PingOne Platform API Reference - Early Access

PingOne is a cloud-based framework for secure identity access management. The PingOne API gives developers the tools to integrate enterprise and third-party applications with the PingOne platform.

This document describes a number of PingOne services, including the Management API services, the Authentication API services, and the Multi-factor Authentication services. There is also material in this document that refers to the integrations between the PingOne platform and other Ping products that facilitate extended functionality beyond PingOne.

New to PingOne?

If you're new to PingOne, the following topic links will help you learn more and start working with the PingOne API.

  • Getting started with the PingOne APIs

    This collection of topics helps you create your first application connection using the PingOne admin console application and get a JSON Web Token for the application you created. With your admin access token, you can make calls to the Pingone resource server.

  • Download the PingOne Postman collections

    This topic includes downloads for the PingOne Platform API Postman master collection as well as targeted collections the PingOne MFA APIs, and the PingOne Protect APIs.

  • Workflow library

    The PingOne use cases provide workflows for common PingOne configurations and sign-on flows. Each use case includes a Postman collection linked to a Run in Postman button, enabling you to load (and run) the use case collections into your Postman workspace.

  • PingOne authorization and authentication APIs

    These topics provide a deeper dive into PingOne platform authorization and authentication concepts and workflows. It includes detailed information about access tokens, ID tokens, user scopes, platform roles, and sign-on flows.

  • PingOne native SDKs

    You'll find here the documentation for the PingOne mobile SDKs. Currently, this includes the PingOne MFA SDKs, the PingOne Neo SDKs, and the PingOne Protect SDKs.

Beta Topics

Flows and Forms

The beta topics in Flows and Forms document the deprecated Flow Definitions service in PingOne. The Flow Definitions service was replaced by PingOne DaVinci.

External Services Management

The external services API allows you to make outbound HTTP requests from PingOne to an external resource server. It functions like a PingOne HTTP client. By configuring an external service resource in PingOne, you configure how to send an HTTP request at invocation time.

PingOne external services configurations integrate with PingOne flows, which allows for outbound HTTP requests in the context of a flow.

Terminology

  • External Service

    External services are a group of requests and additional configuration information to support the requests. Some configuration properties, such as variables and secrets, can be referenced by any of the external service’s requests.

  • Request

    The HTTP request configuration includes properties such as a URL, headers, and body to define the request to the external resource server. When an external service request is invoked, PingOne uses the defined configuration to create and send an HTTP request.

  • PingOne's expression language

    External service requests use PingOne's expression language, which is based on SPEL, to give you flexibility to define complex configuration attributes. For more information, see PingOne's expression language.

Frequently asked questions

How do I resolve an expression error?

When you invoke an external service request you may get an expression error. The error should provide clues on what went wrong. For more information about PingOne's expression language, see PingOne's expression language. It is also important to remember that all inputs must be strings.

How do I change the request configuration at invocation time?

If you need to have the URL, a header, or body parameter be dynamic per request, then you must use inputs. You can reference an input in the request configuration (inputs.myInputName) and then at invocation time send the input in. For examples of this action, see the “Getting Started” topic.

What happens when I invoke an external service request?

PingOne finds your configuration by environment ID, external service ID, and request name. The configuration is then used to generate and send an HTTP request. As a part of generating an HTTP request, the configuration is scanned for variables, secrets, and input references, and these rferences are resolved to concrete values. The HTTP request is sent and the response is by default mapped to { status: <status>, headers: <responseHeaders>, body: <responseBody> }.

How do I avoid duplicating configuration across multiple external service requests?

If you have requests that need the same information (like a URL or header value) you can use variables or secrets (or both). The difference between the two is that secrets are encrypted and managed through a separate endpoint for stricter administrative control.

How do I protect a sensitive value like an API key or secret?

Configure a secret for the external service and then reference it in your request configuration.

How do I configure authentication on an external service request?

If it is a header-based authentication, you can set a header on the request and use a secret for the value.

How do I fix an error that I’m getting when trying to invoke an external service request?

You may be encountering one of the following error reasons:

  • SSL_HANDSHAKE_FAILED

    When sending the outbound HTTP request the SSL handshake failed. Please check your configuration.

  • NO_HTTP_RESPONSE

    We sent the outbound HTTP request but did not get an HTTP response from the server.

  • TIMEOUT

    We sent the outbound HTTP request but did not get an HTTP response in the time allowed. The timeout is 8 seconds.

  • TOO_MANY_INVOCATIONS

    We did not send the outbound HTTP request because a limit was reached. You are allowed 45 concurrent outbound HTTP requests per environment.

  • MALICIOUS_URL

    The URL targeted a host that we determine to be malicious.

  • INVOCATION_FAILED

    There was an error likely unrelated to your configuration or targeted service. If this error persists please contact support.

  • INVOCATION_ERROR

    We did not send the outbound HTTP request and it is likely because of a reason with your configuration. There may be details on the error giving more details.

Data models

See the following topics for data model property definitions:

Getting Started with External Services

The Getting Started topics show you how to create an external service with four requests:

  • one request that uses static values
  • one request that uses a variable
  • one request that uses a secret
  • one request that uses an input

After creating the external service configuration with these four requests successfully, additional topics show you how to invoke all four external service requests.

Click the Run in Postman button below to download a Postman collection that includes the requests described in this section.

Run in Postman


Create your first external service


Add your first request to the external service


Invoke your first request


Add a variable and use it in a request


Invoke your request that uses a variable


Add a secret and use it in a request


Add requests that use a variable and a secret


Invoke your request that uses a secret


Add invocation inputs in a request


Invoke your request that uses an input

External Services

The external services API provides endpoints to create, read, update, and delete external services resources.

External services data model
Property Description
authSchemes A list of authorization schemes that can be used by a request.
authSchemes.name A string that specifies the name of the authentication scheme. This property is set by the administrator and is unique for each external service. The maximum size is 256 characters. The string can contain unicode letters, combining marks, numeric characters, whitespace, punctuation characters (regex: ^[\p{L}\p{M}\p{N}\p{Zs}\p{P}]+$). This is a required property.
authSchemes.type A string that specifies the type of authentication scheme. Options are API_KEY, BEARER, BASIC, and OAUTH_2. This is a required property.
authSchemes.type.{properties} The properties associated with the type of authentication scheme.
  • API_KEY: key (String): required
  • BEARER: token (String): required
  • BASIC:
    • username (String): required
    • password (String): required
  • OAUTH_2:
    • tokenEndpointAuthType (String): Required if type is Oauth. Values can be client_secret_basic or client_secret_post
    • scope (List): optional;
    • tokenEndpoint (String): required
    • clientId (String): required
    • clientSecret (String): required
description A string that specifies the description of the external service. The string can contain unicode letters, combining marks, numeric characters, whitespace, punctuation characters (regex: ^[\p{L}\p{M}\p{N}\p{Zs}\p{P}]+$).
id A string that specifies the resource’s unique identifier.
name A string that specifies the name of the external service. The maximum length for a name is 256 charactersand the name must be unique within the environment. The string can contain unicode letters, combining marks, numeric characters, whitespace, and punctuation characters (regex: ^[\p{L}\p{M}\p{N}\p{Zs}\p{P}]+$).
requests A list of requests asociated with this external service.
secrets A list of encrypted secret names.
variables A map of variables that can be referenced by requests.
Requests schema data model
Property Description
description A string that specifies the description of the request. The string can contain unicode letters, combining marks, numeric characters, whitespace, punctuation characters (regex: ^[\p{L}\p{M}\p{N}\p{Zs}\p{P}]+$).
displayName A string that specifies the display name of the request. The display name defaults to the method name plus the URL. This value can be edited by the administrator. This property can be used in PingOne interface dropdown menus to select the request. It is comprised of unicode letters, combining marks, numeric characters, whitespace, punctuation characters (regex: ^[\p{L}\p{M}\p{N}\p{Zs}\p{P}]+$).
inputs A list that specifies auto-generated input references in the request configuration.
name A string that specifies the name of the request. A request is executed by its name, which must be unique per external service. Names are comprised of alphanumeric letters, underscore, hyphen, and period (regex: ^[a-zA-Z0-9_. -]+$). Maximum length of 256 characters. This is a required property.
request An object that defines the request properties. This is a required property.
request.authScheme A string that specifies the name of the configured external service auth scheme to use for the request. Options are API_KEY, BEARER, BASIC, and OAUTH_2.
request.method A string that specifies the HTTP method. This is a required property.
request.url A string (in PingOne's expression language) that specifies the request URL. This is a required property.
request.headers A map of strings that specifies the HTTP request headers to send on invocations of the request. The map of header names to values (in PingOne's expression language).
request.body An object that specifies the request body type.
request.body.type An enumeration that specifies the request Content-Type. Options are JSON. This is a required property.
request.body.template A string (in PingOne's expression language) that specifies the request body template, which is of any JSON type. This is a required property.
request.inputSchema A string that specifies the input schema for any inputs that are referenced in any parts of the request. This is a required property if input is configured.
response An object that defines the response properties.
response.output A string (in PingOne's expression language) that used to generate the response of a request invocation. If this property is not configured, the default value is the following expression (in PingOne's expression language): "{\"status\": + response.status, \"headers\": + response.headers, \"body\": + response.body}".
response.outputSchema A string that that specifies the output schema for any output properties that are returned by the request. This is a required property if output is configured.
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

You need the Environment Admin role to perform operations on external services resources.


CREATE External Service


READ External Services


READ One External Service


UPDATE External Service


DELETE External Service

External Services Secrets

The external services secrets endpoint provides operations to read and update the external service secret. The name property of the external service secret must be unique within the environment. A secret resource is a name-value pair configured by the administrator and applicable to the entire external service. Secret values are encrypted and can be referenced in the external service configuration.

External services secrets data model
Property Description
name A string that specifies the name of the external service secret. This property is set by the administrator and is unique for each external service. This is a required property.
value A string that specifies the value of the external service secret. This is a required property.
Response codes
Code Message
200 Successful operation.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

READ External Service Secrets


UPDATE External Service Secrets

External Services Requests

The external services requests endpoint provides operations to invoke the external service request. The inputs property specifies the inputs required by the request. The request can have several inputs, specified in the following format in the request body:

{
    "inputs": {
        "input1": "input1Value",
        "input2": {
            "aProperty": "aValue"
        },
        "input3": [ { "aProperty": "aValue" } ]
    }
}
External services invocation request data model
Property Description
inputs A JSON map that specifies the input properties required by the request. All input properties needed by the request must be defined in the input JSON. Otherwise, the request will fail. This is a required property if the request requires input properties. If the request does not require any input, this property can be omitted.
External services invocation response data model
Property Description
outputs A JSON map that specifies the response dictated by the external service's response mapped by request's response output configuration. The value could be any JSON type, based on the request's response output configuration. This is a required property.
Response codes
Code Message
200 Successful operation.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Invoke External Service Request

Flow Definitions

Flow definitions define a series of steps that designate the actions of a workflow. The flow execution endpoint references a flow definition resource that specifies an initial step and all additional steps required to complete the flow execution. For more information about flow executions, see Flow Executions.

Flow definitions include step definitions that define an operational step to perform a specific work action, which generates output that is processed by the flow. A flow step can also designate flow-control actions that branch or end the flow. For more information, see Flow Definition Steps.

The flow definitions API provides operations to create, read, update, and delete flow definitions. It also provides endpoints to get and enhance flow definition step schema metadata. For information about flow definition step schema metadata, see Flow Definition Steps.

Flow definitions data model
Property Description
description A string that specifies the description of the flow definition.
enabled A boolean that specifies whether the flow is enabled. Disabled flows cannot be executed. This is a required property.
environment.id A string that specifies the environment ID associated with this flow definition resource.
id A string that specifies the resource’s unique identifier.
name A string that specifies the flow definition name, which must be provided and must be unique within an environment.
trigger A predefined trigger that can initiate the flow definition execution. The trigger marks the step definition from which the flow starts.
trigger.configuration An object that specifies the trigger configuration data.
trigger.inputs An object that specifies the trigger-specific inputs.
trigger.next A string that specifies the first step definition to execute.
trigger.type A string that specifies the type of trigger. Options are EXPERIENCE and SIGN_ON_POLICY. For more information about trigger types, see READ Trigger Type Metadata.
stepDefinitions A map that specifies the step definitions available in the flow definition, differentiated by a human-readable identifier as the key. The key must be a string with unicode letters, numeric characters, underscore, and dash: ^[\p{L}\p{N}_-]+$. This key is used in variable paths to reference outputs from the step at runtime (for example, ${steps.login.outputs.something}).
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

CREATE Flow Definition Basic (EXPERIENCE trigger)


CREATE Flow Definition Basic (SIGN_ON_POLICY trigger)


CREATE Agreement Consent Flow Definition (EXPERIENCE trigger)


CREATE Agreement Consent Flow Definition (SIGN_ON_POLICY trigger)


CREATE Agreement Consent Flow Definition (SIGN_ON_POLICY trigger) Copy


CREATE Agreement Reconsent Flow Definition (EXPERIENCE trigger)


CREATE Agreement Reconsent Flow Definition (EXPERIENCE trigger) Copy


CREATE Agreement Reconsent Flow Definition (SIGN_ON_POLICY trigger)


CREATE Agreement Reconsent Flow Definition (SIGN_ON_POLICY trigger) Copy


CREATE Registration Flow Definition (Experience)


CREATE Registration Flow Definition (Sign-on Policy)


CREATE Registration with Consent Flow Definition (Sign-on Policy)


CREATE MFA Enrollment (EXPERIENCE trigger)


CREATE MFA Enrollment (SIGN_ON_POLICY trigger)


CREATE MFA Challenge (EXPERIENCE trigger)


CREATE MFA Challenge (SIGN_ON_POLICY trigger)


CREATE Sign On (EXPERIENCE trigger)


CREATE Sign On (SIGN_ON_POLICY trigger)


CREATE Identity Provider Sign On (SIGN_ON_POLICY trigger)


CREATE Password Recovery (EXPERIENCE trigger)


CREATE Password Recovery (SIGN_ON_POLICY trigger)


READ Flow Definitions


READ One Flow Definition


UPDATE Flow Definition


DELETE Flow Definition


READ Step Type Metadata


READ Trigger Type Metadata


Enrich Step Type Metadata

Flow Definition Steps

Flow definition steps specify the actions of a workflow. The step definition performs a specific operation, which generates output that is processed by the flow. A flow step can also designate flow-control actions that branch or end the flow.

Step definitions data model
Property Description
configuration An object that specifies the step type specific configuration properties as described and validated by the step type metadata.
description A string that specifies the description of the description for this step type as defined by the administrator.
displayName A string that specifies the display name for this step.
iconURL A string that specifies the icon for this step type as defined in the step type metadata.
input An object that specifies the step type specific input properties as described by the step type metadata. Any use of placeholders are resolved at execution time.
outlets An object that specifies the set of results a step definition can produce.
outlets.result An object that specifies the result to handle. Valid results for the specified step type are defined in the step type metadata. An outlet for the ERROR result may be used with any step definition to handle errors from the step. If an outlet for the ERROR result is not defined, errors from the step result in a failed flow.
outlets.result.displayName A string that specifies the display name for this result as defined in the step type metadata.
outlets.result.description A string that specifies the description for this result as defined in the step type metadata.
outlets.result.next A string that specifies the next step definition key in the sequence. This value must point to an existing step definition instance.
type A string that specifies the step definition type. There are several step definition type options. The supported step definition types are best viewed by running the /flowMetadata/stepTypes endpoint. For more information, see READ Step Type Metadata.
Step type metadata data model
Property Description
configurationSchema A JSON schema object that defines a structure of step definition configuration properties that are expected for a specific type. Step definitions are validated against a submitted step definition. For more information about the JSON Schema specification, see JSON Schema.
configurationUiSchema A JSON schema object that defines the user interface representation of the step configuration.
description A string that specifies the description of the step type.
displayName A string that specifies the display name for this step.
iconUrl A string that specifies the URL for the step icon in the user interface.
inputSchema A JSON schema object that defines the input structure of step definition configuration properties that are expected for a specific type. For more information about the JSON Schema specification, see JSON Schema.
configurationUiSchema A JSON schema object that defines the user interface representation of the step configuration. For more information about the JSON Schema specification, see JSON Schema.
configurationUiSchema A JSON schema object that defines the user interface representation of the step configuration.
resultMetadata An object that lists all the expected results of a step.
resultMetadata.description A string that specifies the description represented in the user interface.
resultMetadata.displayName A string that specifies the display name represented in the user interface.
resultMetadata.outputSchema A JSON schema object that specifies the expected structure of the response that the result can provide.
resultMetadata.typeName A string that specifies the step definition type name. The name cannot be ERROR because this is a reserved type name. For more information about step definition type options, see READ Step Type Metadata.
version A string that specifies the step type version.
Step type metadata enrichment data model
Property Description
configuration An object that specifies a step definition configuration that can be used as part of the enrichment process. This value should match the configurationSchema of the stepType for which the request is submitted.
trigger An object that specifies a source trigger under which the steps should be enriched. This is a required property.
trigger.configuration An object that specifies optional trigger specific properties.
trigger.type A string that specifies a unique trigger type. This is a required property.
Flow and step definition context placeholders
Parameter Description
${flow.*} The current flow execution state. For example, ${flow.inputs.parameters.applicationId}.
${steps.stepName.outputs.*} The current step execution state, where stepName designates the name of the step. For example, ${steps.registrationForm.outputs.formData.user}.

Flow definition step types

The following section documents the supported flow definition step types and the request schema, response schema, the supported results, and the custom content type (if applicable) associated with any step type actions.

For more information about flow definitions and step types, see Flow Definitions.

Agreement Reconsent Form

This step type specifies a request for consent from the user to update the user's consent to an agreement. This step presents a form to the end user to prompt for renewed consent to an agreement. Submitting the form initiates a user.consent action to accept or deny consent to the agreement.

Step properties used with flow definitions
Configuration schema property Description
agreement.id A string that specifies the agreement ID for the agreement that requires user consent.
Input property Description
user.id A string that specifies the user ID associated with the saved consent.
user.preferredLanguage A string that specifies the user's perferred language.

The following properties are returned for the SAVED result.

Output property Description
agreementConsent.status A string that specifies the current status of user's consent in relation to this agreement.
agreementConsent.id A string that specifies the agreement consent ID associated with this agreement.
agreementConsent.agreement.id A string that specifies the agreement ID associated with this agreement consent.
agreementConsent.language.id A string that specifies the language ID associated with the agreement to which the user has given consent.
agreementConsent.revision.id A string that specifies the revision ID associated with the agreement to which the user has given consent.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
user.consent The link to initiate the consent action. The action must provide a value for the accept property and specify application/vnd.pingidentity.user.consent+json as the custom content type in the request.
Parameters Description
accept A boolean that specifies whether the user accepts the agreement.

API Request

This step type makes an API request to a third-party service.

Step properties used with flow definitions
Configuration schema property Description
method A string that specifies the request method type. Options are GET, POST, PUT, PATCH, and DELETE.
Input property Description
url A string that specifies the request URL.
query An object that specifies the query parameters to include on the request.
headers An object that specifies the HTTP headers to include on the request.
body A string that specifies the body of the request.

The following properties are returned for the SUCCEEDED result.

Output property Description
agreementConsent.status A string that specifies the current status of user's consent in relation to this agreement.
agreementConsent.id A string that specifies the agreement consent ID associated with this agreement.
agreementConsent.agreement.id A string that specifies the agreement ID associated with this agreement consent.
agreementConsent.language.id A string that specifies the language ID associated with the agreement to which the user has given consent.
agreementConsent.revision.id A string that specifies the revision ID associated with the agreement to which the user has given consent.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the API_REQUEST step type.
Parameters Description
There are no flow action parameters associated with the API_REQUEST step type.

Branch

This step type branches the flow based on one or more conditions. The step returns a NO_MATCH result if no condition is met. For information about the common policy language used to specify conditions, see Sign-On Policy Actions.

Step properties used with flow definitions
Configuration schema property Description
conditions An array of conditions to be evaluated.
conditions.condition An object that is defined using the common policy language to define a flow condition to match.
conditions.result A string that specifies the result when this specific flow condition is matched.
conditions.displayName A string that specifies the display name for the result.
Input property Description
There are no configuration schema properties for the BRANCH step type.

The following properties are returned for the NO_MATCH result.

Output property Description
There are no output properties for the BRANCH step type.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the BRANCH step type.
Parameters Description
There are no flow action parameters associated with the BRANCH step type.

Complete Flow

This step type completes the flow and returns a result.

Step properties used with flow definitions
Configuration schema property Description
result An object that specifies the result needed to complete the flow. Results are defined by the trigger type used by this flow. Enumerations are dynamically generated at configuration time of conditions to be evaluated.
Input property Description
{{someProperty}} An object that specifies the flow output. Properties are derived dynamically based on the configured result.
Output property Description
There are no output properties for the COMPLETE_FLOW step type.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the COMPLETE_FLOW step type.
Parameters Description
There are no flow action parameters associated with the COMPLETE_FLOW step type.

Create Risk Evaluation

This step type creates a risk evaluation in PingOne.

Step properties used with flow definitions
Configuration schema property Description
riskPolicySet.id A string that specifies the risk policy set to use for risk evaluation.
useDefaultPolicy A boolean that specifies whether to use the environment's default policy set for the risk evaluation. If this property is set to false, a risk policy set ID must be specified in the riskPolicySet.id property.
profileDevice A boolean that specifies whether the device will be profiled during the step execution. If the value of this property is set to true, the step prompts for a device profile action.
Input property Description
riskEvaluation.event.targetResource.id A string that specifies the ID of the target application, which is the application the user attempts to access.
riskEvaluation.event.targetResource.name A string that specifies the name of the target application, which is the application the user attempts to access. The riskEvaluation.event.targetResource is an optional property, but if the riskEvaluation.event.targetResource.name property is specified, then the riskEvaluation.event.targetResource.id property must also be specified.
riskEvaluation.event.ip A string that specifies the origin IP address. This is a required property.
riskEvaluation.event.flow.type A string that specifies the flow type. The default value is AUTHENTICATION.
riskEvaluation.event.user.name A string that specifies the name of the user associated with the risk evaluation.
riskEvaluation.event.user.type A string that specifies the type of user associated with the risk evaluation. Options are EXTERNAL and PING_ONE. This is a required property.
riskEvaluation.event.user.id A string that specifies the user ID associated with the risk evaluation. If the user type is PING_ONE, the user name is filled automatically according to the user ID. If the user does not exist in PING ONE, the step produces an error. If the user type is EXTERNAL, the user name should be added so that it displays in the dashboards; if the user name is not provided, the user ID is shown. This is a required property.
riskEvaluation.event.sharingType A string that specifies associated device sharing type. Options are UNSPECIFIED, SHARED, and PRIVATE.
riskEvaluation.event.browser.userAgent A string that specifies the user agent of the browser that triggered the flow. The placeholder, ${flow.inputs.headers.user-agent}, is recommended for browser-based flows.
riskEvaluation.event.origin A string that specifies the calling service.

The step returns the risk level of the transaction, which can be evaluated as HIGH, MEDIUM, or LOW. The following properties are returned for the HIGH, MEDIUM, or LOW risk levels.

The following properties are always returned in the risk evaluation.

Output property Description
riskEvaluation.id A string that specifies the ID of risk evaluation.
riskEvaluation.riskPolicySet.id A string that specifies the ID of risk policy set used for risk evaluation.
riskEvaluation.riskPolicySet.name A string that specifies the name of risk policy set used for risk evaluation.
riskEvaluation.result.value A string that specifies the risk result custom value.
riskEvaluation.details.ipAddressReputation An object that specifies the risk associated with IP address reputation.
riskEvaluation.details.ipAddressReputation.score An integer that specifies the risk associated with IP address reputation, expressed as a number between 0 and 100.
riskEvaluation.details.ipAddressReputation.level A string that specifies the risk level associated with IP address reputation. Options are HIGH, MEDIUM, or LOW.
riskEvaluation.details.anonymousNetworkDetected A boolean that specifies whether the IP is associated with an anonymous network.
riskEvaluation.details.country A string that specifies the country where the flow originated, according to the IP address.
riskEvaluation.details.impossibleTravel A boolean that specifies whether the velocity required to move between the user's previous successful location to its current inferred location is too large.

The following properties are returned in the risk evaluation only for environments with data consent enabled.

Output property Description
riskEvaluation.details.ipVelocityByUser.level A string that specifies the risk associated with IP velocity by user. Options are HIGH, MEDIUM, or LOW.
riskEvaluation.details.ipVelocityByUser.reason A string that specifies the reason for the risk associated with IP velocity by user.
riskEvaluation.details.ipVelocityByUser.threshold An object that provides information about the threshold used to determine the IP velocity level.
riskEvaluation.details.ipVelocityByUser.threshold.source A string that specifies the source used to calculate the threshold.
riskEvaluation.details.ipVelocityByUser.threshold.high A number that specifies whether the user accessed more than this number of IPs during the past hour. If so, the user is flagged as having HIGH IP velocity.
riskEvaluation.details.ipVelocityByUser.threshold.medium A number that specifies whether the user accessed more than this number of IPs during the past hour. If so, the user is flagged as having MEDIUM IP velocity.
riskEvaluation.details.ipVelocityByUser.threshold.calculatedAt A string that specifies date and time at which the threshold was calculated.
riskEvaluation.details.ipVelocityByUser.threshold.expiresAt A string that specifies date and time at which the threshold will expire and be re-calculated.
riskEvaluation.details.ipVelocityByUser.velocity.distinctCount An integer that specifies the distinct count of IPs accessed by the user in the previous seconds specified by the during property.
riskEvaluation.details.ipVelocityByUser.velocity.during An integer that specifies the number of seconds to use in determining the distinctCount value.
riskEvaluation.details.userVelocityByIp.level A string that specifies the risk associated with user velocity by IP. Options are HIGH, MEDIUM, or LOW.
riskEvaluation.details.userVelocityByIp.reason A string that specifies the reason for the risk associated with user velocity by IP.
riskEvaluation.details.userVelocityByIp.threshold An object that provides information about the threshold used to determine the user velocity level.
riskEvaluation.details.userVelocityByIp.threshold.high A number that specifies whether the IP was accessed by more than this number of users during the past hour. If so, it is flagged as having HIGH user velocity.
riskEvaluation.details.userVelocityByIp.threshold.medium A number that specifies whether the IP was accessed by more than this number of users during the past hour. If so, it is flagged as having MEDIUM user velocity.
riskEvaluation.details.userVelocityByIp.threshold.calculatedAt A string that specifies date and time at which the threshold was calculated.
riskEvaluation.details.userVelocityByIp.threshold.expiresAt A string that specifies date and time at which the threshold will expire and be re-calculated.
riskEvaluation.details.userVelocityByIp.velocity.distinctCount An integer that specifies the distinct count of users that accessed the IP in the previous seconds specified by the during property.
riskEvaluation.details.userVelocityByIp.velocity.during An integer that specifies the number of seconds to use in determining the distinctCount value.
riskEvaluation.details.userRiskBehavior.level A string that specifies the risk associated with user risk behavior. Options are HIGH, MEDIUM, or LOW.
riskEvaluation.details.userRiskBehavior.reason A string that specifies the reason for the risk associated with user risk behavior.
riskEvaluation.details.userBasedRiskBehavior.level A string that specifies the risk associated with user-based risk behavior. Options are HIGH, MEDIUM, or LOW.
riskEvaluation.details.userBasedRiskBehavior.reason A string that specifies the reason for the risk associated with user-based risk behavior.
Step properties used with flow executions
Flow state Description
PROFILE_DEVICE A flow status that prompts for a device profile action. The action is initiated only if the value of the profileDevice configuration property is set to true.
Links Description
profile.device The link to initiate an action to set the device profile. The action must provide a value for the browserFingerprint property and specify application/vnd.pingidentity.device.profile+json as the custom content type.
Parameters Description
browserFingerprint An object that specifies the browser fingerprint attributes.

Create User

This step type creates a new user in PingOne.

Step properties used with flow definitions
Configuration schema property Description
population.id A string that specifies the population ID to associate with the new user. This is a required property.
lifecycle.status A string that specifies the account lifecycle of the newly created user. Options are ACCOUNT_OK, and VERIFICATION_REQUIRED. When this step is used in conjunction with the VERIFY_ACCOUNT step, the status value is typically set to the VERIFICATION_REQUIRED flow state without sending a verification code.
Input property Description
user An object that specifies the user to create. The new user's properties are derived dynamically from non read-only attributes of the environment's schema at configuration time.

The following properties are returned for the SUCCEEDED result.

Output property Description
{{userProperties}} An object that specifies the flow output. Properties are dynamically derived from the environment's schema at configuration time.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the CREATE_USER step type.
Parameters Description
There are no flow action parameters associated with the CREATE_USER step type.

Form

This step type prompts the end user to submit a custom form. The step might include additional results for any buttons on the form.

Step properties used with flow definitions
Configuration schema property Description
form.id A string that specifies the form ID for the form to submit to the form manager service. This is a required property.
Input property Description
formData An object that specifies the context data used to render the form and pre-fill fields. Properties are derived from the selected form and retrieved from the form manager service at configuration time.

The following properties are returned for the SUBMITTED result.

Output property Description
form.id A string that specifies the form ID.
form.name A string that specifies the form name.
formData An object that encapsulates the submitted form data. Properties are derived from the selected form and retrieved from the form manager service at configuration time.
Step properties used with flow executions
Flow state Description
FORM_REQUIRED A flow status that requires the user to submit a form.
Flow state response schema property Description
form.id A string that specifies the ID of the form.
{{formDataProperties}} The properties required by the form.
Links Description
form.submit The link to initiate the form submit action. The action must specify application/vnd.pingidentity.form.submit+json as the custom content type.
Parameters Description
{{formDataProperties}} The properties required by the form.
Links Description
form.action The link to specify the form action. The action must specify application/vnd.pingidentity.form.action+json as the custom content type.
Parameters Description
key The key of the form field that was clicked.

Identity Provider

This step type delegates user authentication to an external identity provider.

Step properties used with flow definitions
Configuration schema property Description
There are no configuration schema properties for the IDENTITY_PROVIDER_AUTHENTICATION step type.
Input property Description
identityProvider.id A string that specifies the external identity provider's ID. This is a required property.
identityProvider.loginHint A string that specifies the login identifier to the identity provider.
identityProvider.acrValues An array that designates the names of the authentication policies applicable to the authorization request.

The following properties are returned for the ACCOUNT_LINKED result.

Output property Description
externalAuthentication.id A string that specifies the ID for the external authentication transaction. This is a required property.
externalAuthentication.externalId A string that specifies the unique identifier for the user returned by the external identity provider. This is a required property.
externalAuthentication.identityProvider.id A string that specifies the ID for the external identity provider. This is a required property.
externalAuthentication.attributes An object that specifies the mapped attributes returned by the external identity provider.
linkedUser An object that specifies the user linked to the external account from the extrnal identity provider. Properties are dynamically derived from the environment's schema at configuration time. This is a required property.

The following properties are returned for the ACCOUNT_LINKING_REQUIRED result.

Output property Description
externalAuthentication.id A string that specifies the ID for the external authentication transaction. This is a required property.
externalAuthentication.externalId A string that specifies the unique identifier for the user returned by the external identity provider. This is a required property.
externalAuthentication.identityProvider.id A string that specifies the ID for the external identity provider. This is a required property.
externalAuthentication.attributes An object that specifies the mapped attributes returned by the external identity provider.
mappedUser An object that specifies the user with mapped attribute values that can be used to pre-fill an external identity provider registration form. This is a required property.
matchingUsers An object that specifies the list of existing users that may be candidates for linking to the external account. These users are matched based on mapped attribute values.
user[].{{properties}} An object that specifies the flow output. User properties are dynamically derived from the environment's schema at configuration time.
Step properties used with flow executions
Properties for the EXTERNAL_AUTHENTICATION_REQUIRED flow state
Flow state Description
EXTERNAL_AUTHENTICATION_REQUIRED A flow status that prompts the user to authenticate with an external identity provider to continue the flow.
Flow state response schema property Description
authenticate.href A string that specifies the browser URL redirect to authenticate with the external identity provider.
Flow state embedded resource property Description
identityProvider.name A string that specifies the identity provider's name.
identityProvider.type A string that specifies the identity provider's type. Options are FACEBOOK, GOOGLE, LINKEDIN, OPENID_CONNECT, APPLE, AMAZON, TWITTER, YAHOO, PAYPAL, MICROSOFT, GITHUB, and SAML.
Flow execution actions
externalAuthentication.check action
Links Description
externalAuthentication.check The link to initiate an action to check the external authentication ID. The action must provide a value for the id property and specify application/vnd.pingidentity.externalAuthentication.check+json as the custom content type in the request.
Parameters Description
externalAuthentication.id A string that specifies the external authentication ID. This is a required property.

Invoke External Service

This step type invokes an external service request. Note that the input properties in the request and the output properties in the response are generated dynamically based on the input and output schemas defined in the external service configuration.

Step properties used with flow definitions
Configuration schema property Description
externalService.id A string that specifies the ID of the external service, which is the target of the request.
request.id A string that specifies the request configuration to execute.
Input property Description
{someRequestProperty} The input properties are dynamically generated based on list of inputs on request configuration.

The following properties are returned for the INVOCATION_OUTPUT result.

Output property Description
someOutputProperty The output properties are populated dynamically if if output schema is provided.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the EXTERNAL_SERVICE_INVOKE step type.
Parameters Description
There are no flow action parameters associated with the EXTERNAL_SERVICE_INVOKE step type.

MFA Auto Enrollment

This step type pairs an MFA offline device automatically with the user account during MFA enrollment.

Step properties used with flow definitions
Configuration schema property Description
sms.enabled A boolean that that when set to true auto enrolls an SMS device.
sms.mode A string that specifies the available modes to auto enroll an SMS device. Options are CREATE, OVERRIDE, and REPLACE. The default value is CREATE.
voice.enabled A boolean that that when set to true auto enrolls a voice device.
voice.mode A string that specifies the available modes to auto enroll a voice device. Options are CREATE, OVERRIDE, and REPLACE. The default value is CREATE.
email.enabled A boolean that that when set to true auto enrolls an email device.
email.mode A string that specifies the available modes to auto enroll an email device. Options are CREATE, OVERRIDE, and REPLACE. The default value is CREATE.
Input property Description
user.id A string that specifies the user ID of the user account. This is a required property.
user.sms.mobilePhone A string that specifies the phone number of the SMS device. This is a required property.
user.sms.oldMobilePhone A string that specifies the phone number of the old SMS device. This is a required property.
user.voice.mobilePhone A string that specifies the phone number of the voice device. This is a required property.
user.voice.oldMobilePhone A string that specifies the phone number of the old voice device. This is a required property.
user.email.email A string that specifies the email address of the email device. This is a required property.
user.email.oldEmail A string that specifies the email address of the old email device. This is a required property.

The following properties are returned for the ENROLLED result.

Output property Description
devices.sms.id A string that specifies the ID of the SMS device.
devices.sms.type A string that specifies the device type.
devices.sms.phone A string that specifies the phone number associated with the device.
devices.voice.id A string that specifies the ID of the voice device.
devices.voice.type A string that specifies the device type.
devices.voice.phone A string that specifies the phone number associated with the device.
devices.email.id A string that specifies the ID of the email device.
devices.email.type A string that specifies the device type.
devices.email.email A string that specifies the email address associated with the device.

The following properties are returned for the NOT_APPLICABLE result.

Output property Description
There are no output properties for the NOT_APPLICABLE result.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the MFA_AUTO_ENROLLMENT step type.
Parameters Description
There are no flow action parameters associated with the MFA_AUTO_ENROLLMENT step type.

MFA Challenge

This step type performs a multi-factor authentication in PingOne. The step returns a SUCCEEDED result.

Step properties used with flow definitions
Configuration schema property Description
deviceAuthenticationPolicy.id A string that specifies the device authentication policies to use during authentication. This is a required property.
deviceSelection A string that specifies the device selection mode. Options are DEFAULT_TO_FIRST, and PROMPT_TO_SELECT. The default value is DEFAULT_TO_FIRST. This is a required property.
template.name A string that specifies the name of the notification template used for user notifications. Options are STRONG_AUTHENTICATION, and TRANSACTION. This is a required property.
template.variant A string that specifies the notification template variant.
useDefaultPolicy A boolean that, when set to true, specifies that the default device authentication policy for the environment is used during MFA evaluation.
Input property Description
user.id A string that specifies the user ID. This is a required property.
template.locale A string that specifies the notifications template locale. This is a required property.
template.variables An object that specifies the notifications template variables.
webauthn.compatibility A string that specifies the webauthn compatibility.
mobile.clientContext An object that specifies the mobile client context.
mobile.payload A string that specifies the mobile payload. The default value is ${flow.inputs.parameters.mobilePayload}.
application.id A string that specifies the application ID. The default value is ${flow.inputs.parameters.applicationId}.
session.id A string that specifies the session ID. The default value is ${flow.inputs.parameters.sessionId}.
userAgent A string that specifies the user agent of the browser that triggered the flow. The default value is ${flow.inputs.headers.user-agent}.

The following properties are returned for the SUCCEEDED result.

Output property Description
device.id A string that specifies the device ID.
device.nickname A string that specifies the device nickname.
device.type A string that specifies the device type. Options are MOBILE, EMAIL, SMS, VOICE, TOTP, PLATFORM, and SECURITY_KEY.
amr An array that specifies the authentication methods.
Step properties used with flow executions
Properties for the DEVICE_SELECTION_REQUIRED flow state
Flow state Description
DEVICE_SELECTION_REQUIRED A flow status that prompts the user to select an available device to use for authentication.
Flow state response schema property Description
deviceAuthentication An object that specifies the device authentication parameters.
Properties for the OTP_REQUIRED flow state
Flow state Description
OTP_REQUIRED A flow status that requires the user to complete a multi-factor authentication action using a one-time passcode.
Flow state response schema property Description
devices An object that specifies the user devices available that can be used to complete the multi-factor authentication action.
deviceAuthentication.authSession.type A string that specifies the type of authentication session.
deviceAuthentication.authSession.id A string that specifies the authentication session ID.
deviceAuthentication.selectedDevice.id A string that specifies the ID of the device used for authentication.
deviceAuthentication.user.id A string that specifies the user ID of the authenticating user.
Properties for the ASSERTION_REQUIRED flow state
Flow state Description
ASSERTION_REQUIRED A flow status that prompts the user to activate the WebAuthn device to finalize the authentication process.
Flow state response schema property Description
devices An object that specifies the available devices that can be used for activation.
deviceAuthentication.authSession.type A string that specifies the type of authentication session.
deviceAuthentication.authSession.id A string that specifies the authentication session ID.
deviceAuthentication.selectedDevice.id A string that specifies the ID of the device used for authentication.
deviceAuthentication.user.id A string that specifies the user ID of the authenticating user.
Properties for the PUSH_CONFIRMATION_REQUIRED flow state
Flow state Description
PUSH_CONFIRMATION_REQUIRED A flow status that results when a push was sent to a native device to confirm the authentication.
Flow state response schema property Description
devices An object that specifies the available devices that can be used for activation.
deviceAuthentication.authSession.type A string that specifies the type of authentication session.
deviceAuthentication.authSession.id A string that specifies the authentication session ID.
deviceAuthentication.selectedDevice.id A string that specifies the ID of the device used for authentication.
deviceAuthentication.user.id A string that specifies the user ID of the authenticating user.
Properties for the PUSH_CONFIRMATION_TIMED_OUT flow state
Flow state Description
PUSH_CONFIRMATION_TIMED_OUT A flow status that specifies that a push was sent to a native device, but the native device did not answer the push during the allowed timeframe.
Flow state response schema property Description
devices An object that specifies the available devices that can be used for activation.
deviceAuthentication.authSession.type A string that specifies the type of authentication session.
deviceAuthentication.authSession.id A string that specifies the authentication session ID.
deviceAuthentication.selectedDevice.id A string that specifies the ID of the device used for authentication.
deviceAuthentication.user.id A string that specifies the user ID of the authenticating user.
Flow execution actions
Device device.select action
Links Description
device.select The link to initiate an action to specify an MFA device to associate with the user. The action must provide a value for the type property and specify application/vnd.pingidentity.device.select+json as the custom content type in the request.
Parameters Description
device.id A string that specifies the ID of the selected device. This is a required property.
compatibility A string that specifies the browser WebAuthn compatibility. Options are FULL, SECURITY_KEY_ONLY, and NONE.
Device otp.check action
Links Description
otp.check The link to initiate an action to validate the one-time passcode received by the selected device. The action must specify application/vnd.pingidentity.otp.check+json as the custom content type in the request.
Parameters Description
otp A string that specifies the one-time passcode. This is a required property.
Device assertion.check action
Links Description
assertion.check The link to initiate an action to validate the assertion received by the selected FIDO2 device. The action must specify application/vnd.pingidentity.assertion.check+json as the custom content type in the request.
Parameters Description
assertion A string that specifies the WebAuthn Assertion response. This is a required property.
compatibility A string that specifies the browser WebAuthn compatibility. Options are FULL, SECURITY_KEY_ONLY, and NONE.
origin A string that specifies the full URL of the calling service. This is a required property.

MFA Enrollment

This step type pairs an MFA device with the user account during MFA enrollment. The step returns either the ENROLLED or SKIPPED result.

Step properties used with flow definitions
Configuration schema property Description
useDefaultPolicy A boolean that when set to true specifies that the environment's default device authentication policy is used during MFA evaluation. This is a required property.
deviceAuthenticationPolicy.id A string that specifies the ID device authentication policy to use during authentication. This is a required property only in cases in which the useDefaultPolicy property is set to false.
template.variant A string that specifies the notification template variant.
Input property Description
user.id A string that specifies the user ID of the user account from the identity provider. This is a required property.
user.email A string that specifies the user's email address.
user.mobilePhone A string that specifies the user's mobile phone number.
webauthn.compatibility A string that specifies the webauthn compatibility. Options are FULL, SECURITY_KEY_ONLY, and NONE.
template.locale A string that specifies the notification template locale.
template.variables An object that specifies the notification template variables.

The following properties are returned for the ENROLLED result.

Output property Description
device.id A string that specifies the device ID.
device.type A string that specifies the device type. Options are MOBILE, EMAIL, SMS, VOICE, TOTP, PLATFORM, and SECURITY_KEY.

The following properties are returned for the SKIPPED result.

Output property Description
There are no output properties for the SKIPPED result.
Step properties used with flow executions
Properties for the DEVICE_ENROLLMENT_REQUIRED flow state
Flow state Description
DEVICE_ENROLLMENT_REQUIRED A flow status that prompts the user to either enroll a device or skip the enrollment process.
Flow state response schema property Description
email A string that specifies the user email provided in the step inputs.
mobilePhone A string that specifies the user mobile phone number provided in the step inputs.
allowedtypes An array that specifies the allowed device types for pairing. Options are MOBILE, EMAIL, SMS, VOICE, TOTP, PLATFORM, and SECURITY_KEY.
mfaSettings An object that specifies the environment's MFA settings.
applications An array that specifies the environment applications.
Properties for the ACTIVATION_REQUIRED flow state
Flow state Description
ACTIVATION_REQUIRED A flow status that prompts the user to activate the offline device to finalize the enrollment process.
Flow state response schema property Description
device An object that specifies the user device pending for activation. The device properties shown depend on the device type.
Properties for the PAIRING_REQUIRED flow state
Flow state Description
PAIRING_REQUIRED A flow status that prompts the user to pair the mobile device to finalize the mobile enrollment process. The client will have to poll the HAL self link (/{envID}/flowExecutions/{flowExecutionID}) to verify the pairing.
Flow state response schema property Description
device An object that specifies the user device pending for activation. The device properties shown depend on the device type.
pairingKey.code A string that specifies the mobile pairing key code, used to finalize the mobile enrollment process.
Properties for the MOBILE_PAIRING_FAILURE flow state
Flow state Description
MOBILE_PAIRING_FAILURE A flow status that results when mobile pairing has failed. This status returns the error code and the mobile pairing error details.
Flow state response schema property Description
error An object that specifies the error details.
error.code A string that specifies the error code.
error.message A string that specifies the error message.
Flow execution actions
Device create device.create action
Links Description
device.create The link to initiate an action to specify an MFA device to associate with the user. The action must provide a value for the type property and specify application/vnd.pingidentity.device.create+json as the custom content type in the request.
Parameters Description
type A string that specifies the device type. Options are MOBILE, EMAIL, SMS, VOICE, TOTP, PLATFORM, and SECURITY_KEY. This is a required property.
nickname A string that specifies the device nickname.
email A string that specifies the user's email address.
phone A string that specifies the user's phone number.
application.id A string that specifies the associated application ID, which is required for pairing with devices of type MOBILE.
rp.id A string that specifies an RP ID, which is based on a host's domain name.
rp.name A string that specifies a human-readable name for the user account.
Device activate device.activate action
Links Description
device.activate The link to initiate an action to activate an MFA device. The action must specify application/vnd.pingidentity.device.activate+json as the custom content type in the request.
Parameters Description
otp A string that specifies the one-time passcode.
attestation A string that specifies the FIDO2 attestation.
origin A string that specifies the calling service.
Device skip device.skipEnrollment action
Links Description
device.skipEnrollment The link to skip device enrollment. This action can be used only if device registration is configured to allow skipping. The action must specify the application/vnd.pingidentity.device.skipEnrollment+json as the custom content type in the request.
Parameters Description
There are no parameters required for the device.skipPairing action.
Device delete device.delete action
Links Description
device.delete The link to delete the device registration process. This action must specify the application/vnd.pingidentity.device.delete+json as the custom content type in the request.
Parameters Description
There are no parameters required for the device.delete action.
Resend OTP otp.resend action
Links Description
otp.resend The link to resend the OTP to complere the device registration process for SMS, email, and voice devices. This action must specify the application/vnd.pingidentity.otp.resend+json as the custom content type in the request.
Parameters Description
There are no parameters required for the otp.resend action.

MFA Mobile Auto Enrollment

This step type pairs an MFA mobile device with the user account during MFA enrollment.

Step properties used with flow definitions
Configuration schema property Description
{{properties}} An object that specifies the properties that are dynamically derived at configuration time.
Input property Description
user.id A string that specifies the user ID of the user account. This is a required property.
application.id A string that specifies the application ID. This is a required property.
mobile.payload A string that specifies the mobile payload. This is a required property.

The following properties are returned for the ENROLLMENT_INITIATED result.

Output property Description
enrollment An object that specifies the enrollment data created by the auto enrollment flow.

The following properties are returned for the NOT_APPLICABLE result.

Output property Description
There are no output properties for the NOT_APPLICABLE result.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the MFA_MOBILE_AUTO_ENROLLMENT step type.
Parameters Description
There are no flow action parameters associated with the MFA_MOBILE_AUTO_ENROLLMENT step type.

Password Check

This step type specifies an action to check a PingOne user's password.

Step properties used with flow definitions
Configuration schema property Description
There are no configuration schema properties for the USER_PASSWORD_CHECK step.
Input property Description
user.id A string that specifies the user ID of the user account associated with the password check action. This is a required property.
user.password A string that specifies the user's password to check. This is a required property.

The following properties are returned for the PASSWORD_VALID result.

Output property Description
passwordState.user.id A string that specifies the user's password state.
passwordState.passwordPolicy.id A string that specifies the password policy ID.
passwordState.status A string that specifies the current status of the password.
passwordState.lastChanged The date and time the password was last changed.
passwordState.warnings.expires A string that specifies the date and time the password expires.

The following properties are returned for the PASSWORD_EXPIRED result.

Output property Description
passwordState.user.id A string that specifies the user's password state.
passwordState.passwordPolicy.id A string that specifies the password policy ID.
passwordState.status A string that specifies the current status of the password.
passwordState.lastChangedAt The date and time the password was last changed.
passwordState.warnings.expires A string that specifies the date and time the password expires.

The following properties are returned for the MUST_CHANGE_PASSWORD result.

Output property Description
passwordState.user.id A string that specifies the user's password state.
passwordState.passwordPolicy.id A string that specifies the password policy ID.
passwordState.status A string that specifies the current status of the password.
passwordState.lastChangedAt The date and time the password was last changed.
passwordState.warnings.expires A string that specifies the date and time the password expires.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the USER_PASSWORD_CHECK step type.
Parameters Description
There are no flow action parameters associated with the USER_PASSWORD_CHECK step type.

Password Recover

This step type verifies an account by prompting for a verification code sent to the user through email. The step returns a VERIFIED result after the verification code is submitted successfully by the end user. The step can also return a SKIPPED result if the user chooses to skip the account verification step.

Step properties used with flow definitions
Configuration schema property Description
allowSkip A boolean that specifies whether the user is allowed to skip account verification.
Input property Description
userId A string that specifies the user ID of the user account to verify. This is a required property.

The following properties are returned for the VERIFIED result.

Output property Description
There are no output properties for the VERIFIED result.

The following properties are returned for the SKIPPED result.

Output property Description
There are no output properties for the SKIPPED result.
Step properties used with flow executions
Flow state Description
VERIFICATION_CODE_REQUIRED A flow status prompts the user to complete an account verification action. The user can submit a verification code to verify the account, have another verification code sent, or optionally skip verification if the step is configured to allow skipping.
Account verification user.verify action
Links Description
user.verify The link to initiate an action to send a verification code to the user. The action must provide a value for the verificationCode property and specify application/vnd.pingidentity.user.verify+json as the custom content type.
Parameters Description
verificationCode A string that specifies the verification code sent to the user.
Account verification user.sendVerificationCode action
Links Description
user.sendVerificationCode The link to initiate an action to send a verification code to the user. The action must provide a value for the verificationCode property and specify application/vnd.pingidentity.user.sendVerificationCode+json as the custom content type.
Parameters Description
There are no parameters required for the user.sendVerificationCode action.
Account verification user.skipVerification action
Links Description
user.skipVerification The link to skip account verification. This action can be used only if account verification is configured to allow skipping. The action must specify the application/vnd.pingidentity.user.skipVerification+json as the custom content type.
Parameters Description
There are no parameters required for the user.skipVerification action.

PingID Authentication for Windows Passwordless Login

This step type authenticates users with PingID. It is used for passwordless login on Windows devices.

Step properties used with flow definitions
Configuration schema property Description
There are no configuration schema properties for the PINGID_AUTHENTICATION_FOR_WINDOWS_PASSWORDLESS_LOGIN step type.
Input property Description
user.username A string that specifies the user name as it is defined in PingID.

The following properties are returned for the SUCCEEDED result.

Output property Description
pingIdDevice.id A string that specifies the PingID device ID.
Step properties used with flow executions
Flow state Description
There is no flow status associated with the PINGID_AUTHENTICATION_FOR_WINDOWS_PASSWORDLESS_LOGIN step type.
Links Description
device.select The link to initiate the PingID device select action. The action must specify application/vnd.pingidentity.device.select+json as the custom content type in the request.
Parameters Description
device.id A string that specifies the selected PingID device ID.
Links Description
authentication.poll The link to specify an action to check the current authentication status. The action must specify application/vnd.pingidentity.authentication.poll+json as the custom content type in the request.
Parameters Description
There are no parameters for the authentication.poll action.
Links Description
otp.check The link to initiate an action to validate the one-time passcode. The action must specify application/vnd.pingidentity.otp.check+json as the custom content type in the request.
Parameters Description
otp A string that specifies the offline device one-time passcode.
Links Description
certificate.create The link to initiate an action to create a certificate. The action must specify application/vnd.pingidentity.certificate.create+json as the custom content type in the request.
Parameters Description
csr A string that specifies the certificate signing request, which is Base-64 encoded PEM format that contains information that is included in the certificate.
Links Description
certificate.create The link to initiate an action to create a certificate. The action must specify application/vnd.pingidentity.certificate.create+json as the custom content type in the request.
Parameters Description
csr A string that specifies the certificate signing request, which is Base-64 encoded PEM format that contains information that is included in the certificate.
pin A string that specifies the PIN that protects the certificate's private key.
Links Description
certificate.readPin The link to initiate an action to retrieve the PIN code that protects the certificate's private key. The action must specify application/vnd.pingidentity.certificate.readPin+json as the custom content type in the request.
Parameters Description
certificate.id A string that specifies the certificate ID.
Links Description
authentication.resume The link to initiate an action to complete the authentication. The action must specify application/vnd.pingidentity.authentication.resume+json as the custom content type in the request.
Parameters Description
There are no parameters for the authentication.resume action.

Read User

This step type reads user account data for the user specified by the ID in the input property.

Step properties used with flow definitions
Configuration schema property Description
{{properties}} An object that specifies the user properties. Properties are dynamically derived from the environment's schema at configuration time.
Input property Description
user.id A string that specifies the user ID. This is a required property.

The following properties are returned for the SUCCEEDED result.

Output property Description
{{userProperties}} An object that specifies the flow output. Properties are dynamically derived from the environment's schema at configuration time.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the USER_READ step type.
Parameters Description
There are no flow action parameters associated with the USER_READ step type.

Reset Password

This step type specifies an action to reset a user's password using the current password.

Step properties used with flow definitions
Configuration schema property Description
There are no configuration schema properties for the USER_PASSWORD_RESET step.
Input property Description
user.id A string that specifies the user ID of the user account associated with the password reset action. This is a required property.
currentPassword A string that specifies the user's current password. This is a required property.
newPassword A string that specifies the new password for the user account. This is a required property.

The following properties are returned for the SUCCEEDED result.

Output property Description
passwordState.user.id A string that specifies the user's password state.
passwordState.passwordPolicy.id A string that specifies the password policy ID.
passwordState.status A string that specifies the current status of the password.
passwordState.lastChanged The date and time the password was last changed.
passwordState.warnings.expires A string that specifies the date and time the password expires.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the USER_PASSWORD_RESET step type.
Parameters Description
There are no flow action parameters associated with the USER_PASSWORD_RESET step type.

Send Recovery Code

This step type specifies an action to send a recovery code to recover a forgotten password.

Step properties used with flow definitions
Configuration schema property Description
There are no configuration schema properties for the USER_PASSWORD_SEND_RECOVERY_CODE step.
Input property Description
user.id A string that specifies the user ID of the user account associated with the send recovery code action. This is a required property.

The following properties are returned for the SUCCEEDED result.

Output property Description
passwordState.user.id A string that specifies the user's password state.
passwordState.passwordPolicy.id A string that specifies the password policy ID.
passwordState.status A string that specifies the current status of the password.
passwordState.lastChanged The date and time the password was last changed.
passwordState.warnings.expires A string that specifies the date and time the password expires.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the USER_PASSWORD_SEND_RECOVERY_CODE step type.
Parameters Description
There are no flow action parameters associated with the USER_PASSWORD_SEND_RECOVERY_CODE step type.

Terminate Flow

This step type ends the flow and returns an error message.

Step properties used with flow definitions
Configuration schema property Description
There are no configuration properties for the TERMINATE_FLOW step type.
Input property Description
error.code A string that specifies the unique error code for the error. This is a required property.
error.message A string that specifies the message describing the error. The error message can include HTML formatted text such as links, headings, lists, and line breaks. This is a required property.
Output property Description
There are no output properties for the TERMINATE_FLOW step type.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the TERMINATE_FLOW step type.
Parameters Description
There are no flow action parameters associated with the TERMINATE_FLOW step type.

Update User

This step type specifies an action to update the user record in PingOne.

Step properties used with flow definitions
Configuration schema property Description
There are no configuration schema properties for the USER_PATCH step.
Input property Description
user.id A string that specifies the user ID of the user account associated with the update action. This is a required property.

The following properties are returned for the SUCCEEDED result.

Output property Description
user.{{properties}} The updated user record. User properties are dynamically derived from the environment's schema at configuration time.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this step type.
Links Description
There are no flow actions associated with the USER_PATCH step type.
Parameters Description
There are no flow action parameters associated with the USER_PATCH step type.

User Lookup

This step type that specifies a user lookup action to determine the authentication authority. The response returns either a PING_ONE_USER_MATCHED or IDENTITY_PROVIDER_USER_MATCHED result.

Step properties used with flow definitions
Configuration schema property Description
matchAttributes.[] An array that specifies the attributes to match against the provided identifier when searching for a user in the directory. Only unique attributes can be specified, and the attributes are searched in order, returning the first user that matches. If no match is found, the action returns an error. The default attribute is username. This is a required property.
matchPingOneUsersOnly A boolean that specifies whether to match only users whose authentication authority is PingOne. This property defaults to false if it is not set.
Input property Description
identifier A string that specifies the identifier to use when searching for the user. This is a required property.

The following properties are returned for the PING_ONE_USER_MATCHED result.

Output property Description
user An object that specifies the attributes of the matched user. Properties are dynamically derived from the environment's schema at configuration time.

The following properties are returned for the IDENTITY_PROVIDER_USER_MATCHED result.

Output property Description
user An object that specifies the attributes of the matched user. Properties are dynamically derived from the environment's schema at configuration time.
Step properties used with flow executions
Flow state Description
There is no flow status associated with this action.
Links Description
There are no flow actions associated with the USER_LOOKUP step type.
Parameters Description
There are no flow action parameters associated with the USER_LOOKUP step type.

Verify Email

This step type verifies an account by prompting for a verification code sent to the user through email. The step returns a VERIFIED result after the verification code is submitted successfully by the end user. The step can also return a SKIPPED result if the user chooses to skip the account verification step.

Step properties used with flow definitions
Configuration schema property Description
allowSkip A boolean that specifies whether the user is allowed to skip account verification.
Input property Description
userId A string that specifies the user ID of the user account to verify. This is a required property.

The following properties are returned for the VERIFIED result.

Output property Description
There are no output properties for the VERIFIED result.

The following properties are returned for the SKIPPED result.

Output property Description
There are no output properties for the SKIPPED result.
Step properties used with flow executions
Flow state Description
VERIFICATION_CODE_REQUIRED A flow status prompts the user to complete an account verification action. The user can submit a verification code to verify the account, have another verification code sent, or optionally skip verification if the step is configured to allow skipping.
Account verification user.verify action
Links Description
user.verify The link to initiate an action to send a verification code to the user. The action must provide a value for the verificationCode property and specify application/vnd.pingidentity.user.verify+json as the custom content type.
Parameters Description
verificationCode A string that specifies the verification code sent to the user.
Account verification user.sendVerificationCode action
Links Description
user.sendVerificationCode The link to initiate an action to send a verification code to the user. The action must provide a value for the verificationCode property and specify application/vnd.pingidentity.user.sendVerificationCode+json as the custom content type.
Parameters Description
There are no parameters required for the user.sendVerificationCode action.
Account verification user.skipVerification action
Links Description
user.skipVerification The link to skip account verification. This action can be used only if account verification is configured to allow skipping. The action must specify the application/vnd.pingidentity.user.skipVerification+json as the custom content type.
Parameters Description
There are no parameters required for the user.skipVerification action.

Forms

The forms API, which supports the form builder interface in the PingOne Admin Console, provides tools for administrators to create custom forms presented to users during the authentication workflow. This capability allows administrators to:

  • Define the interactive fields and the corresponding data to be collected during a registration or sign-on flow, which could include text inputs, checkboxes, dropdowns, and radio buttons with the potential for dynamic options or dynamically static options (dropdowns with options saved as part of the form or as input for an argument).

  • Define the user experience that they want to deliver to the customer, such as field ordering, labeling, control over input validation and error feedback, and support for contextual or formatting items such as text (headers, explanatory text) images, and dividers.

The forms API provides endpoints to create, read, update, and delete form builder resources.

Forms category types

The API allows the following form types:

  • REGISTRATION

    A registration form that allows administrators to configure the controls and the information gathered during the registration flow. This form type allows form fields that do not map directly to PingOne user schema properties.

  • SELF_SERVICE

    A self-service form that allows administrators to configure the controls and the information gathered during a self-service flow. All fields in the self-service form must be associated with PingOne user schema properties.

  • PROGRESSIVE_PROFILING

    A custom registration form that prompts the user for additional information during the registration or sign-on flow. All fields in the progressive profiling form must be associated with PingOne user schema properties.

  • CUSTOM

    A custom registration form that allows form fields that do not map directly to PingOne user schema properties. For example, the form could include radio buttons with options of “employee” or “contractor” that the flow manager processes to direct the user to the next relevant form.

Forms data model
Property Description
created The time the resource was created.
category A string that specifies the type of custom-defined form. Options are REGISTRATION, SELF_SERVICE, PROGRESSIVE_PROFILING, and CUSTOM. The CUSTOM and REGISTRATION form types allow the form to be built with fields that do not map specifically to the PingOne directory attributes. This is a required property.
cols An integer that specifies the number of columns in the form.
components An object that specifies the form configuration elements.
description A string that specifies the description of the population.
fieldTypes A read-only that specifies the list of the FormField types in the form. Options are TEXT, SUBMIT_BUTTON, FLOW_LINK, FLOW_BUTTON, and RECAPTCHA_V2.
id A string that specifies the resource’s unique identifier.
markOptional A boolean that specifies whether optional fields are highlighted in the rendered form. This is a required property.
markRequired A boolean that specifies whether required fields are highlighted in the rendered form. This is a required property.
modified The time the resource was last updated.
name A string that specifies the form name, which must be provided and must be unique within an environment. This is a required property.
Form components data model
Property Description
button A form button object that contains the button text. This is a required property.
button.text A string that specifies the form button text. This is a required property.
fields A list of form fields that specifies the form fields that make up the form. Options include text inputs, passwords, radio buttons, checkboxes, dropdowns, headers, and dividers. This is a required property.
FormField data model
  • FormElement represents a FormField of types TEXT, PASSWORD, RADIO, CHECKBOX, DROPDOWN.
  • FormItem represents a FormField of types DIVIDER, PARAGRAPH, EMPTY_FIELD, ERROR_DISPLAY.
  • FormElementPasswordVerify represents a FormField of type PASSWORD_VERIFY.
  • FormSubmit represents a FormField of type SUBMIT_BUTTON.
  • FormFlowLink represents FormField of type FLOW_LINK.
  • FormFlowButton represents a FormField of type FLOW_BUTTON.
  • FormRecaptchaV2 represents a FormField of type RECAPTCHA_V2.
  • FormQrCode represents a FormField of type QR_CODE.
Property Description
position An object containing field position information. This is a required property.
position.col An integer that specifies the column position of the field. This is a required property.
position.row An integer that specifies the row position of the field. This is a required property.
position.width An integer that specifies the width of the field.
type A string that specifies the type of the field. Options are TEXT, PASSWORD, PASSWORD_VERIFY, RADIO, CHECKBOX, DROPDOWN, DIVIDER, EMPTY_FIELD, TEXTBLOB, ERROR_DISPLAY, SUBMIT_BUTTON, FLOW_LINK, FLOW_BUTTON, RECAPTCHA_V2, and QR_CODE.
. This is a required property.
FormElement data model
Property Description
key A string that specifies the field unique key for the HTML name attribute. This is a required property.
label A string that specifies the field label. This is a required property.
layout A string that specifies layout attributes for radio button and checkbox fields. Options are HORIZONTAL or VERTICAL. This is a required property when the type is RADIO or CHECKBOX.
options An array of strings that specifies the unique list of options. This is a required property when the type is RADIO, CHECKBOX, or DROPDOWN.
required A boolean that specifies whether the field is required. This is a required property.
validation An object containing validation data for the field. This is a required property when the type is TEXT.
validation.regex A string that specifies a validation regular expression. The expression must be a valid regular expression string. This is a required property when the validation type is CUSTOM.
validation.type A string that specifies the validation type. Options are NONE and CUSTOM. This is a required property when the field type is TEXT.
validation.errorMessage A string that specifies the error message to be displayed when the field validation fails.
FormElementPasswordVerify data model

The FormElementPasswordVerify object is an extension of FormElement and contains all of the same fields in FormElement as well as those listed below.

Property Description
labelPasswordVerify A string that verifies password field label.
FormItem data model
Property Description
content A string that specifies the field content (for example, HTML when the field type is TEXTBLOB.
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

READ Forms


READ One Form


CREATE Registration Form


CREATE Progressive Profiling Form


CREATE Self Service Form


CREATE Sign On Form


CREATE Identity Provider Sign On Form


CREATE Password Reset Form


CREATE Password Recovery User Lookup Form


CREATE Password Recovery Form


CREATE Custom Form


UPDATE Form


DELETE One Form

Forms: Recaptcha

The Recaptcha configuration API provides support for a Recaptcha V2 field in a form definition. It includes operations to read, update, and delete the environment's Recaptcha configuration.

Recaptcha V2 data model
Property Description
created The time the configuration was created.
environment.id A string that specifies the environment's unique identifier.
modified The time the configuration was last updated.
siteKey A string that specifies the public site key for the Recaptcha configuration provided by Google. This is a required property.
secretKey A string that specifies the confidential secret key for the Recaptcha configuration provided by Google. This is a required property.
Response codes
Code Message
200 Successful operation.
204 No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.

READ Recaptcha Configuration


UPDATE Recaptcha Configuration


DELETE Recaptcha Configuration

Configuration Management

The Configuration Management service gives you a secure and flexible approach to automating (promoting) configurations across multiple environments, enabling the seamless creation, updating, and deletion of resources while supporting dynamic configurations through variable management. Resource dependencies are maintained, ensuring smooth cross-environment transitions and promotions. Robust auditing and reporting enhance oversight and compliance.

To use the Configuration Management service you need to have the Environment Admin role for at least two environments. The general workflow is:

  • Select configurations that you want to promote from one environment to another (generally, through development, testing, and production stages).
  • If desired, use promotion variables to dynamically substitute different property values for a configuration resource included in a promotion operation.
  • Execute the promotion plan returned by the Read One Promotion or Read All Promotions to move the configuration from the source environment to the target environment.

The Configuration Management service is comprised of these sub-services:

Click the Run In Postman button below to download the early access Postman collection for the Configuration Management APIs:

Run In Postman

Resources requiring special handling

Certificates

Certificates are not a promotable resource in PingOne, however special handling of them is required for resources that reference them. Certificate references can be promoted in using either default certificates or through the use of promotion variables:

  • Default certificates

    When a configuration resource is using the default certificate as its signing key (a SAML application, for example), the application can be promoted, and will reference the default signing key existing in the target environment. Certificate rotation for the signing key can be done by setting a new default certificate in the target environment, and then promoting the configuration resource or resources using the default signing key in the source environment.

  • Certificates as promotion variables

    You can handle all certificate references other than default certificates using promotion variables. You'll need to create a promotion variable with the certificate ID in each environment. When the resource or resources referencing the certificate are promoted, the promotion operation will use the variable value to substitute the correct certificate in the target environment or environments. If there are other configuration resources that use the certificate, they will also use the correct certificate when any of these configuration resources are promoted to the same target environment or environments.

Attributes

You can promote individual attributes in the schema. However if you're promoting an application that references a custom attribute, the promotion plan will include all attributes in the schema. In this case, you can then exclude the unnecessary attributes by editing the promotion plan prior to starting the promotion operation.

Snapshots

A snapshot is a point in time representation of any configuration resource in PingOne. A snapshot is triggered when the request POST {{apiPath}}/environments/{{envID}}/snapshots is called. The configuration resource, and optionally all of its dependencies, are then stored by the Snapshot service. The snapshots are stored and indexed using the original identifier (UUID) of the configuration resource. For example, an applications snapshot will be stored using the UUID of the application. Subsequent calls to the request POST {{apiPath}}/environments/{{envID}}/snapshots for the same configuration resource generates a new version of the configuration resource each time the request is called. You can retrieve the version history of any configuration resource using the original UUID of the resource. You'll use the snapshot created for a configuration resource to promote (apply) the configuration resource from the source environment to another environment.

Snapshots data model

Property Type Required? Mutable? Description
baseResourceURL String Required Mutable The URL of the resource to use. The form is: "https://api.pingone.com/v1/environments/{{envId}}/{{resourceName}}/{{resourceId}}", where "resourceName" is the name of the configuration resource to snapshot.
createdAt Date N/A Read-only The date and time at which the resource was created (ISO 8601 format).
completedAt Date N/A Read-only The date and time at which the snapshot creation was completed (ISO 8601 format).
configuration Object N/A Read-only The JSON representation of the configuration resource. If the configuration resource has been deleted, this will be empty (null).
error String N/A Read-only If an error occurs while creating the snapshot, it's returned here.
id String Required Immutable The UUID of the configuration resource.
resourceId String Optional Mutable The UUID of the configuration resource.
resourceUrl String Optional Mutable The URL of the configuration resource.
referencedResources String[] Optional Mutable The list of UUIDs for any dependent or referenced configuration resources. The dependent or referenced resources can be only one level down in the possible tree of such resources.
snapshotId String N/A Read-only The UUID of the snapshot.
startedAt Date N/A Read-only The date and time at which the snapshot creation was started (ISO 8601 format).
status String N/A Read-only The status of the snapshot creation process. This can be any one of: COMPLETE, WAITING, IN_PROGRESS, ERROR.
updatedAt Date N/A Read-only The date and time at which the resource was last updated (ISO 8601 format).
versionedAt Date N/A Read-only The date and time of the updatedAt property on the original resource. For deleted events, this will be the date and time the event was published.

Create Snapshot


Read Latest Snapshot


Read One Snapshot Version


Read All Snapshot Versions

Promotions

A promotion includes, at a minimum, source and target environment references, automatically generated source and target snapshots, the resource or resources to promote to the target environment, and a promotion plan for the promotion operation. You need to have the Environment Admin role for both the source and target environments. You can optionally include a specific source environment snapshot to use, as well as a mapping of the source environment configuration resource or resources to the target environment configuration resource or resources.

A PingOne admin having Environment Admin permissions can review the promotion plan, and update the promotion mapping and variable definitions or declarations as needed. The promotion plan is then regenerated based on the updates. Use the Read One Promotion or Read All Promotions to view the promotion plan.

If you do not set any promotion variables, the configuration resource or resources that you specify for the source or target environment will be used as is, and cannot be changed during the promotion operation. See Promotion Variables for more information.

When you choose to start the promotion operation, the promotion plan supplies the promotion operation instructions to the Promotions service. The Promotions service then:

  • Filters out any configuration resources that haven't changed, and calls the required target environment API using the new or altered resources.
  • Sets the promotion’s started_at and status values.
  • Collects any errors into a JSON array, and returns the errors.
  • Updates the promotion's completedAt and status values when the promotion operation is complete.

Promotions data model

Property Type Required? Mutable? Description
createdAt Date N/A Read-only The date and time the promotion was created.
completedAt Date N/A Read-only The date and time the promotion operation completed.
description String Optional Mutable A description of the promotion to be performed.
errors Object[] N/A Read-only An array of JSON objects correlating the configuration resource IDs in the source environment to the error messages from the target environment.
excludedResources Object[]* Optional Mutable An array of JSON objects. *Optionally, this can be an array of strings. Contains the resource IDs, and resource URLs for the configuration resources to be excluded from promotion.
mapping Map Optional Mutable A mapping of the configuration resource IDs in the source environment to the configuration resource IDs in the target environment.
promotionPlan Object[] N/A Read-only An array of JSON objects containing the promotion plan generated. The promotion plan is generated by the POST operation, but is returned only by either of the GET operations. For a DELETE operation, the payload property in the response will be empty.
promotionPlan.steps Object[] N/A Read-only An array of JSON objects identifying the resource or resources, the configuration of the resource or resources, and the target environment or environments.
promotionPlan.totalDistance Integer N/A Read-only (Internal use only.) A comparison metric the Configuration Management service uses to determine whether there is a comparable resource in the target environment to replace.
selectedResources Object[]* Optional Mutable An array of JSON objects. *Optionally, this can be an array of strings. Contains the resource IDs, and resource URLs for the configuration resources selected for promotion. If this is omitted, the entire current environment is used (the environment ID is injected.)
sourceEnvironment String Optional Immutable A JSON object containing the UUID of the source environment. If not specified, the current source environment for the actor is used.
sourceSnapshotId String Optional Mutable The UUID of the snapshot to use as the promotion source.
startedAt Date N/A Read-only The date and time the promotion operation started.
status String N/A Read-only An enumeration indicating the status of the promotion. This can be: NEW, PREPARING, READY, IN_PROGRESS, COMPLETED, VALIDATION_FAILED, or ERROR.
targetEnvironment Object Required Immutable A JSON object containing the UUID of the target environment.
targetSnapshotId String Optional Mutable The UUID of the snapshot to use as the promotion target.

Excluded Resources

Currently, not all resources, services, or products can be used in a promotion operation.

Excluded products or services
  • PingOne DaVinci
  • PingOne Authorize
  • PingOne Protect
Excluded resources
  • Active Identity Counts
  • Activities
  • Adaptive Trust Policies
  • Admin Config
  • API Servers
  • Application Entitlements
  • Application Permissions
  • Application Resources
  • Application Roles
  • Applications Role Assignments
  • Applications Secret
  • Application Signons
  • Application Signons Statistics
  • Authorization Attributes
  • Authorization Changes
  • Authorization Conditions
  • Authorization Connector Templates
  • Authorization Policies
  • Authorization Processors
  • Authorization Rules
  • Authorization Services
  • Authorization Statements
  • Branding
  • Branding Settings
  • Certificates
  • Connector Instances
  • Connectors
  • Credential Counts
  • Credential Issuer Profile
  • Credential Types
  • Custom Domains
  • Dashboards
  • Data Exploration Batches
  • Data Explorations
  • Data Exploration Templates
  • Davinci Applications
  • Decision Endpoints
  • Delegated Admins
  • Device Authentications
  • Digital Wallet Applications
  • External Services
  • Fido Devices Metadata
  • Flow Definitions
  • Flow Metadata
  • Flow Policies
  • Flows
  • Forms
  • Fraud Evaluations
  • Fraud Events Details
  • Fraud Feedbacks
  • Fraud Sessions
  • Identity Cloud
  • Identity Cloud Orchestrations
  • Images
  • Integrations
  • Languages
  • Legacy
  • Locales
  • Metrics
  • Migrate
  • Notification Callback
  • Notification Callback AWS email
  • Notification Callback Syniverse
  • Notification Callback Twilio
  • Notification Callback Whatsapp
  • Notifications
  • Notifications Quota
  • OAuth Jobs
  • OAuth Tokens
  • Password Storage Scheme Config
  • Pingid
  • Pingid Mobile App Versions
  • Pingid Mobile Display Names
  • Pingid Mobile Os Versions
  • Portal
  • Presentation Sessions
  • Promotions
  • Promotion Variable Declarations
  • Propagation
  • Propagation Mappings
  • Propagation Plans
  • Propagation Provisioning Syncs
  • Propagation Revisions ID
  • Propagation Revisions ID Latest
  • Propagation Rules
  • Propagation Store Metadata
  • Propagation Stores
  • QS Dashboards
  • Rate Limit IP Configs
  • Recaptcha V2 Config
  • Resources Secret
  • Risk Evaluations
  • Risk Feedback
  • Risk Policy Sets
  • Risk Predictors
  • Roles
  • Seen Devices
  • Sessions
  • Snapshots
  • Solutions
  • Subscriptions
  • Tiles
  • Total Identities
  • Translations
  • Users
  • Variables
  • Voice Phrases
  • Licenses
  • Licenses Expires At
  • Licenses Metrics Active Identity Counts
  • Licenses Name
  • Organization Quota
  • Ping Enterprise Orchestrations
  • Ping Enterprise Orchestrations Callback

Create Promotion


Start Promotion


Read All Promotions


Read One Promotion


Read Promotion Status


Update Promotion


Delete Promotion

Promotion Variables

Use promotion variables to to account for environment-specific differences, such as 3rd party integrations or URLs. You can specify configuration resource property values for either the source or target environment to be substituted for existing property values by the promotion operation. Only the promotion variables you set can change property values for use by the promotion operation. If you do not set any promotion variables, the configuration resource or resources that you specify for the source or target environment will be used as is, and cannot be changed during the promotion operation.

To use promotion variables, you need to:

  1. Specify the configuration resource to be promoted in a snapshot.
  2. Define the variable or variables to be used for a source or target environment configuration resource property. See Variable Definitions.
  3. Declare the variables to be used by the promotion operation. See Variable Declarations.

A few things to be aware of:

  • The variables are scoped only to the specified configuration resources, and are not applied to any dependent resources.
  • Variables are not versioned with a snapshot, so for each promotion operation, you need to ensure the variable settings for a configuration resource are correct.
  • Any configuration resources that you change directly without updating the variables will be overwritten by a subsequent promotion operation. This is because the promotion operation will use the existing variable set.

Configuration Resource Properties

Not all configuration resources or properties can be used as promotion variables. Here's the listing of configuration resources, and the associated properties that are supported as promotion variables:

Resource Properties
Applications acsUrls
corsSettings
defaultTargetUrl
devicePathId
homePageUrl
idpSigning.key.id
initiateLoginUri
jwks
jwksUrl
kerberos.key.id
mobile.bundleId
mobile.huaweiAppId
mobile.huaweiPackageName
mobile.integrityDetection.googlePlay.serviceAccountCredentials
mobile.packageName
mobile.uriPrefix
postLogoutRedirectUris
redirectUris
sloEndpoint
sloResponseEndpoint
spEncryption.certificate.id
spEntityId
spVerification.cert.id
targetLinkUri
Authentication relyingPartyId
Branding companyName
logo.href
Custom Domain domainName
Email Domains domainName
Gateways bindDN
bindPassword
kerberos.serviceAccountPassword
kerberos.serviceAccountUserPrincipalName
radiusClients.ip
Identity Providers authorizationEndpoint
clientEnvironment
clientId
clientSecret
discoveryEndpoint
idpEntityId
issuer
jwksEndpoint
keyId
sloEndpoint
spSigning.key.id
ssoEndpoint
teamId
tokenEndpoint
userInfoEndpoint
Notification Templates body
content
replyTo.address
replyTo.name
Notifications Phone Delivery Settings authToken
authentication.username
sid
Notifications key
type
Provisioning configuration.Administrator_Password
configuration.Administrator_Username
configuration.BASE_URL
configuration.BASIC_AUTH_PASSWORD
configuration.BASIC_AUTH_USER
configuration.CLIENT_ID
configuration.CLIENT_SECRET
configuration.ClientId
configuration.ClientSecret
configuration.GROUPS_RESOURCE
configuration.OAUTH_ACCESS_TOKEN
configuration.OAUTH_CLIENT_ID
configuration.OAUTH_CLIENT_SECRET
configuration.OAUTH_REFRESH_TOKEN
configuration.SALESFORCE_DOMAIN
configuration.SCIM_URL
configuration.ServiceNow_Url
configuration.TenantDomain
configuration.USERS_RESOURCE
configuration.password
configuration.tenantId
configuration.username
Trusted Email Addresses emailAddress

Variable Definitions

When promoting a configuration, you need to define any variables you intend to use to substitute for existing property values. Once defined, you'll need to then declare a variable. See Variable Declarations for details.

Variable definitions data model

Property Type Required? Mutable? Description
createdAt Date N/A Read-only The date and time at which the resource was created (ISO 8601 format).
name String Required Mutable The name to use for the variable. This name must be unique in the environment.
updatedAt Date N/A Read-only The date and time at which the resource was last updated (ISO 8601 format).
value Object Required Mutable A JSON object containing the value to assign to the variable. Currently, the object type can be: String, List, or Integer.

Create Variable Definition


Read All Variable Definitions


Read One Variable Definition


Update Variable Definition


Delete Variable Definition

Variable Declarations

Before you can declare a variable (POST {{apiPath}}/environments/{{envID}}/promotionVariableDeclarations), you need to define the variable that you intend to use. See Variable Definitions for details.

Variable declarations data model

Property Type Required? Mutable? Description
createdAt Date N/A Read-only The date and time at which the resource was created (ISO 8601 format).
resourceId String Required Mutable The UUID of the configuration resource.
updatedAt Date N/A Read-only The date and time at which the resource was last updated (ISO 8601 format).
variables Map Required Mutable A mapping of configuration resource properties to the name values of defined variables. For example, for an applications resource, you might map the refreshTokenDuration property to a variable definition having a name value of refreshTokenDurationVar.

Create Variable Declaration


Read Variable Declarations


Update Variable Declaration


Update Variable Declaration


Delete Variable Declaration

DaVinci Admin APIs

The PingOne DaVinci Admin APIs provide access to DaVinci operations through the PingOne API resource server. These services are called using the api.pingone.com domain (or api.pingone.ca, api.pingone.eu, api.pingone.asia, and api.pingone.com.au for other geographic regions) to manage DaVinci workflow configuration.

At this time, the following services are supported on the PingOne API resource server:

Click the Run in Postman button below to download the Postman collection for these endpoints.

Run In Postman

DaVinci Admin Variables

PingOne DaVinci Admin Variables service provides endpoints to create, read, update, and delete DaVinci variables. Variables are values that can be read and modified during a flow. Every variable has a context, which determines how widely its value is shared.

The options for the variable's context types are:

  • flow

    The variable is tied to a specific flow and has a single, persistent value until that value is changed.

  • flowInstance

    The variable can be used in multiple flows.

    • If the variable's value is set within a flow, the variable instance in that flow gets the value set by the flow's execution.

    • If the variable's value is not set within a flow, the variable instance in that flow inherits the value.

  • user

    The variable has a separate value for each user. If you use a variable with this context in a flow, the user must be identified.

  • company

    The variable has a single value for the company. This value is used in all flows and for all users.

DaVinci Admin variable data model properties

Property Type? Required? Mutable? Description
createdAt Date N/A Read only The time when the variable was created.
context String Required Immutable The context or type of the variable. Options are flow, flowInstance, user, or company.
dataType String Required Mutable Data type of the variable. Can be STRING, BOOLEAN, NUMBER, or OBJECT.
displayName String Optional Mutable A human-readable variable name set in the request.
environment Object N/A Read only The DaVinci company ID (environment ID) object.
environment.id String N/A Read only The DaVinci company ID, which is the PingOne environment ID.
flowId String Immutable Optional The flow ID of the DaVinci flow associated with the variable.
id String N/A Read only The variable ID.
max Integer Optional Mutable The maximum value of the variable.
min Integer Optional Mutable The minimum value of the variable.
mutable Boolean Optional Mutable Specifies whether the variable is mutable, which allows nodes within a flow to change the value of the variable. If the value property is null, this property is required.
name String Required Mutable The variable name.
updatedAt Date N/A Read only The time when the variable was modified.
value String/Number/Boolean/Object Optional Mutable An internally stored value that is part of a HashMap/Object. If the mutable property is set to false, this property is required. If mutable is not set on the request, it defaults to true.

Limiting and filtering data

These SCIM operators can be applied to the following attributes:

  • eq (equals)

    Supports attributes of type STRING and BOOLEAN.

  • sw (starts with)

    Supports attributes of type STRING.

  • ew (ends with)

    Supports attributes of type STRING.

  • co (contains)

    Supports attributes of type STRING.

  • and (logical AND)

    Logical AND for building compound expressions in which both expressions are true.

  • or (logical OR)

    Logical OR for building compound expressions if either expression is true.

Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Create DaVinci Variable


Read All DaVinci Variables


Read One DaVinci Variable


Update DaVinci Variable


Delete DaVinci Variable

DaVinci Admin Connectors

PingOne DaVinci Admin Connector service provides endpoints to read DaVinci connector resources. Connectors give DaVinci the ability to integrate third party technologies, HTML pages, and other tools to create a sign-on flow. They define the capabilities that you can use as nodes in a flow. For example, an HTTP connector provides the capability to present an HTML form to collect and submit user information or make REST API calls.

DaVinci admin connector data model properties

Property Type? Required? Mutable? Description
description String Optional Mutable The connector description.
environment Object N/A Read only The DaVinci company ID (environment ID) object.
environment.id String N/A Read only The DaVinci company ID, which is the PingOne environment ID.
id String N/A Read only The connector ID (for example, httpConnector).
metadata Object N/A Read only Represents the metadata information about the connector, such as type, color, and logo.
metadata.type String N/A Read only The type of connector. Options are core, ping, or service.
metadata.vendor String N/A Read only The ID of a vendor (for example,microsoft or amazon).
metadata.colors Object N/A Read only An object that specifies the colors on the canvas.
metadata.colors.canvas String N/A Read only A hexadecimal representation of the canvas color.
metadata.colors.canvasText String N/A Read only A hexadecimal representation of the canvas text color.
metadata.colors.dark String N/A Read only A hexadecimal representation of the shade of darkness.
metadata.logos String N/A Read only The image name of the connector logo file.
metadata.logos.canvas Object N/A Read only An object that specifies the canvas.
metadata.logos.imageFileName String N/A Read only The name of the connector logo image.
name String Required Mutable The connector name (for example, HTTP).
version String N/A Read only The version number of the connector.

DaVinci admin connectors details data model properties

Property Type? Required? Mutable? Description
accountConfigView Object[] Optional Mutable Represents the account configuration of the connector. For details, see Core connectors.
accountConfigView.componentViewSize String Optional Mutable The size of the configuration window.
accountConfigView.items Array Optional Mutable An array of configurable properties.
accountConfigView.items.propertyName String Optional Mutable The name of the configurable property.
accountConfigView.items.items Array Optional Mutable An array of sub-property names under the top level property.
accountConfigView.items.items.propertyName Array Optional Mutable The name of the sub-property under the top level property.
capabilities Object[] Optional Mutable A list of all connector capabilities and their input properties. For more information, see Core connectors.
createdAt Date N/A Read only The time when the connector was created.
credentialsView Object Optional Mutable Represents the credentials view of the connector.
credentialsView Object Optional Mutable The fields that will be part of the connector configuration specific to credentials.
credentialsView.items Array Optional Mutable An array of configurable properties.
credentialsView.items.propertyName String Optional Mutable The name of the property.
flowSections Object[] Optional Mutable Represents the flow section to which the connector can be categorized.
flowSections.name String Optional Mutable The name of the section being shown.
flowSections.value String Optional Mutable A pointer to the flow section name referenced by other sections in the manifest.
properties Object Optional Mutable A list of properties that will be used by the capabilities. For more information, see Core connectors.
sections Object[] Optional Mutable An array of sections shown in Connector Configuration. For more information, see Core connectors.
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Read All DaVinci Connectors


Read One DaVinci Connector


Read DaVinci Connector Details

DaVinci Admin Connector Instances

PingOne DaVinci Admin Connector Instances service provides endpoints to create, read, update, and delete DaVinci connector instances. A DaVinci connector instance is one instance of a DaVinci connector (the connection configuration specifies a connector by name). You can then use the capabilities provided by the connector inside a flow, and launch the flow through an application.

This service also includes an action to clone connector instance resources.

DaVinci admin connector instances data model properties

Property Type? Required? Mutable? Description
connector Object Required Immutable The connector object.
connector.id String Required Immutable The connector object name (for example, httpConnector).
createdAt Date N/A Read only The time when the connection was created.
environment Object N/A Read only The DaVinci company ID (environment ID) object.
environment.id String N/A Read only The DaVinci company ID, which is the PingOne environment ID.
id String N/A Read only The connector instance resource ID.
name String Required Mutable The connector instance name.
properties Object Optional Mutable The configuration of the connector object. This field is not applicable to all connectors and is omitted in the output if empty or null. If the specified connector requires configuration, see the Connector configuration section of the connector documentation for the connector specified in connector.id.
updatedAt Date N/A Read only The time when the connector instance was updated.

DaVinci admin connector enrichment data model properties

Property Type? Required? Mutable? Description
connectorInstance Object N/A Read only The connector instance object.
connectorInstance.id String N/A Read only The connector instance ID for the enrichment call.
environment Object N/A Read only The DaVinci company ID (environment ID) object.
environment.id String N/A Read only The DaVinci company ID, which is the PingOne environment ID.
id String N/A Read only The user ID.
capabilityName String N/A Read only The name of the capability for which the enrichment call was made.
output Object N/A Read only The enrichment output data object.
output.data String N/A Read only The data object.
output.data.type String N/A Read only The type of capability. Options are action and trigger.
output.data.title String N/A Read only The title of the capability.
output.data.subtitle String N/A Read only The subtitle of the capability.
output.data.respondToUser Boolean N/A Read only Specifies whether the capability returns response back to the client.
output.data.capabilityType String[] N/A Read only A capability type array of strings.
output.data.inputs String[] N/A Read only An array of inputs.
output.data.enrich Boolean N/A Read only Specifies whether enrichment is enabled.
output.data.localizedErrors Object N/A Read only An object that specifies localized error messages.
output.data.localizedErrors.en Object N/A Read only An object that specifies localized error message keys.
output.data.localizedErrors.en.errorKey String[] N/A Read only The mapping of the error key to a message.
output.data.flowConfigView Object N/A Read only An object that specifies the flow configuration view.
output.data.flowConfigView.items Array N/A Read only An array of strings that specifies the flow configuration properties.
output.data.flowConfigView.items.propertyName String N/A Read only The flow configuration property name.
output.data.flowConfigView.items.fields Object N/A Read only The flow configuration fields object.
output.data.flowConfigView.items.fields.value Any N/A Read only A value to override the property.
output.data.flowConfigView.items.fields.options Array N/A Read only The list of options if the property is a drop-down menu.
output.data.flowConfigView.items.fields.options.name String N/A Read only The name of the drop-down option.
output.data.flowConfigView.items.fields.options.value String N/A Read only The value of the drop-down option.
output.userViews Object N/A Read only The user views object.
output.userViews.screenTemplateName String N/A Read only The name of the screen template.
output.userViews.items Object N/A Read only The items object.
output.userViews.items.propertyName String N/A Read only The name of the property used for the screen template.
output.userViews.payloadInputSchema Object N/A Read only The payload input schema object.
output.userViews.payloadInputSchema.default Object N/A Read only The payload input schema default config object.
output.userViews.payloadInputSchema.default.type String N/A Read only The type of properties.
output.userViews.payloadInputSchema.default.properies Object N/A Read only The properties object.
output.userViews.payloadInputSchema.default.properies.propertyName Object N/A Read only The property name.
output.userViews.payloadInputSchema.default.properies.type String N/A Read only The data type for the property.
output.userViews.payloadInputSchema.default.properies.minLength Number N/A Read only The minimum length of the property value.
output.userViews.payloadInputSchema.default.properies.maxLength Number N/A Read only The maximum length of the property value.
output.userViews.payloadInputSchema.default.properies.description String N/A Read only The description of the property value.
output.userViews.payloadInputSchema.default.properies.pattern String N/A Read only The regular expression pattern to match the property value.
output.userViews.localOutputSchema.default Object N/A Read only The payload output schema default configuration.
output.userViews.localOutputSchema Object N/A Read only The local output schema.
output.userViews.localOutputSchema.output Object N/A Read only The output schema for the capability.
output.userViews.localOutputSchema.type String N/A Read only The data type of properties in the local output schema.
output.userViews.localOutputSchema.example Object N/A Read only The key-value pair of the example in the local output schema.
output.userViews.localOutputSchema.properties Object N/A Read only The JSON-schema-based properties that the capability returns in the output.
output.userViews.localOutputSchema.properties.propertyName Object N/A Read only The name of the property.
output.userViews.localOutputSchema.properties.propertyName.type Object N/A Read only The data type of the property.
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Create DaVinci Connector Instance


Clone DaVinci Connector Instance


Connector Enrichment


Read All DaVinci Connector Instances


Read One DaVinci Connector Instance


Update DaVinci Connector Instance


Delete DaVinci Connector Instance

DaVinci Admin Flows

DaVinci flows are constructed, logical paths that specify the workflow for the user's authorization and authentication experiences.

Flows consist of one or more nodes joined together. Each node performs a specific task, using one of the capabilities of your connectors. After completing the task, the flow determines which task to perform next until the flow is complete.

The PingOne DaVinci Admin Flows service provides endpoints to create, read, update, and delete DaVinci flows. This service also includes endpoints to enable, deploy, import, and clone flows.

DaVinci admin flow data model properties

Property Type? Required? Mutable? Description
color String Optional Mutable The color of the flow.
connectors Array[object] Optional Mutable An array of connectors that apply to the flow. An optional query parameter can toggle behavior, either the names of the connectors are returned or the connection objects themselves are returned as embedded objects.
createdAt Time N/A Read only The timestamp when the flow was created.
currentVersion Integer Optional Immutable The saved version of the flow.
deployedAt Time N/A Read only The stamp when the flow was last deployed.
description String Optional Mutable The description of the flow.
enabled Boolean Optional Immutable The state of the flow. This can be stored as its own value in the database or it can reflect an existing flowStatus.
environment Object N/A Read only The DaVinci company ID (environment ID) object.
environment.id String N/A Read only The DaVinci company ID, which is the PingOne environment ID.
graphData Object Optional Mutable The graph-based representation of the flow depicted in the UI.
id String N/A Read only The flow ID.
inputSchema Array[object] Optional Mutable The flow input parameters in an array of JSONschema objects. If the trigger.type property is AUTHENTICATION, then the flow is a PingOne flow, and the input schema properties are listed in this table. If the trigger.type property is not AUTHENTICATION, then the flow is not a PingOne flow and the input schema properties are described in Input schema for non-PingOne flows data model properties.
inputSchema.propertyName String Required Mutable An input schema property name.
inputSchema.description String Optional Mutable The description for an input schema property.
inputSchema.isExpanded Boolean Optional Mutable Specifies whether the input schema is expanded in the response.
inputSchema.preferredDataType String Required Mutable The data type of the input schema property. Options are string, number, integer, boolean, array, and object.
inputSchema.preferredControlType String Optional Mutable The control type of the input schema property. Options are textField.
inputSchema.required Boolean Optional Mutable Specifies whether the input schema property is required for the flow.
name String Required Mutable The name of the flow.
outputSchema Object Required Mutable The JSONschema output object of the flow.
outputSchema.output Object Required Mutable The output object of the output schema.
outputSchema.output.type String Required Mutable The output type.
outputSchema.output.additionalProperties Boolean Required Mutable Specifies whether the output has additional properties.
outputSchema.output.properties Object Required Mutable A JSON object that specifies the output schema's properties.
outputSchema.output.properties.{{propName}} Object Required Mutable An output schema property definition.
outputSchema.output.properties.{{propName}}.type Object Required Mutable An output schema property's data type.
publishedVersion Integer Optional Immutable The currently deployed version of the flow.
settings Object Optional Mutable Flow settings saved by the user. See the Settings property data model table for details.
trigger Object Optional Mutable The flow trigger object.
trigger.type String Optional Mutable If the trigger type is set to AUTHENTICATION, you invoke the flow through PingOne OpenID Connect or SAML endpoints. The AUTHENTICATION trigger type overwrites the inputSchema values with the default authentication schema.
trigger.configuration Object Optional Mutable The configuration object for session reuse.
trigger.configuration.pwd Object Optional Mutable The configuration object for password session reuse.
trigger.configuration.pwd.enabled Boolean Optional Mutable Specifies whether this configuration must be used to check for existing sessions.
trigger.configuration.pwd.lastSignOn Integer Optional Mutable An integer that specifies the duration (in seconds) that an active session can be reused.
trigger.configuration.mfa Object Optional Mutable The configuration object for MFA session reuse.
trigger.configuration.mfa.enabled Boolean Optional Mutable Specifies whether this configuration must be used to check for existing sessions.
trigger.configuration.mfa.lastSignOn Integer Optional Mutable An integer that specifies the duration (in seconds) that an active session can be reused.
updatedAt Date N/A Read only The timestamp when the flow was updated or saved.
Settings property data model

The following table lists the supported flow settings properties that can be used in the settings property.

Property Type? Required? Mutable? Description
csp String Optional Mutable Content Security Policy content to which a Content-Security-Policy meta tag will be added. If you use a custom Javascript flow player, it is required.
css String Optional Mutable The CSS styling rules to be applied to the flow version.
cssLinks Array Optional Mutable A list of URL locations of CSS files to apply to the flow version.
customErrorScreenBrandLogoUrl String Optional Mutable The URL of the logo to use for the error page, such as “https://example.com/logo.png".
customErrorShowFooter Boolean Optional Mutable Show footer in the error screen.
customFaviconLink String Optional Mutable The URL of the favicon image to use for the page. This image is displayed in the title bar of the browser and in saved bookmarks.
customLogoUrlSelection String Optional Mutable The URL location of the logo to show on error pages.
customTitle String Optional Mutable The title of the page. This title is displayed in the title bar of the browser and used for the page title in search engine results.
doNotSubstituteUnreplacedFields Boolean Optional Mutable By default, unreplaced parameterized fields will be substituted with an empty string. This parameter overrides that behavior if set to true.
flowHttpTimeoutInSeconds Number Optional Mutable Timeout period for every node's execution time. A response must be returned by a node before this timeout. The default value is 15 seconds. If set to 0, the default timeout value is used.
flowTimeoutInSeconds Number Optional Mutable The period after which a particular flow execution becomes inactive. The default value is 300 seconds. If set to 0, the default timeout value is used.
intermediateLoadingScreenCss String Optional Mutable The CSS rules to use for the intermediate page. This setting applies only when the show intermediate page setting is enabled (useIntermediateLoadingScreen).
intermediateLoadingScreenHtml String Optional Mutable The HTML content of the intermediate page. Applies only when the show intermediate page is enabled (useIntermediateLoadingScreen).
jsLinks Array Optional Mutable The location of JavaScript files to apply to the flow.
logLevel String Optional Mutable The log level for flow analytics. Options are None, Info, or Debug.
pingOneFlow Boolean Optional Mutable PingOne runs this flow for OIDC or SAML authentication. When a flow is invoked, PingOne sends input parameters to be made available for any node in the flow.
requireAuthenticationToInitiate Boolean Optional Mutable Flow invocation via OpenID requires authentication. Use the /sdktoken endpoint to retrieve the accessToken value, which can be sent in the query parameter &accessToken=<accessToken>.
scrubSensitiveInfo Boolean Optional Mutable Remove sensitive information from analytics.
sensitiveInfoFields Array Optional Mutable These fields will be masked with ****** in Flow analytics.
useCsp Boolean Optional Mutable Enable and add a content security policy if you are adding additional scripts.
useCustomCss Boolean Optional Mutable When enabled, DaVinci uses the CSS rules in the custom CSS field.
useCustomScript Boolean Optional Mutable When enabled, DaVinci uses the JavaScript files in the JavaScript files field.
useIntermediateLoadingScreen Boolean Optional Mutable When enabled, DaVinci shows a custom user-facing page between each node in the flow.
Input schema for non-PingOne flows data model properties
Property Type? Required? Mutable? Description
inputSchema.propertyName String Required Mutable An input schema property name.
inputSchema.description String Optional Mutable The description for an input schema property.
inputSchema.isExpanded Boolean Optional Mutable Specifies whether the input schema is expanded in the response.
inputSchema.preferredDataType String Required Mutable The data type of the input schema property. Options are string, number, integer, boolean, array, and object.
inputSchema.preferredControlType String Optional Mutable The control type of the input schema property. Options are textField.
inputSchema.required Boolean Optional Mutable Specifies whether the input schema property is required for the flow.

Limiting and filtering data

You can limit the number of results returned on the Read DaVinci Flows and Read One DaVinci Flow requests with the attributes parameter. This parameter filters the response data returned by the request. The query accepts top-level DaVinci admin flow data model properties as a list of comma separated values. The query returns only the specified property values; it removes all other properties from the response. For example, the following request uses the attributes query parameter:

/environments/{{envID}}/flows/{{davinciFlowID}}?attributes=name,description

The response returns the following flow data:

{
   "_links": {...},
   "id": "{{resourceID}}",
   "name": "SomeFlow, 
   "description": "A brief description"
}

SCIM operators

These SCIM operators can be applied to the following attributes:

  • eq (equals)

    Supports attributes of type STRING, DATE, NUMBER, and BOOLEAN.

  • gt (greater than)

    Supports attributes of type DATE and NUMBER.

  • ge (greater than or equal to)

    Supports attributes of type DATE and NUMBER.

  • lt (less than)

    Supports attributes of type DATE and NUMBER.

  • le (less than or equal to)

    Supports attributes of type DATE and NUMBER.

  • sw (starts with)

    Supports attributes of type STRING.

  • ew (ends with)

    Supports attributes of type STRING.

  • co (contains)

    Supports attributes of type STRING.

  • within (within a specified date)

    Supports attributes of type DATE.

  • and (logical AND)

    Logical AND for building compound expressions in which both expressions are true.

  • or (logical OR)

    Logical OR for building compound expressions if either expression is true.

Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Create DaVinci Flow


Deploy a DaVinci Flow


Clone a DaVinci Flow


Import DaVinci Flow


Import DaVinci Legacy Flow


Read One DaVinci Flow


Read All DaVinci Flows


Enable a DaVinci Flow


Update DaVinci Flow


Delete DaVinci Flow

DaVinci Admin Flow Versions

The PingOne DaVinci Admin Flow Versions service provides endpoints to read, update, and delete DaVinci flow versions. This service also includes endpoints to export, revert, and see details about a flow version.

DaVinci admin flow versions data model properties

Property Type? Required? Mutable? Description
createdAt Time N/A Read only The timestamp when the flow was created.
alias String Optional Mutable The user defined flow version alias.
clonedFrom Number Optional Immutable The version number from which this flow version was cloned or created.
deployedAt Time N/A Read only The stamp when the flow was last deployed.
description String Optional Mutable The description of the flow.
enabled Boolean Optional Immutable Specifies the state of the flow. This can be stored as its own value in the database or it can reflect an existing flowStatus.
environment Object N/A Read only The DaVinci company ID (environment ID) object.
environment.id String N/A Read only The DaVinci company ID, which is the PingOne environment ID.
graphData Object Optional Mutable The graph-based representation of the flow depicted in the UI.
flow Object Required Immutable The flow object associated with this flow version.
flow.id String Required Immutable The flow ID of the flow associated with this flow version.
flow.name String Required Immutable The name of the flow associated with this flow version.
outputSchema Object Required Mutable The JSONschema output object of the flow.
updatedAt Date N/A Read only The timestamp when the flow was updated or saved.
version Number Required Mutable The version number of the flow instance represented by this object.
Flow versions details property data model

The following table lists the supported flow versions details settings properties.

Property Type? Required? Mutable? Description
color String Optional Mutable The color of the flow.
connectors Array[object] Optional Mutable An array of connectors that apply to the flow.
connectors.id String Optional Mutable The connector ID associated with the flow.
description String Optional Mutable The description of the flow.
enabled Boolean Optional Immutable Specifies the state of the flow.
graphData Object Optional Mutable The graph-based representation of the flow depicted in the UI.
inputSchema Array[object] Optional Mutable The flow input parameters in an array of JSONschema objects.
name String Required Mutable The name of the flow.
outputSchema Object Required Mutable The JSONschema output object of the flow.
settings Object Optional Mutable Flow settings saved by the user. See the Settings property data model table for details.
trigger Object Optional Mutable The flow trigger object.
trigger.type String Optional Mutable If the trigger type is set to AUTHENTICATION, you invoke the flow through PingOne OpenID Connect or SAML endpoints.
trigger.configuration Object Optional Mutable The configuration object for session reuse.
trigger.configuration.pwd Object Optional Mutable The configuration object for password session reuse.
trigger.configuration.pwd.enabled Boolean Optional Mutable Specifies whether this configuration must be used to check for existing sessions.
trigger.configuration.pwd.lastSignOn Integer Optional Mutable An integer that specifies the duration (in seconds) that an active session can be reused.
trigger.configuration.mfa Object Optional Mutable The configuration object for MFA session reuse.
trigger.configuration.mfa.enabled Boolean Optional Mutable Specifies whether this configuration must be used to check for existing sessions.
trigger.configuration.mfa.lastSignOn Integer Optional Mutable An integer that specifies the duration (in seconds) that an active session can be reused.
updates Array N/A Read only String of actions taken to generate this version from the previous version.
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Read All DaVinci Flow Versions


Read One DaVinci Flow Version


Read DaVinci Flow Version Details


Revert DaVinci Flow Version


Export a DaVinci Flow Version


Add a DaVinci Flow Version Alias


Delete DaVinci Flow Version

DaVinci Admin Flow Interactions

The PingOne DaVinci Admin Flow Interactions service provides endpoints to read DaVinci flow interactions and flow interaction events.

Flow interactions data model properties

Property Type? Required? Mutable? Description
id String N/A Read only The flow interaction execution ID.
environment Object N/A Read only The DaVinci company ID (environment ID) object.
environment.id String N/A Read only The DaVinci company ID, which is the PingOne environment ID.
events Object N/A Read only The list of events in this flow interaction.
flow Object N/A Read only The flow object associated with this flow interaction.
flow.id String N/A Read only The flow ID of the flow associated with this flow interaction.
flow.name String N/A Read only The name of the flow associated with this flow interaction.
flow.version String N/A Read only The version number of the flow associated with this flow interaction.
logLevel Number N/A Read only The log level of the flow.
isSubflow Boolean N/A Read only Specifies whether the current flow is a subflow.
timestamp Boolean N/A Read only A UTC timestamp that specifies when the event was triggered.
Flow interaction events detail data model properties
Property Type? Required? Mutable? Description
capabilityName String N/A Read only The capability that triggered the event.
connector Object N/A Read only The connector object.
connector.id String N/A Read only The connector ID.
connector.name String N/A Read only The connector name.
connectorInstance Object N/A Read only The connector instance object.
connectorInstance.id String N/A Read only The connector instance ID.
connectorInstance.name String N/A Read only The connector instance name.
environment Object N/A Read only The DaVinci company ID (environment ID) object.
environment.id String N/A Read only The DaVinci company ID, which is the PingOne environment ID.
executionTime Number N/A Read only The time taken to execute the node in milliseconds.
flow Object N/A Read only The flow object.
flow.id String N/A Read only The ID of the executed flow.
flow.name String N/A Read only The name of the executed flow.
flow.version Number N/A Read only The version number of the executed flow.
id String N/A Read only The flow interaction ID.
isSubflow Boolean N/A Read only Specifies whether the current flow is a subflow.
logLevel Number N/A Read only The log level defined in the flow settings. Options are 1 (None), 2 (Info), and 3 (Debug).
message String N/A Read only The event message (the name of the event).
nodeId String N/A Read only The ID of the node that triggered the event.
nodeTitle String N/A Read only The title of the node that triggered the event.
nextEvent String N/A Read only Specifies the next DaVinci event triggered by this event.
properties Object N/A Read only The key-value pairs for the properties defined in the capability.
requestContext Object N/A Read only An object that contains details about the request.
requestContext.ip String N/A Read only The IP address of the client that triggered the request.
requestContext.userAgent String N/A Read only The user agent address of the client that triggered the request.
requestContext.cookies Object N/A Read only The cookies attached to the request, listed as key-value pairs.
requestContext.headers Object N/A Read only The headers attached to the request, listed as key-value pairs.
response Object N/A Read only The key-value pairs for the capability response.
success Boolean N/A Read only Specifies whether node execution was successful.
timestamp Boolean N/A Read only A UTC timestamp that specifies when the event was triggered.
usageTransactionType String N/A Read only Specifies whether the connector usage is counted. Values are COUNTED and UNCOUNTED.
Flow interaction events minimal data model properties
Property Type? Required? Mutable? Description
id String N/A Read only The flow interaction event ID.
environment Object N/A Read only The DaVinci company ID (environment ID) object.
environment.id String N/A Read only The DaVinci company ID, which is the PingOne environment ID.
capabilityName String N/A Read only The capability that triggered the event.
connector Object N/A Read only The connector object.
connector.id String N/A Read only The connector ID.
connector.name String N/A Read only The connector name.
connectorInstance Object N/A Read only The connector instance object.
connectorInstance.id String N/A Read only The connector instance ID.
connectorInstance.name String N/A Read only The connector instance name.
executionTime Number N/A Read only The time taken to execute the node in milliseconds.
flow Object N/A Read only The flow object.
flow.id String N/A Read only The ID of the executed flow.
flow.name String N/A Read only The name of the executed flow.
flow.version Number N/A Read only The version number of the executed flow.
isSubflow Boolean N/A Read only Specifies whether the current flow is a subflow.
message String N/A Read only The event message.
nodeId String N/A Read only The ID of the node that triggered the event.
nodeTitle String N/A Read only The title of the node that triggered the event.
success Boolean N/A Read only Specifies whether node execution was successful.
timestamp Boolean N/A Read only A UTC timestamp that specifies when the event was triggered.
usageTransactionType String N/A Read only Specifies whether the connector usage is counted. Values are COUNTED and UNCOUNTED.

Limiting and filtering data

You can limit the number of results returned on the Read DaVinci Flow Interactions and Read DaVinci Flow Interaction Events requests with the limit parameter. See Pagination for more information about use of the limit parameter, as well as other methods of controlling pagination.

You can filter response data by applying a SCIM filtering expression to the Read DaVinci Flow Interactions and Read DaVinci Flow Interaction Events requests. These SCIM operators can be applied to the following attributes:

  • ge (greater than or equal to)

    Supported attributes: timestamp

  • le (less than or equal to)

    Supported attributes: Supported attributes: timestamp

Response codes
Code Message
200 Successful operation.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Read DaVinci Flow Interactions


Read One DaVinci Flow Interaction


Read DaVinci Flow Interaction Events


Read One DaVinci Flow Interaction Event

DaVinci Admin Applications

PingOne DaVinci Admin Applications service provides endpoints to create, read, update, and delete DaVinci applications. This service also includes endpoints to rotate the application key and application secret values.

A DaVinci application configuration is the link between your site and the sign-on flows you have created in DaVinci. The application configuration contains settings to determine how external sites can send requests for flows, what flows can be requested, and how users and resources from other sites are managed.

DaVinci Admin applications data model properties

Property Type? Required? Mutable? Description
apiKey Object Optional Mutable The collection of API keys associated with this application resource.
apiKey.enabled Boolean Optional Mutable Specifies whether the API key for this appliction is enabled.
apiKey.value String Optional Mutable The value of the API key.
createdAt Date N/A Read only The time when the variable was created.
environment Object N/A Read only The DaVinci company ID (environment ID) object.
environment.id String N/A Read only The DaVinci company ID, which is the PingOne environment ID.
id String N/A Read only The variable ID.
name String Required Mutable The variable name.
oauth Object Optional Immutable The OAuth configuration for this application resource.
oauth.clientSecret String Optional Immutable The client secret used by this application resource.
oauth.redirectUris Array Optional Immutable The list of redirect URIs configured for this application resource.
oauth.logoutURIs Array Optional Immutable The list of logout URIs configured for this application resource.
oauth.scopes Array Optional Immutable The list of OAuth scopes configured for this application resource.
oauth.grantTypes Array Optional Immutable The list of OAuth grant types configured for this application resource.
oauth.spjwksUrl Array Optional Mutable A URL to retrieve JWKS keys to verify the authorization request signature. This option takes precedence over spjwksOpenid property if both are set.
oauth.spjwksOpenid Array Optional Mutable A set of JWKS keys to verify the authorization request signature. This property is ignored if spjwksUrl is set.
updatedAt Date N/A Read only The time when the variable was modified.
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Create DaVinci Application


Rotate DaVinci Application Key


Rotate DaVinci Application Secret


Read DaVinci Applications


Read One DaVinci Application


Update DaVinci Application


Delete DaVinci Application

DaVinci Admin Application Flow Policies

PingOne DaVinci Admin Application Flow Policies service provides endpoints to create, read, update, and delete DaVinci application flow policies. Application flow policies specify which flows are run through the application. A flow policy is an entity that points to one or more flows or versions of flows.

DaVinci Admin application flow policies data model properties

Property Type? Required? Mutable? Description
createdAt Date N/A Read only The time when the flow policy was created.
environment Object N/A Read only The DaVinci company ID (environment ID) object.
environment.id String N/A Read only The DaVinci company ID, which is the PingOne environment ID.
id String N/A Read only The flow policy ID.
name String Required Mutable The flow policy name.
flowDistributions Array Optional Immutable An array of flow distribution properties that are a part of this flow policy.
flowDistributions.id String Optional Immutable The flow ID associated with this flow policy.
flowDistributions.weight Number Optional Mutable The weight that is assigned to the current flow in the flow policy.
flowDistributions.version String Optional Mutable The version of the flow to be used in the flow policy.
flowDistributions.successNodes Array Optional Mutable An array of node IDs in the flow that indicate a successful execution of the flow policy.
flowDistributions.successNodes.id Array Optional Mutable The node ID.
flowDistributions.ip Array Optional Mutable An array of IP addresses to create a whitelist of IP addresses from which flow executions can be performed.
status String Optional Mutable The status of the flow policy. Options are Enabled and Disabled.
trigger Object Optional Immutable The trigger associated with the flow.
trigger.type String Optional Immutable If the trigger type is set to AUTHENTICATION, you invoke the flow through PingOne OpenID Connect or SAML endpoints.
updatedAt Date N/A Read only The time when the flow policy was modified.

DaVinci Admin application flow policy event data model properties

Property Type? Required? Mutable? Description
environment Object N/A Read only The environment object.
environment.id String N/A Read only The DaVinci company ID, which is the PingOne environment ID.
events Object N/A Read only The DaVinci event object.
events.id String N/A Read only The DaVinci event ID.
events.timestamp Date N/A Read only A UTC timestamp that specifies when the event was logged.
flow Object N/A Read only The DaVinci flow object.
flow.id String N/A Read only The DaVinci flow ID.
flow.version Number N/A Read only The DaVinci flow version number.
totalCount Number N/A Read only The total number of flow executions.
successCount Number N/A Read only The total count of success nodes reached in flow executions.
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Create DaVinci Application Flow Policies


Read DaVinci Application Flow Policies


Read DaVinci Application Flow Policy Events


Read One DaVinci Application Flow Policy


Update DaVinci Application Flow Policy


Delete DaVinci Application Flow Policy

DaVinci Admin UI Templates

You can create user interface (UI) templates that match your company style and branding, which you can include in flows using an HTTP connector. The PingOne DaVinci Admin UI Templates service provides endpoints to create, read, and delete DaVinci UI templates.

DaVinci Admin UI templates data model properties

Property Type? Required? Mutable? Description
createdAt Date N/A Read only A UTC string that specifies the time when the DaVinci UI template was created.
description String Optional Mutable The UI template description.
environment Object N/A Read only The DaVinci company ID (environment ID) object.
environment.id String N/A Read only The DaVinci company ID, which is the PingOne environment ID.
id String N/A Read only The DaVinci UI template ID.
name String Required Mutable The UI template name.
inputSchema String Optional Mutable A JSON representation of the input schema defined in this template.
outputSchema String Optional Mutable A JSON representation of the output schema defined in this template.
script String Optional Mutable Javascript code utilized by this template.
style String Optional Mutable The CSS used in flows that are associated with this template.
template String Optional Mutable The HTML template to me rendered.
updatedAt Date N/A Read only A UTC string that specifies the time when the UI template was last modified.
validationRules Array Optional Mutable The validation rules object.
validationRules.propertyName String Required Mutable The name of the property to which the validation rule applies.
validationRules.rules Array Required Mutable The rules object in which the validation rules elements are defined.
validationRules.rules.ruleName String Required Mutable The name of the rule. Options are presence, email, length, format, and equality.
validationRules.rules.message String Optional Mutable The rule message that displays if the required property is not present or if the property is not a valid email. For length rules, enter a minimum, maximum, or exact value for the property and a validation message that is displayed for each length restriction that is not met. For format rules, enter the regex that defines the required format and the validation message that displays if the property does not match the format. For equality rules, enter the other property that this property must match, and the validation message that displays if the properties do not match.
validationRules.rules.attribute String Optional Mutable The property to check when applying the equality rule.
validationRules.rules.pattern String Optional Mutable The pattern to match when applying the format rule.
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Create DaVinci UI Template


Read DaVinci UI Templates


Read One DaVinci UI Template


Delete DaVinci UI Template

Changelog

The following changes have been made to the PingOne APIs or the associated SDKs.

Release Date Description
Aug 19, 2024 PingOne Protect now has a risk predictor called Traffic Anomaly intended to detect traffic anomalies in terms of variables such as users, devices, and sessions. The Traffic Anomaly predictor will eventually include a variety of rules, some of which you can select to enable or disable. Currently, the predictor detects situations where there are a large number of risk evaluations requested for a single user within a short period of time, and optionally can also detect situations where the number of users per device during a given period is suspicious. When a risk level of High is calculated for a Traffic Anomaly predictor, the recommendedAction field in the risk evaluation response has the value DENY, indicating that you should probably deny access. To create a Traffic Anomaly predictor, set the type parameter to the new value TRAFFIC_ANOMALY. If you want to also check the number of users per device, use the objects described in the traffic anomaly risk predictor data model. For details, see Risk Predictors and Risk evaluations.
Aug 5, 2024 When creating composite predictors, you can now include conditions that check what PingOne user groups the user belongs to. For details, see the Composite Risk Predictors section in Risk Predictors and the relevant example.
Aug 5, 2024 The Bot Detection predictor now has an option that you can enable to expand the range of bot activity that PingOne Protect can detect. For details, see the new field includeRepeatedEventsWithoutSdk under Risk Predictors.
Jul 22, 2024 For MFA, there is now an option to use dynamic linking to attach a unique identifier to the registration of a FIDO device. For details, see MFA devices.
Jul 15, 2024 MFA is now enforced for environment administrators during registration. You can read and update admin sign-on settings using the new Administrator Security endpoints. For details, see Administrator Security.
Jul 3, 2024 The Suspicious Device predictor now includes an option to specify that any risk policies that include the predictor will require that the Signals SDK payload be provided as a signed JWT whose signature will be verified before proceeding with risk evaluation. For details, see Risk Predictors.
Jun 27, 2024 We've added the new role "Application Owner", enabling you to restrict administrator access to specific applications. Use this role to assign application developers permissions only to the applications they manage. For details, see Roles.
Jun 18, 2024 When creating risk evaluations, you can now provide additional detail about the context of the flow by providing a value for flow.subtype in addition to flow.type. For details, see Risk evaluations.
Jun 17, 2024 A new endpoint, riskFeedback, has been added to allow you to provide feedback on the accuracy of specific risk evaluations that were carried out. Each such call can include feedback for up to 100 risk evaluations, and for each you can specify a feedback category and a reason for including the evaluation in that category, For details, see Providing feedback for risk evaluations.
Jun 4, 2024 For MFA, there is now an option to use dynamic linking to attach a unique identifier to a FIDO transaction. For details, see Create a request property JWT and Device authentications data model.
Jun 3, 2024 When creating or updating MFA policies, you can now include a field called promptForNicknameOnPairing to allow users to provide nicknames for devices during pairing. For details, see Device Authentication Policies.
May 28, 2024 The Forms service now supports a social login button as a field type option. For details, see Forms.
May 6, 2024 The platform now supports the AU (Australia/Asia Pacific) region. The platform continues to support the AP (Asia Pacific) region. However, if your environments use the AP region designation (api.pingone.asia domain) for Asia-Pacific countries, be aware that this region does not support the migration of PingID customers (or the PingID product) to the PingOne platform. To get PingID platform support for your Asia-Pacific environments, use the AU region designation (api.pingone.com.au domain) when creating your new environments. For details, see Working with PingOne APIs.
Apr 24, 2024 The Resources service now provides a property to add application permissions to access tokens. For details, see Resources.
Apr 8, 2024 Simplify changing your PingOne regional domain with an environment variable, tld, in the public PingOne environment template that represents the top level domain (TLD) for your PingOne domain, such as com or eu. All the {{...Path}} variables, such as {{apiPath}} and {{authPath}}, reference {{tld}}. To change your region's top level domain, merely change the value of {{tld}}. See PingOne API domains for more information.
Apr 4, 2024 With Managed Credential Issuance, client applications can issue and update credentials using Create Credential Type (managed) rather than an Issuance Rule.
Apr 3, 2024 You can submit a redirect URL and redirect message, used and seen by users when submitting verification documents, in the body of Create Verify Transaction.
Apr 3, 2024 You can issue and update user credentials via a Create a User Credential or Update a User Credential call rather than an Issuance Rule.
Apr 3, 2024 When you create a trusted email domain, PingOne now prepares an additional text record that reflects the association of the domain with the specific PingOne environment. If you add this new record to your DNS, any "sender" email address belonging to the domain is set to active status as soon as you create it, with no need for a verification email. For details, see Trusted Email Domains.
Apr 2, 2024 FIDO policies now include an option called aggregateDevices that you can use to specify that the displayed list of available authentication methods should include only a single generic entry for FIDO2 devices, even if the user has multiple paired FIDO2 devices. For details, see FIDO Policies. With the introduction of this feature, responses to requests that use the deviceAuthentications and flows endpoints may now include a field called aggregateFido2Devices, indicating whether the available authentication method list should include only a single generic FIDO2 option.
Mar 12, 2024 We've added the new LDAP Gateway attribute userTypes.updateUserOnSuccessfulAuthentication. When enabled, on user sign on, user attributes are updated based on responses from the LDAP server. For details, see Gateway LDAP data model.
Mar 4, 2024 The external IdP service now supports PKCE. A new pkceMethod property has been added to the base IdP data model. For details, see Identity Provider Management.
Mar 4, 2024 PingOne Protect now has a new risk predictor called Email Reputation to detect the use of disposable email addresses during registration. The value of the type parameter for this predictor is EMAIL_REPUTATION. For details, see Risk Predictors. For risk evaluations based on policies that include an email reputation predictor, the response may include a value of TEMP_EMAIL_MITIGATION for the result.recommendedAction field. For details, see Risk evaluations.
Mar 4, 2024 For risk evaluations that use a risk policy with the New Device predictor, the response now includes the field details.device.lastSeen, which represents the date and time that the device was last seen. If an externally-maintained device ID was provided in the risk evaluation request, the response will include externalLastSeen for the date and time that the device was last seen. For details, see Risk evaluations.
Feb 28, 2024 For situations where a user did not receive the one-time passcode (OTP) that was sent for pairing a device, you can now use the devices endpoint to resend the OTP. For details, see Resend Pairing Code.
Feb 21, 2024 The platform now supports the device_code device authorization grant type on an application configuration, and it also provides endpoints to initiate and manage a device authorization flow. For details, see Device Authorization Grant.
Feb 20, 2024 A new field, fidoUserVerification, was added to the information that can be included in MFA device reports generated with the dataExplorations endpoint. For details, see Reporting.
Feb 14, 2024 PingOne now supports the CLIENT_SECRET_JWT and PRIVATE_KEY_JWT token endpoint authentication methods for OIDC applications. For details, see the jwks and jwksUrl properties in Application Operations, the client_assertion and client_assertion_type properties in OpenID Connect/OAuth 2, Token (authorization_code) (CLIENT_SECRET_JWT), Token (authorization_code) (PRIVATE_KEY_JWT), and Configure CLIENT_SECRET_JWT as the Token Auth Method.
Feb 12, 2024 PingOne Protect now has a new risk predictor to prevent Adversary-in-the-Middle (AitM) attacks. To create an AitM predictor, set the type parameter to the new value ADVERSARY_IN_THE_MIDDLE and use the whiteList parameter to specify the legitimate domains that your users will access for your restricted resources. For details, see Risk Predictors.
Feb 5, 2024 PingOne Verify no longer reads or uses verifyStatus on the user. The PingOne Neo Verify Verify Status endpoint, /environments/{{envID}}/users/{{userID}}/verifyStatus and its two operations, Read User Verification Status and Update User Verification Status at the same URL, are deprecated. The endpoint and requests will be removed February 2025.
Jan 19, 2024 We've added the icon property to the Environments service, enabling you to assign an icon to a PingOne environment. See the Environments data model for details.
Jan 16, 2024 The platform's client secret configuration now supports optional parameters to designate the replaced secret as a "previous" secret that remains valid for a specified period, up to 30 days. For details, see Update Application Secret and Create Resource Client Secret.
Jan 11, 2024 The platform supports the PingOne Authorize application resources and roles services, which provide endpoints to define custom resources, roles, and permissions to protect external application resources. For details, see PingOne Authorize Application Resources and Roles.
Jan 8, 2024 The platform supports reduced self-service scopes when the mfa authentication method is not included as an amr claim value in the token. For details, see PingOne self-management scopes.
Jan 7, 2024 Changes have been made to the steps required to retrieve MFA device reports generated as files. This is reflected in the responses to the relevant requests. For details, see Reporting. Note that the .zip file containing the report is now password-protected and cannot be opened without the password that is returned.
Jan 4, 2024 A field called device.externalId has been added to the Event data model for risk evaluations. You can use this field to send an externally-maintained device ID to the risk evaluation. If you provide such an ID, that is the device ID that will be used rather than the device ID provided by the Signals SDK. For details, see Risk evaluations.
Jan 3, 2024 We've added a corsSettings object to support applications using cross-origin resource sharing (CORS). See Cross-origin resource sharing, and the corsSettings properties in the Applications data models for OIDC, SAML, and WS-Federation.
Dec 15, 2023 You can now set and get the default identity provider (IdP) for a population. See Update Population Default IdP and Read One Population Default IdP for details.
Dec 8, 2023 PingOne Platform API collections in the PingOne public workspace now use Postman Collection-Level Authorization of type bearer. All requests that use bearer token authorization are now set to Inherit authorization from parent.
Dec 4, 2023 The PingOne Neo Verify User Data endpoint, /environments/{{envID}}/users/{{userID}}/verifyTransactions/{{transactionID}}/userData and its only operation, Read User Verification Data at the same URL, are deprecated. The endpoint and request will be removed December 2024.
Dec 4, 2023 The New Device Paired notification template now has an optional variable called report.fraud. If you include this variable, the notification will include a link for reporting fraudulent pairing attempts. For details, see Notifications Templates.
Nov 16, 2023 We've added documentation for the supported password encoding schemes. See Password encoding for more information.
Oct 24, 2023 You can now assign admin roles to user groups. See Group Role Assignments.
Oct 12, 2023 PingOne now supports outbound mutual TLS (mTLS) authentication with webhooks. You can upload a key with a usageType of OUTBOUND_MTLS and pass the ID to the tlsClientAuthKeyPair.id property when creating or updating a webhook. For more information, see Subscriptions (webhooks).
Oct 4, 2023 Added the displayName, sourceId, and sourceType parameters to allow querying of external user groups. See Groups.
Sep 19, 2023 When creating composite predictors, it is now possible to create additional sets of conditions to form an if / else if structure. To facilitate this, the composition object has been replaced with an array called compositions. To ensure backward compatibility, requests that contain the single composition object are still supported. For details, see Risk Predictors.
Sep 18, 2023 When providing the flow type as input for a risk evaluation, you can now use other types in addition to AUTHENTICATION. The new flow types supported are: REGISTRATION, ACCESS, AUTHORIZATION, and TRANSACTION. See Risk Evaluations.
Sep 18, 2023 In the MFA Settings for an environment, you can now specify whether MFA should be enabled by default for a user when their account is created. For details, see users.mfaEnabled in MFA settings.
Sep 14, 2023 If you create a pairing key that is shared by multiple applications, but define different pairing key lifetimes for the different applications, all the applications using the pairing key now use the most strict setting that you specified for key lifetime (shortest time).
Sep 7, 2023 We've added a Correlation-Id setting in the header of Phone Delivery Settings requests to the custom provider enabling you to track notifications sent by the custom provider using the Correlation-Id value. See Phone Delivery Settings.
Sep 5, 2023 We've added information regarding how to handle client secret updates for external identity providers. See Update Identity Provider.
Sep 5, 2023 You can now specify Elliptical Curve Digital Signature Algorithm (ECDSA) signing certificate algorithms for your SAML identity providers and applications. See Create Identity Provider (SAML) and SAML Application Settings Data Model.
Aug 10, 2023 You can now use the RequestedAuthnContext parameter to specify lower-priority application flow policies for SAML applications. See Application Flow Policy Assignments.
Jul 31, 2023 Added a new endpoint to PingOne Authorize to manage API service deployment. See API Service Deployment.
Jul 26, 2023 We've added the new roles DaVinci Admin and DaVinci Read-Only Admin. Currently, you cannot assign these roles to a Worker app. For details, see Roles.
Jul 5, 2023 A new field called newDeviceNotification has been added for MFA policies to allow you to specify that users should receive an SMS or email notification when a new device is added to their account. For details, see Device Authentication Policies.
Jul 5, 2023 New fields were added to the information that can be included in MFA device reports generated with the dataExplorations endpoint: deviceIntegrityStateCompromised, deviceIntegrityStateReason, deviceIntegrityStateTimestamp, deviceIntegrityStateAdvice, extension, fidoBackupEligibility, fidoBackupState, lastDeviceTrxTime. For details, see Reporting.
Jun 30, 2023 Two new risk predictors - Bot Detection and Suspicious Device - have been added. For details, see Risk Predictors and Risk Evaluations.
Jun 30, 2023 For including data from the Signals SDK in risk evaluations, the data in now sent using the sdk.signals.data property rather than sending the data in the header of the request. For details, see Risk Evaluations.
Jun 20, 2023 In MFA policies, you can now disable pairing for specific authentication methods. You can use this option if you want to phase out an existing authentication method but want to allow users to continue using the method for authentication for existing devices. See pairingDisabled in Device Authentication Policies.
Jun 19, 2023 To provide support for passkeys, Fido policies have been expanded significantly. For details, see FIDO Policies. Note that FIDO policy requests now use the endpoint environments/{{envID}}/fido2Policies and not environments/{{envID}}/fidoPolicies. In the framework of these changes, support was added for a new MFA device type called FIDO2. For details, see MFA Devices.
Jun 15, 2023 Requests that use the flows endpoint and the deviceAuthentications endpoint now include additional device status information in the response: usableStatus, pushStatus, and otpStatus. For details, see Flows and MFA Device Authentications.
Jun 12, 2023 PingOne MFA has moved to Firebase Cloud Messaging for sending push messages. This impacts the credentials you must enter when enabling push notifications for Google Play-based mobile applications. For details, see Application MFA Push Credentials.
Jun 1, 2023 We've fixed an issue with the Try a Request feature in the documentation. We've re-enabled this feature for all endpoints except the authorization endpoints (identified by the {{authPath}} variable). The Try a Request feature has always been blocked for these endpoints, due to a CORS constraint.
May 18, 2023 You can now choose to include the IP address of an actor and the user-agent HTTP header of an event in the source section of a subsciption audit event. See Create Subscriptions.
May 8, 2023 It is now possible to have one-time passwords delivered via voice to phone numbers that include extensions. For details on enabling support for phone numbers with extensions, see MFA Settings.
Apr 28, 2023 PingOne now supports a Language Translations service, which provides operations to view the custom string translations for a specified language and to update localized strings for specified user interface elements. For details, see Language Translations.
Apr 25, 2023 DaVinci no longer ignores the pi.flow OAuth property. For details about pi.flow, see the OpenID Connect/OAuth2 data model.
Apr 23, 2023 When creating notification policies, you can now use the quotas array to limit the use of email messages for pairing and authentication. For details, see Notification Policies.
Apr 19, 2023 For integrity checking on Android devices, PingOne MFA now uses Google's Play Integrity API. This requires you to provide additional information from your Google service account if you want to create or update an application that uses integrity checking. For the details of the new mandatory fields, see the Applications OIDC settings data model table in Application Operations and the Create Application (OIDC Protocol - Native App) sample.
Apr 14, 2023 PingOne now supports the Forms service, which provides tools for administrators to create custom forms presented to users during the authentication workflow. For details, see Forms and Forms Recaptcha.
Apr 3, 2023 When creating notification policies, you can now use the countryLimit object to limit the countries where you can use SMS and voice notifications. For details, see Notification Policies.
Mar 27, 2023 PingOne now supports the SCIM 2.0 identity management standard for provisioning users into PingOne Directory. Currently we support the /Users endpoint with basic SCIM to PingOne Directory attribute mapping. For details, see SCIM.
Mar 27, 2023 When creating or updating New Device risk predictors, you can now use the activationAt parameter to specify a date on which the learning process for the predictor should be restarted. This can be used in conjunction with the fallback setting (default.result.level) to force strong authentication when moving the predictor to production. For details, see Risk Predictors.
Mar 26, 2023 In addition to combining existing predictors, you can now include the following risk factors in your composite predictors: country, state, IP range, IP domain organization, ISP, target resource (application). For details, see Risk Predictors.
Mar 16, 2023 We've added new Sessions endpoints to Reset the Authentication Session by Session ID or Reset the Authentication Session by Session Token.
Mar 13, 2023 When defining the settings for mobile applications in an MFA policy, you can now use the new pairingKeyLifetime object to specify how long an issued pairing key can be used until it expires. For details, see Device Authentication Policies.
Mar 13, 2023 You can now define the number of consecutive push notifications that can be ignored or rejected by a user within a defined period before push notifications are blocked for an application. Use this setting to prevent attacks based on repeated push notifications that may lead users to eventually accept the authentication request. For details, see the documentation for the pushLimit object in Device Authentication Policies.
Feb 01, 2023 The platform now supports properties for enumerated values and regular expression validation in the schema data model. For details, see Schemas.
Jan 10, 2023 You can now configure Android applications to use Huawei Mobile Services. For details, see Application Operations and Application MFA Push Credentials.
Jan 10, 2023 You can now use the dataExplorations endpoint to generate reports of MFA devices. For details, see Reporting.
Jan 10, 2023 For notification templates of type "Push", it is now possible to specify a push category to control the type of banner that is displayed to the user. For details, see Notification Templates.
Jan 3, 2023 You can now use the riskPredictors endpoint to create New Device predictors, which allow your risk policy to take into account the risk associated with users trying to access applications from unknown devices or devices that have not been used in the recent past. For details, see Risk Predictors.
Jan 3, 2023 In MFA policies, it is now possible to specify how much time users have to respond to a push notification before it expires. This period can be defined separately for each mobile application included in the MFA policy. For details, see Device Authentication Policies.
Jan 3, 2023 The default method to use for MFA is now set at the MFA policy level rather than at the environment level. For details, see Device Authentication Policies.
Jan 3, 2023 It is now possible to block a user's MFA device, and to unblock a device that is currently blocked. For details, see MFA Devices.
Dec 15, 2022 It is now possible to use the API to unlock a device that was locked-out due to too many failed MFA attempts, even if the defined waiting period has not yet elapsed. For details, see MFA Devices.
Dec 15, 2022 It is now possible to use the gateways endpoint to create a RADIUS gateway. For details, see Gateway Management.
Dec 8, 2022 We've added properties to support applications using WS-Federation. See the Applications base data model and the Applications WS-Federation settings data model for more information.
Dec 2, 2022 We've added an email verification endpoint to verify a user's email through a verification code. See User Email Verification.
Nov 22, 2022 You can now use the hiddenFromAppPortal property to hide an application in the application portal, overriding your configured group membership access policy. See Applications base data model.
Oct 26, 2022 You can now use the nameFormat property to define the naming format for attributes other than Subject. See Applications attribute mapping data model.
Oct 26, 2022 We've added the initiateLoginUri and targetLinkUri properties to the Applications OIDC data model.
Oct 25, 2022 The Token Introspection Endpoint now supports authentication with a Resource ID and Secret. See POST Token Introspection (Resource ID and Secret) and Resource Secret.
Oct 21, 2022 You can now allow a wildcard character in the Redirect URI for OIDC applications. See Applications OIDC settings data model.
Oct 19, 2022 PingOne Risk now includes an SDK that allows you to obtain additional risk-related data and pass the data to the risk evaluation, resulting in improved detection. The riskEvaluations endpoint can now take the data provided by the SDK in a header called X-SDK-DATA-PAYLOAD. For details, see the documentation for creating risk evaluations.
Sep 28, 2022 To simplify automated testing of your applications, you can now create dedicated testing devices. When you use the API to send authentication requests to such a device, the OTP is not sent to the actual device, but instead is returned as part of the body of the response. See MFA Devices.
Sep 15, 2022 We've added support for the WS-Federation protocol to the Application Management service. This supports Microsoft's Office365 and Azure integration with PingOne. See Create Application (WS-Federation Protocol) for more information.
Aug 31, 2022 When using the mfaSettings endpoint to update MFA settings, you can now use pairing.pairingKeyFormat to specify the type of pairing keys that should be used - 12-digit numeric keys or 16-character alphanumeric keys. Existing environments will continue to use the 12-digit numeric keys unless changed. New environments will use the 16-character keys by default.
Aug 31, 2022 It is now possible to create composite predictors - for situations where you are interested in combining a number of risk predictors into a single predictor. See Risk Predictors.
Aug 26, 2022 The platform now supports adding custom claims to an OpenID Connect scope. See Resource Scopes.
Aug 18, 2022 We've added a default property to the Populations endpoint, enabling you to assign a default population to an environment. See Populations.
Aug 14, 2022 When creating or editing an MFA policy, you can now use the field mobile.applications[].integrityDetection to specify how registration and authentication attempts should be handled if a response is not received for device integrity: continue with the flow or block the user. For details, see Device Authentication Policies.
Aug 14, 2022 When defining a mobile application, you can now use mobile.integrityDetection.excludedPlatforms in conjuction with mobile.integrityDetection.mode to enable device integrity checking only for Android or only for iOS. For details, see Application Operations.
Aug 2, 2022 You can now use Kerberos to sign-on users. See Gateway LDAP data model in Gateway Management and the Sign On with Kerberos request.
Aug 2, 2022 You can now force a reset of the password identified by the user ID and environment ID without the administrator supplying a password. See Force Change Password request.
Aug 2, 2022 It is now possible to use the API to create and manage FIDO policies, which can then be included in device authentication policies. For details, see FIDO Policies and Device Authentication Policies.
Aug 1, 2022 It is now possible to use the riskPolicySets endpoint with conditions of type AGGREGATED_SCORES to create score-based policies. See Risk Policies.
Jul 18, 2022 For sign-on policies in PingOne, MFA steps are added now by referencing an existing MFA policy rather than having to define the specific authentication methods that are allowed for the policy. For details, see Sign-On Policy Actions.
Jul 14, 2022 The platform now includes PingFederate admin roles, allowing admins to SSO from PingOne into PingFederate with the appropriate permissions for their role. See Roles.
Jul 10, 2022 For organizations that prefer to maintain their own user device information, it is now possible to initiate authentication while providing the information necessary for contacting the user. See the documentation for the selectedDevice object in MFA Device Authentications.
Jul 7, 2022 It is now possible to create passwordless authentication flows that require only FIDO2 authentication with no need for the user to provide their username. To use this feature, use the rp.id property in the request body for deviceAuthentications. For details, see MFA Device Authentications.
Jun 6, 2022 You can now define notification policies to limit the use of SMS and voice messages for pairing and authentication. For details, see Notification Policies.
Apr 28, 2022 The platform now includes the PingOne Authorize API access management service, which provides tools to externalize the management and evaluation of access control policies for HTTP-based APIs. See PingOneAuthorize API Access Management.
Apr 25, 2022 MFA Native SDK v1.7.0 now supports authentication code flows for Android and iOS operating systems. See Authentication code flow. SDK v1.7.0 also supports elliptic-curve cryptography (ECC) for signing and verifying mobile requests. This feature uses iOS secure enclave capabilities.
Apr 25, 2022 The platform now includes endpoints that initiate an authentication code flow. See MFA Authentication Code. The platform includes a new uriPrefix property on the application's mobile object that specifies a valid app/universal link or app schema to enable direct triggering of the mobile application when scanning a QR code. See Application Operations.
Mar 11, 2022 The platform now requires a minimum password length of 8 - 32 characters. For more information, see Password Policies.
Mar 07, 2022 The platform now supports a hybrid flow authorization request, in which some tokens are returned from the authorization endpoint, and others are returned from the token endpoint. For more information, see GET Authorize (hybrid) and POST Authorize (hybrid).
Feb 09, 2022 The platform now supports a policy.id property for MFA devices that specifies the device authentication policy ID associated with the device resource. For more information, see MFA Devices and MFA Pairing Keys.
Feb 04, 2022 The platform now supports a PingFederate-SSO platform application, which is created automatically if the PingOne environment includes PingFederate. For more information, see Application Management.
Jan 13, 2022 Custom risk predictors cannot be referenced as an attribute in a placeholder details list (${details.<attribute>}). See Custom risk predictor conditions in Risk Predictors for more information.
Dec 27, 2021 The platform now supports configuring the whiteList property on a per risk predictor basis. For information about risk predictors that support the whiteList property, see Risk Predictors.
Dec 27, 2021 The platform now supports the User Location Anomaly risk predictor. See Risk Predictors.
Dec 23, 2021 For authorization requests that return an invalid request object error, the error message now includes additional details about the INVALID_VALUE. For example, the old detail message stated this: "The request parameter contains an invalid Request Object". The new detail message provides specific information about the validation error: "The request parameter contains an invalid Request Object: The token signature is invalid.".
Dec 17, 2021 The Integration Catalog has been updated to easily retrieve application integration information and assets.
Dec 17, 2021 The image service API now returns a regionalized URL for any new images uploaded. For example, if you are in the EU and use pingone.eu, then uploaded images will now be in this format "https://uploads.pingone.eu/environments/..." instead of "https://uploads.pingone.com/environments/..." . This regionalization is also applicable to uploaded images in the .asia and .ca regions. Old image URLs will still work as expected. For more information, see Images.
Dec 16, 2021 The platform now supports configuration of policies for MFA enrollment and authentication transactions in PingOne Flows.
The apiPath/environments/envID/deviceAuthenticationPolicy endpoint is deprecated, but still supported. No immediate code change are required, but it's recommended to change to the new apiPath/environments/envID/deviceAuthenticationPolicies endpoint.
See Device authentication policies that now supports the following operations:
Dec 15, 2021 The platform now includes endpoints that initiate and complete an MFA action without requiring a call to the PingOne authorize service. For more information, see MFA Device Authentications.
Dec 15, 2021 The platform now supports the ability to configure short codes and toll-free origination numbers to send SMS and voice notifications to recipients in multiple countries.
See the supportedCountries property in the Custom provider phone number properties table.
Dec 12, 2021 The platform now supports configuration of untrusted sender email addresses at the email notification template content level, when using a custom email sender.
See Content properties.
Dec 08, 2021 The platform now provides easier integration with custom providers' remote gateways, including support for dispatching voice notifications.
This implementation uses the GET and POST operations and customizable body and headers.
Basic and bearer authentication methods are supported.
See Phone delivery settings.
Dec 07, 2021 The platform now includes decision endpoints that allow efficient evaluation of policies developed in the PingOneAuthorize Policy Editor Service. For more information, see PingOneAuthorize Policy Decision Service.
Nov 08, 2021 The platform now supports a JSON array PATCH action to update targeted elements on a user object. For more information, see Update User (Patch JSON Array).
Oct 25, 2021 The notifications settings property, notificationsSettings.defaultLanguage, has been removed from the platform. When required, notifications use the environment's default language, which is set using the /environments/{{envID}}/languages endpoint. For information about notification content and language selection, see Runtime logic for content selection. For information about an environment's default language, see Language Management.
Oct 04, 2021 Ping Identity has added a Canada regional data center, that will provide enhanced performance and response on services for Canadian customers accounts hosted on this data center.
Canada data center domains: