PingOne Advanced Identity Cloud

Configure a SAML 2.0 application journey

Configure the remote SP so that a specific authentication journey is always run for users authenticating with your SAML 2.0 app. The federation flow invokes the associated journey regardless of any existing sessions or requested or configured authentication contexts.

To configure a SAML 2.0 app journey, specify a journey in Native Consoles > Access Management > Realms > Realm Name > Applications > Federation > Entity Providers > Remote SP > Advanced > Tree Name.

When you configure an app journey, the processing of the SAML 2.0 request depends on the authentication context requested by the SP.

You can access the requested authentication context and configured mappings by including a Scripted Decision node in the journey that queries the samlApplication script binding.

The following table shows the SAML response for each comparison type and the requested authentication context.

Authentication context Comparison type Response

SP requested authn context

Exact / None

Requested authn context included

SP requested authn context

Better / Maximum / Minimum

UNSPECIFIED

SP doesn’t request authn context

-

UNSPECIFIED

IDP-initiated (no requested authn context)

-

UNSPECIFIED

You can’t delete a journey if it’s referenced by a SAML 2.0 app.