PingOne Platform API Reference - Early Access

PingOne is a cloud-based framework for secure identity access management. The PingOne API gives developers the tools to integrate enterprise and third-party applications with the PingOne platform.

This document describes a number of PingOne services, including the Management API services, the Authentication API services, and the Multi-factor Authentication services. There is also material in this document that refers to the integrations between the PingOne platform and other Ping products that facilitate extended functionality beyond PingOne.

For architectural and background information, see PingOne for Developers Foundations. For a guided walkthrough using the PingOne APIs, see PingOne for Developers Getting Started.

New to PingOne?

If you're new to PingOne, the following topic links will help you learn more and start working with the PingOne API.

Early Access

These early access features are available for preview purposes only, and are not covered under standard Support SLAs. You can open support cases for feedback, bug reports, configuration questions, or other inquiries related to early access features, but resolution times for these cases will vary. These cases often require collaboration with our Engineering and Product teams, so timelines might exceed the usual SLAs for your Support package.

We encourage you to use any of the early access features you find applicable. You'll need to enable each feature you'd like to use. See Early Access Features for instructions.

Flows and Forms

The early access APIs in Flows and Forms document the deprecated Flow Definitions service in PingOne. The Flow Definitions service was replaced by PingOne DaVinci.

If you want to use Postman

You can download or fork the Postman collection for the early access Flows and Forms APIs, and test them in your Postman environment. If you don't already have a Postman installation, you can install the free version. See Download Postman.

Import or fork the Postman collection PingOne Flows and Forms APIs - Early Access into your Postman installation by clicking the Run in Postman button below:

Run In Postman

Refer to Postman and the PingOne APIs for more information.

External Services Management

The external services API allows you to make outbound HTTP requests from PingOne to an external resource server. It functions like a PingOne HTTP client. By configuring an external service resource in PingOne, you configure how to send an HTTP request at invocation time.

PingOne external services configurations integrate with PingOne flows, which allows for outbound HTTP requests in the context of a flow.

Terminology

  • External Service

    External services are a group of requests and additional configuration information to support the requests. Some configuration properties, such as variables and secrets, can be referenced by any of the external service’s requests.

  • Request

    The HTTP request configuration includes properties such as a URL, headers, and body to define the request to the external resource server. When an external service request is invoked, PingOne uses the defined configuration to create and send an HTTP request.

  • PingOne's expression language

    External service requests use PingOne's expression language, which is based on SPEL, to give you flexibility to define complex configuration attributes. For more information, see PingOne's expression language.

Frequently asked questions

How do I resolve an expression error?

When you invoke an external service request, you may get an expression error. The error message should indicate what went wrong. For more information about PingOne's expression language, see PingOne's expression language. Also remember that all inputs must be strings.

How do I change the request configuration at invocation time?

If the URL, a header, or a body parameter must be dynamic per request, use inputs. Reference an input in the request configuration (inputs.myInputName) and then supply the input's value at invocation time. For examples of this, see the "Getting Started" topic.

What happens when I invoke an external service request?

PingOne finds your configuration by environment ID, external service ID, and request name, and uses it to generate and send an HTTP request. While generating the request, PingOne scans the configuration for variable, secret, and input references and resolves them to concrete values. The HTTP request is then sent, and by default the response is mapped to { status: <status>, headers: <responseHeaders>, body: <responseBody> }.

How do I avoid duplicating configuration across multiple external service requests?

If you have requests that need the same information (like a URL or header value) you can use variables or secrets (or both). The difference between the two is that secrets are encrypted and managed through a separate endpoint for stricter administrative control.

How do I protect a sensitive value like an API key or secret?

Configure a secret for the external service and then reference it in your request configuration.

How do I configure authentication on an external service request?

For header-based authentication, set a header on the request and use a secret for its value.

How do I fix an error that I’m getting when trying to invoke an external service request?

You may be encountering one of the following error reasons:

  • SSL_HANDSHAKE_FAILED

    When sending the outbound HTTP request the SSL handshake failed. Please check your configuration.

  • NO_HTTP_RESPONSE

    We sent the outbound HTTP request but did not get an HTTP response from the server.

  • TIMEOUT

    We sent the outbound HTTP request but did not get an HTTP response in the time allowed. The timeout is 8 seconds.

  • TOO_MANY_INVOCATIONS

    We did not send the outbound HTTP request because a limit was reached. You are allowed 45 concurrent outbound HTTP requests per environment.

  • MALICIOUS_URL

    The URL targeted a host that we determine to be malicious.

  • INVOCATION_FAILED

    There was an error likely unrelated to your configuration or targeted service. If this error persists please contact support.

  • INVOCATION_ERROR

    We did not send the outbound HTTP request, most likely because of a problem with your configuration. The error may include further details about the cause.

Data models

See the following topics for data model property definitions:

Getting Started with External Services

The Getting Started topics show you how to create an external service with four requests:

  • one request that uses static values
  • one request that uses a variable
  • one request that uses a secret
  • one request that uses an input

After creating the external service configuration with these four requests successfully, additional topics show you how to invoke all four external service requests.

Click the Run in Postman button below to download a Postman collection that includes the requests described in this section.

Run in Postman


  • Create your first external service
  • Add your first request to the external service
  • Invoke your first request
  • Add a variable and use it in a request
  • Invoke your request that uses a variable
  • Add a secret and use it in a request
  • Add requests that use a variable and a secret
  • Invoke your request that uses a secret
  • Add invocation inputs in a request
  • Invoke your request that uses an input

External Services

The external services API provides endpoints to create, read, update, and delete external services resources.

External services data model
Property Description
authSchemes A list of authorization schemes that can be used by a request.
authSchemes.name A string that specifies the name of the authentication scheme. This property is set by the administrator and is unique for each external service. The maximum size is 256 characters. The string can contain unicode letters, combining marks, numeric characters, whitespace, and punctuation characters (regex: ^[\p{L}\p{M}\p{N}\p{Zs}\p{P}]+$). This is a required property.
authSchemes.type A string that specifies the type of authentication scheme. Options are API_KEY, BEARER, BASIC, and OAUTH_2. This is a required property.
authSchemes.type.{properties} The properties associated with the type of authentication scheme.
  • API_KEY: key (String): required
  • BEARER: token (String): required
  • BASIC:
    • username (String): required
    • password (String): required
  • OAUTH_2:
    • tokenEndpointAuthType (String): Required if type is OAUTH_2. Values can be client_secret_basic or client_secret_post
    • scope (List): optional
    • tokenEndpoint (String): required
    • clientId (String): required
    • clientSecret (String): required
description A string that specifies the description of the external service. The string can contain unicode letters, combining marks, numeric characters, whitespace, punctuation characters (regex: ^[\p{L}\p{M}\p{N}\p{Zs}\p{P}]+$).
id A string that specifies the resource’s unique identifier.
name A string that specifies the name of the external service. The maximum length for a name is 256 characters, and the name must be unique within the environment. The string can contain unicode letters, combining marks, numeric characters, whitespace, and punctuation characters (regex: ^[\p{L}\p{M}\p{N}\p{Zs}\p{P}]+$).
requests A list of requests associated with this external service.
secrets A list of encrypted secret names.
variables A map of variables that can be referenced by requests.
Requests schema data model
Property Description
description A string that specifies the description of the request. The string can contain unicode letters, combining marks, numeric characters, whitespace, punctuation characters (regex: ^[\p{L}\p{M}\p{N}\p{Zs}\p{P}]+$).
displayName A string that specifies the display name of the request. The display name defaults to the method name plus the URL. This value can be edited by the administrator. This property can be used in PingOne interface dropdown menus to select the request. It is comprised of unicode letters, combining marks, numeric characters, whitespace, punctuation characters (regex: ^[\p{L}\p{M}\p{N}\p{Zs}\p{P}]+$).
inputs A list that specifies auto-generated input references in the request configuration.
name A string that specifies the name of the request. A request is executed by its name, which must be unique per external service. Names are comprised of alphanumeric letters, underscore, hyphen, and period (regex: ^[a-zA-Z0-9_. -]+$). Maximum length of 256 characters. This is a required property.
request An object that defines the request properties. This is a required property.
request.authScheme A string that specifies the name of the configured external service auth scheme to use for the request. Options are API_KEY, BEARER, BASIC, and OAUTH_2.
request.method A string that specifies the HTTP method. This is a required property.
request.url A string (in PingOne's expression language) that specifies the request URL. This is a required property.
request.headers A map of strings that specifies the HTTP request headers to send on invocations of the request. The map of header names to values (in PingOne's expression language).
request.body An object that specifies the request body type.
request.body.type An enumeration that specifies the request Content-Type. Options are JSON. This is a required property.
request.body.template A string (in PingOne's expression language) that specifies the request body template, which is of any JSON type. This is a required property.
request.inputSchema A string that specifies the input schema for any inputs that are referenced in any parts of the request. This is a required property if input is configured.
response An object that defines the response properties.
response.output A string (in PingOne's expression language) that is used to generate the response of a request invocation. If this property is not configured, the default value is the following expression (in PingOne's expression language): "{\"status\": + response.status, \"headers\": + response.headers, \"body\": + response.body}".
response.outputSchema A string that specifies the output schema for any output properties that are returned by the request. This is a required property if output is configured.
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

You need the Environment Admin role to perform operations on external services resources.


  • CREATE External Service
  • READ External Services
  • READ One External Service
  • UPDATE External Service
  • DELETE External Service

External Services Secrets

The external services secrets endpoint provides operations to read and update the external service secret. The name property of the external service secret must be unique within the environment. A secret resource is a name-value pair configured by the administrator and applicable to the entire external service. Secret values are encrypted and can be referenced in the external service configuration.

External services secrets data model
Property Description
name A string that specifies the name of the external service secret. This property is set by the administrator and is unique for each external service. This is a required property.
value A string that specifies the value of the external service secret. This is a required property.
Response codes
Code Message
200 Successful operation.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

  • READ External Service Secrets
  • UPDATE External Service Secrets

External Services Requests

The external services requests endpoint provides operations to invoke the external service request. The inputs property specifies the inputs required by the request. The request can have several inputs, specified in the following format in the request body:

{
    "inputs": {
        "input1": "input1Value",
        "input2": {
            "aProperty": "aValue"
        },
        "input3": [ { "aProperty": "aValue" } ]
    }
}
External services invocation request data model
Property Description
inputs A JSON map that specifies the input properties required by the request. All input properties needed by the request must be defined in the input JSON. Otherwise, the request will fail. This is a required property if the request requires input properties. If the request does not require any input, this property can be omitted.
External services invocation response data model
Property Description
outputs A JSON map that holds the result of the invocation: the external service's HTTP response, mapped through the request's response output configuration. The value can be any JSON type, depending on that configuration. This is a required property.
Response codes
Code Message
200 Successful operation.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Invoke External Service Request
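As an added illustration (not PingOne code) of the invocation sequence described in the "What happens when I invoke an external service request?" FAQ and of the inputs map in the invocation request data model above, the following Python models how a stored request configuration becomes a concrete HTTP request: input, variable, and secret references are resolved in a single pass, a missing input or an unconfigured secret fails the invocation, and the response is mapped to the default { status, headers, body } shape. The SERVICE configuration, the secret value, and the simplified inputs.x / variables.x / secrets.x reference syntax (a stand-in for the SpEL-based expression language) are all constructed for this example.

```python
import json
import re

# Reduced stand-in for the SpEL-based expression language (an assumption of this
# example): a reference is a bare inputs.<name>, variables.<name> or secrets.<name>
# token inside a configuration string.
REF = re.compile(r"\b(inputs|variables|secrets)\.([A-Za-z0-9_]+)\b")


class InvocationError(Exception):
    """The request was not sent because of a configuration problem (cf. INVOCATION_ERROR)."""


def references(request_cfg: dict, scope: str) -> set:
    """Names referenced as <scope>.<name> anywhere in the request configuration."""
    return {name for s, name in REF.findall(json.dumps(request_cfg)) if s == scope}


def required_inputs(request_cfg: dict) -> set:
    """Every input the configuration references; all of them must be supplied."""
    return references(request_cfg, "inputs")


def resolve(template: str, scopes: dict) -> str:
    """Replace each reference with its concrete value in one pass.

    Substituted values are never re-scanned, so an input whose value contains the
    text "secrets.apiKey" is inserted literally instead of leaking the secret.
    Non-string values are inserted as JSON, which suits a JSON body template.
    """
    def substitute(match):
        scope, name = match.group(1), match.group(2)
        if name not in scopes[scope]:
            raise InvocationError(f"unresolved reference {scope}.{name}")
        value = scopes[scope][name]
        return value if isinstance(value, str) else json.dumps(value)
    return REF.sub(substitute, template)


def build_request(service: dict, request_name: str, inputs: dict, secret_values: dict) -> dict:
    """Turn a stored configuration plus invocation inputs into a concrete HTTP request.

    secret_values stands in for the encrypted values held behind the secrets
    endpoint; the service configuration itself only lists secret names.
    """
    matches = [r for r in service["requests"] if r["name"] == request_name]
    if not matches:
        raise InvocationError(f"no request named {request_name!r}")
    cfg = matches[0]["request"]
    missing = required_inputs(cfg) - set(inputs)
    if missing:
        raise InvocationError(f"missing inputs: {sorted(missing)}")
    unknown = references(cfg, "secrets") - set(service.get("secrets", []))
    if unknown:
        raise InvocationError(f"secrets not configured on the service: {sorted(unknown)}")
    scopes = {"inputs": inputs, "variables": service.get("variables", {}), "secrets": secret_values}
    built = {
        "method": cfg["method"],
        "url": resolve(cfg["url"], scopes),
        "headers": {k: resolve(v, scopes) for k, v in cfg.get("headers", {}).items()},
    }
    body = cfg.get("body")
    if body is not None:
        if body.get("type") != "JSON":
            raise InvocationError("only the JSON body type is documented")
        built["body"] = json.loads(resolve(body["template"], scopes))  # template must stay valid JSON
    return built


def map_response(status: int, headers: dict, body) -> dict:
    """Default output when response.output is not configured on the request."""
    return {"status": status, "headers": headers, "body": body}


def redact(built: dict, secret_values: dict) -> dict:
    """Copy of a built request that is safe to log: secret values are masked."""
    text = json.dumps(built)
    for value in secret_values.values():
        text = text.replace(json.dumps(value)[1:-1], "***")
    return json.loads(text)


SERVICE = {  # constructed sample, shaped like the external services data model
    "name": "weather-proxy",
    "variables": {"baseUrl": "https://api.example.test"},
    "secrets": ["apiKey"],  # names only; the values live behind the secrets endpoint
    "requests": [{
        "name": "get-forecast",
        "request": {
            "method": "POST",
            "url": "variables.baseUrl/forecast?city=inputs.city",
            "headers": {"X-Api-Key": "secrets.apiKey", "Content-Type": "application/json"},
            "body": {"type": "JSON", "template": '{"units": "inputs.units", "days": 3}'},
        },
    }],
}
SECRET_VALUES = {"apiKey": "constructed-secret-value"}  # constructed; never stored in SERVICE

if __name__ == "__main__":
    request = build_request(SERVICE, "get-forecast", {"city": "Oslo", "units": "metric"}, SECRET_VALUES)
    print(json.dumps(redact(request, SECRET_VALUES), indent=2))
    print(map_response(200, {"content-type": "application/json"}, {"tempC": 7}))
```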

Flow Definitions

Flow definitions define a series of steps that designate the actions of a workflow. The flow execution endpoint references a flow definition resource that specifies an initial step and all additional steps required to complete the flow execution. For more information about flow executions, see Flow Executions.

Flow definitions include step definitions that define an operational step to perform a specific work action, which generates output that is processed by the flow. A flow step can also designate flow-control actions that branch or end the flow. For more information, see Flow Definition Steps.

The flow definitions API provides operations to create, read, update, and delete flow definitions. It also provides endpoints to get and enhance flow definition step schema metadata. For information about flow definition step schema metadata, see Flow Definition Steps.

Flow definitions data model
Property Description
description A string that specifies the description of the flow definition.
enabled A boolean that specifies whether the flow is enabled. Disabled flows cannot be executed. This is a required property.
environment.id A string that specifies the environment ID associated with this flow definition resource.
id A string that specifies the resource’s unique identifier.
name A string that specifies the flow definition name, which must be provided and must be unique within an environment.
trigger A predefined trigger that can initiate the flow definition execution. The trigger marks the step definition from which the flow starts.
trigger.configuration An object that specifies the trigger configuration data.
trigger.inputs An object that specifies the trigger-specific inputs.
trigger.next A string that specifies the first step definition to execute.
trigger.type A string that specifies the type of trigger. Options are EXPERIENCE and SIGN_ON_POLICY. For more information about trigger types, see READ Trigger Type Metadata.
stepDefinitions A map that specifies the step definitions available in the flow definition, differentiated by a human-readable identifier as the key. The key must be a string with unicode letters, numeric characters, underscore, and dash: ^[\p{L}\p{N}_-]+$. This key is used in variable paths to reference outputs from the step at runtime (for example, ${steps.login.outputs.something}).
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

  • CREATE Flow Definition Basic (EXPERIENCE trigger)
  • CREATE Flow Definition Basic (SIGN_ON_POLICY trigger)
  • CREATE Agreement Consent Flow Definition (EXPERIENCE trigger)
  • CREATE Agreement Consent Flow Definition (SIGN_ON_POLICY trigger)
  • CREATE Agreement Consent Flow Definition (SIGN_ON_POLICY trigger) Copy
  • CREATE Agreement Reconsent Flow Definition (EXPERIENCE trigger)
  • CREATE Agreement Reconsent Flow Definition (EXPERIENCE trigger) Copy
  • CREATE Agreement Reconsent Flow Definition (SIGN_ON_POLICY trigger)
  • CREATE Agreement Reconsent Flow Definition (SIGN_ON_POLICY trigger) Copy
  • CREATE Registration Flow Definition (Experience)
  • CREATE Registration Flow Definition (Sign-on Policy)
  • CREATE Registration with Consent Flow Definition (Sign-on Policy)
  • CREATE MFA Enrollment (EXPERIENCE trigger)
  • CREATE MFA Enrollment (SIGN_ON_POLICY trigger)
  • CREATE MFA Challenge (EXPERIENCE trigger)
  • CREATE MFA Challenge (SIGN_ON_POLICY trigger)
  • CREATE Sign On (EXPERIENCE trigger)
  • CREATE Sign On (SIGN_ON_POLICY trigger)
  • CREATE Identity Provider Sign On (SIGN_ON_POLICY trigger)
  • CREATE Password Recovery (EXPERIENCE trigger)
  • CREATE Password Recovery (SIGN_ON_POLICY trigger)
  • READ Flow Definitions
  • READ One Flow Definition
  • UPDATE Flow Definition
  • DELETE Flow Definition
  • READ Step Type Metadata
  • READ Trigger Type Metadata
  • Enrich Step Type Metadata

Flow Definition Steps

Flow definition steps specify the actions of a workflow. The step definition performs a specific operation, which generates output that is processed by the flow. A flow step can also designate flow-control actions that branch or end the flow.

Step definitions data model
Property Description
configuration An object that specifies the step type specific configuration properties as described and validated by the step type metadata.
description A string that specifies the description for this step, as defined by the administrator.
displayName A string that specifies the display name for this step.
iconURL A string that specifies the icon for this step type as defined in the step type metadata.
input An object that specifies the step type specific input properties as described by the step type metadata. Any placeholders are resolved at execution time.
outlets An object that specifies the set of results a step definition can produce.
outlets.result An object that specifies the result to handle. Valid results for the specified step type are defined in the step type metadata. An outlet for the ERROR result may be used with any step definition to handle errors from the step. If an outlet for the ERROR result is not defined, errors from the step result in a failed flow.
outlets.result.displayName A string that specifies the display name for this result as defined in the step type metadata.
outlets.result.description A string that specifies the description for this result as defined in the step type metadata.
outlets.result.next A string that specifies the next step definition key in the sequence. This value must point to an existing step definition instance.
type A string that specifies the step definition type. There are several step definition type options. The supported step definition types are best viewed by running the /flowMetadata/stepTypes endpoint. For more information, see READ Step Type Metadata.
Step type metadata data model
Property Description
configurationSchema A JSON schema object that defines the structure of the configuration properties expected for a specific step type. A submitted step definition's configuration is validated against this schema. For more information about the JSON Schema specification, see JSON Schema.
configurationUiSchema A JSON schema object that defines the user interface representation of the step configuration.
description A string that specifies the description of the step type.
displayName A string that specifies the display name for this step.
iconUrl A string that specifies the URL for the step icon in the user interface.
inputSchema A JSON schema object that defines the input structure of step definition configuration properties that are expected for a specific type. For more information about the JSON Schema specification, see JSON Schema.
resultMetadata An object that lists all the expected results of a step.
resultMetadata.description A string that specifies the description represented in the user interface.
resultMetadata.displayName A string that specifies the display name represented in the user interface.
resultMetadata.outputSchema A JSON schema object that specifies the expected structure of the response that the result can provide.
resultMetadata.typeName A string that specifies the step definition type name. The name cannot be ERROR because this is a reserved type name. For more information about step definition type options, see READ Step Type Metadata.
version A string that specifies the step type version.
Step type metadata enrichment data model
Property Description
configuration An object that specifies a step definition configuration that can be used as part of the enrichment process. This value should match the configurationSchema of the stepType for which the request is submitted.
trigger An object that specifies a source trigger under which the steps should be enriched. This is a required property.
trigger.configuration An object that specifies optional trigger specific properties.
trigger.type A string that specifies a unique trigger type. This is a required property.
Flow and step definition context placeholders
Parameter Description
${flow.*} The current flow execution state. For example, ${flow.inputs.parameters.applicationId}.
${steps.stepName.outputs.*} The current step execution state, where stepName designates the name of the step. For example, ${steps.registrationForm.outputs.formData.user}.
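Added example, not part of PingOne or this reference: a Python validator that applies the structural rules from the flow definitions, step definitions and placeholder tables above to a flow definition before it is submitted. It checks that step keys match the documented key pattern, that trigger.next and every outlet's next name an existing step, that a ${steps.<key>.outputs.*} placeholder only references a step that can have run first, that every step is reachable from the trigger, and it reports steps without an ERROR outlet, since an error in such a step fails the whole flow. The outlets map being keyed by result name, and both sample flows, are assumptions constructed for the example.

```python
import re
from collections import deque

# Python's re has no \p{} classes; \w (Unicode letters, digits, underscore) plus "-"
# approximates the documented step key pattern ^[\p{L}\p{N}_-]+$.
STEP_KEY = re.compile(r"^[\w-]+$")
PLACEHOLDER = re.compile(r"\$\{(flow|steps)\.([^}]+)\}")


def placeholders(value):
    """Yield (scope, path) for every ${flow.*} or ${steps.*} placeholder in a nested value."""
    if isinstance(value, str):
        for m in PLACEHOLDER.finditer(value):
            yield m.group(1), m.group(2)
    elif isinstance(value, dict):
        for v in value.values():
            yield from placeholders(v)
    elif isinstance(value, list):
        for v in value:
            yield from placeholders(v)


def reachable_from(steps: dict, start: str) -> set:
    """Step keys reachable from start (inclusive) by following outlet next links."""
    seen, queue = set(), deque([start])
    while queue:
        key = queue.popleft()
        if key in seen or key not in steps:
            continue
        seen.add(key)
        for outlet in steps[key].get("outlets", {}).values():
            queue.append(outlet.get("next"))
    return seen


def validate_flow(flow: dict) -> list:
    """Return the problems found; an empty list means every check passed."""
    problems = []
    steps = flow.get("stepDefinitions", {})
    start = flow.get("trigger", {}).get("next")
    if start not in steps:
        problems.append("trigger.next %r is not a step definition key" % start)
    for key, step in steps.items():
        if not STEP_KEY.match(key):
            problems.append("step key %r does not match the documented key pattern" % key)
        for result, outlet in step.get("outlets", {}).items():
            nxt = outlet.get("next")
            if nxt not in steps:
                problems.append("step %r outlet %s: next %r is not a step definition key" % (key, result, nxt))
        # ${steps.X.outputs.*} can only resolve at runtime if X can have run before this step.
        for scope, path in placeholders({"input": step.get("input"), "configuration": step.get("configuration")}):
            if scope != "steps":
                continue
            ref = path.split(".")[0]
            if ref not in steps:
                problems.append("step %r references unknown step %r" % (key, ref))
            elif ref == key or key not in reachable_from(steps, ref):
                problems.append("step %r references %r, which never runs before it" % (key, ref))
    if start in steps:
        for key in sorted(set(steps) - reachable_from(steps, start)):
            problems.append("step %r is unreachable from trigger.next" % key)
    return problems


def steps_without_error_outlet(flow: dict) -> list:
    """Steps whose errors fail the whole flow because no ERROR outlet is defined."""
    return sorted(k for k, s in flow.get("stepDefinitions", {}).items()
                  if "ERROR" not in s.get("outlets", {}))


GOOD_FLOW = {  # constructed sample shaped like the flow definitions data model
    "name": "risk-gated-sign-on", "enabled": True,
    "trigger": {"type": "EXPERIENCE", "next": "riskLookup"},
    "stepDefinitions": {
        "riskLookup": {
            "type": "API_REQUEST", "configuration": {"method": "GET"},
            "input": {"url": "https://risk.example.test/score?app=${flow.inputs.parameters.applicationId}"},
            "outlets": {"SUCCEEDED": {"next": "decide"}, "ERROR": {"next": "finish"}},
        },
        "decide": {  # condition shape is illustrative only; see Sign-On Policy Actions
            "type": "BRANCH",
            "configuration": {"conditions": [{"condition": {"equals": ["${steps.riskLookup.outputs.body.level}", "LOW"]},
                                              "result": "lowRisk"}]},
            "outlets": {"lowRisk": {"next": "finish"}, "NO_MATCH": {"next": "finish"}},
        },
        "finish": {"type": "COMPLETE_FLOW",
                   "input": {"riskLevel": "${steps.riskLookup.outputs.body.level}"}, "outlets": {}},
    },
}
BAD_FLOW = {  # constructed: a dangling outlet plus a misnamed, unreachable, mis-referencing step
    "trigger": {"type": "SIGN_ON_POLICY", "next": "riskLookup"},
    "stepDefinitions": {
        "riskLookup": {"type": "API_REQUEST", "input": {"url": "https://risk.example.test/score"},
                       "outlets": {"SUCCEEDED": {"next": "finish"}, "ERROR": {"next": "nowhere"}}},
        "finish": {"type": "COMPLETE_FLOW", "input": {"score": "${steps.audit.outputs.score}"}, "outlets": {}},
        "audit log": {"type": "API_REQUEST", "input": {"body": "${steps.finish.outputs.result}"}, "outlets": {}},
    },
}

if __name__ == "__main__":
    for name, flow in ("GOOD_FLOW", GOOD_FLOW), ("BAD_FLOW", BAD_FLOW):
        print(name, validate_flow(flow) or "ok", "| no ERROR outlet:", steps_without_error_outlet(flow))
```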

Flow definition step types

The following section documents the supported flow definition step types and the request schema, response schema, the supported results, and the custom content type (if applicable) associated with any step type actions.

For more information about flow definitions and step types, see Flow Definitions.

Agreement Reconsent Form

This step type specifies a request for consent from the user to update the user's consent to an agreement. This step presents a form to the end user to prompt for renewed consent to an agreement. Submitting the form initiates a user.consent action to accept or deny consent to the agreement.

Step properties used with flow definitions
Configuration schema property Description
agreement.id A string that specifies the agreement ID for the agreement that requires user consent.
Input property Description
user.id A string that specifies the user ID associated with the saved consent.
user.preferredLanguage A string that specifies the user's preferred language.

The following properties are returned for the SAVED result.

Output property Description
agreementConsent.status A string that specifies the current status of user's consent in relation to this agreement.
agreementConsent.id A string that specifies the agreement consent ID associated with this agreement.
agreementConsent.agreement.id A string that specifies the agreement ID associated with this agreement consent.
agreementConsent.language.id A string that specifies the language ID associated with the agreement to which the user has given consent.
agreementConsent.revision.id A string that specifies the revision ID associated with the agreement to which the user has given consent.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
user.consent The link to initiate the consent action. The action must provide a value for the accept property and specify application/vnd.pingidentity.user.consent+json as the custom content type in the request.
Parameters Description
accept A boolean that specifies whether the user accepts the agreement.

API Request

This step type makes an API request to a third-party service.

Step properties used with flow definitions
Configuration schema property Description
method A string that specifies the request method type. Options are GET, POST, PUT, PATCH, and DELETE.
Input property Description
url A string that specifies the request URL.
query An object that specifies the query parameters to include on the request.
headers An object that specifies the HTTP headers to include on the request.
body A string that specifies the body of the request.

The following properties are returned for the SUCCEEDED result.

Output property Description
agreementConsent.status A string that specifies the current status of user's consent in relation to this agreement.
agreementConsent.id A string that specifies the agreement consent ID associated with this agreement.
agreementConsent.agreement.id A string that specifies the agreement ID associated with this agreement consent.
agreementConsent.language.id A string that specifies the language ID associated with the agreement to which the user has given consent.
agreementConsent.revision.id A string that specifies the revision ID associated with the agreement to which the user has given consent.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the API_REQUEST step type.
Parameters Description
There are no flow action parameters associated with the API_REQUEST step type.

Branch

This step type branches the flow based on one or more conditions. The step returns a NO_MATCH result if no condition is met. For information about the common policy language used to specify conditions, see Sign-On Policy Actions.

Step properties used with flow definitions
Configuration schema property Description
conditions An array of conditions to be evaluated.
conditions.condition An object that is defined using the common policy language to define a flow condition to match.
conditions.result A string that specifies the result when this specific flow condition is matched.
conditions.displayName A string that specifies the display name for the result.
Input property Description
There are no input properties for the BRANCH step type.

The following properties are returned for the NO_MATCH result.

Output property Description
There are no output properties for the BRANCH step type.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the BRANCH step type.
Parameters Description
There are no flow action parameters associated with the BRANCH step type.

Complete Flow

This step type completes the flow and returns a result.

Step properties used with flow definitions
Configuration schema property Description
result An object that specifies the result needed to complete the flow. Results are defined by the trigger type used by this flow, and the allowed values are generated dynamically at configuration time.
Input property Description
{{someProperty}} An object that specifies the flow output. Properties are derived dynamically based on the configured result.
Output property Description
There are no output properties for the COMPLETE_FLOW step type.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the COMPLETE_FLOW step type.
Parameters Description
There are no flow action parameters associated with the COMPLETE_FLOW step type.

Create Risk Evaluation

This step type creates a risk evaluation in PingOne.

Step properties used with flow definitions
Configuration schema property Description
riskPolicySet.id A string that specifies the risk policy set to use for risk evaluation.
useDefaultPolicy A boolean that specifies whether to use the environment's default policy set for the risk evaluation. If this property is set to false, a risk policy set ID must be specified in the riskPolicySet.id property.
profileDevice A boolean that specifies whether the device will be profiled during the step execution. If the value of this property is set to true, the step prompts for a device profile action.
Input property Description
riskEvaluation.event.targetResource.id A string that specifies the ID of the target application, which is the application the user attempts to access.
riskEvaluation.event.targetResource.name A string that specifies the name of the target application, which is the application the user attempts to access. The riskEvaluation.event.targetResource is an optional property, but if the riskEvaluation.event.targetResource.name property is specified, then the riskEvaluation.event.targetResource.id property must also be specified.
riskEvaluation.event.ip A string that specifies the origin IP address. This is a required property.
riskEvaluation.event.flow.type A string that specifies the flow type. The default value is AUTHENTICATION.
riskEvaluation.event.user.name A string that specifies the name of the user associated with the risk evaluation.
riskEvaluation.event.user.type A string that specifies the type of user associated with the risk evaluation. Options are EXTERNAL and PING_ONE. This is a required property.
riskEvaluation.event.user.id A string that specifies the ID of the user associated with the risk evaluation. This is a required property. If the user type is PING_ONE, the user name is filled in automatically from the user ID, and the step produces an error if no such user exists in PingOne. If the user type is EXTERNAL, supply the user name so that it is displayed in the dashboards; if it is omitted, the user ID is shown instead.
riskEvaluation.event.sharingType A string that specifies associated device sharing type. Options are UNSPECIFIED, SHARED, and PRIVATE.
riskEvaluation.event.browser.userAgent A string that specifies the user agent of the browser that triggered the flow. The placeholder, ${flow.inputs.headers.user-agent}, is recommended for browser-based flows.
riskEvaluation.event.origin A string that specifies the calling service.

The step returns the risk level of the transaction, evaluated as HIGH, MEDIUM, or LOW. The following properties are returned regardless of the risk level.

Output property Description
riskEvaluation.id A string that specifies the ID of risk evaluation.
riskEvaluation.riskPolicySet.id A string that specifies the ID of risk policy set used for risk evaluation.
riskEvaluation.riskPolicySet.name A string that specifies the name of risk policy set used for risk evaluation.
riskEvaluation.result.value A string that specifies the risk result custom value.
riskEvaluation.details.ipAddressReputation An object that specifies the risk associated with IP address reputation.
riskEvaluation.details.ipAddressReputation.score An integer that specifies the risk associated with IP address reputation, expressed as a number between 0 and 100.
riskEvaluation.details.ipAddressReputation.level A string that specifies the risk level associated with IP address reputation. Options are HIGH, MEDIUM, or LOW.
riskEvaluation.details.anonymousNetworkDetected A boolean that specifies whether the IP is associated with an anonymous network.
riskEvaluation.details.country A string that specifies the country where the flow originated, according to the IP address.
riskEvaluation.details.impossibleTravel A boolean that specifies whether the speed required to travel from the location of the user's previous successful authentication to the current inferred location is implausibly high.

The following properties are returned in the risk evaluation only for environments with data consent enabled.

Output property Description
riskEvaluation.details.ipVelocityByUser.level A string that specifies the risk associated with IP velocity by user. Options are HIGH, MEDIUM, or LOW.
riskEvaluation.details.ipVelocityByUser.reason A string that specifies the reason for the risk associated with IP velocity by user.
riskEvaluation.details.ipVelocityByUser.threshold An object that provides information about the threshold used to determine the IP velocity level.
riskEvaluation.details.ipVelocityByUser.threshold.source A string that specifies the source used to calculate the threshold.
riskEvaluation.details.ipVelocityByUser.threshold.high A number that specifies the HIGH threshold. If the user accessed more than this number of distinct IP addresses during the past hour, the user is flagged as having HIGH IP velocity.
riskEvaluation.details.ipVelocityByUser.threshold.medium A number that specifies the MEDIUM threshold. If the user accessed more than this number of distinct IP addresses during the past hour (but not more than the HIGH threshold), the user is flagged as having MEDIUM IP velocity.
riskEvaluation.details.ipVelocityByUser.threshold.calculatedAt A string that specifies date and time at which the threshold was calculated.
riskEvaluation.details.ipVelocityByUser.threshold.expiresAt A string that specifies date and time at which the threshold will expire and be re-calculated.
riskEvaluation.details.ipVelocityByUser.velocity.distinctCount An integer that specifies the number of distinct IP addresses the user accessed within the window of during seconds.
riskEvaluation.details.ipVelocityByUser.velocity.during An integer that specifies the number of seconds to use in determining the distinctCount value.
riskEvaluation.details.userVelocityByIp.level A string that specifies the risk associated with user velocity by IP. Options are HIGH, MEDIUM, or LOW.
riskEvaluation.details.userVelocityByIp.reason A string that specifies the reason for the risk associated with user velocity by IP.
riskEvaluation.details.userVelocityByIp.threshold An object that provides information about the threshold used to determine the user velocity level.
riskEvaluation.details.userVelocityByIp.threshold.high A number that specifies the HIGH threshold. If more than this number of distinct users accessed the IP address during the past hour, the IP address is flagged as having HIGH user velocity.
riskEvaluation.details.userVelocityByIp.threshold.medium A number that specifies the MEDIUM threshold. If more than this number of distinct users accessed the IP address during the past hour (but not more than the HIGH threshold), the IP address is flagged as having MEDIUM user velocity.
riskEvaluation.details.userVelocityByIp.threshold.calculatedAt A string that specifies date and time at which the threshold was calculated.
riskEvaluation.details.userVelocityByIp.threshold.expiresAt A string that specifies date and time at which the threshold will expire and be re-calculated.
riskEvaluation.details.userVelocityByIp.velocity.distinctCount An integer that specifies the number of distinct users that accessed the IP address within the window of during seconds.
riskEvaluation.details.userVelocityByIp.velocity.during An integer that specifies the number of seconds to use in determining the distinctCount value.
riskEvaluation.details.userRiskBehavior.level A string that specifies the risk associated with user risk behavior. Options are HIGH, MEDIUM, or LOW.
riskEvaluation.details.userRiskBehavior.reason A string that specifies the reason for the risk associated with user risk behavior.
riskEvaluation.details.userBasedRiskBehavior.level A string that specifies the risk associated with user-based risk behavior. Options are HIGH, MEDIUM, or LOW.
riskEvaluation.details.userBasedRiskBehavior.reason A string that specifies the reason for the risk associated with user-based risk behavior.
Step properties used with flow executions
Flow state Description
PROFILE_DEVICE A flow status that prompts for a device profile action. The action is initiated only if the value of the profileDevice configuration property is set to true.
Links Description
profile.device The link to initiate an action to set the device profile. The action must provide a value for the browserFingerprint property and specify application/vnd.pingidentity.device.profile+json as the custom content type.
Parameters Description
browserFingerprint An object that specifies the browser fingerprint attributes.
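
The following Python helper is an added example, not PingOne code or part of any PingOne SDK. It shows how a client can enforce the input constraints listed above before the step runs (required ip, user.type and user.id; targetResource.name only together with targetResource.id), re-derive the documented IP and user velocity levels from the threshold and velocity sub-objects, and turn the step output into an access decision. The decision policy, the API-style identifiers and the sample output are constructed for illustration; PingOne's own policy sets determine the real result value.

```python
"""Checks around the Create Risk Evaluation step, as an added example (not
PingOne code): the input constraints from the table above, the velocity
threshold semantics, and an illustrative decision over the step output."""
from copy import deepcopy
from typing import Any

USER_TYPES = {"EXTERNAL", "PING_ONE"}
SHARING_TYPES = {"UNSPECIFIED", "SHARED", "PRIVATE"}
# detail objects in the output that carry a HIGH/MEDIUM/LOW level
DETAIL_LEVEL_KEYS = ("ipAddressReputation", "ipVelocityByUser", "userVelocityByIp",
                     "userRiskBehavior", "userBasedRiskBehavior")


def check_risk_inputs(inputs: dict[str, Any]) -> list[str]:
    """Return every documented constraint that the riskEvaluation.event.* inputs violate."""
    event = inputs.get("riskEvaluation", {}).get("event", {})
    problems: list[str] = []
    if not event.get("ip"):
        problems.append("riskEvaluation.event.ip is required")
    user = event.get("user", {})
    if user.get("type") not in USER_TYPES:
        problems.append("riskEvaluation.event.user.type must be EXTERNAL or PING_ONE")
    if not user.get("id"):
        problems.append("riskEvaluation.event.user.id is required")
    target = event.get("targetResource") or {}
    if target.get("name") and not target.get("id"):
        problems.append("riskEvaluation.event.targetResource.id is required when .name is set")
    if "sharingType" in event and event["sharingType"] not in SHARING_TYPES:
        problems.append("riskEvaluation.event.sharingType must be UNSPECIFIED, SHARED or PRIVATE")
    return problems


def normalize_risk_inputs(inputs: dict[str, Any]) -> dict[str, Any]:
    """Apply the documented default flow.type = AUTHENTICATION on a copy of the inputs."""
    out = deepcopy(inputs)
    event = out.setdefault("riskEvaluation", {}).setdefault("event", {})
    event.setdefault("flow", {}).setdefault("type", "AUTHENTICATION")
    return out


def velocity_level(block: dict[str, Any]) -> str:
    """Re-derive the level of an ipVelocityByUser or userVelocityByIp block:
    more than threshold.high distinct IPs (or users) in the window is HIGH,
    more than threshold.medium is MEDIUM, otherwise LOW."""
    count = block["velocity"]["distinctCount"]
    thr = block["threshold"]
    if count > thr["high"]:
        return "HIGH"
    if count > thr["medium"]:
        return "MEDIUM"
    return "LOW"


def decide(output: dict[str, Any]) -> str:
    """Illustrative policy over the step output (an assumption, not a PingOne rule):
    HIGH anywhere or impossible travel -> DENY; all LOW and no anonymous network
    -> ALLOW; anything else, including an unrecognised custom result value,
    -> STEP_UP so the flow fails closed into MFA."""
    risk = output.get("riskEvaluation", {})
    value = str(risk.get("result", {}).get("value", "")).upper()
    details = risk.get("details", {})
    levels = {details.get(k, {}).get("level") for k in DETAIL_LEVEL_KEYS} - {None}
    if value == "HIGH" or "HIGH" in levels or details.get("impossibleTravel"):
        return "DENY"
    if value == "LOW" and levels <= {"LOW"} and not details.get("anonymousNetworkDetected"):
        return "ALLOW"
    return "STEP_UP"


# Constructed sample output in the shape of the output tables above (not real data).
SAMPLE_OUTPUT = {
    "riskEvaluation": {
        "id": "00000000-0000-4000-8000-000000000001",
        "riskPolicySet": {"id": "00000000-0000-4000-8000-000000000002", "name": "Default"},
        "result": {"value": "LOW"},
        "details": {
            "ipAddressReputation": {"score": 12, "level": "LOW"},
            "anonymousNetworkDetected": False,
            "country": "US",
            "impossibleTravel": False,
            "ipVelocityByUser": {
                "level": "MEDIUM",
                "threshold": {"high": 10, "medium": 5},
                "velocity": {"distinctCount": 7, "during": 3600},
            },
        },
    }
}

if __name__ == "__main__":
    print(check_risk_inputs({}))
    print(velocity_level(SAMPLE_OUTPUT["riskEvaluation"]["details"]["ipVelocityByUser"]))
    print(decide(SAMPLE_OUTPUT))
```

Note that decide treats an unknown result value as a reason to step up rather than to allow: a policy set can return any custom string, so a client that compares only against "LOW" and lets everything else through is fail-open.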

Create User

This step type creates a new user in PingOne.

Step properties used with flow definitions
Configuration schema property Description
population.id A string that specifies the population ID to associate with the new user. This is a required property.
lifecycle.status A string that specifies the account lifecycle status of the newly created user. Options are ACCOUNT_OK and VERIFICATION_REQUIRED. When this step is used together with the VERIFY_ACCOUNT step, the status is typically set to VERIFICATION_REQUIRED; creating the user in this status does not itself send a verification code.
Input property Description
user An object that specifies the user to create. The new user's properties are derived dynamically from the non-read-only attributes of the environment's schema at configuration time.

The following properties are returned for the SUCCEEDED result.

Output property Description
{{userProperties}} An object that specifies the flow output. Properties are dynamically derived from the environment's schema at configuration time.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the CREATE_USER step type.
Parameters Description
There are no flow action parameters associated with the CREATE_USER step type.

Form

This step type prompts the end user to submit a custom form. In addition to the SUBMITTED result, the step can return additional results, one for each button on the form.

Step properties used with flow definitions
Configuration schema property Description
form.id A string that specifies the form ID for the form to submit to the form manager service. This is a required property.
Input property Description
formData An object that specifies the context data used to render the form and pre-fill fields. Properties are derived from the selected form and retrieved from the form manager service at configuration time.

The following properties are returned for the SUBMITTED result.

Output property Description
form.id A string that specifies the form ID.
form.name A string that specifies the form name.
formData An object that encapsulates the submitted form data. Properties are derived from the selected form and retrieved from the form manager service at configuration time.
Step properties used with flow executions
Flow state Description
FORM_REQUIRED A flow status that requires the user to submit a form.
Flow state response schema property Description
form.id A string that specifies the ID of the form.
{{formDataProperties}} The properties required by the form.
Links Description
form.submit The link to initiate the form submit action. The action must specify application/vnd.pingidentity.form.submit+json as the custom content type.
Parameters Description
{{formDataProperties}} The properties required by the form.
Links Description
form.action The link to specify the form action. The action must specify application/vnd.pingidentity.form.action+json as the custom content type.
Parameters Description
key The key of the form field that was clicked.

Identity Provider

This step type delegates user authentication to an external identity provider.

Step properties used with flow definitions
Configuration schema property Description
There are no configuration schema properties for the IDENTITY_PROVIDER_AUTHENTICATION step type.
Input property Description
identityProvider.id A string that specifies the external identity provider's ID. This is a required property.
identityProvider.loginHint A string that specifies the login identifier to the identity provider.
identityProvider.acrValues An array that designates the names of the authentication policies applicable to the authorization request.

The following properties are returned for the ACCOUNT_LINKED result.

Output property Description
externalAuthentication.id A string that specifies the ID for the external authentication transaction. This is a required property.
externalAuthentication.externalId A string that specifies the unique identifier for the user returned by the external identity provider. This is a required property.
externalAuthentication.identityProvider.id A string that specifies the ID for the external identity provider. This is a required property.
externalAuthentication.attributes An object that specifies the mapped attributes returned by the external identity provider.
linkedUser An object that specifies the user linked to the external account from the external identity provider. Properties are dynamically derived from the environment's schema at configuration time. This is a required property.

The following properties are returned for the ACCOUNT_LINKING_REQUIRED result.

Output property Description
externalAuthentication.id A string that specifies the ID for the external authentication transaction. This is a required property.
externalAuthentication.externalId A string that specifies the unique identifier for the user returned by the external identity provider. This is a required property.
externalAuthentication.identityProvider.id A string that specifies the ID for the external identity provider. This is a required property.
externalAuthentication.attributes An object that specifies the mapped attributes returned by the external identity provider.
mappedUser An object that specifies the user with mapped attribute values that can be used to pre-fill an external identity provider registration form. This is a required property.
matchingUsers An object that specifies the list of existing users that may be candidates for linking to the external account. These users are matched based on mapped attribute values.
user[].{{properties}} An object that specifies the flow output. User properties are dynamically derived from the environment's schema at configuration time.
Step properties used with flow executions
Properties for the EXTERNAL_AUTHENTICATION_REQUIRED flow state
Flow state Description
EXTERNAL_AUTHENTICATION_REQUIRED A flow status that prompts the user to authenticate with an external identity provider to continue the flow.
Flow state response schema property Description
authenticate.href A string that specifies the URL to which the browser is redirected to authenticate with the external identity provider.
Flow state embedded resource property Description
identityProvider.name A string that specifies the identity provider's name.
identityProvider.type A string that specifies the identity provider's type. Options are FACEBOOK, GOOGLE, LINKEDIN, OPENID_CONNECT, APPLE, AMAZON, TWITTER, YAHOO, PAYPAL, MICROSOFT, GITHUB, and SAML.
Flow execution actions
externalAuthentication.check action
Links Description
externalAuthentication.check The link to initiate an action to check the external authentication ID. The action must provide a value for the id property and specify application/vnd.pingidentity.externalAuthentication.check+json as the custom content type in the request.
Parameters Description
externalAuthentication.id A string that specifies the external authentication ID. This is a required property.

Invoke External Service

This step type invokes an external service request. Note that the input properties in the request and the output properties in the response are generated dynamically based on the input and output schemas defined in the external service configuration.

Step properties used with flow definitions
Configuration schema property Description
externalService.id A string that specifies the ID of the external service, which is the target of the request.
request.id A string that specifies the request configuration to execute.
Input property Description
{someRequestProperty} The input properties are dynamically generated based on the list of inputs in the request configuration.

The following properties are returned for the INVOCATION_OUTPUT result.

Output property Description
someOutputProperty The output properties are populated dynamically if an output schema is provided.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the EXTERNAL_SERVICE_INVOKE step type.
Parameters Description
There are no flow action parameters associated with the EXTERNAL_SERVICE_INVOKE step type.

MFA Auto Enrollment

This step type pairs an MFA offline device automatically with the user account during MFA enrollment.

Step properties used with flow definitions
Configuration schema property Description
sms.enabled A boolean that, when set to true, auto enrolls an SMS device.
sms.mode A string that specifies the mode used to auto enroll an SMS device. Options are CREATE, OVERRIDE, and REPLACE. The default value is CREATE.
voice.enabled A boolean that, when set to true, auto enrolls a voice device.
voice.mode A string that specifies the mode used to auto enroll a voice device. Options are CREATE, OVERRIDE, and REPLACE. The default value is CREATE.
email.enabled A boolean that, when set to true, auto enrolls an email device.
email.mode A string that specifies the mode used to auto enroll an email device. Options are CREATE, OVERRIDE, and REPLACE. The default value is CREATE.
Input property Description
user.id A string that specifies the user ID of the user account. This is a required property.
user.sms.mobilePhone A string that specifies the phone number of the SMS device. This is a required property.
user.sms.oldMobilePhone A string that specifies the phone number of the old SMS device. This is a required property.
user.voice.mobilePhone A string that specifies the phone number of the voice device. This is a required property.
user.voice.oldMobilePhone A string that specifies the phone number of the old voice device. This is a required property.
user.email.email A string that specifies the email address of the email device. This is a required property.
user.email.oldEmail A string that specifies the email address of the old email device. This is a required property.

The following properties are returned for the ENROLLED result.

Output property Description
devices.sms.id A string that specifies the ID of the SMS device.
devices.sms.type A string that specifies the device type.
devices.sms.phone A string that specifies the phone number associated with the device.
devices.voice.id A string that specifies the ID of the voice device.
devices.voice.type A string that specifies the device type.
devices.voice.phone A string that specifies the phone number associated with the device.
devices.email.id A string that specifies the ID of the email device.
devices.email.type A string that specifies the device type.
devices.email.email A string that specifies the email address associated with the device.

The following properties are returned for the NOT_APPLICABLE result.

Output property Description
There are no output properties for the NOT_APPLICABLE result.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the MFA_AUTO_ENROLLMENT step type.
Parameters Description
There are no flow action parameters associated with the MFA_AUTO_ENROLLMENT step type.

MFA Challenge

This step type performs a multi-factor authentication in PingOne. The step returns a SUCCEEDED result.

Step properties used with flow definitions
Configuration schema property Description
deviceAuthenticationPolicy.id A string that specifies the ID of the device authentication policy to use during authentication. This is a required property.
deviceSelection A string that specifies the device selection mode. Options are DEFAULT_TO_FIRST and PROMPT_TO_SELECT. The default value is DEFAULT_TO_FIRST. This is a required property.
template.name A string that specifies the name of the notification template used for user notifications. Options are STRONG_AUTHENTICATION and TRANSACTION. This is a required property.
template.variant A string that specifies the notification template variant.
useDefaultPolicy A boolean that, when set to true, specifies that the default device authentication policy for the environment is used during MFA evaluation.
Input property Description
user.id A string that specifies the user ID. This is a required property.
template.locale A string that specifies the notifications template locale. This is a required property.
template.variables An object that specifies the notifications template variables.
webauthn.compatibility A string that specifies the webauthn compatibility.
mobile.clientContext An object that specifies the mobile client context.
mobile.payload A string that specifies the mobile payload. The default value is ${flow.inputs.parameters.mobilePayload}.
application.id A string that specifies the application ID. The default value is ${flow.inputs.parameters.applicationId}.
session.id A string that specifies the session ID. The default value is ${flow.inputs.parameters.sessionId}.
userAgent A string that specifies the user agent of the browser that triggered the flow. The default value is ${flow.inputs.headers.user-agent}.

The following properties are returned for the SUCCEEDED result.

Output property Description
device.id A string that specifies the device ID.
device.nickname A string that specifies the device nickname.
device.type A string that specifies the device type. Options are MOBILE, EMAIL, SMS, VOICE, TOTP, PLATFORM, and SECURITY_KEY.
amr An array that specifies the authentication methods.
Step properties used with flow executions
Properties for the DEVICE_SELECTION_REQUIRED flow state
Flow state Description
DEVICE_SELECTION_REQUIRED A flow status that prompts the user to select an available device to use for authentication.
Flow state response schema property Description
deviceAuthentication An object that specifies the device authentication parameters.
Properties for the OTP_REQUIRED flow state
Flow state Description
OTP_REQUIRED A flow status that requires the user to complete a multi-factor authentication action using a one-time passcode.
Flow state response schema property Description
devices An object that specifies the user devices available that can be used to complete the multi-factor authentication action.
deviceAuthentication.authSession.type A string that specifies the type of authentication session.
deviceAuthentication.authSession.id A string that specifies the authentication session ID.
deviceAuthentication.selectedDevice.id A string that specifies the ID of the device used for authentication.
deviceAuthentication.user.id A string that specifies the user ID of the authenticating user.
Properties for the ASSERTION_REQUIRED flow state
Flow state Description
ASSERTION_REQUIRED A flow status that prompts the user to activate the WebAuthn device to finalize the authentication process.
Flow state response schema property Description
devices An object that specifies the available devices that can be used for activation.
deviceAuthentication.authSession.type A string that specifies the type of authentication session.
deviceAuthentication.authSession.id A string that specifies the authentication session ID.
deviceAuthentication.selectedDevice.id A string that specifies the ID of the device used for authentication.
deviceAuthentication.user.id A string that specifies the user ID of the authenticating user.
Properties for the PUSH_CONFIRMATION_REQUIRED flow state
Flow state Description
PUSH_CONFIRMATION_REQUIRED A flow status that results when a push was sent to a native device to confirm the authentication.
Flow state response schema property Description
devices An object that specifies the available devices that can be used for authentication.
deviceAuthentication.authSession.type A string that specifies the type of authentication session.
deviceAuthentication.authSession.id A string that specifies the authentication session ID.
deviceAuthentication.selectedDevice.id A string that specifies the ID of the device used for authentication.
deviceAuthentication.user.id A string that specifies the user ID of the authenticating user.
Properties for the PUSH_CONFIRMATION_TIMED_OUT flow state
Flow state Description
PUSH_CONFIRMATION_TIMED_OUT A flow status that specifies that a push was sent to a native device, but the native device did not answer the push during the allowed timeframe.
Flow state response schema property Description
devices An object that specifies the available devices that can be used for authentication.
deviceAuthentication.authSession.type A string that specifies the type of authentication session.
deviceAuthentication.authSession.id A string that specifies the authentication session ID.
deviceAuthentication.selectedDevice.id A string that specifies the ID of the device used for authentication.
deviceAuthentication.user.id A string that specifies the user ID of the authenticating user.
Flow execution actions
Device device.select action
Links Description
device.select The link to initiate an action to select the MFA device to use for authentication. The action must provide a value for the device.id property and specify application/vnd.pingidentity.device.select+json as the custom content type in the request.
Parameters Description
device.id A string that specifies the ID of the selected device. This is a required property.
compatibility A string that specifies the browser WebAuthn compatibility. Options are FULL, SECURITY_KEY_ONLY, and NONE.
Device otp.check action
Links Description
otp.check The link to initiate an action to validate the one-time passcode received by the selected device. The action must specify application/vnd.pingidentity.otp.check+json as the custom content type in the request.
Parameters Description
otp A string that specifies the one-time passcode. This is a required property.
Device assertion.check action
Links Description
assertion.check The link to initiate an action to validate the WebAuthn assertion produced by the selected FIDO2 device. The action must specify application/vnd.pingidentity.assertion.check+json as the custom content type in the request.
Parameters Description
assertion A string that specifies the WebAuthn assertion response. This is a required property.
compatibility A string that specifies the browser WebAuthn compatibility. Options are FULL, SECURITY_KEY_ONLY, and NONE.
origin A string that specifies the full URL of the calling service. This is a required property. The value must match the origin of the page that ran the WebAuthn ceremony; an assertion whose client data names a different origin does not validate.
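
The flow-execution tables for the Create Risk Evaluation, Form, Identity Provider and MFA Challenge steps all follow the same pattern: the flow state names the HAL link to follow and the custom content type the request must carry. The Python below is an added example, not PingOne client code, that builds the next request from a flow execution response and refuses to POST a one-time passcode, assertion or form data to any link that is not https on the expected API host. The API host, the assumption that an action is POSTed to the href of its link, the polling of the self link while a push is pending, and the sample state are assumptions not stated on this page.

```python
"""Next-request builder for flow executions, as an added example (not PingOne
client code). It encodes the flow state -> HAL link -> custom content type
mapping from the Create Risk Evaluation, Form, Identity Provider and MFA
Challenge tables. Assumptions: the API host below, that actions are POSTed to
the link's href, and that a pending push is awaited by polling the self link."""
from typing import Any
from urllib.parse import urlsplit

ACTIONS = {  # flow state -> (link relation, custom content type), from the tables above
    "PROFILE_DEVICE": ("profile.device", "application/vnd.pingidentity.device.profile+json"),
    "FORM_REQUIRED": ("form.submit", "application/vnd.pingidentity.form.submit+json"),
    "EXTERNAL_AUTHENTICATION_REQUIRED": ("externalAuthentication.check",
                                         "application/vnd.pingidentity.externalAuthentication.check+json"),
    "DEVICE_SELECTION_REQUIRED": ("device.select", "application/vnd.pingidentity.device.select+json"),
    "OTP_REQUIRED": ("otp.check", "application/vnd.pingidentity.otp.check+json"),
    "ASSERTION_REQUIRED": ("assertion.check", "application/vnd.pingidentity.assertion.check+json"),
}
FORM_ACTION = ("form.action", "application/vnd.pingidentity.form.action+json")
COMPATIBILITY = {"FULL", "SECURITY_KEY_ONLY", "NONE"}
API_HOST = "api.pingone.com"  # assumption: use the PingOne API host for your region


def is_api_href(href: str, api_host: str = API_HOST) -> bool:
    """True only for https URLs on the expected API host: a tampered _links entry
    must not be able to send OTPs, assertions or form data elsewhere."""
    parts = urlsplit(href)
    return parts.scheme == "https" and parts.hostname == api_host


def hal_href(execution: dict[str, Any], rel: str, api_host: str = API_HOST) -> str:
    """Resolve a _links relation offered by the current state, or fail."""
    href = execution.get("_links", {}).get(rel, {}).get("href")
    if not href:
        raise LookupError(f"state {execution.get('status')!r} offers no {rel!r} link")
    if not is_api_href(href, api_host):
        raise ValueError(f"refusing to follow {href}: not https on {api_host}")
    return href


def _body(status: str, answers: dict[str, Any]) -> dict[str, Any]:
    """Action parameters for each state, taken from the caller's answers (never logged)."""
    if status == "PROFILE_DEVICE":
        return {"browserFingerprint": answers["browserFingerprint"]}
    if status == "FORM_REQUIRED":
        return dict(answers["formData"])  # assumed: a flat object of the form's fields
    if status == "EXTERNAL_AUTHENTICATION_REQUIRED":
        return {"externalAuthentication": {"id": answers["externalAuthentication"]["id"]}}
    if status == "DEVICE_SELECTION_REQUIRED":
        body = {"device": {"id": answers["device"]["id"]}}
        if "compatibility" in answers:
            body["compatibility"] = answers["compatibility"]
        return body
    if status == "OTP_REQUIRED":
        return {"otp": str(answers["otp"]).strip()}
    if status == "ASSERTION_REQUIRED":  # origin is required: the page that ran the WebAuthn ceremony
        return {"assertion": answers["assertion"], "origin": answers["origin"],
                "compatibility": answers.get("compatibility", "FULL")}
    raise KeyError(status)


def next_request(execution: dict[str, Any], answers: dict[str, Any],
                 api_host: str = API_HOST) -> dict[str, Any]:
    """Return the client's next move for this flow state: a POST to the documented
    link, a browser redirect, a poll of the self link, or a terminal outcome."""
    status = execution.get("status")
    if status == "EXTERNAL_AUTHENTICATION_REQUIRED" and "externalAuthentication" not in answers:
        url = execution["authenticate"]["href"]  # first pass: send the browser to the external IdP
        if urlsplit(url).scheme != "https":
            raise ValueError("authenticate.href is not https")
        return {"kind": "redirect", "url": url}
    if status == "PUSH_CONFIRMATION_REQUIRED":  # assumed: wait by re-reading the self link
        return {"kind": "poll", "url": hal_href(execution, "self", api_host)}
    if status == "PUSH_CONFIRMATION_TIMED_OUT":
        return {"kind": "timed_out"}  # let the user pick a device again or abort
    if status not in ACTIONS:
        raise ValueError(f"unhandled flow state {status!r}; failing closed")
    rel, content_type = ACTIONS[status]
    if status == "FORM_REQUIRED" and "actionKey" in answers:
        rel, content_type = FORM_ACTION  # a form button was clicked rather than the form submitted
        body = {"key": answers["actionKey"]}
    else:
        body = _body(status, answers)
    if body.get("compatibility", "FULL") not in COMPATIBILITY:
        raise ValueError("compatibility must be FULL, SECURITY_KEY_ONLY or NONE")
    return {"kind": "post", "url": hal_href(execution, rel, api_host),
            "headers": {"Content-Type": content_type}, "json": body}


# Constructed OTP_REQUIRED state (not a captured PingOne response).
SAMPLE_OTP_STATE = {
    "status": "OTP_REQUIRED",
    "deviceAuthentication": {"selectedDevice": {"id": "dev-1"}, "user": {"id": "u-1"}},
    "_links": {
        "self": {"href": "https://api.pingone.com/v1/environments/env-1/flowExecutions/fx-1"},
        "otp.check": {"href": "https://api.pingone.com/v1/environments/env-1/flowExecutions/fx-1"},
    },
}

if __name__ == "__main__":
    print(next_request(SAMPLE_OTP_STATE, {"otp": " 123456 "}))
```

The link check matters because the execution response, not the client, decides where the next POST goes: a client that blindly follows whatever href it is handed will also hand a valid OTP or WebAuthn assertion to whatever host appears there. Unknown states raise rather than being skipped, so a new state added server-side cannot silently turn into a completed flow.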

MFA Enrollment

This step type pairs an MFA device with the user account during MFA enrollment. The step returns either the ENROLLED or SKIPPED result.

Step properties used with flow definitions
Configuration schema property Description
useDefaultPolicy A boolean that, when set to true, specifies that the environment's default device authentication policy is used during MFA evaluation. This is a required property.
deviceAuthenticationPolicy.id A string that specifies the ID of the device authentication policy to use during authentication. This property is required only when the useDefaultPolicy property is set to false.
template.variant A string that specifies the notification template variant.
Input property Description
user.id A string that specifies the user ID of the user account from the identity provider. This is a required property.
user.email A string that specifies the user's email address.
user.mobilePhone A string that specifies the user's mobile phone number.
webauthn.compatibility A string that specifies the webauthn compatibility. Options are FULL, SECURITY_KEY_ONLY, and NONE.
template.locale A string that specifies the notification template locale.
template.variables An object that specifies the notification template variables.

The following properties are returned for the ENROLLED result.

Output property Description
device.id A string that specifies the device ID.
device.type A string that specifies the device type. Options are MOBILE, EMAIL, SMS, VOICE, TOTP, PLATFORM, and SECURITY_KEY.

The following properties are returned for the SKIPPED result.

Output property Description
There are no output properties for the SKIPPED result.
Step properties used with flow executions
Properties for the DEVICE_ENROLLMENT_REQUIRED flow state
Flow state Description
DEVICE_ENROLLMENT_REQUIRED A flow status that prompts the user to either enroll a device or skip the enrollment process.
Flow state response schema property Description
email A string that specifies the user email provided in the step inputs.
mobilePhone A string that specifies the user mobile phone number provided in the step inputs.
allowedtypes An array that specifies the allowed device types for pairing. Options are MOBILE, EMAIL, SMS, VOICE, TOTP, PLATFORM, and SECURITY_KEY.
mfaSettings An object that specifies the environment's MFA settings.
applications An array that specifies the environment applications.
Properties for the ACTIVATION_REQUIRED flow state
Flow state Description
ACTIVATION_REQUIRED A flow status that prompts the user to activate the offline device to finalize the enrollment process.
Flow state response schema property Description
device An object that specifies the user device pending for activation. The device properties shown depend on the device type.
Properties for the PAIRING_REQUIRED flow state
Flow state Description
PAIRING_REQUIRED A flow status that prompts the user to pair the mobile device to finalize the mobile enrollment process. The client will have to poll the HAL self link (/{envID}/flowExecutions/{flowExecutionID}) to verify the pairing.
Flow state response schema property Description
device An object that specifies the user device pending for activation. The device properties shown depend on the device type.
pairingKey.code A string that specifies the mobile pairing key code, used to finalize the mobile enrollment process.
Properties for the MOBILE_PAIRING_FAILURE flow state
Flow state Description
MOBILE_PAIRING_FAILURE A flow status that results when mobile pairing has failed. This status returns the error code and the mobile pairing error details.
Flow state response schema property Description
error An object that specifies the error details.
error.code A string that specifies the error code.
error.message A string that specifies the error message.
Flow execution actions
Device create device.create action
Links Description
device.create The link to initiate an action to specify an MFA device to associate with the user. The action must provide a value for the type property and specify application/vnd.pingidentity.device.create+json as the custom content type in the request.
Parameters Description
type A string that specifies the device type. Options are MOBILE, EMAIL, SMS, VOICE, TOTP, PLATFORM, and SECURITY_KEY. This is a required property.
nickname A string that specifies the device nickname.
email A string that specifies the user's email address.
phone A string that specifies the user's phone number.
application.id A string that specifies the associated application ID, which is required for pairing with devices of type MOBILE.
rp.id A string that specifies the WebAuthn relying party (RP) ID, which is based on the host's domain name.
rp.name A string that specifies a human-readable name for the relying party.
Device activate device.activate action
Links Description
device.activate The link to initiate an action to activate an MFA device. The action must specify application/vnd.pingidentity.device.activate+json as the custom content type in the request.
Parameters Description
otp A string that specifies the one-time passcode.
attestation A string that specifies the FIDO2 attestation.
origin A string that specifies the calling service.
Device skip device.skipEnrollment action
Links Description
device.skipEnrollment The link to skip device enrollment. This action can be used only if device registration is configured to allow skipping. The action must specify the application/vnd.pingidentity.device.skipEnrollment+json as the custom content type in the request.
Parameters Description
There are no parameters required for the device.skipEnrollment action.
Device delete device.delete action
Links Description
device.delete The link to delete the device being registered, which cancels the device registration process. This action must specify the application/vnd.pingidentity.device.delete+json as the custom content type in the request.
Parameters Description
There are no parameters required for the device.delete action.
Resend OTP otp.resend action
Links Description
otp.resend The link to resend the OTP to complete the device registration process for SMS, email, and voice devices. This action must specify the application/vnd.pingidentity.otp.resend+json as the custom content type in the request.
Parameters Description
There are no parameters required for the otp.resend action.

MFA Mobile Auto Enrollment

This step type pairs an MFA mobile device with the user account during MFA enrollment.

Step properties used with flow definitions
Configuration schema property Description
{{properties}} An object that specifies the properties that are dynamically derived at configuration time.
Input property Description
user.id A string that specifies the user ID of the user account. This is a required property.
application.id A string that specifies the application ID. This is a required property.
mobile.payload A string that specifies the mobile payload. This is a required property.

The following properties are returned for the ENROLLMENT_INITIATED result.

Output property Description
enrollment An object that specifies the enrollment data created by the auto enrollment flow.

The following properties are returned for the NOT_APPLICABLE result.

Output property Description
There are no output properties for the NOT_APPLICABLE result.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the MFA_MOBILE_AUTO_ENROLLMENT step type.
Parameters Description
There are no flow action parameters associated with the MFA_MOBILE_AUTO_ENROLLMENT step type.

Password Check

This step type specifies an action to check a PingOne user's password.

Step properties used with flow definitions
Configuration schema property Description
There are no configuration schema properties for the USER_PASSWORD_CHECK step.
Input property Description
user.id A string that specifies the user ID of the user account associated with the password check action. This is a required property.
user.password A string that specifies the user's password to check. This is a required property.

The following properties are returned for the PASSWORD_VALID result.

Output property Description
passwordState.user.id A string that specifies the ID of the user whose password state is returned.
passwordState.passwordPolicy.id A string that specifies the password policy ID.
passwordState.status A string that specifies the current status of the password.
passwordState.lastChanged The date and time the password was last changed.
passwordState.warnings.expires A string that specifies the date and time the password expires.

The following properties are returned for the PASSWORD_EXPIRED result.

Output property Description
passwordState.user.id A string that specifies the ID of the user whose password state is returned.
passwordState.passwordPolicy.id A string that specifies the password policy ID.
passwordState.status A string that specifies the current status of the password.
passwordState.lastChangedAt The date and time the password was last changed.
passwordState.warnings.expires A string that specifies the date and time the password expires.

The following properties are returned for the MUST_CHANGE_PASSWORD result.

Output property Description
passwordState.user.id A string that specifies the ID of the user whose password state is returned.
passwordState.passwordPolicy.id A string that specifies the password policy ID.
passwordState.status A string that specifies the current status of the password.
passwordState.lastChangedAt The date and time the password was last changed.
passwordState.warnings.expires A string that specifies the date and time the password expires.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the USER_PASSWORD_CHECK step type.
Parameters Description
There are no flow action parameters associated with the USER_PASSWORD_CHECK step type.

Password Recover

This step type verifies an account by prompting for a verification code sent to the user through email. The step returns a VERIFIED result after the verification code is submitted successfully by the end user. The step can also return a SKIPPED result if the user chooses to skip the account verification step.

Step properties used with flow definitions
Configuration schema property Description
allowSkip A boolean that specifies whether the user is allowed to skip account verification.
Input property Description
userId A string that specifies the user ID of the user account to verify. This is a required property.

The following properties are returned for the VERIFIED result.

Output property Description
There are no output properties for the VERIFIED result.

The following properties are returned for the SKIPPED result.

Output property Description
There are no output properties for the SKIPPED result.
Step properties used with flow executions
Flow state Description
VERIFICATION_CODE_REQUIRED A flow status that prompts the user to complete an account verification action. The user can submit a verification code to verify the account, have another verification code sent, or optionally skip verification if the step is configured to allow skipping.
Account verification user.verify action
Links Description
user.verify The link to initiate an action to submit the verification code that was sent to the user. The action must provide a value for the verificationCode property and specify application/vnd.pingidentity.user.verify+json as the custom content type.
Parameters Description
verificationCode A string that specifies the verification code sent to the user.
Account verification user.sendVerificationCode action
Links Description
user.sendVerificationCode The link to initiate an action to send a verification code to the user. The action must specify application/vnd.pingidentity.user.sendVerificationCode+json as the custom content type.
Parameters Description
There are no parameters required for the user.sendVerificationCode action.
Account verification user.skipVerification action
Links Description
user.skipVerification The link to skip account verification. This action can be used only if account verification is configured to allow skipping. The action must specify the application/vnd.pingidentity.user.skipVerification+json as the custom content type.
Parameters Description
There are no parameters required for the user.skipVerification action.

PingID Authentication for Windows Passwordless Login

This step type authenticates users with PingID. It is used for passwordless login on Windows devices.

Step properties used with flow definitions
Configuration schema property Description
There are no configuration schema properties for the PINGID_AUTHENTICATION_FOR_WINDOWS_PASSWORDLESS_LOGIN step type.
Input property Description
user.username A string that specifies the user name as it is defined in PingID.

The following properties are returned for the SUCCEEDED result.

Output property Description
pingIdDevice.id A string that specifies the PingID device ID.
Step properties used with flow executions
Flow state Description
There is no flow status associated with the PINGID_AUTHENTICATION_FOR_WINDOWS_PASSWORDLESS_LOGIN step type.
Links Description
device.select The link to initiate the PingID device select action. The action must specify application/vnd.pingidentity.device.select+json as the custom content type in the request.
Parameters Description
device.id A string that specifies the selected PingID device ID.
Links Description
authentication.poll The link to specify an action to check the current authentication status. The action must specify application/vnd.pingidentity.authentication.poll+json as the custom content type in the request.
Parameters Description
There are no parameters for the authentication.poll action.
Links Description
otp.check The link to initiate an action to validate the one-time passcode. The action must specify application/vnd.pingidentity.otp.check+json as the custom content type in the request.
Parameters Description
otp A string that specifies the offline device one-time passcode.
Links Description
certificate.create The link to initiate an action to create a certificate. The action must specify application/vnd.pingidentity.certificate.create+json as the custom content type in the request.
Parameters Description
csr A string that specifies the certificate signing request, in Base64-encoded PEM format, that contains the information to be included in the certificate.
Links Description
certificate.create The link to initiate an action to create a certificate. The action must specify application/vnd.pingidentity.certificate.create+json as the custom content type in the request.
Parameters Description
csr A string that specifies the certificate signing request, in Base64-encoded PEM format, that contains the information to be included in the certificate.
pin A string that specifies the PIN that protects the certificate's private key.
Links Description
certificate.readPin The link to initiate an action to retrieve the PIN code that protects the certificate's private key. The action must specify application/vnd.pingidentity.certificate.readPin+json as the custom content type in the request.
Parameters Description
certificate.id A string that specifies the certificate ID.
Links Description
authentication.resume The link to initiate an action to complete the authentication. The action must specify application/vnd.pingidentity.authentication.resume+json as the custom content type in the request.
Parameters Description
There are no parameters for the authentication.resume action.

Read User

This step type reads user account data for the user specified by the ID in the input property.

Step properties used with flow definitions
Configuration schema property Description
{{properties}} An object that specifies the user properties. Properties are dynamically derived from the environment's schema at configuration time.
Input property Description
user.id A string that specifies the user ID. This is a required property.

The following properties are returned for the SUCCEEDED result.

Output property Description
{{userProperties}} An object that specifies the flow output. Properties are dynamically derived from the environment's schema at configuration time.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the USER_READ step type.
Parameters Description
There are no flow action parameters associated with the USER_READ step type.

Reset Password

This step type specifies an action to reset a user's password using the current password.

Step properties used with flow definitions
Configuration schema property Description
There are no configuration schema properties for the USER_PASSWORD_RESET step.
Input property Description
user.id A string that specifies the user ID of the user account associated with the password reset action. This is a required property.
currentPassword A string that specifies the user's current password. This is a required property.
newPassword A string that specifies the new password for the user account. This is a required property.

The following properties are returned for the SUCCEEDED result.

Output property Description
passwordState.user.id A string that specifies the ID of the user whose password state is returned.
passwordState.passwordPolicy.id A string that specifies the password policy ID.
passwordState.status A string that specifies the current status of the password.
passwordState.lastChanged The date and time the password was last changed.
passwordState.warnings.expires A string that specifies the date and time the password expires.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the USER_PASSWORD_RESET step type.
Parameters Description
There are no flow action parameters associated with the USER_PASSWORD_RESET step type.

Send Recovery Code

This step type specifies an action to send a recovery code to recover a forgotten password.

Step properties used with flow definitions
Configuration schema property Description
There are no configuration schema properties for the USER_PASSWORD_SEND_RECOVERY_CODE step.
Input property Description
user.id A string that specifies the user ID of the user account associated with the send recovery code action. This is a required property.

The following properties are returned for the SUCCEEDED result.

Output property Description
passwordState.user.id A string that specifies the ID of the user whose password state is returned.
passwordState.passwordPolicy.id A string that specifies the password policy ID.
passwordState.status A string that specifies the current status of the password.
passwordState.lastChanged The date and time the password was last changed.
passwordState.warnings.expires A string that specifies the date and time the password expires.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the USER_PASSWORD_SEND_RECOVERY_CODE step type.
Parameters Description
There are no flow action parameters associated with the USER_PASSWORD_SEND_RECOVERY_CODE step type.

Terminate Flow

This step type ends the flow and returns an error message.

Step properties used with flow definitions
Configuration schema property Description
There are no configuration properties for the TERMINATE_FLOW step type.
Input property Description
error.code A string that specifies the unique error code for the error. This is a required property.
error.message A string that specifies the message describing the error. The error message can include HTML formatted text such as links, headings, lists, and line breaks. This is a required property.
Output property Description
There are no output properties for the TERMINATE_FLOW step type.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the TERMINATE_FLOW step type.
Parameters Description
There are no flow action parameters associated with the TERMINATE_FLOW step type.

Update User

This step type specifies an action to update the user record in PingOne.

Step properties used with flow definitions
Configuration schema property Description
There are no configuration schema properties for the USER_PATCH step.
Input property Description
user.id A string that specifies the user ID of the user account associated with the update action. This is a required property.

The following properties are returned for the SUCCEEDED result.

Output property Description
user.{{properties}} The updated user record. User properties are dynamically derived from the environment's schema at configuration time.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the USER_PATCH step type.
Parameters Description
There are no flow action parameters associated with the USER_PATCH step type.

User Lookup

This step type specifies a user lookup action to determine the authentication authority. The response returns either a PING_ONE_USER_MATCHED or an IDENTITY_PROVIDER_USER_MATCHED result.

Step properties used with flow definitions
Configuration schema property Description
matchAttributes.[] An array that specifies the attributes to match against the provided identifier when searching for a user in the directory. Only unique attributes can be specified, and the attributes are searched in order, returning the first user that matches. If no match is found, the action returns an error. The default attribute is username. This is a required property.
matchPingOneUsersOnly A boolean that specifies whether to match only users whose authentication authority is PingOne. This property defaults to false if it is not set.
Input property Description
identifier A string that specifies the identifier to use when searching for the user. This is a required property.

The following properties are returned for the PING_ONE_USER_MATCHED result.

Output property Description
user An object that specifies the attributes of the matched user. Properties are dynamically derived from the environment's schema at configuration time.

The following properties are returned for the IDENTITY_PROVIDER_USER_MATCHED result.

Output property Description
user An object that specifies the attributes of the matched user. Properties are dynamically derived from the environment's schema at configuration time.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this action.
Links Description
There are no flow actions associated with the USER_LOOKUP step type.
Parameters Description
There are no flow action parameters associated with the USER_LOOKUP step type.

Verify Email

This step type verifies an account by prompting for a verification code sent to the user through email. The step returns a VERIFIED result after the verification code is submitted successfully by the end user. The step can also return a SKIPPED result if the user chooses to skip the account verification step.

Step properties used with flow definitions
Configuration schema property Description
allowSkip A boolean that specifies whether the user is allowed to skip account verification.
Input property Description
userId A string that specifies the user ID of the user account to verify. This is a required property.

The following properties are returned for the VERIFIED result.

Output property Description
There are no output properties for the VERIFIED result.

The following properties are returned for the SKIPPED result.

Output property Description
There are no output properties for the SKIPPED result.
Step properties used with flow executions
Flow state Description
VERIFICATION_CODE_REQUIRED A flow status that prompts the user to complete an account verification action. The user can submit a verification code to verify the account, have another verification code sent, or optionally skip verification if the step is configured to allow skipping.
Account verification user.verify action
Links Description
user.verify The link to initiate an action to submit the verification code that was sent to the user. The action must provide a value for the verificationCode property and specify application/vnd.pingidentity.user.verify+json as the custom content type.
Parameters Description
verificationCode A string that specifies the verification code sent to the user.
Account verification user.sendVerificationCode action
Links Description
user.sendVerificationCode The link to initiate an action to send a verification code to the user. The action must specify application/vnd.pingidentity.user.sendVerificationCode+json as the custom content type.
Parameters Description
There are no parameters required for the user.sendVerificationCode action.
Account verification user.skipVerification action
Links Description
user.skipVerification The link to skip account verification. This action can be used only if account verification is configured to allow skipping. The action must specify the application/vnd.pingidentity.user.skipVerification+json as the custom content type.
Parameters Description
There are no parameters required for the user.skipVerification action.
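Added example (not code from the reference or from PingOne): a client-side helper for the VERIFICATION_CODE_REQUIRED state that the Password Recover and Verify Email step types share. It assumes the flow-state JSON carries HAL-style "_links" keyed by action name, that actions are POSTed to the link href, and uses a constructed placeholder host and flow ID; the content-type convention and the parameter rules come from the tables above.

```python
from __future__ import annotations
from typing import Any

# Parameters each verification action accepts and whether each is required,
# per the Password Recover / Verify Email flow-execution tables.
ACTION_PARAMS: dict[str, dict[str, bool]] = {
    "user.verify": {"verificationCode": True},
    "user.sendVerificationCode": {},
    "user.skipVerification": {},  # link is offered only when allowSkip is true
}


def content_type_for(action: str) -> str:
    """Each flow action must be sent with its own vendor content type."""
    return f"application/vnd.pingidentity.{action}+json"


def build_action_request(flow_state: dict[str, Any], action: str,
                         params: dict[str, Any] | None = None) -> dict[str, Any]:
    """Describe the HTTP request that invokes `action` on `flow_state`.

    Raises LookupError when the flow state does not offer the action (for example
    user.skipVerification when the step was configured with allowSkip=false) and
    ValueError when required parameters are missing or unknown ones are supplied.
    Assumption: links are HAL-style, {"_links": {"<action>": {"href": ...}}}.
    """
    params = dict(params or {})
    if action not in ACTION_PARAMS:
        raise ValueError(f"unsupported flow action: {action}")
    link = flow_state.get("_links", {}).get(action)
    if not link or "href" not in link:
        raise LookupError(f"flow state {flow_state.get('status')!r} does not offer {action}")
    spec = ACTION_PARAMS[action]
    missing = [p for p, required in spec.items() if required and not params.get(p)]
    unknown = sorted(set(params) - set(spec))
    if missing or unknown:
        raise ValueError(f"{action}: missing={missing} unknown={unknown}")
    return {
        "method": "POST",  # assumption: actions are POSTed to the link href
        "url": link["href"],
        "headers": {"Content-Type": content_type_for(action)},
        "body": params,  # serialize as JSON when sending
    }


def verification_exchange(flow_state: dict[str, Any], code: str) -> list[dict[str, Any]]:
    """The two requests a client makes in order: resend the code, then submit it."""
    return [
        build_action_request(flow_state, "user.sendVerificationCode"),
        build_action_request(flow_state, "user.verify", {"verificationCode": code}),
    ]


# Constructed sample flow state (placeholder host and flow ID) for a step configured
# with allowSkip=false, so no user.skipVerification link is present.
SAMPLE_FLOW_STATE: dict[str, Any] = {
    "id": "flow-id-placeholder",
    "status": "VERIFICATION_CODE_REQUIRED",
    "_links": {
        "user.verify": {"href": "https://auth.example.test/flows/flow-id-placeholder"},
        "user.sendVerificationCode": {"href": "https://auth.example.test/flows/flow-id-placeholder"},
    },
}

if __name__ == "__main__":
    for req in verification_exchange(SAMPLE_FLOW_STATE, "123456"):
        print(req["method"], req["url"], req["headers"]["Content-Type"], req["body"])
```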

Forms

The forms API, which supports the form builder interface in the PingOne Admin Console, provides tools for administrators to create custom forms presented to users during the authentication workflow. This capability allows administrators to:

  • Define the interactive fields and the corresponding data to be collected during a registration or sign-on flow, which could include text inputs, checkboxes, dropdowns, and radio buttons, with options that are either saved as part of the form or supplied dynamically as an input argument.

  • Define the user experience that they want to deliver to the customer, such as field ordering, labeling, control over input validation and error feedback, and support for contextual or formatting items such as text (headers, explanatory text), images, and dividers.

The forms API provides endpoints to create, read, update, and delete form builder resources.

Forms category types

The API allows the following form types:

  • REGISTRATION

    A registration form that allows administrators to configure the controls and the information gathered during the registration flow. This form type allows form fields that do not map directly to PingOne user schema properties.

  • SELF_SERVICE

    A self-service form that allows administrators to configure the controls and the information gathered during a self-service flow. All fields in the self-service form must be associated with PingOne user schema properties.

  • PROGRESSIVE_PROFILING

    A custom registration form that prompts the user for additional information during the registration or sign-on flow. All fields in the progressive profiling form must be associated with PingOne user schema properties.

  • CUSTOM

    A custom registration form that allows form fields that do not map directly to PingOne user schema properties. For example, the form could include radio buttons with options of “employee” or “contractor” that the flow manager processes to direct the user to the next relevant form.

Forms data model
Property Description
created The time the resource was created.
category A string that specifies the type of custom-defined form. Options are REGISTRATION, SELF_SERVICE, PROGRESSIVE_PROFILING, and CUSTOM. The CUSTOM and REGISTRATION form types allow the form to be built with fields that do not map specifically to the PingOne directory attributes. This is a required property.
cols An integer that specifies the number of columns in the form.
components An object that specifies the form configuration elements.
description A string that specifies the description of the form.
fieldTypes A read-only property that specifies the list of the FormField types in the form. Options are TEXT, SUBMIT_BUTTON, FLOW_LINK, FLOW_BUTTON, and RECAPTCHA_V2.
id A string that specifies the resource’s unique identifier.
markOptional A boolean that specifies whether optional fields are highlighted in the rendered form. This is a required property.
markRequired A boolean that specifies whether required fields are highlighted in the rendered form. This is a required property.
modified The time the resource was last updated.
name A string that specifies the form name, which must be provided and must be unique within an environment. This is a required property.
Form components data model
Property Description
button A form button object that contains the button text. This is a required property.
button.text A string that specifies the form button text. This is a required property.
fields A list of form fields that specifies the form fields that make up the form. Options include text inputs, passwords, radio buttons, checkboxes, dropdowns, headers, and dividers. This is a required property.
FormField data model
  • FormElement represents a FormField of types TEXT, PASSWORD, RADIO, CHECKBOX, DROPDOWN.
  • FormItem represents a FormField of types DIVIDER, PARAGRAPH, EMPTY_FIELD, ERROR_DISPLAY.
  • FormElementPasswordVerify represents a FormField of type PASSWORD_VERIFY.
  • FormSubmit represents a FormField of type SUBMIT_BUTTON.
  • FormFlowLink represents a FormField of type FLOW_LINK.
  • FormFlowButton represents a FormField of type FLOW_BUTTON.
  • FormRecaptchaV2 represents a FormField of type RECAPTCHA_V2.
  • FormQrCode represents a FormField of type QR_CODE.
Property Description
position An object containing field position information. This is a required property.
position.col An integer that specifies the column position of the field. This is a required property.
position.row An integer that specifies the row position of the field. This is a required property.
position.width An integer that specifies the width of the field.
type A string that specifies the type of the field. Options are TEXT, PASSWORD, PASSWORD_VERIFY, RADIO, CHECKBOX, DROPDOWN, DIVIDER, EMPTY_FIELD, TEXTBLOB, ERROR_DISPLAY, SUBMIT_BUTTON, FLOW_LINK, FLOW_BUTTON, RECAPTCHA_V2, and QR_CODE. This is a required property.
FormElement data model
Property Description
key A string that specifies the field unique key for the HTML name attribute. This is a required property.
label A string that specifies the field label. This is a required property.
layout A string that specifies layout attributes for radio button and checkbox fields. Options are HORIZONTAL or VERTICAL. This is a required property when the type is RADIO or CHECKBOX.
options An array of strings that specifies the unique list of options. This is a required property when the type is RADIO, CHECKBOX, or DROPDOWN.
required A boolean that specifies whether the field is required. This is a required property.
validation An object containing validation data for the field. This is a required property when the type is TEXT.
validation.regex A string that specifies a validation regular expression. The expression must be a valid regular expression string. This is a required property when the validation type is CUSTOM.
validation.type A string that specifies the validation type. Options are NONE and CUSTOM. This is a required property when the field type is TEXT.
validation.errorMessage A string that specifies the error message to be displayed when the field validation fails.
FormElementPasswordVerify data model

The FormElementPasswordVerify object is an extension of FormElement and contains all of the same fields in FormElement as well as those listed below.

Property Description
labelPasswordVerify A string that specifies the label of the password verification (confirmation) field.
FormItem data model
Property Description
content A string that specifies the field content (for example, HTML when the field type is TEXTBLOB).
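Added example (not PingOne's own validation): a pre-flight check of a form definition against the conditional "required when" rules in the Forms, Form components, FormField, FormElement, FormElementPasswordVerify and FormItem data models above, including that a CUSTOM validation.regex must compile. The sample definitions are constructed for this example.

```python
import copy
import re

CATEGORIES = {"REGISTRATION", "SELF_SERVICE", "PROGRESSIVE_PROFILING", "CUSTOM"}
ELEMENT_TYPES = {"TEXT", "PASSWORD", "RADIO", "CHECKBOX", "DROPDOWN"}
ITEM_TYPES = {"DIVIDER", "PARAGRAPH", "EMPTY_FIELD", "ERROR_DISPLAY", "TEXTBLOB"}
OTHER_TYPES = {"PASSWORD_VERIFY", "SUBMIT_BUTTON", "FLOW_LINK", "FLOW_BUTTON",
               "RECAPTCHA_V2", "QR_CODE"}
FIELD_TYPES = ELEMENT_TYPES | ITEM_TYPES | OTHER_TYPES


def _check_element(f, where, errors):
    # FormElement rules; PASSWORD_VERIFY extends FormElement with labelPasswordVerify.
    ftype = f["type"]
    for k in ("key", "label"):
        if not f.get(k):
            errors.append(f"{where}: {k} is required")
    if not isinstance(f.get("required"), bool):
        errors.append(f"{where}: required must be a boolean")
    if ftype in ("RADIO", "CHECKBOX") and f.get("layout") not in ("HORIZONTAL", "VERTICAL"):
        errors.append(f"{where}: layout must be HORIZONTAL or VERTICAL for {ftype}")
    if ftype in ("RADIO", "CHECKBOX", "DROPDOWN"):
        opts = f.get("options")
        if not isinstance(opts, list) or not opts:
            errors.append(f"{where}: options are required for {ftype}")
        elif len(set(opts)) != len(opts):
            errors.append(f"{where}: options must be unique")
    if ftype == "TEXT":
        v = f.get("validation")
        if not isinstance(v, dict) or v.get("type") not in ("NONE", "CUSTOM"):
            errors.append(f"{where}: validation.type must be NONE or CUSTOM for TEXT")
        elif v["type"] == "CUSTOM":
            try:
                re.compile(v.get("regex"))  # TypeError when regex is missing
            except (re.error, TypeError) as exc:
                errors.append(f"{where}: validation.regex is not a valid regular expression ({exc})")
    if ftype == "PASSWORD_VERIFY" and not f.get("labelPasswordVerify"):
        errors.append(f"{where}: labelPasswordVerify is required for PASSWORD_VERIFY")


def validate_form(form):
    # Return a list of problems; an empty list means the definition passes these checks.
    errors = []
    if form.get("category") not in CATEGORIES:
        errors.append(f"category must be one of {sorted(CATEGORIES)}")
    comps = form.get("components") or {}
    if not (comps.get("button") or {}).get("text"):
        errors.append("components.button.text is required")
    fields = comps.get("fields")
    if not isinstance(fields, list) or not fields:
        errors.append("components.fields is required")
        return errors
    seen_keys = set()
    for i, f in enumerate(fields):
        where = f"fields[{i}]"
        ftype = f.get("type")
        if ftype not in FIELD_TYPES:
            errors.append(f"{where}: unknown type {ftype!r}")
            continue
        pos = f.get("position")
        if not isinstance(pos, dict):
            errors.append(f"{where}: position is required")
        else:
            for k in ("col", "row"):
                if not isinstance(pos.get(k), int):
                    errors.append(f"{where}: position.{k} must be an integer")
        if ftype in ELEMENT_TYPES or ftype == "PASSWORD_VERIFY":
            _check_element(f, where, errors)
            if f.get("key") in seen_keys:  # key becomes the HTML name attribute
                errors.append(f"{where}: duplicate key {f.get('key')!r}")
            seen_keys.add(f.get("key"))
    return errors


# Constructed sample definition (not from the reference) that passes every rule.
VALID_FORM = {
    "name": "Example registration", "category": "REGISTRATION",
    "markOptional": False, "markRequired": True,
    "components": {"button": {"text": "Register"}, "fields": [
        {"type": "TEXT", "key": "username", "label": "Username", "required": True,
         "position": {"row": 0, "col": 0},
         "validation": {"type": "CUSTOM", "regex": r"^[a-z0-9._-]{3,64}$"}},
        {"type": "PASSWORD_VERIFY", "key": "password", "label": "Password",
         "labelPasswordVerify": "Confirm password", "required": True,
         "position": {"row": 1, "col": 0}},
        {"type": "RADIO", "key": "accountType", "label": "Account type", "required": True,
         "layout": "HORIZONTAL", "options": ["employee", "contractor"],
         "position": {"row": 2, "col": 0}},
        {"type": "SUBMIT_BUTTON", "position": {"row": 3, "col": 0}},
    ]},
}

# Same form with defects: malformed CUSTOM regex, RADIO without layout, duplicate option, reused key.
BROKEN_FORM = copy.deepcopy(VALID_FORM)
BROKEN_FORM["components"]["fields"][0]["validation"]["regex"] = "[unclosed"
BROKEN_FORM["components"]["fields"][2].pop("layout")
BROKEN_FORM["components"]["fields"][2]["options"] = ["employee", "employee"]
BROKEN_FORM["components"]["fields"][2]["key"] = "username"
```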
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

READ Forms


READ One Form


CREATE Registration Form


CREATE Progressive Profiling Form


CREATE Self Service Form


CREATE Sign On Form


CREATE Identity Provider Sign On Form


CREATE Password Reset Form


CREATE Password Recovery User Lookup Form


CREATE Password Recovery Form


CREATE Custom Form


UPDATE Form


DELETE One Form

Forms: Recaptcha

The Recaptcha configuration API provides support for a Recaptcha V2 field in a form definition. It includes operations to read, update, and delete the environment's Recaptcha configuration.

Recaptcha V2 data model
Property Description
created The time the configuration was created.
environment.id A string that specifies the environment's unique identifier.
modified The time the configuration was last updated.
siteKey A string that specifies the public site key for the Recaptcha configuration provided by Google. This is a required property.
secretKey A string that specifies the confidential secret key for the Recaptcha configuration provided by Google. This is a required property.
Response codes
Code Message
200 Successful operation.
204 No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.

READ Recaptcha Configuration


UPDATE Recaptcha Configuration


DELETE Recaptcha Configuration

Configuration Management

The Configuration Management service gives you a secure and flexible approach to automating (promoting) configurations across multiple environments, enabling the seamless creation, updating, and deletion of resources while supporting dynamic configurations through variable management. Resource dependencies are maintained, ensuring smooth cross-environment transitions and promotions. Auditing and reporting enhance oversight and compliance.

To use the Configuration Management service, you need to have the Environment Admin role for at least two environments. The general workflow is:

  • Select configurations that you want to promote from one environment to another (generally, through development, testing, and production stages).
  • If desired, use promotion variables to dynamically substitute different property values for a configuration resource included in a promotion operation.
  • Execute the promotion plan returned by the Read One Promotion or Read All Promotions operation to move the configuration from the source environment to the target environment.

The Configuration Management service comprises these sub-services:

Resources requiring special handling

Certificates

Certificates are not a promotable resource in PingOne; however, resources that reference them require special handling. Certificate references can be promoted either by using default certificates or through the use of promotion variables:

  • Default certificates

    When a configuration resource is using the default certificate as its signing key (a SAML application, for example), the application can be promoted, and will reference the default signing key existing in the target environment. Certificate rotation for the signing key can be done by setting a new default certificate in the target environment, and then promoting the configuration resource or resources using the default signing key in the source environment.

  • Certificates as promotion variables

    You can handle all certificate references other than default certificates using promotion variables. You'll need to create a promotion variable with the certificate ID in each environment. When the resource or resources referencing the certificate are promoted, the promotion operation will use the variable value to substitute the correct certificate in the target environment or environments. If there are other configuration resources that use the certificate, they will also use the correct certificate when any of these configuration resources are promoted to the same target environment or environments.

Attributes

You can promote individual attributes in the schema. However, if you're promoting an application that references a custom attribute, the promotion plan will include all attributes in the schema. In this case, you can exclude the unnecessary attributes by editing the promotion plan prior to starting the promotion operation.

If you want to use Postman

You can download or fork the Postman collection for the early access Configuration Management APIs, and test them in your Postman environment. If you don't already have a Postman installation, you can install the free version. See Download Postman.

Import or fork the Postman collection PingOne Configuration Management APIs - Early Access into your Postman installation by clicking the Run in Postman button below:

Run In Postman

Refer to Postman and the PingOne APIs for more information.

Snapshots

A snapshot is a point-in-time representation of any configuration resource in PingOne. A snapshot is triggered when the request POST {{apiPath}}/environments/{{envID}}/snapshots is called. The configuration resource, and optionally all of its dependencies, are then stored by the Snapshot service. Snapshots are stored and indexed using the original identifier (ID) of the configuration resource; for example, an application's snapshot is stored using the ID of the application. Each subsequent call to POST {{apiPath}}/environments/{{envID}}/snapshots for the same configuration resource generates a new version of that resource. You can retrieve the version history of any configuration resource using the original identifier of the resource. You use the snapshot created for a configuration resource to promote (apply) that resource from the source environment to another environment.

Snapshots data model

Property Type Required? Mutable? Description
baseResourceURL String Required Mutable The URL of the resource to use. The form is: "https://api.pingone.com/v1/environments/{{envId}}/{{resourceName}}/{{resourceId}}", where "resourceName" is the name of the configuration resource to snapshot.
createdAt Date N/A Read-only The date and time at which the resource was created (ISO 8601 format).
completedAt Date N/A Read-only The date and time at which the snapshot creation was completed (ISO 8601 format).
configuration Object N/A Read-only The JSON representation of the configuration resource. If the configuration resource has been deleted, this will be empty (null).
error String N/A Read-only If an error occurs while creating the snapshot, it's returned here.
id String Required Immutable The identifier of the configuration resource.
resourceId String Optional Mutable The identifier of the configuration resource.
resourceUrl String Optional Mutable The URL of the configuration resource.
referencedResources String[] Optional Mutable The list of identifiers for any dependent or referenced configuration resources. The dependent or referenced resources can be only one level down in the possible tree of such resources.
snapshotId String N/A Read-only The identifier of the snapshot.
startedAt Date N/A Read-only The date and time at which the snapshot creation was started (ISO 8601 format).
status String N/A Read-only The status of the snapshot creation process. This can be any one of: COMPLETE, WAITING, IN_PROGRESS, ERROR.
updatedAt Date N/A Read-only The date and time at which the resource was last updated (ISO 8601 format).
versionedAt Date N/A Read-only The date and time of the updatedAt property on the original resource. For deleted events, this will be the date and time the event was published.

Create Snapshot


Read Latest Snapshot


Read One Snapshot Version


Read All Snapshot Versions

Promotions

A promotion includes, at a minimum, source and target environment references, automatically generated source and target snapshots, the resource or resources to promote to the target environment, and a promotion plan for the promotion operation. You need to have the Environment Admin role for both the source and target environments. You can optionally include a specific source environment snapshot to use, as well as a mapping of the source environment configuration resource or resources to the target environment configuration resource or resources.

A PingOne admin with Environment Admin permissions can review the promotion plan, and update the promotion mapping and variable definitions or declarations as needed. The promotion plan is then regenerated based on the updates. Use Read One Promotion or Read All Promotions to view the promotion plan.

If you do not set any promotion variables, the configuration resource or resources that you specify for the source or target environment will be used as is, and cannot be changed during the promotion operation. See Promotion Variables for more information.

When you choose to start the promotion operation, the promotion plan supplies the promotion operation instructions to the Promotions service. The Promotions service then:

  • Filters out any configuration resources that haven't changed, and calls the required target environment API using the new or altered resources.
  • Sets the promotion's startedAt and status values.
  • Collects any errors into a JSON array, and returns the errors.
  • Updates the promotion's completedAt and status values when the promotion operation is complete.

Promotions data model

Property Type Required? Mutable? Description
createdAt Date N/A Read-only The date and time the promotion was created.
completedAt Date N/A Read-only The date and time the promotion operation completed.
description String Optional Mutable A description of the promotion to be performed.
errors Object[] N/A Read-only An array of JSON objects correlating the configuration resource identifier in the source environment to the error messages from the target environment.
excludedResources Object[] or String[] Optional Mutable An array of JSON objects (or, optionally, an array of strings) containing the resource identifiers and resource URLs of the configuration resources to exclude from the promotion.
resourceMapping Map Optional Mutable A mapping of the configuration resource identifiers in the source environment to the configuration resource identifiers in the target environment.
promotionPlan Object[] N/A Read-only An array of JSON objects containing the promotion plan generated. The promotion plan is generated by the POST operation, but is returned only by either of the GET operations. For a DELETE operation, the payload property in the response will be empty.
promotionPlan.steps Object[] N/A Read-only An array of JSON objects identifying the resource or resources, the configuration of the resource or resources, and the target environment or environments.
promotionPlan.totalDistance Integer N/A Read-only (Internal use only.) A comparison metric the Configuration Management service uses to determine whether there is a comparable resource in the target environment to replace.
selectedResources Object[] or String[] Optional Mutable An array of JSON objects (or, optionally, an array of strings) containing the resource identifiers and resource URLs of the configuration resources selected for promotion. If this is omitted, the entire current environment is used (the environment ID is injected).
sourceEnvironment String Optional Immutable A JSON object containing the ID of the source environment. If not specified, the current source environment for the actor is used.
sourceSnapshotId String Optional Mutable The identifier of the snapshot to use as the promotion source.
startedAt Date N/A Read-only The date and time the promotion operation started.
status String N/A Read-only An enumeration indicating the status of the promotion. This can be: NEW, PREPARING, READY, IN_PROGRESS, COMPLETED, VALIDATION_FAILED, or ERROR.
targetEnvironment Object Required Immutable A JSON object containing the identifier of the target environment.
targetSnapshotId String Optional Mutable The identifier of the snapshot to use as the promotion target.

Excluded Resources

Currently, not all resources, services, or products can be used in a promotion operation.

Excluded products or services

  • PingOne DaVinci (except for Forms)
  • PingOne Authorize

Excluded resources

Some resources can never be promoted, while others will be supported for promotion, but currently are not.

Permanently excluded resources

These resources are expected to never be supported for promotion:

  • Active Identity Counts
  • Activities
  • Adaptive Trust Policies
  • Applications Role Assignments
  • Application Signons
  • Application Signons Statistics
  • Certificates
  • Connectors
  • Dashboards
  • Data Exploration Batches
  • Data Explorations
  • Data Exploration Templates
  • Licenses
  • Licenses Expires At
  • Licenses Metrics Active Identity Counts
  • Licenses Name
  • PingOne for Enterprise Orchestrations
  • PingOne for Enterprise Callback

Currently excluded resources

These resources will be supported for promotion, but are not currently:

  • Admin Config
  • API Servers
  • Application Entitlements
  • Application Permissions
  • Application Resources
  • Application Roles
  • Applications Secret
  • Authorization Attributes
  • Authorization Changes
  • Authorization Conditions
  • Authorization Connector Templates
  • Authorization Policies
  • Authorization Processors
  • Authorization Rules
  • Authorization Services
  • Authorization Statements
  • Branding Settings
  • Connector Instances
  • Credential Counts
  • Credential Issuer Profile
  • Credential Types
  • Custom Domains
  • Davinci Applications
  • Decision Endpoints
  • Delegated Admins
  • Device Authentications
  • Digital Wallet Applications
  • External Services
  • Fido Devices Metadata
  • Flow Definitions
  • Flow Metadata
  • Flow Policies
  • Flows
  • Fraud Evaluations
  • Fraud Events Details
  • Fraud Feedbacks
  • Fraud Sessions
  • Identity Cloud
  • Identity Cloud Orchestrations
  • Images
  • Integrations
  • Languages
  • Legacy
  • Locales
  • Metrics
  • Migrate
  • Notification Callback
  • Notification Callback AWS email
  • Notification Callback Syniverse
  • Notification Callback Twilio
  • Notification Callback Whatsapp
  • Notifications
  • Notifications Quota
  • OAuth Jobs
  • OAuth Tokens
  • Organization Quota
  • Password Storage Scheme Config
  • Pingid
  • Pingid Mobile App Versions
  • Pingid Mobile Display Names
  • Pingid Mobile Os Versions
  • Portal
  • Presentation Sessions
  • Promotions
  • Promotion Variable Declarations
  • Propagation
  • Propagation Mappings
  • Propagation Plans
  • Propagation Provisioning Syncs
  • Propagation Revisions ID
  • Propagation Revisions ID Latest
  • Propagation Rules
  • Propagation Store Metadata
  • Propagation Stores
  • QS Dashboards
  • Rate Limit IP Configs
  • Recaptcha V2 Config
  • Resources Secret
  • Risk Evaluations
  • Risk Feedback
  • Roles
  • Seen Devices
  • Sessions
  • Snapshots
  • Software Licenses
  • Solutions
  • Subscriptions
  • Tiles
  • Total Identities
  • Translations
  • Users
  • Variables
  • Voice Phrases

Create Promotion


Start Promotion


Read All Promotions


Read One Promotion


Read Promotion Status


Update Promotion


Delete Promotion

Promotion Variables

Use promotion variables to account for environment-specific differences, such as third-party integrations or URLs. You can specify configuration resource property values for either the source or target environment to be substituted for existing property values by the promotion operation. Only the promotion variables you set can change property values for use by the promotion operation. If you do not set any promotion variables, the configuration resource or resources that you specify for the source or target environment will be used as is, and cannot be changed during the promotion operation.

To use promotion variables, you need to:

  1. Specify the configuration resource to be promoted in a snapshot.
  2. Define the variable or variables to be used for a source or target environment configuration resource property. See Variable Definitions.
  3. Declare the variables to be used by the promotion operation. See Variable Declarations.

A few things to be aware of:

  • The variables are scoped only to the specified configuration resources, and are not applied to any dependent resources.
  • Variables are not versioned with a snapshot, so for each promotion operation, you need to ensure the variable settings for a configuration resource are correct.
  • Any configuration resources that you change directly without updating the variables will be overwritten by a subsequent promotion operation. This is because the promotion operation will use the existing variable set.

Variable Resources

Not all configuration resources or properties can be used as promotion variables. Here's the listing of configuration resources, and the associated properties that are supported as promotion variables:

Resource Properties
Applications: acsUrls, audienceRestriction, corsSettings, defaultTargetUrl, deviceCustomVerificationUri, devicePathId, domainName, homePageUrl, idpSigning.algorithm, idpSigning.key.id, initiateLoginUri, jwks, jwksUrl, kerberos.key.id, mobile.bundleId, mobile.huaweiAppId, mobile.huaweiPackageName, mobile.integrityDetection.googlePlay.serviceAccountCredentials, mobile.packageName, mobile.uriPrefix, postLogoutRedirectUris, redirectUris, replyUrl, sloEndpoint, sloResponseEndpoint, spEncryption.certificate.id, spEntityId, spVerification.cert.id, subjectNameIdentifierFormat, targetLinkUri
Authentication: relyingPartyId
Branding: companyName, logo.href
Custom Domain: domainName
Email Domains: domainName
Gateways: bindDN, bindPassword, kerberos.serviceAccountPassword, kerberos.serviceAccountUserPrincipalName, radiusClients.ip
Identity Providers: appId, appSecret, authorizationEndpoint, clientEnvironment, clientId, clientSecret, clientSecretSigningKey, discoveryEndpoint, idpEntityId, issuer, jwksEndpoint, keyId, sloEndpoint, spSigning.key.id, ssoEndpoint, teamId, tenantId, tokenEndpoint, userInfoEndpoint
Notification Templates: body, content, replyTo.address, replyTo.name
Notifications Phone Delivery Settings: authToken, authentication.username, sid
Notifications: key, type
Provisioning: configuration.Administrator_Password, configuration.Administrator_Username, configuration.BASE_URL, configuration.BASIC_AUTH_PASSWORD, configuration.BASIC_AUTH_USER, configuration.CLIENT_ID, configuration.CLIENT_SECRET, configuration.ClientId, configuration.ClientSecret, configuration.GROUPS_RESOURCE, configuration.OAUTH_ACCESS_TOKEN, configuration.OAUTH_CLIENT_ID, configuration.OAUTH_CLIENT_SECRET, configuration.OAUTH_REFRESH_TOKEN, configuration.SALESFORCE_DOMAIN, configuration.SCIM_URL, configuration.ServiceNow_Url, configuration.TenantDomain, configuration.USERS_RESOURCE, configuration.password, configuration.tenantId, configuration.username
Trusted Email Addresses: emailAddress


Variable Definitions

When promoting a configuration, you need to define any variables you intend to use to substitute for existing property values. Once a variable is defined, you then need to declare it. See Variable Declarations for details.

Variable definitions data model

Property Type Required? Mutable? Description
createdAt Date N/A Read-only The date and time at which the resource was created (ISO 8601 format).
name String Required Mutable The name to use for the variable. This name must be unique in the environment.
updatedAt Date N/A Read-only The date and time at which the resource was last updated (ISO 8601 format).
value Object Required Mutable A JSON object containing the value to assign to the variable. Currently, the object type can be: String, List, or Integer.

Create Variable Definition


Read All Variable Definitions


Read One Variable Definition


Update Variable Definition


Delete Variable Definition

Variable Declarations

Before you can declare a variable (POST {{apiPath}}/environments/{{envID}}/promotionVariableDeclarations), you need to define the variable that you intend to use. See Variable Definitions for details.

Variable declarations data model

Property Type Required? Mutable? Description
createdAt Date N/A Read-only The date and time at which the resource was created (ISO 8601 format).
resourceId String Required Mutable The UUID of the configuration resource.
updatedAt Date N/A Read-only The date and time at which the resource was last updated (ISO 8601 format).
variables Map Required Mutable A mapping of configuration resource properties to the name values of defined variables. For example, for an applications resource, you might map the refreshTokenDuration property to a variable definition having a name value of refreshTokenDurationVar.
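The following is an added example (not PingOne code) that models how a variable definition (name and value) and a variable declaration (resource property path mapped to a variable name) combine to rewrite a configuration resource before promotion, as described in the Promotion Variables procedure and the two data models above. It assumes a dotted property-path form such as idpSigning.key.id, uses a subset of the Variable Resources table as its allow-list, and the application, definitions, declaration and IDs are constructed placeholders.

```python
"""Apply promotion variable definitions and declarations to a configuration
resource before promotion (added example, not PingOne code)."""
from copy import deepcopy

# Subset of the page's Variable Resources table: resource -> supported paths.
SUPPORTED_PROPERTIES = {
    "Applications": {"homePageUrl", "redirectUris", "jwksUrl", "idpSigning.key.id"},
    "Gateways": {"bindDN", "bindPassword"},
}


def set_path(obj, path, value):
    """Set a dotted property path inside a nested dict, creating parents."""
    parts = path.split(".")
    cur = obj
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def apply_declaration(resource_type, configuration, declaration, definitions):
    """Return a copy of `configuration` with every declared property replaced
    by the value of its variable definition.

    declaration: {"resourceId": str, "variables": {property_path: variable_name}}
    definitions: {variable_name: {"name": variable_name, "value": ...}}

    A bad declaration raises ValueError so the mistake surfaces before the
    promotion runs; otherwise the source value would be promoted unchanged.
    """
    supported = SUPPORTED_PROPERTIES.get(resource_type)
    if supported is None:
        raise ValueError(f"{resource_type} does not support promotion variables")
    promoted = deepcopy(configuration)
    for prop, var_name in declaration["variables"].items():
        if prop not in supported:
            raise ValueError(f"{prop} is not a promotion-variable property of {resource_type}")
        definition = definitions.get(var_name)
        if definition is None:
            raise ValueError(f"variable {var_name!r} is declared but not defined")
        value = definition["value"]
        # The page allows String, List or Integer values. bool is excluded
        # explicitly because it is an int subclass in Python.
        if isinstance(value, bool) or not isinstance(value, (str, list, int)):
            raise ValueError(f"unsupported value type for {var_name!r}: {type(value).__name__}")
        set_path(promoted, prop, value)
    return promoted


# Constructed sample: an application as stored in a source (dev) snapshot.
SOURCE_APP = {
    "id": "11111111-1111-1111-1111-111111111111",  # placeholder resource ID
    "name": "Customer Portal",
    "homePageUrl": "https://dev.example.com/",
    "redirectUris": ["https://dev.example.com/callback"],
    "idpSigning": {"algorithm": "RS256", "key": {"id": "dev-signing-key-placeholder"}},
}

# Variable definitions (name -> value) for the target environment.
DEFINITIONS = {
    "portalHomeUrl": {"name": "portalHomeUrl", "value": "https://portal.example.com/"},
    "portalRedirects": {"name": "portalRedirects", "value": ["https://portal.example.com/callback"]},
    "portalSigningKey": {"name": "portalSigningKey", "value": "prod-signing-key-placeholder"},
}

# Variable declaration: which application properties each variable replaces.
DECLARATION = {
    "resourceId": SOURCE_APP["id"],
    "variables": {
        "homePageUrl": "portalHomeUrl",
        "redirectUris": "portalRedirects",
        "idpSigning.key.id": "portalSigningKey",
    },
}


def promote_sample():
    """Run the substitution on the constructed sample and return the result."""
    return apply_declaration("Applications", SOURCE_APP, DECLARATION, DEFINITIONS)


if __name__ == "__main__":
    import json
    print(json.dumps(promote_sample(), indent=2))
```

Because variables are not versioned with the snapshot, a check like this is worth running against the current definitions immediately before each Start Promotion call: a declaration that names a property outside the supported list, or a variable that was deleted since the last promotion, fails here instead of silently promoting the source environment's value.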

Create Variable Declaration


Read Variable Declarations


Update Variable Declaration


Delete Variable Declaration

Promotion Configuration

The promotionConfiguration endpoint sets and reads the default target environment for promotions. When you know that you'll be working with a specific target environment, you can set that environment as the default for the promotions you're doing.


Read Promotion Configuration


Update Promotion Configuration

PingOne Authorize Trust Framework

The PingOne Authorize trust framework service provides endpoints to define the entities and configurations to target policies and rules when making dynamic authorization requests.

The trust framework is based on attributes. These attributes have resolvers which bring contextual data values into the attribute. Resolvers can be conditional using an embedded condition or they can be a reference to a condition entity.

A service resolver references a service that can call out to a third-party HTTP service or the PingOne Protect service. Attributes can transform the value received from resolvers using embedded processors or referenced processors.

To create and manage the attributes, services, conditions, and processors required by the PingOne Authorize trust framework, see:

If you want to use Postman

You can download or fork the Postman collection for the early access PingOne Authorize Trust Framework APIs, and test them in your Postman environment. If you don't already have a Postman installation, you can install the free version. See Download Postman.

Import or fork the Postman collection PingOne Authorize Trust Framework APIs - Early Access into your Postman installation by clicking the Run in Postman button below:

Run In Postman

Refer to Postman and the PingOne APIs for more information.

Authorization Attributes

Authorization attributes provide contextual information that informs fine-grained dynamic authorization decisions. Attributes have the following characteristics:

  • An attribute has zero or more resolvers that bring the contextual data into the attribute value. The ordered list of resolvers is evaluated sequentially until one returns a value successfully.

  • An attribute has zero or more processors that transform the data coming from the resolvers.

  • An attribute has a valueType property value that specifies the final output type of the attribute.

Authorization attributes data model

Property Type? Required? Mutable? Description
defaultValue String Optional Mutable The value to use if no resolvers are defined or if an error occurred with the resolvers or processors.
description String Optional Mutable The attribute resource's description.
fullName String Required Mutable A unique name generated by the system for each attribute resource. It is the concatenation of names in the attribute resource hierarchy.
id String N/A Read only The resource's unique identifier.
managedEntity Object Optional Read only A system-assigned set of restrictions and metadata related to the resource.
name String Required Mutable A user-friendly attribute name.
parent Object Optional Mutable The attribute resource's parent.
parent.id String Optional Mutable The attribute resource's parent ID.
processor Object Optional Mutable The attribute resource's processor.
processor.type String Optional Mutable The attribute resource's processor type. Options are JSON_PATH, SPEL, XPATH, COLLECTION_FILTER, COLLECTION_TRANSFORM, CHAIN, and REFERENCE. See Authorization processors processor type data model for additional properties for each processor type.
processor.name String Optional Mutable A user-friendly authorization processor name. The name value must be unique.
repetitionSource Object Optional Mutable A setting to designate the attribute as multi-valued and repeatable.
resolvers Array Optional Mutable The attribute resource's resolvers.
resolvers.type String Optional Mutable The attribute resource's resolver type. Options are REQUEST, CONSTANT, ATTRIBUTE, SERVICE, SYSTEM, CONFIGURATION, CURRENT_REPETITION_VALUE, CURRENT_USER_ID, and USER.
type String Required Read only The attribute type. Options are ATTRIBUTE.
valueType Object Required Mutable The value type object for the attribute.
valueType.type String Required Mutable The output type for the attribute. Options are BOOLEAN, STRING, NUMBER, XML, JSON, COLLECTION, DATE_TIME, LOCAL_TIME, LOCAL_DATE, LOCAL_DATE_TIME, ZONED_DATE_TIME, TIME_PERIOD, PERIOD, and DURATION.
version String Required Read only A random ID generated by the system for concurrency control purposes.

Authorization attributes resolvers type data model

Resolver type Description
REQUEST The value comes from the decision request.
ATTRIBUTE The value comes from another attribute. Additional properties are:
  • value, the value object.
  • value.id, the ID of the referring attribute.
CONSTANT The value provided is a constant. Additional properties are:
  • value, the constant value.
  • valueType, the output type of the constant. Options are BOOLEAN, STRING, NUMBER, XML, JSON, COLLECTION, DATE_TIME, LOCAL_TIME, LOCAL_DATE, LOCAL_DATE_TIME.
SERVICE The value comes from a service. Additional properties are:
  • value, the value object.
  • value.id, the ID of the referring service.
SYSTEM The value is provided by the system. Additional properties are:
  • value, a value that is set to either NULL or CURRENT_DATE_TIME.
CURRENT_REPETITION_VALUE The value of the repetition if the attribute belongs to a repetition scope.
CURRENT_USER_ID The value comes from the userContext property in the decision request.
USER The value is a PingOne user. Additional properties are:
  • query, a UserQuery object that provides a PingOne userId string.
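The following is an added example (not PingOne's implementation) of the evaluation order the attribute data model and the resolver type table describe: resolvers are tried in order until one succeeds, the processor then transforms the value, the result is coerced to valueType, and defaultValue is used whenever no resolver succeeds or a later step fails. Assumptions not stated on the page: REQUEST resolvers look the attribute up by fullName under request["parameters"], CURRENT_USER_ID reads request["userContext"]["id"], a JSON_PATH processor carries its path in an expression property and only the "$.a.b" subset of JSONPath is modelled, and the attribute catalogue and decision requests are constructed with placeholder IDs.

```python
"""Evaluate a trust-framework attribute: ordered resolvers, then processor,
then valueType coercion, with defaultValue as the fallback (added example)."""
from datetime import datetime, timezone


class ResolutionError(Exception):
    """A resolver or processor could not produce a value."""


def run_resolver(resolver, attribute, request, catalog, depth):
    """Produce a raw value from one resolver, or raise ResolutionError."""
    kind = resolver["type"]
    if kind == "REQUEST":  # assumption: request parameters keyed by fullName
        params = request.get("parameters", {})
        if attribute["fullName"] not in params:
            raise ResolutionError("value not supplied in the decision request")
        return params[attribute["fullName"]]
    if kind == "CONSTANT":
        return resolver["value"]
    if kind == "ATTRIBUTE":  # value.id names another attribute in the catalogue
        ref = catalog.get(resolver["value"]["id"])
        if ref is None:
            raise ResolutionError("referenced attribute does not exist")
        return evaluate_attribute(ref, request, catalog, depth + 1)
    if kind == "SYSTEM":  # value is NULL or CURRENT_DATE_TIME
        if resolver["value"] == "CURRENT_DATE_TIME":
            return datetime.now(timezone.utc).isoformat()
        return None
    if kind == "CURRENT_USER_ID":  # assumption: userContext carries the user id
        if "id" not in request.get("userContext", {}):
            raise ResolutionError("no userContext in the decision request")
        return request["userContext"]["id"]
    raise ResolutionError(f"resolver type {kind} is not modelled in this example")


def run_processor(processor, value):
    """Transform a value with CHAIN or the $.a.b subset of JSON_PATH."""
    kind = processor["type"]
    if kind == "CHAIN":
        for step in processor["processors"]:
            value = run_processor(step, value)
        return value
    if kind == "JSON_PATH":
        expression = processor["expression"]  # assumption: property name
        if not expression.startswith("$."):
            raise ResolutionError("only $.a.b style paths are modelled here")
        for key in expression[2:].split("."):
            if not isinstance(value, dict) or key not in value:
                raise ResolutionError(f"{expression} does not match the value")
            value = value[key]
        return value
    raise ResolutionError(f"processor type {kind} is not modelled in this example")


def coerce(value, value_type):
    """Convert to the declared valueType; raise ValueError/TypeError on mismatch."""
    if value_type == "BOOLEAN":
        if isinstance(value, bool):
            return value
        if isinstance(value, str) and value.lower() in ("true", "false"):
            return value.lower() == "true"
        raise ValueError("not a boolean")
    if value_type == "NUMBER":
        return float(value)
    if value_type == "STRING":
        if isinstance(value, (dict, list)):
            raise ValueError("structured value where STRING was expected")
        return str(value)
    return value  # JSON, COLLECTION and the date/time types pass through here


def evaluate_attribute(attribute, request, catalog, depth=0):
    """Return the attribute's final value, or defaultValue when resolution fails."""
    if depth > 8:  # guard against cycles through ATTRIBUTE resolvers
        return attribute.get("defaultValue")
    value, resolved = None, False
    for resolver in attribute.get("resolvers", []):
        try:
            value = run_resolver(resolver, attribute, request, catalog, depth)
            resolved = True
            break  # first successful resolver wins
        except ResolutionError:
            continue
    if not resolved:
        return attribute.get("defaultValue")
    try:
        if "processor" in attribute:
            value = run_processor(attribute["processor"], value)
        return coerce(value, attribute["valueType"]["type"])
    except (ResolutionError, ValueError, TypeError):
        return attribute.get("defaultValue")


# Constructed catalogue keyed by placeholder attribute IDs.
CATALOG = {
    "attr-profile": {"id": "attr-profile", "fullName": "Example.User.Profile",
                     "valueType": {"type": "JSON"}, "resolvers": [{"type": "REQUEST"}]},
    "attr-dept": {"id": "attr-dept", "fullName": "Example.User.Department",
                  "valueType": {"type": "STRING"}, "defaultValue": "unknown",
                  "resolvers": [{"type": "REQUEST"},
                                {"type": "ATTRIBUTE", "value": {"id": "attr-profile"}}],
                  "processor": {"type": "JSON_PATH", "expression": "$.department"}},
    "attr-mfa": {"id": "attr-mfa", "fullName": "Example.Session.MfaCompleted",
                 "valueType": {"type": "BOOLEAN"}, "defaultValue": False,
                 "resolvers": [{"type": "REQUEST"}]},
}
REQUEST_WITH_PROFILE = {"parameters": {"Example.User.Profile": {"department": "finance"}}}
EMPTY_REQUEST = {"parameters": {}}
```

Two behaviours of this model are worth keeping in mind when designing attributes: the processor applies to whichever resolver succeeded, so if a request supplied Example.User.Department directly as a plain string, the JSON_PATH processor would fail and the attribute would fall back to "unknown" rather than use the supplied value; and a defaultValue on a security-relevant attribute (here MfaCompleted defaulting to False) decides what happens when the request omits the data, so it should be the safe value.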

Event types

The audit reporting events applicable to the authorize attribute service are:

Topic Event
authorize-model AUTHORIZE_ATTRIBUTE.CREATED
authorize-model AUTHORIZE_ATTRIBUTE.UPDATED
authorize-model AUTHORIZE_ATTRIBUTE.DELETED

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Create Authorization Attribute


Test Authorization Attribute


Read Authorization Attributes


Read One Authorization Attribute


Update Authorization Attribute


Delete Authorization Attribute

Authorization Services

Authorization services, also referred to as Policy Information Points or PIPs, represent third-party HTTP services or internal PingOne platform services (such as PingOne Protect) that may be called to retrieve data.

These endpoints provide operations to create, read, update, test, and delete authorization services.

Authorization services data model

Property Type? Required? Mutable? Description
cacheSettings Object Optional Mutable The service's cache settings.
cacheSettings.ttlSeconds Integer Optional Mutable The service's cache time to live in seconds.
description String Optional Mutable The authorization service resource's description.
fullName String Required Mutable A unique name generated by the system for each service resource. It is the concatenation of names in the service resource hierarchy.
id String N/A Read only The resource's unique identifier.
name String Required Mutable A user-friendly service name.
parent Object Optional Mutable The service resource's parent.
parent.id String Optional Mutable The service resource's parent ID.
serviceType String Required Mutable The type of service. Options are NONE, HTTP, CONNECTOR. See the "serviceType property data model tables" section for information about the properties associated with each service type.
type String Required Read only The resource type. Options are SERVICE.
version String Required Read only A random ID generated by the system for concurrency control purposes.

The serviceType property supports the following three options: NONE, HTTP, and CONNECTOR. The NONE option does not require additional configuration. The HTTP and CONNECTOR service types require additional configuration property values in the request. The following tables describe the data models for these options.

HTTP serviceType data model properties
Property Type? Required? Mutable? Description
processor Object Optional Mutable The processor to transform the value returned from the resolver. Processor types are JSON_PATH, SPEL, XPATH, COLLECTION_FILTER, COLLECTION_TRANSFORM, CHAIN, and REFERENCE.
valueType Object Required Mutable The final output type of the service. Value types are BOOLEAN, STRING, NUMBER, XML, JSON, COLLECTION, DATE_TIME, LOCAL_TIME, LOCAL_DATE, LOCAL_DATE_TIME, ZONED_DATE_TIME, TIME_PERIOD, PERIOD, and DURATION.
serviceSettings Object Required Mutable The service settings object.
serviceSettings.maximumConcurrentRequests Integer Required Mutable The value must be greater than or equal to 1.
serviceSettings.maximumRequestsPerSecond Decimal Required Mutable The value must be greater than 0.
serviceSettings.timeoutMilliseconds Integer Required Mutable The value must be between 0 and 3000 (inclusive).
serviceSettings.type String Required Mutable The service type. Options are HTTP and CONNECTOR.

If the serviceSettings.type property is HTTP, the service supports the following service settings properties:

HTTP ServiceSettings property data model
Property Type? Required? Mutable? Description
type Object Required Immutable The type object.
url String Required Mutable The HTTP URL.
verb String Required Immutable The HTTP method. Options are GET, POST, PUT, DELETE, and HEAD.
body String Optional Mutable The HTTP request body.
contentType String Optional Mutable The HTTP request content type.
headers[] Array Optional Mutable The HTTP request headers. Each specified HTTP header requires key and value properties. The value property input options are ATTRIBUTE or CONSTANT. If the value is an ATTRIBUTE, the input is expressed as a JSON object that specifies an attribute UUID. If the value is a CONSTANT, the input is a string.
authentication Object Required Mutable The authentication object. Authentication options are NONE, BASIC, TOKEN, and CLIENT_CREDENTIALS. For information about authentication type properties, see the data model table below.
tlsSettings Object Required Mutable The TLS object.
tlsSettings.tlsValidationType String Required Mutable The TLS validation type. Options are DEFAULT and NONE.

HTTP ServiceSettings authentication property data model

BASIC

Property Type? Required? Mutable? Description
name Object Required Mutable The user object.
name.id UUID Required Mutable The user name of the authenticator.
password Object Required Mutable The user object.
password.id UUID Required Mutable The password of the authenticator.

TOKEN

Property Type? Required? Mutable? Description
token Object Required Mutable The token object.
token.id UUID Required Mutable The token used to authenticate.

CLIENT_CREDENTIALS

Property Type? Required? Mutable? Description
tokenEndpoint String Required Mutable The token endpoint.
clientId String Required Mutable The client ID string.
clientSecret Object Required Mutable The client secret object.
clientSecret.id UUID Required Mutable The client secret string.
scope String Required Mutable The permissions that determine the resources that the application can access.

CONNECTOR data model properties
Property Type? Required? Mutable? Description
processor Object Optional Mutable The processor object, if specified.
valueType Object Required Mutable The value type object.
serviceSettings Object Required Mutable The service settings object for the CONNECTOR service type.
clientSecret.id UUID Required Mutable The client secret string.
scope String Required Mutable The permissions that determine the resources that the application can access.

CONNECTOR ServiceSettings property data model
Property Type? Required? Mutable? Description
type Object Required Immutable The type object.
channel String Required Mutable The channel value. Options are AUTHORIZE.
code String Required Mutable The code value. Options are P1_RISK.
capability String Required Mutable The capability associated with connector code and channel.
schemaVersion Integer Required Mutable The schema version in the connector template.
inputMappings[] Array Required Mutable The list of input mappings matching the connector template.
inputMappings.type String Required Mutable The input mapping type. Options are ATTRIBUTE and INPUT. See the data model tables below for information about ATTRIBUTE and INPUT properties.

CONNECTOR inputMappings.type property data model

ATTRIBUTE

Property Type? Required? Mutable? Description
type Object Required Mutable The input mapping type.
value Object Required Mutable The input mapping value property.
value.id UUID Required Mutable An attribute ID.

INPUT

Property Type? Required? Mutable? Description
type Object Required Mutable The input mapping type.
value String Optional Mutable An input value.
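The following is an added example (not PingOne's own validation) that checks an HTTP authorization service definition against the limits stated in the HTTP serviceType and HTTP ServiceSettings tables above, and reports the settings from those tables that weaken the call to the policy information point: a plaintext url, authentication NONE, and tlsSettings.tlsValidationType NONE. Property names follow the tables (maximumConcurrentRequests, maximumRequestsPerSecond, timeoutMilliseconds, verb, url, tlsSettings.tlsValidationType); that the authentication object carries its option in a type property is an assumption, and the two sample services and the secret ID are constructed placeholders.

```python
"""Check an HTTP authorization service against the page's serviceSettings
constraints and flag weak settings (added example, not PingOne code)."""
from urllib.parse import urlparse

VERBS = {"GET", "POST", "PUT", "DELETE", "HEAD"}
AUTH_TYPES = {"NONE", "BASIC", "TOKEN", "CLIENT_CREDENTIALS"}
TLS_TYPES = {"DEFAULT", "NONE"}


def check_http_service(service):
    """Return a list of (severity, message) findings. An empty list means the
    service meets the table constraints and uses no weak setting."""
    findings = []

    def err(msg):
        findings.append(("ERROR", msg))

    def warn(msg):
        findings.append(("WARN", msg))

    s = service.get("serviceSettings", {})
    if s.get("type") != "HTTP":
        err("serviceSettings.type must be HTTP for this check")
        return findings

    # Numeric limits as stated on the page: >= 1, > 0, and 0..3000 inclusive.
    mcr = s.get("maximumConcurrentRequests")
    if not isinstance(mcr, int) or mcr < 1:
        err("maximumConcurrentRequests must be an integer >= 1")
    rps = s.get("maximumRequestsPerSecond")
    if not isinstance(rps, (int, float)) or rps <= 0:
        err("maximumRequestsPerSecond must be > 0")
    timeout = s.get("timeoutMilliseconds")
    if not isinstance(timeout, int) or not 0 <= timeout <= 3000:
        err("timeoutMilliseconds must be an integer between 0 and 3000")

    if s.get("verb") not in VERBS:
        err(f"verb must be one of {sorted(VERBS)}")
    url = urlparse(s.get("url", ""))
    if url.scheme not in ("http", "https") or not url.netloc:
        err("url must be an absolute http(s) URL")
    elif url.scheme == "http":
        warn("url uses plaintext http; attribute data and credentials travel unprotected")

    # assumption: the authentication object names its option in a `type` property
    auth_type = s.get("authentication", {}).get("type")
    if auth_type not in AUTH_TYPES:
        err(f"authentication.type must be one of {sorted(AUTH_TYPES)}")
    elif auth_type == "NONE":
        warn("authentication NONE: the PIP cannot distinguish PingOne from any other caller")

    tls = s.get("tlsSettings", {}).get("tlsValidationType")
    if tls not in TLS_TYPES:
        err("tlsSettings.tlsValidationType must be DEFAULT or NONE")
    elif tls == "NONE":
        warn("tlsValidationType NONE disables certificate validation; "
             "a spoofed PIP could feed the policy false attribute values")
    return findings


# Constructed samples. The weak one satisfies the table constraints but is insecure.
WEAK_SERVICE = {
    "name": "riskScoreService", "serviceType": "HTTP",
    "valueType": {"type": "NUMBER"},
    "serviceSettings": {
        "type": "HTTP", "verb": "GET", "url": "http://pip.internal.example/score",
        "maximumConcurrentRequests": 4, "maximumRequestsPerSecond": 20,
        "timeoutMilliseconds": 500,
        "authentication": {"type": "NONE"},
        "tlsSettings": {"tlsValidationType": "NONE"},
    },
}

HARDENED_SERVICE = {
    "name": "riskScoreService", "serviceType": "HTTP",
    "valueType": {"type": "NUMBER"},
    "serviceSettings": {
        "type": "HTTP", "verb": "GET", "url": "https://pip.internal.example/score",
        "maximumConcurrentRequests": 4, "maximumRequestsPerSecond": 20,
        "timeoutMilliseconds": 500,
        # token.id is a placeholder for the UUID of a stored secret
        "authentication": {"type": "TOKEN", "token": {"id": "00000000-0000-0000-0000-000000000000"}},
        "tlsSettings": {"tlsValidationType": "DEFAULT"},
    },
}

if __name__ == "__main__":
    for label, svc in (("weak", WEAK_SERVICE), ("hardened", HARDENED_SERVICE)):
        print(label, check_http_service(svc) or "OK")
```

The three WARN findings matter because a service resolver's output becomes attribute data that policies decide on: a PIP reached over plaintext or with validation disabled lets anyone on the path substitute the value, and an unauthenticated PIP cannot rate-limit or audit by caller. A check like this fits naturally in a CI step over exported authorization service definitions.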

Event types

The audit reporting events applicable to the authorization services service are:

Topic Event
authorize-model AUTHORIZE_SERVICE.CREATED
authorize-model AUTHORIZE_SERVICE.UPDATED
authorize-model AUTHORIZE_SERVICE.DELETED

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Create Authorization Service


Test Authorization Service


Read Authorization Services


Read One Authorization Service


Update Authorization Service


Delete Authorization Service

Authorization Conditions

Conditions in PingOne Authorize define authorization logic by comparing one thing to another. Conditions evaluate to either true or false. The authorization conditions service provides endpoints to create, read, update, test, and delete trust framework authorization conditions.

Authorization conditions data model

Property Type? Required? Mutable? Description
condition Object Required Mutable The authorization condition object.
condition.type String Required Mutable The authorization condition type. Options are COMPARISON, AND, OR, EMPTY, NOT, REFERENCE.
condition.conditions[] Object Required Mutable A set of conditions.
condition.conditions.type String Required Mutable The type of condition.
condition.conditions.comparator String Required Mutable The operator used to evaluate the condition.
condition.conditions.left Object Required Mutable An object that defines the left side of the condition statement.
condition.conditions.right Object Required Mutable An object that defines the right side of the condition statement.
description String Optional Mutable The authorization condition resource's description.
fullName String Required Mutable A unique name generated by the system for each authorization condition resource. It is the concatenation of names in the condition resource hierarchy.
id String N/A Read only The resource's unique identifier.
name String Required Mutable A user-friendly authorization condition name.
parent Object Optional Mutable The authorization condition resource's parent.
parent.id String Optional Mutable The authorization condition resource's parent ID.
type String Optional Mutable The condition resource's type. Options are CONDITION.
version String Required Read only A random ID generated by the system for concurrency control purposes.

Authorization conditions condition type data model

Condition type Description
AND The and logical condition. Additional properties are:
  • conditions, the list of conditions that must be met.
OR The or logical condition. Additional properties are:
  • conditions, the list of conditions of which one must be met.
NOT The not logical condition. Additional properties are:
  • condition, the list of conditions.
EMPTY The empty condition, which specifies no conditions to be met.
REFERENCE The reference condition. Additional properties are:
  • reference, the reference object.
  • reference.id, the ID of an authorization condition.
COMPARISON The comparison condition. Additional properties are:
  • left, the value on the left side of the comparison operator.
  • right, the value on the right side of the comparison operator.
  • comparator, the comparison operator. Options are IS_MEMBER_OF, IS_NOT_MEMBER_OF, CONTAINS_GROUP, DOES_NOT_CONTAIN_GROUP, CONTAINS, NOT_CONTAINS, EQUALS, NOT_EQUALS, GREATER_THAN, GREATER_THAN_OR_EQUAL, LESSER_THAN, LESSER_THAN_OR_EQUAL, REGULAR_EXPRESSION, STARTS_WITH, NOT_STARTS_WITH, ENDS_WITH, NOT_ENDS_WITH, MATCHES, NOT_MATCHES, IS_IN, IS_NOT_IN, IN_CIDR_BLOCK, and NOT_IN_CIDR_BLOCK.
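The following is an added example (not PingOne's implementation) of evaluating a condition tree built from the condition types in the table above (AND, OR, NOT, EMPTY, REFERENCE, COMPARISON) against already-resolved attribute values, with a subset of the listed comparators. Assumptions not stated on the page: a left or right operand is either {"type": "CONSTANT", "value": ...} or {"type": "ATTRIBUTE", "fullName": ...} looked up in a dict of resolved attribute values; NOT carries a single condition object; EMPTY evaluates to true; REGULAR_EXPRESSION uses Python re.search; REFERENCE is resolved through a dict of condition resources keyed by ID. The sample policy, condition library, IDs and attribute values are constructed.

```python
"""Evaluate a trust-framework condition tree against resolved attribute
values, failing closed when the policy cannot be evaluated (added example)."""
import ipaddress
import re


class PolicyError(Exception):
    """Unknown condition type, comparator, reference or operand."""


def operand(op, attrs):
    """Resolve a left/right operand: a CONSTANT value or a resolved attribute."""
    if op["type"] == "CONSTANT":
        return op["value"]
    if op["type"] == "ATTRIBUTE":
        if op["fullName"] not in attrs:
            raise PolicyError(f"unresolved attribute {op['fullName']}")
        return attrs[op["fullName"]]
    raise PolicyError(f"unknown operand type {op['type']}")


# Positive comparators from the page; the NOT_/IS_NOT_ forms are their negation.
POSITIVE = {
    "EQUALS": lambda l, r: l == r,
    "GREATER_THAN": lambda l, r: float(l) > float(r),
    "GREATER_THAN_OR_EQUAL": lambda l, r: float(l) >= float(r),
    "LESSER_THAN": lambda l, r: float(l) < float(r),
    "LESSER_THAN_OR_EQUAL": lambda l, r: float(l) <= float(r),
    "CONTAINS": lambda l, r: r in l,
    "STARTS_WITH": lambda l, r: str(l).startswith(str(r)),
    "ENDS_WITH": lambda l, r: str(l).endswith(str(r)),
    "REGULAR_EXPRESSION": lambda l, r: re.search(r, str(l)) is not None,
    "IS_IN": lambda l, r: l in r,
    "IN_CIDR_BLOCK": lambda l, r: ipaddress.ip_address(l) in ipaddress.ip_network(r, strict=False),
}
NEGATED = {"NOT_EQUALS": "EQUALS", "NOT_CONTAINS": "CONTAINS", "IS_NOT_IN": "IS_IN",
           "NOT_STARTS_WITH": "STARTS_WITH", "NOT_ENDS_WITH": "ENDS_WITH",
           "NOT_IN_CIDR_BLOCK": "IN_CIDR_BLOCK"}


def compare(comparator, left, right):
    if comparator in NEGATED:
        return not POSITIVE[NEGATED[comparator]](left, right)
    if comparator in POSITIVE:
        return POSITIVE[comparator](left, right)
    raise PolicyError(f"comparator {comparator} is not modelled in this example")


def evaluate(cond, attrs, library):
    """True or False for one condition object; `library` maps condition IDs to
    condition resources for REFERENCE."""
    kind = cond["type"]
    if kind == "EMPTY":
        return True  # nothing to meet, so it is satisfied (assumption)
    if kind == "AND":
        return all(evaluate(c, attrs, library) for c in cond["conditions"])
    if kind == "OR":
        return any(evaluate(c, attrs, library) for c in cond["conditions"])
    if kind == "NOT":
        return not evaluate(cond["condition"], attrs, library)
    if kind == "REFERENCE":
        ref = library.get(cond["reference"]["id"])
        if ref is None:
            raise PolicyError(f"unknown condition reference {cond['reference']['id']}")
        return evaluate(ref["condition"], attrs, library)
    if kind == "COMPARISON":
        return compare(cond["comparator"], operand(cond["left"], attrs), operand(cond["right"], attrs))
    raise PolicyError(f"unknown condition type {kind}")


def decide(policy, attrs, library):
    """PERMIT only when the tree evaluates true; any evaluation failure
    (missing attribute, malformed CIDR, unknown reference) is a DENY."""
    try:
        return "PERMIT" if evaluate(policy, attrs, library) else "DENY"
    except (PolicyError, ValueError, TypeError):
        return "DENY"


def attr(name):
    return {"type": "ATTRIBUTE", "fullName": name}


def const(value):
    return {"type": "CONSTANT", "value": value}


# Constructed condition library (placeholder ID) and policy:
# finance users, with MFA or from the corporate network, and not high risk.
LIBRARY = {"cond-corp-net": {"id": "cond-corp-net", "condition": {
    "type": "COMPARISON", "comparator": "IN_CIDR_BLOCK",
    "left": attr("Example.Request.SourceIp"), "right": const("10.0.0.0/8")}}}
POLICY = {"type": "AND", "conditions": [
    {"type": "COMPARISON", "comparator": "EQUALS",
     "left": attr("Example.User.Department"), "right": const("finance")},
    {"type": "OR", "conditions": [
        {"type": "COMPARISON", "comparator": "EQUALS",
         "left": attr("Example.Session.MfaCompleted"), "right": const(True)},
        {"type": "REFERENCE", "reference": {"id": "cond-corp-net"}}]},
    {"type": "NOT", "condition": {"type": "COMPARISON", "comparator": "EQUALS",
                                  "left": attr("Example.Risk.Level"), "right": const("HIGH")}},
]}
```

The fail-closed behaviour in decide is the part to carry into any real policy engine integration: when an attribute the policy depends on is missing or a referenced condition cannot be found, the safe outcome is a deny, not a default that happens to evaluate true.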

Event types

The audit reporting events applicable to the authorization condition service are:

Topic Event
authorize-model AUTHORIZE_CONDITION.CREATED
authorize-model AUTHORIZE_CONDITION.UPDATED
authorize-model AUTHORIZE_CONDITION.DELETED

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Create Authorization Condition


Test Authorization Condition


Read Authorization Conditions


Read One Authorization Condition


Update Authorization Condition


Delete Authorization Condition

Authorization Processors

Authorization processors transform the data coming from the resolvers. Processors manipulate and transform data, including extracting details from structured data, or converting data to different formats. These endpoints provide operations to create, read, update, and delete authorization processor resources.

Authorization processors data model

Property Type? Required? Mutable? Description
description String Optional Mutable The authorization processor resource's description.
fullName String Required Mutable A unique name generated by the system for each authorization processor resource. It is the concatenation of names in the processor resource hierarchy.
id String N/A Read only The resource's unique identifier.
name String Required Mutable A user-friendly authorization processor name.
parent Object Optional Mutable The authorization processor resource's parent.
parent.id String Optional Mutable The authorization processor resource's parent ID.
processor Object Optional Mutable The authorization processor resource's processor object.
processor.type String Optional Mutable The authorization processor resource's processor type. Options are JSON_PATH, SPEL, XPATH, COLLECTION_FILTER, COLLECTION_TRANSFORM, CHAIN, REFERENCE. See Authorization processors processor type data model for additional properties for each processor type.
processor.name String Optional Mutable A user-friendly authorization processor name. The name value must be unique.
type String Optional Mutable The processor resource's processor type. Options are PROCESSOR.
version String Required Read only A random ID generated by the system for concurrency control purposes.

Authorization processors processor type data model

Processor type Description
JSON_PATH The JSON path expression processor. Additional properties are:
  • expression, the JSON path expression.
  • valueType, the output type for the value. Options are BOOLEAN, STRING, NUMBER, XML, JSON, COLLECTION, DATE_TIME, LOCAL_TIME, LOCAL_DATE, LOCAL_DATE_TIME.
CHAIN The CHAIN processor. Additional properties are:
  • processors, the list of processors to apply in the given order.
COLLECTION_FILTER The collection filter processor. Additional properties are:
  • predicate, the predicate evaluated against each item of the input collection; items for which it does not hold are dropped from the output.
COLLECTION_TRANSFORM The collection transform processor. Additional properties are:
  • processors, the list of processors to apply in the given order.
REFERENCE The reference processor. Additional properties are:
  • processor, the processor object.
  • processor.id, the ID of an authorization processor.
SPEL The SpEL expression processor. Additional properties are:
  • expression, the SpEL expression.
  • valueType, the output type for the value. Options are BOOLEAN, STRING, NUMBER, XML, JSON, COLLECTION, DATE_TIME, LOCAL_TIME, LOCAL_DATE, LOCAL_DATE_TIME.
XPATH The XPath expression processor. Additional properties are:
  • expression, the XPath expression.
  • valueType, the output type for the value. Options are BOOLEAN, STRING, NUMBER, XML, JSON, COLLECTION, DATE_TIME, LOCAL_TIME, LOCAL_DATE, LOCAL_DATE_TIME.
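The following Python script is an added example, not PingOne code, that models the JSON_PATH, CHAIN, COLLECTION_FILTER and COLLECTION_TRANSFORM processor types from the table above and runs them over a constructed resolver payload. It shows two things the table leaves implicit: a CHAIN feeds each processor's output into the next, so order matters, and a valueType that the extracted value cannot satisfy should fail rather than fall back to a default. Assumptions: the JSON path support is a small "$.key[*].key" subset of what the service accepts, the COLLECTION_FILTER predicate is a Python callable standing in for a condition, SPEL and XPATH are omitted, and the sample entitlements document is invented.

```python
"""Local model of JSON_PATH, CHAIN, COLLECTION_FILTER and COLLECTION_TRANSFORM
(added example, not PingOne code).

Assumptions: JSON path is limited to "$", ".key" and "[*]"; the filter
predicate is a callable; the resolver payload below is constructed.
"""
from datetime import datetime
import json


def _json_path(expr, data):
    """Tiny JSON path subset: '$' root, '.key' descent, '[*]' fan-out."""
    if not expr.startswith("$"):
        raise ValueError("expression must start with '$'")
    current = [data]
    for token in expr[1:].replace("[*]", ".[*]").split("."):
        if token == "":
            continue
        if token == "[*]":
            current = [item for coll in current for item in coll]
        else:
            current = [obj[token] for obj in current]
    return current


def _coerce(value, value_type):
    """Apply a valueType from the table; refuse values that do not fit it."""
    if value_type == "STRING":
        return str(value)
    if value_type == "NUMBER":
        if isinstance(value, bool) or not isinstance(value, (int, float, str)):
            raise TypeError(f"not a NUMBER: {value!r}")
        return float(value)                       # ValueError on "12abc"
    if value_type == "BOOLEAN":
        if isinstance(value, bool):
            return value
        if value in ("true", "false"):
            return value == "true"
        raise TypeError(f"not a BOOLEAN: {value!r}")   # "yes", 1, "" are rejected
    if value_type == "COLLECTION":
        return list(value) if isinstance(value, (list, tuple, set)) else [value]
    if value_type == "JSON":
        return json.loads(value) if isinstance(value, str) else value
    if value_type == "DATE_TIME":
        return datetime.fromisoformat(str(value))
    raise ValueError(f"unsupported valueType {value_type!r}")


def run_processor(proc, value):
    """Evaluate one processor object against an input value."""
    kind = proc["type"]
    if kind == "JSON_PATH":
        hits = _json_path(proc["expression"], value)
        if proc["valueType"] == "COLLECTION":
            return hits
        if len(hits) != 1:                        # a scalar type needs exactly one match
            raise ValueError(f"{proc['expression']} matched {len(hits)} values")
        return _coerce(hits[0], proc["valueType"])
    if kind == "CHAIN":
        for p in proc["processors"]:              # output of each feeds the next
            value = run_processor(p, value)
        return value
    if kind == "COLLECTION_TRANSFORM":
        chain = {"type": "CHAIN", "processors": proc["processors"]}
        return [run_processor(chain, item) for item in value]
    if kind == "COLLECTION_FILTER":
        return [item for item in value if proc["predicate"](item)]
    if kind == "REFERENCE":
        raise ValueError(f"REFERENCE to processor {proc['processor']['id']} "
                         "must be resolved before evaluation")
    raise ValueError(f"unknown processor type {kind!r}")


# Constructed resolver output: an entitlements API response for one user.
ENTITLEMENTS = {
    "user": {"id": "u-1"},
    "grants": [
        {"scope": "orders:read", "expires": "2030-01-01T00:00:00", "active": "true"},
        {"scope": "orders:write", "expires": "2020-01-01T00:00:00", "active": "true"},
        {"scope": "admin", "expires": "2030-01-01T00:00:00", "active": "false"},
    ],
}

# CHAIN: fan out the grants, keep active and unexpired ones, then project the scope.
ACTIVE_SCOPES = {
    "type": "CHAIN",
    "processors": [
        {"type": "JSON_PATH", "expression": "$.grants[*]", "valueType": "COLLECTION"},
        {"type": "COLLECTION_FILTER",
         "predicate": lambda g: _coerce(g["active"], "BOOLEAN")
         and _coerce(g["expires"], "DATE_TIME") > datetime(2025, 1, 1)},
        {"type": "COLLECTION_TRANSFORM", "processors": [
            {"type": "JSON_PATH", "expression": "$.scope", "valueType": "STRING"}]},
    ],
}

if __name__ == "__main__":
    print(run_processor(ACTIVE_SCOPES, ENTITLEMENTS))
```

The strict coercion is the part worth carrying over to real processor definitions: a BOOLEAN valueType that quietly maps "yes" or an empty string to false, or a NUMBER that becomes 0 on parse failure, turns a data-quality problem at the resolver into an authorization decision. Use the Test Authorization Condition and Test Authorization Rule endpoints with malformed inputs to see how the service itself handles a value that does not fit the declared valueType.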

Event types

The audit reporting events applicable to the authorization processor service are:

Topic Event
authorize-model AUTHORIZE_PROCESSOR.CREATED
authorize-model AUTHORIZE_PROCESSOR.UPDATED
authorize-model AUTHORIZE_PROCESSOR.DELETED

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Create Authorization Processor


Read Authorization Processors


Read One Authorization Processor


Update Authorization Processor


Delete Authorization Processor

Authorization Connector Templates

This endpoint provides an operation to view the authorization connector templates associated with the specified environment.

Connector templates data model

Property Type? Required? Mutable? Description
type String Required Immutable The type of connector template.
channel String Required Mutable The connector template channel.
code String Required Mutable The code associated with the service.
capability String Required Mutable The capability associated with the connector code and channel.
schemaVersion Integer Required Mutable The schema version of the connector template.
inputMappings Array Required Mutable The list of input mappings of the connector template.
inputMappings.type String Required Mutable The type of input mapping. Options are ATTRIBUTE, INPUT.
inputMappings.property String Required Mutable The property associated with the input mapping.
cacheSettings Object Optional Mutable An object that specifies the cache settings.
cacheSettings.ttlSeconds Integer Optional Mutable The time to live setting specified in seconds.

Response codes

Code Message
200 Successful operation.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Read Authorization Connector Templates

PingOne Authorize Editor Policy Management

PingOne Authorize policies model business requirements into authorization logic using elements created in the PingOne Authorize Trust Framework.

Policies are based on application requirements and the regulations that you’re complying with. Your organization imposes many conditions and constraints on access control. Policies capture these constraints in rules that define the circumstances under which users can access certain resources.

The policy management endpoints include:

If you want to use Postman

You can download or fork the Postman collection for the early access PingOne Authorize Editor Policy Management APIs, and test them in your Postman environment. If you don't already have a Postman installation, you can install the free version. See Download Postman.

Import or fork the Postman collection PingOne Authorize Editor Policy Management APIs - Early Access into your Postman installation by clicking the Run in Postman button below:

Run In Postman

Refer to Postman and the PingOne APIs for more information.

Authorization Policies

Authorization policies specify the statements (directives that instruct the policy decision service to perform additional processing in conjunction with an authorization decision), conditions (authorization logic comparing one thing to another), and combining algorithms (the process for combining multiple rules) to determine an authorization decision.

Authorization policies data model

Property Type? Required? Mutable? Description
children Array Optional Mutable The list of child policies or rules. Can be either referenced or embedded.
combiningAlgorithm Object Required Immutable The algorithm that determines how rules are combined to produce an authorization decision. For details, see Authorization Rules.
condition Object Optional Mutable The authorization condition object. For details, see Authorization Conditions.
description String Optional Mutable The authorization policy resource's description.
enabled Boolean Optional Mutable The setting that determines whether the decision node is evaluated. The default value is true.
id String N/A Read only The policy resource's unique identifier.
name String Required Mutable A user-friendly policy name. The name value must be unique.
repetitionSettings Object Optional Mutable Applies the policy to each item of the specific attribute, filtered by decision.
repetitionSettings.source Object Optional Mutable The source (attribute) whose items this policy is repeated over.
repetitionSettings.source.id String Optional Mutable The UUID of the repetition source associated with this policy.
repetitionSettings.decision String Optional Mutable The decision filter. Options are PERMIT, DENY, NOT_APPLICABLE, and INDETERMINATE.
statements Object Optional Mutable The authorization statements object. Can be either referenced or embedded. For details, see Authorization Statements.
type String Required Mutable The resource type. Options are POLICY.
version String Required Read only A random ID generated by the system for concurrency control purposes.

Authorization embedded policies data model

Property Type? Required? Mutable? Description
type String Required Mutable The embedded policy type. Options are POLICY.
value.id String Required Immutable The embedded policy ID.
name String Required Mutable The embedded policy name.
description String Optional Mutable The embedded policy description.
enabled Boolean Optional Mutable Specifies whether the embedded policy is enabled.
statements Object Optional Mutable The statements associated with this embedded policy.
conditions Object Optional Mutable The conditions associated with this embedded policy.
combiningAlgorithm Object Required Mutable The combining algorithm for the embedded policy.
children Array Optional Mutable The list of sub-child policies or rules associated with the embedded policy.
repetitionSettings Object Optional Mutable The repetition settings associated with the embedded policy.

Authorization policies embedded rules data model

Property Type? Required? Mutable? Description
type String Required Mutable The embedded rule type. Options are RULE.
value.id String Required Immutable The embedded rule ID.
name String Optional Mutable The embedded rule name.
description String Optional Mutable The embedded rule description.
enabled Boolean Optional Mutable Specifies whether the embedded rule is enabled.
statements Object Optional Mutable The statements associated with this embedded rule.
conditions Object Optional Mutable The conditions associated with this embedded rule.
effectSettings Object Required Immutable The settings that determine how the children are combined to produce an outcome for the policy.

Event types

The audit reporting events applicable to the authorization policy service are:

Topic Event
authorize-model AUTHORIZE_POLICIES.CREATED
authorize-model AUTHORIZE_POLICIES.UPDATED
authorize-model AUTHORIZE_POLICIES.DELETED

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Create Authorization Policy


Test Authorization Policy


Read Authorization Policies


Read One Authorization Policy


Update Authorization Policy


Delete Authorization Policy

Authorization Statements

Statements instruct the policy decision service to perform additional processing in conjunction with an authorization decision. In addition to allowing or blocking access to a resource, using statements, the decision service can attach information to decision responses and filter and transform API payloads.

Authorization statements data model

Property Type? Required? Mutable? Description
appliesIf String Required Mutable Specifies when the statement is attached to a decision. Options are ANYTHING, FINAL_DECISION_MATCHES, and PATCH_MATCHES.
appliesTo String Required Mutable Specifies what result the statement applies to. Options are ANYTHING, PERMIT, DENY, PERMIT_OR_DENY, and INDETERMINATE.
attributes Object Required Mutable The attributes attached to the statement.
code String Required Mutable The statement code.
description String Optional Mutable The authorization statement resource's description.
value.id String N/A Read only The resource's unique identifier.
name String Required Mutable A user-friendly authorization statement name. The name value must be unique.
obligatory Boolean Optional Mutable Specifies that the statement must be fulfilled as a condition of authorizing the decision request. The default is false.
payload String Required Mutable The statement payload.
services Object Required Mutable The services attached to the statement.
version String Required Read only A random ID generated by the system for concurrency control purposes.
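The following Python script is an added example, not PingOne code, showing how the appliesTo and obligatory properties from the table above play out on the enforcement side: which statements attach to a given final decision, and what a policy enforcement point should do when it cannot carry out a statement marked obligatory. Assumptions: only the FINAL_DECISION_MATCHES variant of appliesIf is modelled, payload is treated as a JSON string the enforcement point parses, the enforcement point is represented by a dictionary of handler callables keyed by statement code, and the sample statements and codes are invented. The rule that an unfulfillable obligatory statement voids a PERMIT is standard obligation semantics, not something this page states for PingOne.

```python
"""Attach statements to a decision and enforce obligatory ones at the PEP
(added example, not PingOne code).

Assumptions: appliesIf is FINAL_DECISION_MATCHES only; payload is a JSON
string; handlers is {statement code: callable(payload)}; statements below
are constructed.
"""
import json

# appliesTo value -> set of final decisions it covers.
_MATCH = {
    "ANYTHING": {"PERMIT", "DENY", "NOT_APPLICABLE", "INDETERMINATE"},
    "PERMIT": {"PERMIT"},
    "DENY": {"DENY"},
    "PERMIT_OR_DENY": {"PERMIT", "DENY"},
    "INDETERMINATE": {"INDETERMINATE"},
}


def applicable_statements(statements, decision):
    """Statements whose appliesTo covers the final decision, in definition order."""
    out = []
    for s in statements:
        if s.get("appliesIf", "FINAL_DECISION_MATCHES") != "FINAL_DECISION_MATCHES":
            raise ValueError("only FINAL_DECISION_MATCHES is modelled here")
        if decision in _MATCH[s["appliesTo"]]:
            out.append(s)
    return out


def enforce(decision, statements, handlers):
    """PEP side: run each applicable statement.

    Returns (effective decision, list of statement names that were applied or
    failed). A failed obligatory statement downgrades the decision to DENY; a
    failed advisory statement (obligatory false) is ignored.
    """
    effective = decision
    applied = []
    for s in applicable_statements(statements, decision):
        payload = json.loads(s["payload"]) if s.get("payload") else {}
        try:
            handler = handlers[s["code"]]          # KeyError if the PEP lacks support
            handler(payload)
            applied.append(s["name"])
        except Exception:
            if s.get("obligatory", False):
                effective = "DENY"                  # cannot honour the obligation
                applied.append(f"{s['name']}:unfulfilled")
    return effective, applied


# Constructed statements: audit on deny, mandatory PII masking on permit, advice on either.
STATEMENTS = [
    {"name": "log-denial", "code": "AUDIT", "appliesTo": "DENY",
     "appliesIf": "FINAL_DECISION_MATCHES", "obligatory": False,
     "payload": '{"level": "warn"}'},
    {"name": "mask-pii", "code": "FILTER_RESPONSE", "appliesTo": "PERMIT",
     "appliesIf": "FINAL_DECISION_MATCHES", "obligatory": True,
     "payload": '{"remove": ["ssn", "dob"]}'},
    {"name": "add-advice", "code": "ADVICE", "appliesTo": "PERMIT_OR_DENY",
     "appliesIf": "FINAL_DECISION_MATCHES", "obligatory": False,
     "payload": '{"header": "X-Reason"}'},
]


def demo_handlers(response):
    """Handlers that close over the response dict the PEP is about to return."""
    def filter_response(p):
        for key in p["remove"]:
            response.pop(key, None)
    return {"FILTER_RESPONSE": filter_response, "ADVICE": lambda p: None}


if __name__ == "__main__":
    resp = {"id": 1, "ssn": "000-00-0000", "name": "A. Example"}
    print(enforce("PERMIT", STATEMENTS, demo_handlers(resp)), resp)
    print(enforce("PERMIT", STATEMENTS, {"ADVICE": lambda p: None}))
```

The second call in the usage block is the case to design for: a PEP that understands ADVICE but not FILTER_RESPONSE receives a PERMIT together with an obligatory statement it cannot execute, and the only safe outcome is to deny. Treating an unknown obligatory code as "nothing to do" would return the unmasked record.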

Event types

The audit reporting events applicable to the authorization statement service are:

Topic Event
authorize-model AUTHORIZE_STATEMENT.CREATED
authorize-model AUTHORIZE_STATEMENT.UPDATED
authorize-model AUTHORIZE_STATEMENT.DELETED

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Create Authorization Statement


Read Authorization Statements


Read One Authorization Statement


Update Authorization Statement


Delete Authorization Statement

Authorization Rules

Rules in PingOne Authorize identify the statements and conditions by which a decision node is evaluated. If the condition is true, the decision node is evaluated. Otherwise, it is not. PingOne Authorize policies can combine multiple rules to produce a Permit, Deny, Indeterminate, or Not Applicable decision.

Authorization rules data model

Property Type? Required? Mutable? Description
condition Object Optional Mutable The authorization condition object. For details, see Authorization Conditions.
description String Optional Mutable The authorization rule resource's description.
effectSettings Object Required Immutable An object that determines the effect (decision) the rule yields when it is evaluated.
enabled Boolean Optional Mutable The setting that determines whether the decision node is evaluated. The default value is true.
id UUID Required Read only The resource's unique identifier.
name String Required Mutable A user-friendly authorization rule name. The name value must be unique.
statements Object Optional Mutable The authorization statements object. For details, see Authorization Statements.
type String Required Immutable The rule resource's type. Options are RULE.
version UUID Required Read only A random ID generated by the system for concurrency control purposes.
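The following Python script is an added example, not PingOne code, that evaluates a policy tree of the shape described in the Authorization Policies data model above (enabled, condition, children, combiningAlgorithm) with the rules of this section as its leaves (enabled, condition, effectSettings). Conditions are reduced to Python callables so the example stays focused on how a disabled node, an unevaluable condition and the combining algorithm interact to produce PERMIT, DENY, NOT_APPLICABLE or INDETERMINATE. The combining-algorithm names (DENY_OVERRIDES, PERMIT_OVERRIDES, FIRST_APPLICABLE), the effectSettings type names, the inner field names "algorithm" and "type", and the sample policy are assumptions in the XACML style; this page does not list PingOne's own values for either object.

```python
"""Policy-tree evaluation over the policy and rule data models
(added example, not PingOne code).

Assumptions: combiningAlgorithm is {"algorithm": NAME} and effectSettings is
{"type": NAME} with XACML-style names; conditions are callables on a request
context dict; the sample policy is constructed.
"""
PERMIT, DENY = "PERMIT", "DENY"
NOT_APPLICABLE, INDETERMINATE = "NOT_APPLICABLE", "INDETERMINATE"


def _condition_holds(cond, ctx):
    """None: no condition; callable: evaluate against ctx; anything else: literal."""
    if cond is None:
        return True
    return bool(cond(ctx)) if callable(cond) else bool(cond)


def evaluate_rule(rule, ctx):
    """A rule's effectSettings turn the outcome of its condition into a decision."""
    if not rule.get("enabled", True):
        return NOT_APPLICABLE
    try:
        applies = _condition_holds(rule.get("condition"), ctx)
    except Exception:
        # A condition that cannot be evaluated (missing attribute, wrong type)
        # surfaces as INDETERMINATE; it is never coerced into PERMIT.
        return INDETERMINATE
    effect = rule["effectSettings"]["type"]
    table = {
        "CONDITIONAL_PERMIT": (PERMIT, NOT_APPLICABLE),
        "CONDITIONAL_DENY": (DENY, NOT_APPLICABLE),
        "CONDITIONAL_PERMIT_ELSE_DENY": (PERMIT, DENY),
        "CONDITIONAL_DENY_ELSE_PERMIT": (DENY, PERMIT),
    }
    if effect not in table:
        raise ValueError(f"unknown effectSettings type {effect!r}")
    return table[effect][0] if applies else table[effect][1]


def combine(algorithm, decisions):
    """Fold child decisions into one according to the combining algorithm."""
    if algorithm == "DENY_OVERRIDES":
        if DENY in decisions:
            return DENY
        if INDETERMINATE in decisions:
            return INDETERMINATE
        return PERMIT if PERMIT in decisions else NOT_APPLICABLE
    if algorithm == "PERMIT_OVERRIDES":
        if PERMIT in decisions:
            return PERMIT
        if INDETERMINATE in decisions:
            return INDETERMINATE
        return DENY if DENY in decisions else NOT_APPLICABLE
    if algorithm == "FIRST_APPLICABLE":
        return next((d for d in decisions if d != NOT_APPLICABLE), NOT_APPLICABLE)
    raise ValueError(f"unknown combining algorithm {algorithm!r}")


def evaluate_policy(policy, ctx):
    """Evaluate a POLICY node: its own gate, then its children, then combine."""
    if not policy.get("enabled", True):
        return NOT_APPLICABLE
    try:
        if not _condition_holds(policy.get("condition"), ctx):
            return NOT_APPLICABLE          # policy does not apply to this request
    except Exception:
        return INDETERMINATE
    decisions = []
    for child in policy.get("children", []):
        if child["type"] == "RULE":
            decisions.append(evaluate_rule(child, ctx))
        elif child["type"] == "POLICY":
            decisions.append(evaluate_policy(child, ctx))
        else:
            raise ValueError(f"unknown child type {child['type']!r}")
    return combine(policy["combiningAlgorithm"]["algorithm"], decisions)


# Constructed sample policy for an orders API.
ORDERS_POLICY = {
    "type": "POLICY", "name": "orders-api",
    "combiningAlgorithm": {"algorithm": "DENY_OVERRIDES"},
    "condition": lambda ctx: ctx["resource"].startswith("/orders"),
    "children": [
        {"type": "RULE", "name": "block-suspended",
         "effectSettings": {"type": "CONDITIONAL_DENY"},
         "condition": lambda ctx: ctx["user"]["status"] == "suspended"},
        {"type": "RULE", "name": "staff-may-read",
         "effectSettings": {"type": "CONDITIONAL_PERMIT"},
         "condition": lambda ctx: ctx["action"] == "read"
         and "staff" in ctx["user"]["groups"]},
        {"type": "RULE", "name": "writes-need-admin",
         "effectSettings": {"type": "CONDITIONAL_PERMIT"},
         "condition": lambda ctx: ctx["action"] == "write"
         and "admins" in ctx["user"]["groups"]},
    ],
}

if __name__ == "__main__":
    request = {"resource": "/orders/7", "action": "read",
               "user": {"status": "suspended", "groups": ["staff"]}}
    print(evaluate_policy(ORDERS_POLICY, request))
```

Three outcomes are worth checking with the real Test Authorization Policy endpoint after building an equivalent tree: a suspended staff member reading an order is DENY under DENY_OVERRIDES but PERMIT under PERMIT_OVERRIDES; a request with no applicable rule is NOT_APPLICABLE, which the enforcement point must treat as a deny; and setting enabled to false on a blocking rule silently removes the DENY, so changes to that flag deserve the same review as a change to the rule's condition.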

Event types

The audit reporting events applicable to the authorization rules service are:

Topic Event
authorize-model AUTHORIZE_RULES.CREATED
authorize-model AUTHORIZE_RULES.UPDATED
authorize-model AUTHORIZE_RULES.DELETED

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Create Authorization Rule


Test Authorization Rule


Read Authorization Rules


Read One Authorization Rule


Update Authorization Rule


Delete Authorization Rule