SAMLApplications
The SAML-protocol applications in the environment.
Table-Specific Information
We recommend using the built-in Client Application Developer role to read and write data for this table.
SELECT
Reading data from this entity requires Read Application/applications:read:application permission. The driver uses the PingOne Platform API to process WHERE clause conditions built with the following columns and operators.
- Id supports the following operators: =, IN.
All other filters are processed client-side within the driver.
For example, the following queries are processed server-side:
SELECT * FROM Administrators.SAMLApplications WHERE Id = '085f7c1a-396f-47f2-881b-c34c46b6eb66';
SELECT * FROM Administrators.SAMLApplications WHERE Id IN ('085f7c1a-396f-47f2-881b-c34c46b6eb66', '96f33e5d-682b-4214-855e-2e105421a35a');
INSERT
Creating data in this table requires Create Application/applications:create:application permission. Refer to the query example below:
INSERT INTO Administrators.SAMLApplications (Name, Description, Type, IsEnabled, ACSUrls, AssertionDuration, ServiceProviderEntityId) VALUES ('My SAML App', 'My SAML App', 'WEB_APP', false, 'https://acs.com', 3600, '05aacbac-6fb4-4eeb-9ef7-e5af3172476d')
UPDATE
Updating data in this table requires Update Application/applications:update:application permission. Refer to the query example below:
UPDATE Administrators.SAMLApplications SET IsEnabled = true WHERE Id = '085f7c1a-396f-47f2-881b-c34c46b6eb66'
DELETE
Deleting data from this table requires Delete Application/applications:delete:application permission. Refer to the query example below:
DELETE FROM Administrators.SAMLApplications WHERE Id = '085f7c1a-396f-47f2-881b-c34c46b6eb66'
Columns
| Name | Type | ReadOnly | References | Description |
| --- | --- | --- | --- | --- |
| Id [KEY] | String | True | | The application identifier (UUID). |
| Name | String | False | | The name of the application. |
| Description | String | False | | The application's description. |
| IsEnabled | Boolean | False | | Boolean value indicating whether the application is enabled for authorization to PingOne. |
| Type | String | False | | The type of the application. Possible values are: 'WEB_APP', 'CUSTOM_APP', and 'TEMPLATE_APP'. |
| EnvironmentId | String | True | Information.Environments.Id | The identifier (UUID) of the environment in which the application exists. |
| CreatedAt | Datetime | True | | The time at which the application was created. |
| UpdatedAt | Datetime | True | | The time at which the application was last updated. |
| LoginPageURL | String | False | | The application's login page URL. |
| HomePageURL | String | False | | The application's home page URL. |
| IsHiddenFromPortal | Boolean | False | | Boolean value indicating whether the application is hidden in the application portal. |
| IconURL | String | False | | The URL of the application's icon. |
| AccessControlRolesCriteria | String | False | | The user role criteria for accessing the application. The possible value is 'ADMIN_USERS_ONLY'. A user is an admin user if they have one or more of the following roles: 'Organization Admin', 'Environment Admin', 'Identity Data Admin' or 'Client Application Developer'. |
| CORSRestriction | String | False | | The application's restriction with regard to CORS requests. Possible values are 'ALLOW_NO_ORIGINS' and 'ALLOW_SPECIFIC_ORIGINS'. 'ALLOW_NO_ORIGINS' rejects all CORS requests. 'ALLOW_SPECIFIC_ORIGINS' rejects all CORS requests except those listed in the 'CORSAllowedOrigins' column. |
| CORSAllowedOrigins | String | False | | The origins from which CORS requests to the Authorization and Authentication APIs are allowed. This applies only when 'CORSRestriction' is set to 'ALLOW_SPECIFIC_ORIGINS'. |
| TemplateIntegrationId | String | False | | The identifier (UUID) of the integration in Integration Catalog. |
| TemplateVersionId | String | False | | The identifier (UUID) of the integration version in Integration Catalog. |
| ACSUrls | String | False | | The Assertion Consumer Service URLs. The first URL in the list is used as default (there must be at least one URL). |
| AssertionDuration | Integer | False | | The assertion validity duration in seconds. |
| IsAssertionSigned | Boolean | False | | Boolean value indicating whether the SAML assertion itself should be signed. |
| DefaultTargetURL | String | False | | A URL that sets the relay state if the identity provider does not include an 'applicationUrl' query parameter in its '/{{envID}}/saml20/idp/startsso' request. |
| EnableRequestedAuthenticationContext | Boolean | False | | Boolean value indicating whether 'requestedAuthnContext' is taken into account in policy decision-making. |
| SigningAlgorithm | String | False | | The algorithm used by the identity provider (IdP) signing key. Possible values are: 'SHA256withRSA', 'SHA384withRSA', 'SHA512withRSA', 'SHA256withECDSA', 'SHA384withECDSA', and 'SHA512withECDSA'. |
| SigningKeyId | String | False | | The identifier (UUID) of the certificate to be used by the identity provider to sign assertions and responses. If 'null' or empty, the default signing certificate for the environment is used instead. |
| NameIdFormat | String | False | | The format of the subject's 'NameID' attribute in the SAML assertion. Possible values are: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', and 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'. |
| IsResponseSigned | Boolean | False | | Boolean value indicating whether the SAML assertion response itself should be signed. |
| SessionNotOnOrAfterDuration | Integer | False | | Used in cases when the SAML application requires a different 'SessionNotOnOrAfter' attribute value within the 'AuthnStatement' element than the 'NotOnOrAfter' value set in the 'AssertionDuration' column. |
| SLOBinding | String | False | | The binding protocol to be used for the logout response. Possible values are: 'HTTP_REDIRECT' and 'HTTP_POST'. |
| SLOEndpoint | String | False | | The logout endpoint URL. If 'null' or empty, logout actions result in an error. |
| SLOResponseEndpoint | String | False | | The endpoint URL to submit the logout response. If 'null' or empty, the value in the 'SLOEndpoint' column is used to submit the SLO response instead. |
| SLOWindow | Integer | False | | Defines how long PingOne can exchange logout messages with the application, specifically a 'LogoutRequest' from the application, since the initial request. This setting is per application. The SLO logout is separate from the user session logout that revokes all tokens. |
| EncryptionAlgorithm | String | False | | The algorithm for encrypting the assertions. Possible values are: 'AES_128', 'AES_256', and 'TRIPLEDES'. |
| EncryptionCertificateId | String | False | | The identifier (UUID) of the encryption public certificate that has been uploaded to PingOne. |
| ServiceProviderEntityId | String | False | | The service provider entity ID used to look up the application. |
| EnableAuthenticationRequestSigning | Boolean | False | | Boolean value indicating whether Authentication Request signing should be enforced. |
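
The columns above can be combined into a configuration review of the enabled SAML applications. The query below is an added example, not part of the driver's own documentation; the 3600-second threshold and the choice of which settings to flag are assumptions to adjust to local policy. None of its conditions use Id, so the driver evaluates all of them client-side after retrieving the applications.

```sql
-- Added example: list enabled SAML applications whose settings weaken
-- assertion protection. Thresholds and flagged settings are assumptions.
SELECT Id,
       Name,
       IsAssertionSigned,
       IsResponseSigned,
       SigningAlgorithm,
       EnableAuthenticationRequestSigning,
       EncryptionAlgorithm,
       AssertionDuration,
       ACSUrls
FROM Administrators.SAMLApplications
WHERE IsEnabled = true
  AND (
        -- Neither the assertion nor the response carries a signature.
        (IsAssertionSigned = false AND IsResponseSigned = false)
        -- Authentication requests from the service provider are accepted unsigned.
     OR EnableAuthenticationRequestSigning = false
        -- Assertions are encrypted with the legacy 64-bit block cipher
        -- rather than 'AES_128' or 'AES_256'.
     OR EncryptionAlgorithm = 'TRIPLEDES'
        -- Assertion validity longer than one hour (illustrative threshold;
        -- 3600 is the value used in the INSERT example above).
     OR AssertionDuration > 3600
        -- At least one Assertion Consumer Service URL is cleartext HTTP.
        -- 'https://...' does not match this pattern.
     OR ACSUrls LIKE '%http://%'
      );
```

Rows where a Boolean column is returned as NULL are not matched by the `= false` comparisons, so review those applications separately.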