "",
    "mutable": false,
    "spnameQualifier": "",
    "spprovidedID": ""
  },
  "signed": true,
  "mutable": false,
  "timeValid": true
}
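The IdP validation described above, as an added example that is not code from the documentation or the product: a Scripted Decision node script that checks the map returned by samlApplication.getAssertion() against what the hosted SP expects, using the field names of the example assertion object above. It assumes property-style access to the returned map (as the example object shows), and the expected entity IDs, recipient URL, allowed authentication contexts and clock skew are constructed placeholders, not settings from the page.

```javascript
// Added example (not documentation or product code): validate the map returned by
// samlApplication.getAssertion() before letting an IdP-initiated flow continue.
var EXPECTED = {                              // constructed values for the hosted SP
  idpEntityId: "idp1",                        // IdP entity ID this journey trusts
  spEntityId: "sp1",                          // hosted SP entity ID (expected audience)
  recipient: "https://<tenant-env-fqdn>/am/Consumer/metaAlias/alpha/sp1",
  allowedAuthnContexts: ["urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"],
  clockSkewMs: 60000                          // tolerated clock drift between IdP and SP
};
var BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer";
// Returns { ok, reasons }; every failed check is recorded so the rejection can be logged.
function validateAssertion(assertion, expected, nowMs) {
  var reasons = [];
  if (!assertion) { return { ok: false, reasons: ["no assertion (IdP side, or node order wrong)"] }; }
  var skew = expected.clockSkewMs || 0, cond = assertion.conditions || {};
  if (!assertion.issuer || assertion.issuer.value !== expected.idpEntityId) { reasons.push("issuer mismatch"); }
  if (assertion.signed !== true) { reasons.push("assertion not signed"); }
  if (typeof cond.notBefore === "number" && nowMs + skew < cond.notBefore) { reasons.push("not yet valid"); }
  if (typeof cond.notOnOrAfter === "number" && nowMs - skew >= cond.notOnOrAfter) { reasons.push("expired"); }
  var audiences = (cond.audienceRestrictions || []).reduce(function (acc, r) { return acc.concat(r.audience || []); }, []);
  if (audiences.indexOf(expected.spEntityId) === -1) { reasons.push("audience mismatch"); }
  // Bearer confirmation must name this SP's ACS URL and still be within its own validity window.
  var confs = (assertion.subject && assertion.subject.subjectConfirmation) || [];
  var bearerOk = confs.some(function (c) {
    var d = c.subjectConfirmationData || {};
    return c.method === BEARER && d.recipient === expected.recipient &&
      (typeof d.notOnOrAfter !== "number" || nowMs - skew < d.notOnOrAfter);
  });
  if (!bearerOk) { reasons.push("no valid bearer confirmation for this SP"); }
  // Enforce the authentication strength the IdP reports (extend the list if MFA is required).
  var ctxOk = (assertion.authnStatements || []).some(function (s) {
    return s.authnContext && expected.allowedAuthnContexts.indexOf(s.authnContext.authnContextClassRef) !== -1;
  });
  if (!ctxOk) { reasons.push("authn context not acceptable"); }
  return { ok: reasons.length === 0, reasons: reasons };
}
var SAMPLE = {  // constructed sample shaped like the example assertion object above, with its values
  issuer: { value: "idp1" }, signed: true,
  conditions: { notBefore: 1751544605000, notOnOrAfter: 1751545805000,
                audienceRestrictions: [{ audience: ["sp1"] }] },
  subject: { subjectConfirmation: [{ method: BEARER,
    subjectConfirmationData: { recipient: EXPECTED.recipient, notOnOrAfter: 1751545805000 } }] },
  authnStatements: [{ authnContext: { authnContextClassRef: EXPECTED.allowedAuthnContexts[0] } }]
};
// In a Scripted Decision node the binding exists and outcome drives the journey; stand-alone this is skipped.
if (typeof samlApplication !== "undefined") {
  var result = validateAssertion(samlApplication.getAssertion(), EXPECTED, Date.now());
  outcome = result.ok ? "true" : "false";
}
```

Run stand-alone, the script only defines the checks and the sample; inside the node, the outcome is "true" only when every check passes, so the journey can branch to a failure node otherwise.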