
Secure MarkLogic Server

Through JavaScript or XQuery

  • Last Updated: May 20, 2026
    • MarkLogic Server
    • Version 12.0
    • Documentation

Note:

Run all code against the MarkLogic Server Security database.

To set up SAML-based authentication and authorization with PingOne using JavaScript or XQuery through the Query Console, follow these steps:

  1. Create the external security object with code like this:

    JavaScript

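    'use strict';

    // Creates the 'PingOne-SAML' external security object that app servers
    // reference for SAML sign-in. Run against the Security database.
    declareUpdate();
    // The security library is an XQuery module, so it is loaded with its
    // .xqy extension.
    const sec = require('/MarkLogic/security.xqy');

    // Sample values: replace each one with the value from your own deployment.
    const samlIssuer = "http://localhost:8010/";
    // NOTE(review): presumably the assertion attribute whose values are matched
    // against role external names (PingOne group names) -- confirm.
    const attributeNames = ["group"];
    const samlDestination = "https://auth.pingone.asia/a58...3c8/saml20/idp/sso";
    // Elided placeholder. NOTE(review): presumably the certificate MarkLogic uses
    // to check the IdP's signature -- confirm in the sec.samlServer reference.
    // Paste the certificate exported from your own PingOne environment, and
    // obtain it over a channel you trust.
    const samlIdpCa = "-----BEGIN CERTIFICATE----- MII...qY= -----END CERTIFICATE-----";

    // samlIssuer is passed twice (first and sixth position) and two positions
    // are left null; see the sec.samlServer reference for what each one controls.
    const samlAgent = sec.samlServer(
        samlIssuer,
        attributeNames,
        null,
        null,
        samlDestination,
        samlIssuer,
        samlIdpCa
      );

    // Both the third and fifth arguments are 'saml', so this object is used for
    // sign-in and for role assignment alike: access then depends entirely on the
    // IdP configuration and certificate supplied above.
    sec.createExternalSecurity(
        'PingOne-SAML',                              // name referenced by app servers
        'PingOne external security object for SAML', // description
        'saml',
        300,   // NOTE(review): cache timeout, presumably in seconds -- confirm
        'saml',
        null,  // no LDAP server is used
        samlAgent
      );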
    

    XQuery

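    xquery version "1.0-ml";

    (: Creates the 'PingOne-SAML' external security object that app servers
       reference for SAML sign-in. Run against the Security database. :)
    import module namespace sec = "http://marklogic.com/xdmp/security"
      at "/MarkLogic/security.xqy";

    (: Sample values: replace each one with the value from your own deployment. :)
    let $saml-issuer := "http://localhost:8010/"
    (: NOTE(review): presumably the assertion attribute whose values are matched
       against role external names (PingOne group names); confirm. :)
    let $attribute-names := ("group")
    let $saml-destination := "https://auth.pingone.asia/a58...3c8/saml20/idp/sso"
    (: Elided placeholder. NOTE(review): presumably the certificate MarkLogic uses
       to check the IdP's signature; confirm in the sec:saml-server reference.
       Paste the certificate exported from your own PingOne environment, and
       obtain it over a channel you trust. :)
    let $saml-idp-ca := "-----BEGIN CERTIFICATE----- MII...qY= -----END CERTIFICATE-----"

    (: $saml-issuer is passed twice (first and sixth position) and two positions
       are left empty; see the sec:saml-server reference for what each controls. :)
    let $saml-agent := sec:saml-server(
        $saml-issuer,
        $attribute-names,
        (),
        (),
        $saml-destination,
        $saml-issuer,
        $saml-idp-ca
      )

    (: Both the third and fifth arguments are 'saml', so this object is used for
       sign-in and for role assignment alike: access then depends entirely on the
       IdP configuration and certificate supplied above. :)
    return sec:create-external-security(
        'PingOne-SAML',
        'PingOne external security object for SAML',
        'saml',
        300,  (: NOTE(review): cache timeout, presumably in seconds; confirm :)
        'saml',
        (),   (: no LDAP server is used :)
        $saml-agent,
        ()
      )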
    
  2. Create any HTTP, XDBC, WebDAV, or ODBC app servers that you wish to configure with this external security object.

  3. Configure your app servers to use this external security object with code like this:

    JavaScript

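    'use strict';

    // Points one app server in the "Default" group at the 'PingOne-SAML'
    // external security object and saves the changed configuration.
    declareUpdate();

    const admin = require('/MarkLogic/admin.xqy');
    const config = admin.getConfiguration();
    const groupid = admin.groupGetId(config, "Default");
    const appserver = "<app server name>"; // placeholder: the app server to reconfigure
    const extsec = "PingOne-SAML";

    // The app server id is looked up by configuration, group id and name,
    // the same argument order as admin:appserver-get-id in XQuery.
    const appserverId = admin.appserverGetId(config, groupid, appserver);

    // NOTE(review): the trailing false and "saml" arguments are reproduced from
    // the original example; confirm their meaning and the function's arity in
    // the Admin API reference for your server version. After saving, check the
    // app server's authentication, internal security and external security
    // settings in the Admin Interface so the result is what you intended.
    admin.saveConfiguration(
      admin.appserverSetExternalSecurity(
        config,
        appserverId,
        extsec,
        false,
        "saml"
      )
    );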
    

    XQuery

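    xquery version "1.0-ml";

    (: Points one app server in the "Default" group at the 'PingOne-SAML'
       external security object and saves the changed configuration. :)
    import module namespace admin = "http://marklogic.com/xdmp/admin"
      at "/MarkLogic/admin.xqy";

    let $config := admin:get-configuration()
    let $group-id := admin:group-get-id($config, "Default")
    (: Placeholder: the name of the app server to reconfigure. :)
    let $app-server := "<app server name>"
    let $ext-sec := ("PingOne-SAML")

    (: NOTE(review): the trailing fn:false() and "saml" arguments are reproduced
       from the original example; confirm their meaning and the function's arity
       in the Admin API reference for your server version. After saving, check the
       app server's authentication, internal security and external security
       settings in the Admin Interface so the result is what you intended. :)
    return admin:save-configuration(
        admin:appserver-set-external-security(
          $config,
          admin:appserver-get-id(
            $config, $group-id, $app-server
          ),
          $ext-sec,
          fn:false(),
          "saml"
        )
      )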
    
  4. Assign external names to your desired roles with code like this:

    Note:

    Each external name must match the name of a group configured in PingOne.

    JavaScript

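    'use strict';

    // Maps a PingOne group name onto a MarkLogic role. Run against the
    // Security database.
    declareUpdate();
    const sec = require('/MarkLogic/security.xqy');

    const roleName = "<MarkLogic Server role name>"; // placeholder, e.g. "manage-user"
    const externalName = "dh-admin"; // sample PingOne group name

    // Every user the IdP reports as a member of this group receives the role,
    // so map each group only to the least-privileged role it needs and keep the
    // PingOne group membership under review.
    // NOTE(review): the "Set" in the function name suggests that external names
    // already on the role are replaced -- confirm before running this on a role
    // that has existing mappings.
    sec.roleSetExternalNames(roleName, externalName);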
    

    XQuery

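    xquery version "1.0-ml";
    (: Maps a PingOne group name onto a MarkLogic role. Run against the
       Security database. :)
    import module namespace sec = "http://marklogic.com/xdmp/security"
      at "/MarkLogic/security.xqy";

    (: Placeholder: a MarkLogic Server role name, e.g. "manage-user". :)
    let $role-name := "<MarkLogic Server role name>"
    (: Sample PingOne group name. :)
    let $external-name := "dh-admin"
    (: Every user the IdP reports as a member of this group receives the role,
       so map each group only to the least-privileged role it needs and keep the
       PingOne group membership under review.
       NOTE(review): the "set" in the function name suggests that external names
       already on the role are replaced; confirm before running this on a role
       that has existing mappings. :)
    return sec:role-set-external-names($role-name, $external-name)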
    

MarkLogic Server is now set up for SAML-based authentication and authorization with PingOne.
