Through the REST API
- Last Updated: May 20, 2026
- MarkLogic Server
- Version 12.0
- Documentation
To set up SAML-based authentication and authorization with PingOne through the REST API, follow these steps:
- Create the external security object with code like this:

  JavaScript/JSON

  ```bash
  curl -X POST --anyauth -k -u <username>:<password> -H "Content-Type:application/json" \
    -d @create_extsec.json http://<machine URI>:8002/manage/v2/external-security
  ```

  Contents of create_extsec.json

  ```json
  {
    "external-security-name": "PingOne-SAML",
    "description": "PingOne external security object for SAML",
    "authentication": "saml",
    "cache-timeout": 300,
    "authorization": "saml",
    "saml-server": {
      "saml-entity-id": "http://localhost:8010/",
      "saml-attribute-name": [ "group" ],
      "saml-destination": "https://auth.pingone.asia/a58...3c8/saml20/idp/sso",
      "saml-issuer": "http://localhost:8010/",
      "saml-idp-certificate-authority": "-----BEGIN CERTIFICATE----- MII...qY= -----END CERTIFICATE-----"
    }
  }
  ```

  XQuery/XML

  ```bash
  curl -X POST --anyauth -k -u <username>:<password> -H "Content-Type:application/xml" \
    -d @create_extsec.xml http://<machine URI>:8002/manage/v2/external-security
  ```

  Contents of create_extsec.xml

  ```xml
  <external-security-properties xmlns="http://marklogic.com/manage">
    <external-security-name>PingOne-SAML</external-security-name>
    <description>PingOne external security object for SAML</description>
    <authentication>saml</authentication>
    <cache-timeout>300</cache-timeout>
    <authorization>saml</authorization>
    <saml-server>
      <saml-entity-id>http://localhost:8010/</saml-entity-id>
      <saml-attribute-names>
        <saml-attribute-name>group</saml-attribute-name>
      </saml-attribute-names>
      <saml-destination>https://auth.pingone.asia/a58...3c8/saml20/idp/sso</saml-destination>
      <saml-issuer>http://localhost:8010/</saml-issuer>
      <saml-idp-certificate-authority>-----BEGIN CERTIFICATE----- MII...qY= -----END CERTIFICATE-----</saml-idp-certificate-authority>
    </saml-server>
  </external-security-properties>
  ```

- Create any HTTP, XDBC, WebDAV, or ODBC app servers that you wish to configure with this external security object.
- Configure your app servers to use this external security object with code like this:

  JSON application

  ```bash
  curl -X PUT --anyauth -k -u <username>:<password> \
    -H "Content-type:application/json" \
    -d '{
          "external-security": "PingOne-SAML",
          "internal-security": false,
          "authentication": "saml"
        }' \
    "http://<machine URI>:8002/manage/v2/servers/<app server name>/properties?group-id=Default"
  ```

  XML application

  ```bash
  curl -X PUT --anyauth -k -u <username>:<password> \
    -H "Content-type:application/xml" \
    -d '<http-server-properties xmlns="http://marklogic.com/manage">
          <external-security>PingOne-SAML</external-security>
          <internal-security>false</internal-security>
          <authentication>saml</authentication>
        </http-server-properties>' \
    "http://<machine URI>:8002/manage/v2/servers/<app server name>/properties?group-id=Default"
  ```

- Assign external names to your desired roles with code like this:

  Note: The external names are the values returned under the role attribute of the SAML response.

  JSON application

  ```bash
  curl -X PUT --anyauth -k -u <username>:<password> \
    -H "Content-type:application/json" \
    -d '{"external-name": "dh-admin"}' \
    "http://<machine URI>:8002/manage/v2/roles/<MarkLogic Server role name like manage-user>/properties"
  ```

  XML application

  ```bash
  curl -X PUT --anyauth -k -u <username>:<password> \
    -H "Content-type:application/xml" \
    -d '<role-properties xmlns="http://marklogic.com/manage/role/properties">
          <external-names>
            <external-name>dh-admin</external-name>
          </external-names>
        </role-properties>' \
    "http://<machine URI>:8002/manage/v2/roles/<MarkLogic Server role name like manage-user>/properties"
  ```

MarkLogic Server is now set up for SAML-based authentication and authorization with PingOne.
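
A pre-flight check for the payloads sent in the first and third steps, as an added example that is not MarkLogic's own code: it flags an elided or malformed IdP certificate, a `saml-destination` that is not HTTPS, and an app server that names a different external security object. The function name `lint`, the findings wording and the sample values are assumptions made here.

```python
import base64, re
from urllib.parse import urlparse

PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def lint(extsec, server):
    """Return a list of findings; an empty list means the two payloads agree."""
    findings = []
    saml = extsec.get("saml-server", {})
    if extsec.get("authentication") != "saml":
        findings.append("authentication is not saml")
    # Assumption: with SAML authorization, roles are matched from the listed attributes.
    if extsec.get("authorization") == "saml" and not saml.get("saml-attribute-name"):
        findings.append("authorization is saml but no saml-attribute-name is listed")
    if urlparse(saml.get("saml-destination", "")).scheme != "https":
        findings.append("saml-destination is not an https URL")
    match = PEM.search(saml.get("saml-idp-certificate-authority", ""))
    try:
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        if not der.startswith(b"\x30"):  # a DER certificate starts with a SEQUENCE tag
            raise ValueError("not DER")
    except (AttributeError, ValueError):  # no PEM block, bad base64, or not DER
        findings.append("saml-idp-certificate-authority is not a PEM certificate")
    if server.get("external-security") != extsec.get("external-security-name"):
        findings.append("app server names a different external security object")
    if server.get("authentication") != extsec.get("authentication"):
        findings.append("app server authentication differs from the external security object")
    return findings

# Constructed sample input: placeholder DER bytes, not a real certificate.
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
            + "\n-----END CERTIFICATE-----")
EXTSEC = {
    "external-security-name": "PingOne-SAML",
    "authentication": "saml",
    "authorization": "saml",
    "saml-server": {
        "saml-attribute-name": ["group"],
        "saml-destination": "https://idp.example.invalid/saml20/idp/sso",  # placeholder
        "saml-idp-certificate-authority": FAKE_PEM,
    },
}
SERVER = {"external-security": "PingOne-SAML", "internal-security": False,
          "authentication": "saml"}

if __name__ == "__main__":
    print(lint(EXTSEC, SERVER) or "payloads are consistent")
```

Load `create_extsec.json` and the app-server JSON body with `json.load` and pass both dictionaries to `lint` before running the `curl` commands.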