PingOne Platform API Reference - Early Access
PingOne is a cloud-based framework for secure identity access management. The PingOne API gives developers the tools to integrate enterprise and third-party applications with the PingOne platform.
This document describes a number of PingOne services, including the Management API services, the Authentication API services, and the Multi-factor Authentication services. There is also material in this document that refers to the integrations between the PingOne platform and other Ping products that facilitate extended functionality beyond PingOne.
New to PingOne?
If you're new to PingOne, the following topic links will help you learn more and start working with the PingOne API.
- Getting started with the PingOne APIs: This collection of topics helps you create your first application connection using the PingOne admin console application and get a JSON Web Token for the application you created. With your admin access token, you can make calls to the PingOne resource server.
- Download the PingOne Postman collections: This topic includes downloads for the PingOne Platform API Postman master collection as well as targeted collections for the PingOne MFA APIs and the PingOne Protect APIs.
- The PingOne use cases provide workflows for common PingOne configurations and sign-on flows. Each use case includes a Postman collection linked to a Run in Postman button, enabling you to load (and run) the use case collections into your Postman workspace.
- PingOne authorization and authentication APIs: These topics provide a deeper dive into PingOne platform authorization and authentication concepts and workflows. They include detailed information about access tokens, ID tokens, user scopes, platform roles, and sign-on flows.
- You'll find here the documentation for the PingOne mobile SDKs. Currently, this includes the PingOne MFA SDKs, the PingOne Neo SDKs, and the PingOne Protect SDKs.
Beta Topics
Flows and Forms
The beta topics in Flows and Forms document the deprecated Flow Definitions service in PingOne. The Flow Definitions service was replaced by PingOne DaVinci.
External Services Management
The external services API allows you to make outbound HTTP requests from PingOne to an external resource server. It functions like a PingOne HTTP client. By configuring an external service resource in PingOne, you configure how to send an HTTP request at invocation time.
PingOne external services configurations integrate with PingOne flows, which allows for outbound HTTP requests in the context of a flow.
Terminology
- External Service: External services are a group of requests and additional configuration information to support the requests. Some configuration properties, such as variables and secrets, can be referenced by any of the external service's requests.
- Request: The HTTP request configuration includes properties such as a URL, headers, and body to define the request to the external resource server. When an external service request is invoked, PingOne uses the defined configuration to create and send an HTTP request.
- PingOne's expression language: External service requests use PingOne's expression language, which is based on SpEL, to give you flexibility to define complex configuration attributes. For more information, see PingOne's expression language.
Frequently asked questions
How do I resolve an expression error?
When you invoke an external service request you may get an expression error. The error should provide clues on what went wrong. For more information about PingOne's expression language, see PingOne's expression language. It is also important to remember that all inputs must be strings.
How do I change the request configuration at invocation time?
If you need the URL, a header, or a body parameter to be dynamic per request, you must use inputs. You can reference an input in the request configuration (inputs.myInputName) and then send the input in at invocation time. For examples of this action, see the "Getting Started" topic.
What happens when I invoke an external service request?
PingOne finds your configuration by environment ID, external service ID, and request name. The configuration is then used to generate and send an HTTP request. As part of generating the HTTP request, the configuration is scanned for variable, secret, and input references, and these references are resolved to concrete values. The HTTP request is sent and the response is by default mapped to { status: <status>, headers: <responseHeaders>, body: <responseBody> }.
How do I avoid duplicating configuration across multiple external service requests?
If you have requests that need the same information (like a URL or header value) you can use variables or secrets (or both). The difference between the two is that secrets are encrypted and managed through a separate endpoint for stricter administrative control.
How do I protect a sensitive value like an API key or secret?
Configure a secret for the external service and then reference it in your request configuration.
How do I configure authentication on an external service request?
If it is a header-based authentication, you can set a header on the request and use a secret for the value.
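The following is an added example, not PingOne code, that models what the three answers above describe: a request configuration that references a variable (the base URL), a secret (an API key header), and an input (the user ID) is scanned for references, the references are resolved at invocation time, and the response is mapped to the default { status, headers, body } shape. The real platform evaluates a SpEL-based expression language; this model assumes a single simplified reference form (a dotted path such as inputs.userId, variables.baseUrl or secrets.apiKey inside a string), and the service, the fake_send transport and all values are constructed. It also shows the handling a practitioner wants around secrets: they reach the outbound request but are redacted from any error text that might be logged or returned.

```python
"""Local model of external service request resolution at invocation time.
Added illustration; PingOne's own evaluator (SpEL-based) is not reproduced.
Assumed reference form: inputs.<name>, variables.<name>, secrets.<name>."""
import json
import re
from dataclasses import dataclass, field

REF = re.compile(r"\b(inputs|variables|secrets)\.([A-Za-z0-9_]+)\b")


class InvocationError(Exception):
    """A reference could not be resolved; the request is not sent (INVOCATION_ERROR)."""


@dataclass
class ExternalService:
    variables: dict
    secrets: dict                       # sensitive: never copied into outputs or logs
    requests: dict = field(default_factory=dict)


def _lookup(service, inputs, scope, name):
    source = {"inputs": inputs, "variables": service.variables,
              "secrets": service.secrets}[scope]
    if name not in source:
        raise InvocationError(f"unresolved reference {scope}.{name}")
    value = source[name]
    # The FAQ says inputs must be strings; the invocation model also shows objects
    # and lists, so non-strings are serialised to JSON here (a local choice).
    return value if isinstance(value, str) else json.dumps(value)


def resolve(service, inputs, text):
    """Replace every reference in one configuration string with its value."""
    return REF.sub(lambda m: _lookup(service, inputs, m.group(1), m.group(2)), text)


def build_request(service, request_name, inputs):
    """Turn the stored configuration into a concrete outbound request."""
    cfg = service.requests[request_name]["request"]
    return {
        "method": cfg["method"],
        "url": resolve(service, inputs, cfg["url"]),
        "headers": {k: resolve(service, inputs, v) for k, v in cfg.get("headers", {}).items()},
        "body": resolve(service, inputs, cfg["body"]["template"]) if "body" in cfg else None,
    }


def redact(service, text):
    """Mask secret values before text is logged or returned to the caller."""
    for value in service.secrets.values():
        text = text.replace(value, "***")
    return text


def map_response(status, headers, body):
    """Default output mapping: { status, headers, body }."""
    return {"status": status, "headers": headers, "body": body}


def invoke(service, request_name, inputs, send):
    """Resolve, send through the caller-supplied transport, map the response.
    Configuration problems become an error reason instead of an outbound call."""
    try:
        outbound = build_request(service, request_name, inputs)
    except InvocationError as exc:
        return {"error": "INVOCATION_ERROR", "details": redact(service, str(exc))}
    status, headers, body = send(outbound)
    return {"outputs": map_response(status, headers, body)}


# Constructed sample service: one request using a variable, a secret and an input.
SERVICE = ExternalService(
    variables={"baseUrl": "https://api.example.test"},
    secrets={"apiKey": "sk-constructed-secret-value"},
    requests={"lookupUser": {"request": {
        "method": "POST",
        "url": "variables.baseUrl/users/lookup",
        "headers": {"X-Api-Key": "secrets.apiKey", "Content-Type": "application/json"},
        "body": {"type": "JSON", "template": '{"userId": "inputs.userId"}'},
    }}},
)


def fake_send(outbound):
    """Constructed transport standing in for the real outbound HTTP call."""
    return 200, {"Content-Type": "application/json"}, '{"found": true}'


if __name__ == "__main__":
    print(invoke(SERVICE, "lookupUser", {"userId": "u-123"}, fake_send))
    print(invoke(SERVICE, "lookupUser", {}, fake_send))   # missing input -> error
```

Because the secret value is substituted only into the outbound headers and never into the mapped outputs, a consumer of the invocation result sees the status, headers and body of the external server's response but not the credential that authenticated the call.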
How do I fix an error that I’m getting when trying to invoke an external service request?
You may be encountering one of the following error reasons:
- SSL_HANDSHAKE_FAILED: When sending the outbound HTTP request the SSL handshake failed. Please check your configuration.
- NO_HTTP_RESPONSE: We sent the outbound HTTP request but did not get an HTTP response from the server.
- TIMEOUT: We sent the outbound HTTP request but did not get an HTTP response in the time allowed. The timeout is 8 seconds.
- TOO_MANY_INVOCATIONS: We did not send the outbound HTTP request because a limit was reached. You are allowed 45 concurrent outbound HTTP requests per environment.
- MALICIOUS_URL: The URL targeted a host that we determined to be malicious.
- INVOCATION_FAILED: There was an error likely unrelated to your configuration or targeted service. If this error persists, please contact support.
- INVOCATION_ERROR: We did not send the outbound HTTP request, most likely because of a problem with your configuration. The error may include further details.
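A client that calls external service requests from its own code has to decide, per reason, whether a retry can help. The following is an added example, not PingOne code: it keeps local fan-out under the 45 concurrent invocations allowed per environment, retries only the reasons that can succeed on a later attempt (NO_HTTP_RESPONSE, TIMEOUT, INVOCATION_FAILED), backs off on TOO_MANY_INVOCATIONS, and stops immediately on reasons that need a configuration fix (SSL_HANDSHAKE_FAILED, MALICIOUS_URL, INVOCATION_ERROR). The shape of the error envelope ({"error": {"reason": ...}}) and the scripted transport are assumptions.

```python
"""Retry and concurrency policy around external service invocations.
Added example; the error envelope shape and the transport are assumed."""
import threading
import time

ENV_CONCURRENCY_LIMIT = 45      # from the page: TOO_MANY_INVOCATIONS past this many in flight
SERVICE_TIMEOUT_SECONDS = 8     # from the page: TIMEOUT once the server takes longer

# Configuration problems are never retried: repeating them only burns part of
# the per-environment concurrency budget without any chance of success.
RETRYABLE = {"NO_HTTP_RESPONSE", "TIMEOUT", "INVOCATION_FAILED"}
THROTTLED = {"TOO_MANY_INVOCATIONS"}
FIX_CONFIGURATION = {"SSL_HANDSHAKE_FAILED", "MALICIOUS_URL", "INVOCATION_ERROR"}


def classify(reason):
    """Map an error reason to what the caller should do about it."""
    if reason in RETRYABLE:
        return "retry"
    if reason in THROTTLED:
        return "backoff"
    if reason in FIX_CONFIGURATION:
        return "fix-configuration"
    return "escalate"            # an unknown reason is never silently retried


class Invoker:
    def __init__(self, call, max_parallel=ENV_CONCURRENCY_LIMIT - 5,
                 max_attempts=3, sleep=time.sleep):
        self._call = call                    # call(request_name, inputs) -> result dict
        self._slots = threading.BoundedSemaphore(max_parallel)
        self._max_attempts = max_attempts
        self._sleep = sleep
        self.log = []                        # (request, attempt, reason, action)

    def invoke(self, request_name, inputs):
        reason = action = None
        for attempt in range(1, self._max_attempts + 1):
            with self._slots:                # keep local fan-out under the 45 limit
                result = self._call(request_name, inputs)
            if "outputs" in result:
                return {"ok": True, "outputs": result["outputs"], "attempts": attempt}
            reason = result["error"]["reason"]
            action = classify(reason)
            self.log.append((request_name, attempt, reason, action))
            if action == "backoff":
                self._sleep(2 ** attempt)    # exponential backoff before taking another slot
            elif action != "retry":
                break
        return {"ok": False, "reason": reason, "action": action, "attempts": attempt}


def scripted_call(script):
    """Constructed transport that replays a list of invocation results in order."""
    it = iter(script)
    return lambda request_name, inputs: next(it)


# Constructed scenario: two timeouts, then a successful mapped response.
TIMEOUT_THEN_OK = [
    {"error": {"reason": "TIMEOUT"}},
    {"error": {"reason": "TIMEOUT"}},
    {"outputs": {"status": 200, "headers": {}, "body": "{}"}},
]

if __name__ == "__main__":
    inv = Invoker(scripted_call(TIMEOUT_THEN_OK), sleep=lambda s: None)
    print(inv.invoke("lookupUser", {"userId": "u-1"}))
    print(inv.log)
```

The semaphore bound is deliberately below 45 so that several instances of the client, or PingOne flows in the same environment, leave headroom before the platform starts refusing invocations.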
Data models
See the following topics for data model property definitions:
- For external services base data model properties, see External Services.
- For external services secrets data model properties, see External Services Secrets.
- For external services invoke data model properties, see External Services Requests.
Getting Started with External Services
The Getting Started topics show you how to create an external service with four requests:
- one request that uses static values
- one request that uses a variable
- one request that uses a secret
- one request that uses an input
After creating the external service configuration with these four requests successfully, additional topics show you how to invoke all four external service requests.
Click the Run in Postman button below to download a Postman collection that includes the requests described in this section.
Create your first external service
Add your first request to the external service
Invoke your first request
Add a variable and use it in a request
Invoke your request that uses a variable
Add a secret and use it in a request
Add requests that use a variable and a secret
Invoke your request that uses a secret
Add invocation inputs in a request
Invoke your request that uses an input
External Services
The external services API provides endpoints to create, read, update, and delete external services resources.
External services data model
Property | Description |
---|---|
authSchemes | A list of authorization schemes that can be used by a request. |
authSchemes.name | A string that specifies the name of the authentication scheme. This property is set by the administrator and is unique for each external service. The maximum size is 256 characters. The string can contain unicode letters, combining marks, numeric characters, whitespace, and punctuation characters (regex: ^[\p{L}\p{M}\p{N}\p{Zs}\p{P}]+$ ). This is a required property. |
authSchemes.type | A string that specifies the type of authentication scheme. Options are API_KEY , BEARER , BASIC , and OAUTH_2 . This is a required property. |
authSchemes.type.{properties} | The properties associated with the type of authentication scheme. |
description | A string that specifies the description of the external service. The string can contain unicode letters, combining marks, numeric characters, whitespace, and punctuation characters (regex: ^[\p{L}\p{M}\p{N}\p{Zs}\p{P}]+$ ). |
id | A string that specifies the resource's unique identifier. |
name | A string that specifies the name of the external service. The maximum length for a name is 256 characters, and the name must be unique within the environment. The string can contain unicode letters, combining marks, numeric characters, whitespace, and punctuation characters (regex: ^[\p{L}\p{M}\p{N}\p{Zs}\p{P}]+$ ). |
requests | A list of requests associated with this external service. |
secrets | A list of encrypted secret names. |
variables | A map of variables that can be referenced by requests. |
Requests schema data model
Property | Description |
---|---|
description | A string that specifies the description of the request. The string can contain unicode letters, combining marks, numeric characters, whitespace, and punctuation characters (regex: ^[\p{L}\p{M}\p{N}\p{Zs}\p{P}]+$ ). |
displayName | A string that specifies the display name of the request. The display name defaults to the method name plus the URL. This value can be edited by the administrator. This property can be used in PingOne interface dropdown menus to select the request. It is comprised of unicode letters, combining marks, numeric characters, whitespace, and punctuation characters (regex: ^[\p{L}\p{M}\p{N}\p{Zs}\p{P}]+$ ). |
inputs | A list that specifies auto-generated input references in the request configuration. |
name | A string that specifies the name of the request. A request is executed by its name, which must be unique per external service. Names are comprised of alphanumeric letters, underscore, hyphen, and period (regex: ^[a-zA-Z0-9_. -]+$ ). Maximum length of 256 characters. This is a required property. |
request | An object that defines the request properties. This is a required property. |
request.authScheme | A string that specifies the name of the configured external service auth scheme to use for the request. Options are API_KEY , BEARER , BASIC , and OAUTH_2 . |
request.method | A string that specifies the HTTP method. This is a required property. |
request.url | A string (in PingOne's expression language) that specifies the request URL. This is a required property. |
request.headers | A map of strings that specifies the HTTP request headers to send on invocations of the request. The map is of header names to values (in PingOne's expression language). |
request.body | An object that specifies the request body type. |
request.body.type | An enumeration that specifies the request Content-Type. Options are JSON . This is a required property. |
request.body.template | A string (in PingOne's expression language) that specifies the request body template, which is of any JSON type. This is a required property. |
request.inputSchema | A string that specifies the input schema for any inputs that are referenced in any part of the request. This is a required property if input is configured. |
response | An object that defines the response properties. |
response.output | A string (in PingOne's expression language) that is used to generate the response of a request invocation. If this property is not configured, the default value is the following expression (in PingOne's expression language): "{\"status\": + response.status, \"headers\": + response.headers, \"body\": + response.body}" . |
response.outputSchema | A string that specifies the output schema for any output properties that are returned by the request. This is a required property if output is configured. |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
You need the Environment Admin role to perform operations on external services resources.
CREATE External Service
READ External Services
READ One External Service
UPDATE External Service
DELETE External Service
External Services Secrets
The external services secrets endpoint provides operations to read and update the external service secret. The name property of the external service secret must be unique within the environment. A secret resource is a name-value pair configured by the administrator and applicable to the entire external service. Secret values are encrypted and can be referenced in the external service configuration.
External services secrets data model
Property | Description |
---|---|
name | A string that specifies the name of the external service secret. This property is set by the administrator and is unique for each external service. This is a required property. |
value | A string that specifies the value of the external service secret. This is a required property. |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
READ External Service Secrets
UPDATE External Service Secrets
External Services Requests
The external services requests endpoint provides operations to invoke the external service request. The inputs property specifies the inputs required by the request. The request can have several inputs, specified in the following format in the request body:

```json
{
  "inputs": {
    "input1": "input1Value",
    "input2": {
      "aProperty": "aValue"
    },
    "input3": [ { "aProperty": "aValue" } ]
  }
}
```
External services invocation request data model
Property | Description |
---|---|
inputs | A JSON map that specifies the input properties required by the request. All input properties needed by the request must be defined in the input JSON. Otherwise, the request will fail. This is a required property if the request requires input properties. If the request does not require any input, this property can be omitted. |
External services invocation response data model
Property | Description |
---|---|
outputs | A JSON map that specifies the response dictated by the external service's response, mapped by the request's response output configuration. The value could be any JSON type, based on the request's response output configuration. This is a required property. |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
Invoke External Service Request
Flow Definitions
Flow definitions define a series of steps that designate the actions of a workflow. The flow execution endpoint references a flow definition resource that specifies an initial step and all additional steps required to complete the flow execution. For more information about flow executions, see Flow Executions.
Flow definitions include step definitions that define an operational step to perform a specific work action, which generates output that is processed by the flow. A flow step can also designate flow-control actions that branch or end the flow. For more information, see Flow Definition Steps.
The flow definitions API provides operations to create, read, update, and delete flow definitions. It also provides endpoints to get and enhance flow definition step schema metadata. For information about flow definition step schema metadata, see Flow Definition Steps.
Flow definitions data model
Property | Description |
---|---|
description | A string that specifies the description of the flow definition. |
enabled | A boolean that specifies whether the flow is enabled. Disabled flows cannot be executed. This is a required property. |
environment.id | A string that specifies the environment ID associated with this flow definition resource. |
id | A string that specifies the resource's unique identifier. |
name | A string that specifies the flow definition name, which must be provided and must be unique within an environment. |
trigger | A predefined trigger that can initiate the flow definition execution. The trigger marks the step definition from which the flow starts. |
trigger.configuration | An object that specifies the trigger configuration data. |
trigger.inputs | An object that specifies the trigger-specific inputs. |
trigger.next | A string that specifies the first step definition to execute. |
trigger.type | A string that specifies the type of trigger. Options are EXPERIENCE and SIGN_ON_POLICY . For more information about trigger types, see READ Trigger Type Metadata. |
stepDefinitions | A map that specifies the step definitions available in the flow definition, differentiated by a human-readable identifier as the key. The key must be a string with unicode letters, numeric characters, underscore, and dash: ^[\p{L}\p{N}_-]+$ . This key is used in variable paths to reference outputs from the step at runtime (for example, ${steps.login.outputs.something} ). |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
CREATE Flow Definition Basic (EXPERIENCE trigger)
CREATE Flow Definition Basic (SIGN_ON_POLICY trigger)
CREATE Agreement Consent Flow Definition (EXPERIENCE trigger)
CREATE Agreement Consent Flow Definition (SIGN_ON_POLICY trigger)
CREATE Agreement Consent Flow Definition (SIGN_ON_POLICY trigger) Copy
CREATE Agreement Reconsent Flow Definition (EXPERIENCE trigger)
CREATE Agreement Reconsent Flow Definition (EXPERIENCE trigger) Copy
CREATE Agreement Reconsent Flow Definition (SIGN_ON_POLICY trigger)
CREATE Agreement Reconsent Flow Definition (SIGN_ON_POLICY trigger) Copy
CREATE Registration Flow Definition (Experience)
CREATE Registration Flow Definition (Sign-on Policy)
CREATE Registration with Consent Flow Definition (Sign-on Policy)
CREATE MFA Enrollment (EXPERIENCE trigger)
CREATE MFA Enrollment (SIGN_ON_POLICY trigger)
CREATE MFA Challenge (EXPERIENCE trigger)
CREATE MFA Challenge (SIGN_ON_POLICY trigger)
CREATE Sign On (EXPERIENCE trigger)
CREATE Sign On (SIGN_ON_POLICY trigger)
CREATE Identity Provider Sign On (SIGN_ON_POLICY trigger)
CREATE Password Recovery (EXPERIENCE trigger)
CREATE Password Recovery (SIGN_ON_POLICY trigger)
READ Flow Definitions
READ One Flow Definition
UPDATE Flow Definition
DELETE Flow Definition
READ Step Type Metadata
READ Trigger Type Metadata
Enrich Step Type Metadata
Flow Definition Steps
Flow definition steps specify the actions of a workflow. The step definition performs a specific operation, which generates output that is processed by the flow. A flow step can also designate flow-control actions that branch or end the flow.
Step definitions data model
Property | Description |
---|---|
configuration | An object that specifies the step type specific configuration properties as described and validated by the step type metadata. |
description | A string that specifies the description for this step as defined by the administrator. |
displayName | A string that specifies the display name for this step. |
iconURL | A string that specifies the icon for this step type as defined in the step type metadata. |
input | An object that specifies the step type specific input properties as described by the step type metadata. Any placeholders are resolved at execution time. |
outlets | An object that specifies the set of results a step definition can produce. |
outlets.result | An object that specifies the result to handle. Valid results for the specified step type are defined in the step type metadata. An outlet for the ERROR result may be used with any step definition to handle errors from the step. If an outlet for the ERROR result is not defined, errors from the step result in a failed flow. |
outlets.result.displayName | A string that specifies the display name for this result as defined in the step type metadata. |
outlets.result.description | A string that specifies the description for this result as defined in the step type metadata. |
outlets.result.next | A string that specifies the next step definition key in the sequence. This value must point to an existing step definition instance. |
type | A string that specifies the step definition type. There are several step definition type options. The supported step definition types are best viewed by running the /flowMetadata/stepTypes endpoint. For more information, see READ Step Type Metadata. |
Step type metadata data model
Property | Description |
---|---|
configurationSchema | A JSON schema object that defines the structure of the step definition configuration properties expected for a specific type. Submitted step definitions are validated against this schema. For more information about the JSON Schema specification, see JSON Schema. |
configurationUiSchema | A JSON schema object that defines the user interface representation of the step configuration. For more information about the JSON Schema specification, see JSON Schema. |
description | A string that specifies the description of the step type. |
displayName | A string that specifies the display name for this step. |
iconUrl | A string that specifies the URL for the step icon in the user interface. |
inputSchema | A JSON schema object that defines the input structure of step definition configuration properties that are expected for a specific type. For more information about the JSON Schema specification, see JSON Schema. |
resultMetadata | An object that lists all the expected results of a step. |
resultMetadata.description | A string that specifies the description represented in the user interface. |
resultMetadata.displayName | A string that specifies the display name represented in the user interface. |
resultMetadata.outputSchema | A JSON schema object that specifies the expected structure of the response that the result can provide. |
resultMetadata.typeName | A string that specifies the step definition type name. The name cannot be ERROR because this is a reserved type name. For more information about step definition type options, see READ Step Type Metadata. |
version | A string that specifies the step type version. |
Step type metadata enrichment data model
Property | Description |
---|---|
configuration | An object that specifies a step definition configuration that can be used as part of the enrichment process. This value should match the configurationSchema of the stepType for which the request is submitted. |
trigger | An object that specifies a source trigger under which the steps should be enriched. This is a required property. |
trigger.configuration | An object that specifies optional trigger specific properties. |
trigger.type | A string that specifies a unique trigger type. This is a required property. |
Flow and step definition context placeholders
Parameter | Description |
---|---|
${flow.*} | The current flow execution state. For example, ${flow.inputs.parameters.applicationId} . |
${steps.stepName.outputs.*} | The current step execution state, where stepName designates the name of the step. For example, ${steps.registrationForm.outputs.formData.user} . |
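The rules spread across the flow definition, step definition and placeholder tables above can be checked before a definition is created rather than discovered as a failed flow at runtime. The following is an added example, not PingOne code; it assumes that outlets is a map from result name (ACCEPTED, SAVED, ERROR, ...) to an object carrying next, approximates the key pattern ^[\p{L}\p{N}_-]+$ with str.isalnum plus underscore and dash, and uses constructed flow definitions. It reports as errors a trigger.next or outlets.<result>.next that names no step, a step key that violates the pattern, and a ${steps.<key>.outputs.*} placeholder pointing at an undefined step, and as a warning any step with no ERROR outlet, since an error in such a step fails the whole flow.

```python
r"""Static checks on a flow definition before it is created.
Added example, not PingOne code. Assumed shape: outlets = {result: {"next": key}}."""
import re

PLACEHOLDER = re.compile(r"\$\{steps\.([^.}]+)\.outputs\.[^}]*\}")
TRIGGER_TYPES = ("EXPERIENCE", "SIGN_ON_POLICY")


def valid_step_key(key):
    """Approximation of ^[\p{L}\p{N}_-]+$ : letters, digits, underscore, dash."""
    return bool(key) and all(ch.isalnum() or ch in "_-" for ch in key)


def _strings(obj):
    """Yield every string nested in a step's input so placeholders can be found."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)


def validate_flow(flow):
    errors, warnings = [], []
    steps = flow.get("stepDefinitions", {})
    trigger = flow.get("trigger", {})
    if trigger.get("type") not in TRIGGER_TYPES:
        errors.append(f"unsupported trigger.type {trigger.get('type')!r}")
    if trigger.get("next") not in steps:
        errors.append(f"trigger.next {trigger.get('next')!r} is not a step definition")
    for key, step in steps.items():
        if not valid_step_key(key):
            errors.append(f"step key {key!r} violates ^[\\p{{L}}\\p{{N}}_-]+$")
        outlets = step.get("outlets", {})
        for result, outlet in outlets.items():
            nxt = outlet.get("next")
            if nxt not in steps:
                errors.append(f"{key}.outlets.{result}.next {nxt!r} is not a step definition")
        if "ERROR" not in outlets:
            warnings.append(f"step {key!r} has no ERROR outlet; an error there fails the flow")
        for text in _strings(step.get("input", {})):
            for ref in PLACEHOLDER.findall(text):
                if ref not in steps:
                    errors.append(f"step {key!r} references ${{steps.{ref}.outputs.*}} but no such step")
    return {"errors": errors, "warnings": warnings}


# Constructed: consent form -> save consent -> notify an external endpoint.
GOOD_FLOW = {
    "name": "consent-then-notify", "enabled": True,
    "trigger": {"type": "EXPERIENCE", "next": "consentForm"},
    "stepDefinitions": {
        "consentForm": {"type": "AGREEMENT_CONSENT_FORM",
                        "configuration": {"agreement": {"id": "agreement-id-constructed"}},
                        "outlets": {"ACCEPTED": {"next": "saveConsent"}, "ERROR": {"next": "notify"}}},
        "saveConsent": {"type": "AGREEMENT_CONSENT_ACCEPT",
                        "input": {"user": {"id": "${flow.inputs.parameters.userId}"},
                                  "agreementConsent": {"agreement": {
                                      "id": "${steps.consentForm.outputs.agreementConsent.agreement.id}"}}},
                        "outlets": {"SAVED": {"next": "notify"}, "ERROR": {"next": "notify"}}},
        "notify": {"type": "API_REQUEST", "configuration": {"method": "POST"},
                   "input": {"url": "https://hooks.example.test/consent"}},
    },
}

# Constructed: same flow with a mistyped trigger.next, a key containing a space,
# and a placeholder that points at the mistyped step name.
BAD_FLOW = {
    "name": "broken", "enabled": True,
    "trigger": {"type": "EXPERIENCE", "next": "consentFrom"},
    "stepDefinitions": {
        "consentForm": {"type": "AGREEMENT_CONSENT_FORM",
                        "outlets": {"ACCEPTED": {"next": "save consent"}, "ERROR": {"next": "notify"}}},
        "save consent": {"type": "AGREEMENT_CONSENT_ACCEPT",
                         "input": {"agreementConsent": {"agreement": {
                             "id": "${steps.consentFrom.outputs.agreementConsent.agreement.id}"}}},
                         "outlets": {"SAVED": {"next": "notify"}}},
        "notify": {"type": "API_REQUEST", "input": {"url": "https://hooks.example.test/consent"}},
    },
}

if __name__ == "__main__":
    for flow in (GOOD_FLOW, BAD_FLOW):
        print(flow["name"], validate_flow(flow))
```

The ERROR-outlet warning is the one most worth acting on in production: a flow whose consent step has no ERROR outlet turns every transient failure in that step into a failed sign-on.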
Flow definition step types
The following section documents the supported flow definition step types and the request schema, response schema, the supported results, and the custom content type (if applicable) associated with any step type actions.
For more information about flow definitions and step types, see Flow Definitions.
Agreement Consent Accept
This step type specifies a user's consent to an agreement. The result reflects the user's decision to consent to an agreement and saves the user's consent.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
There are no configuration schema properties for the AGREEMENT_CONSENT_ACCEPT step type. |
Input property | Description |
---|---|
user.id | A string that specifies the user ID associated with the saved consent. |
agreementConsent.agreement.id | A string that specifies the agreement ID associated with the saved consent. This resource provides details containing user information and the agreement information to which the user has provided consent. |
agreementConsent.consentedAt | The date and time when the consent decision was made. |
agreementConsent.language.id | A string that specifies the language ID associated with the agreement to which the user has given consent. |
agreementConsent.revision.id | A string that specifies the revision ID associated with the agreement to which the user has given consent. |
The following properties are returned for the SAVED result.
Output property | Description |
---|---|
agreementConsent.status | A string that specifies the current status of the user's consent in relation to this agreement. |
agreementConsent.id | A string that specifies the agreement consent ID associated with this agreement. |
agreementConsent.agreement.id | A string that specifies the agreement ID associated with this agreement consent. |
agreementConsent.language.id | A string that specifies the language ID associated with the agreement to which the user has given consent. |
agreementConsent.revision.id | A string that specifies the revision ID associated with the agreement to which the user has given consent. |
Step properties used with flow executions
Flow state | Description |
---|---|
There is no flow status associated with this step type. |
Links | Description |
---|---|
There are no flow actions associated with the AGREEMENT_CONSENT_ACCEPT step type. |
Parameters | Description |
---|---|
There are no flow action parameters associated with the AGREEMENT_CONSENT_ACCEPT step type. |
Agreement Consent Form
This step type specifies a request for consent from the user. Submitting the form initiates a user.consent action to accept or deny consent to the agreement. The following step type definition properties are used with flow definition and flow execution resources.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
agreement.id | A string that specifies the agreement ID for the agreement that requires user consent. |
Input property | Description |
---|---|
There are no input properties for the AGREEMENT_CONSENT_FORM step type. |
The following properties are returned for the ACCEPTED result.
Output property | Description |
---|---|
agreementConsent.status | A string that specifies the current status of the user's consent in relation to this agreement. |
agreementConsent.agreement.id | A string that specifies the agreement ID associated with this agreement consent. |
agreementConsent.consentedAt | The date and time when the consent decision was made. |
agreementConsent.language.id | A string that specifies the language ID associated with the agreement to which the user has given consent. |
agreementConsent.revision.id | A string that specifies the revision ID associated with the agreement to which the user has given consent. |
Step properties used with flow executions
Flow state | Description |
---|---|
There is no flow status associated with this step type. |
Links | Description |
---|---|
user.consent | The link to initiate the consent action. The action must provide a value for the accept property and specify application/vnd.pingidentity.user.consent+json as the custom content type in the request. |
Parameters | Description |
---|---|
accept | A boolean that specifies whether the user accepts the agreement. |
Agreement Reconsent Form
This step type specifies a request for consent from the user to update the user's consent to an agreement. This step presents a form to the end user to prompt for renewed consent to an agreement. Submitting the form initiates a user.consent action to accept or deny consent to the agreement.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
agreement.id | A string that specifies the agreement ID for the agreement that requires user consent. |
Input property | Description |
---|---|
user.id | A string that specifies the user ID associated with the saved consent. |
user.preferredLanguage | A string that specifies the user's preferred language. |
The following properties are returned for the SAVED result.
Output property | Description |
---|---|
agreementConsent.status | A string that specifies the current status of the user's consent in relation to this agreement. |
agreementConsent.id | A string that specifies the agreement consent ID associated with this agreement. |
agreementConsent.agreement.id | A string that specifies the agreement ID associated with this agreement consent. |
agreementConsent.language.id | A string that specifies the language ID associated with the agreement to which the user has given consent. |
agreementConsent.revision.id | A string that specifies the revision ID associated with the agreement to which the user has given consent. |
Step properties used with flow executions
Flow state | Description |
---|---|
There is no flow status associated with this step type. |
Links | Description |
---|---|
user.consent | The link to initiate the consent action. The action must provide a value for the accept property and specify application/vnd.pingidentity.user.consent+json as the custom content type in the request. |
Parameters | Description |
---|---|
accept | A boolean that specifies whether the user accepts the agreement. |
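Both the Agreement Consent Form and the Agreement Reconsent Form step types expose the same user.consent action during flow execution: the client posts a boolean accept with the custom content type application/vnd.pingidentity.user.consent+json. The following is an added example, not PingOne code, of preparing that call from a client. It assumes the flow execution state carries the action as a HAL-style link under _links["user.consent"].href (the page names the link but not its JSON shape) and that the action is a POST; the flow state is constructed. The request is built but not sent, and the function refuses a non-boolean accept value and any link that is not HTTPS.

```python
"""Preparing the user.consent action of a consent/reconsent form step.
Added example; the _links shape and the POST method are assumptions."""
import json
import urllib.request

CONSENT_CONTENT_TYPE = "application/vnd.pingidentity.user.consent+json"   # from the page


def consent_request(flow_state, accept):
    """Return an unsent urllib Request for the user.consent action, or None when
    the current step offers no such link (the client never guesses a URL)."""
    if not isinstance(accept, bool):
        raise TypeError("accept must be a boolean")        # accept is a boolean parameter
    href = flow_state.get("_links", {}).get("user.consent", {}).get("href")
    if href is None:
        return None                                         # not at a consent step
    if not href.startswith("https://"):
        raise ValueError("refusing to post a consent decision over a non-TLS link")
    body = json.dumps({"accept": accept}).encode("utf-8")
    return urllib.request.Request(
        href, data=body, method="POST",
        headers={"Content-Type": CONSENT_CONTENT_TYPE, "Accept": "application/json"},
    )


# Constructed flow execution state at a consent form step (assumed _links shape).
SAMPLE_FLOW_STATE = {
    "id": "flow-id-constructed",
    "_links": {
        "user.consent": {"href": "https://auth.pingone.example/env-constructed/flows/flow-id-constructed"},
    },
}

if __name__ == "__main__":
    req = consent_request(SAMPLE_FLOW_STATE, True)
    print(req.get_method(), req.full_url, req.get_header("Content-type"), req.data)
```

A decline (accept false) is sent the same way; only the flow's outlets decide what happens next, so the client does not need to special-case it.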
API Request
This step type makes an API request to a third-party service.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
method | A string that specifies the request method type. Options are GET , POST , PUT , PATCH , and DELETE . |
Input property | Description |
---|---|
url | A string that specifies the request URL. |
query | An object that specifies the query parameters to include on the request. |
headers | An object that specifies the HTTP headers to include on the request. |
body | A string that specifies the body of the request. |
The following properties are returned for the SUCCEEDED result.
Output property | Description |
---|---|
agreementConsent.status | A string that specifies the current status of the user's consent in relation to this agreement. |
agreementConsent.id | A string that specifies the agreement consent ID associated with this agreement. |
agreementConsent.agreement.id | A string that specifies the agreement ID associated with this agreement consent. |
agreementConsent.language.id | A string that specifies the language ID associated with the agreement to which the user has given consent. |
agreementConsent.revision.id | A string that specifies the revision ID associated with the agreement to which the user has given consent. |
Step properties used with flow executions
Flow state | Description |
---|---|
There is no flow status associated with this step type. |
Links | Description |
---|---|
There are no flow actions associated with the API_REQUEST step type. |
Parameters | Description |
---|---|
There are no flow action parameters associated with the API_REQUEST step type. |
Branch
This step type branches the flow based on one or more conditions. The step returns a NO_MATCH result if no condition is met. For information about the common policy language used to specify conditions, see Sign-On Policy Actions.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
conditions | An array of conditions to be evaluated. |
conditions.condition | An object that is defined using the common policy language to define a flow condition to match. |
conditions.result | A string that specifies the result when this specific flow condition is matched. |
conditions.displayName | A string that specifies the display name for the result. |
Input property | Description |
---|---|
There are no configuration schema properties for the BRANCH step type. |
The following properties are returned for the NO_MATCH result.
Output property | Description |
---|---|
There are no output properties for the BRANCH step type. |
Step properties used with flow executions
Flow state | Description |
---|---|
There is no flow status associated with this step type. |
Links | Description |
---|---|
There are no flow actions associated with the BRANCH step type. |
Parameters | Description |
---|---|
There are no flow action parameters associated with the BRANCH step type. |
Complete Flow
This step type completes the flow and returns a result.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
result | An object that specifies the result needed to complete the flow. Results are defined by the trigger type used by this flow. The set of allowed result values is generated dynamically at configuration time. |
Input property | Description |
---|---|
{{someProperty}} | An object that specifies the flow output. Properties are derived dynamically based on the configured result. |
Output property | Description |
---|---|
There are no output properties for the COMPLETE_FLOW step type. |
Step properties used with flow executions
Flow state | Description |
---|---|
There is no flow status associated with this step type. |
Links | Description |
---|---|
There are no flow actions associated with the COMPLETE_FLOW step type. |
Parameters | Description |
---|---|
There are no flow action parameters associated with the COMPLETE_FLOW step type. |
Create Risk Evaluation
This step type creates a risk evaluation in PingOne.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
riskPolicySet.id | A string that specifies the risk policy set to use for risk evaluation. |
useDefaultPolicy | A boolean that specifies whether to use the environment's default policy set for the risk evaluation. If this property is set to false, a risk policy set ID must be specified in the riskPolicySet.id property. |
profileDevice | A boolean that specifies whether the device will be profiled during the step execution. If the value of this property is set to true, the step prompts for a device profile action. |
Input property | Description |
---|---|
riskEvaluation.event.targetResource.id | A string that specifies the ID of the target application, which is the application the user attempts to access. |
riskEvaluation.event.targetResource.name | A string that specifies the name of the target application, which is the application the user attempts to access. The riskEvaluation.event.targetResource property is optional, but if riskEvaluation.event.targetResource.name is specified, then riskEvaluation.event.targetResource.id must also be specified. |
riskEvaluation.event.ip | A string that specifies the origin IP address. This is a required property. |
riskEvaluation.event.flow.type | A string that specifies the flow type. The default value is AUTHENTICATION. |
riskEvaluation.event.user.name | A string that specifies the name of the user associated with the risk evaluation. |
riskEvaluation.event.user.type | A string that specifies the type of user associated with the risk evaluation. Options are EXTERNAL and PING_ONE. This is a required property. |
riskEvaluation.event.user.id | A string that specifies the user ID associated with the risk evaluation. If the user type is PING_ONE, the user name is filled in automatically from the user ID; if the user does not exist in PingOne, the step produces an error. If the user type is EXTERNAL, the user name should be provided so that it displays in the dashboards; if the user name is not provided, the user ID is shown instead. This is a required property. |
riskEvaluation.event.sharingType | A string that specifies the associated device sharing type. Options are UNSPECIFIED, SHARED, and PRIVATE. |
riskEvaluation.event.browser.userAgent | A string that specifies the user agent of the browser that triggered the flow. The placeholder ${flow.inputs.headers.user-agent} is recommended for browser-based flows. |
riskEvaluation.event.origin | A string that specifies the calling service. |
The step returns the risk level of the transaction, which can be evaluated as HIGH, MEDIUM, or LOW. The following properties are returned for the HIGH, MEDIUM, or LOW risk levels.
The following properties are always returned in the risk evaluation.
Output property | Description |
---|---|
riskEvaluation.id | A string that specifies the ID of the risk evaluation. |
riskEvaluation.riskPolicySet.id | A string that specifies the ID of the risk policy set used for the risk evaluation. |
riskEvaluation.riskPolicySet.name | A string that specifies the name of the risk policy set used for the risk evaluation. |
riskEvaluation.result.value | A string that specifies the risk result custom value. |
riskEvaluation.details.ipAddressReputation | An object that specifies the risk associated with IP address reputation. |
riskEvaluation.details.ipAddressReputation.score | An integer that specifies the risk associated with IP address reputation, expressed as a number between 0 and 100. |
riskEvaluation.details.ipAddressReputation.level | A string that specifies the risk level associated with IP address reputation. Options are HIGH, MEDIUM, or LOW. |
riskEvaluation.details.anonymousNetworkDetected | A boolean that specifies whether the IP is associated with an anonymous network. |
riskEvaluation.details.country | A string that specifies the country where the flow originated, according to the IP address. |
riskEvaluation.details.impossibleTravel | A boolean that specifies whether the velocity required to move from the user's previous successful location to its current inferred location is too large. |
The following properties are returned in the risk evaluation only for environments with data consent enabled.
Output property | Description |
---|---|
riskEvaluation.details.ipVelocityByUser.level | A string that specifies the risk associated with IP velocity by user. Options are HIGH, MEDIUM, or LOW. |
riskEvaluation.details.ipVelocityByUser.reason | A string that specifies the reason for the risk associated with IP velocity by user. |
riskEvaluation.details.ipVelocityByUser.threshold | An object that provides information about the threshold used to determine the IP velocity level. |
riskEvaluation.details.ipVelocityByUser.threshold.source | A string that specifies the source used to calculate the threshold. |
riskEvaluation.details.ipVelocityByUser.threshold.high | A number; if the user accessed more than this number of IPs during the past hour, the user is flagged as having HIGH IP velocity. |
riskEvaluation.details.ipVelocityByUser.threshold.medium | A number; if the user accessed more than this number of IPs during the past hour, the user is flagged as having MEDIUM IP velocity. |
riskEvaluation.details.ipVelocityByUser.threshold.calculatedAt | A string that specifies the date and time at which the threshold was calculated. |
riskEvaluation.details.ipVelocityByUser.threshold.expiresAt | A string that specifies the date and time at which the threshold will expire and be recalculated. |
riskEvaluation.details.ipVelocityByUser.velocity.distinctCount | An integer that specifies the distinct count of IPs accessed by the user in the preceding number of seconds specified by the during property. |
riskEvaluation.details.ipVelocityByUser.velocity.during | An integer that specifies the number of seconds used to determine the distinctCount value. |
riskEvaluation.details.userVelocityByIp.level | A string that specifies the risk associated with user velocity by IP. Options are HIGH, MEDIUM, or LOW. |
riskEvaluation.details.userVelocityByIp.reason | A string that specifies the reason for the risk associated with user velocity by IP. |
riskEvaluation.details.userVelocityByIp.threshold | An object that provides information about the threshold used to determine the user velocity level. |
riskEvaluation.details.userVelocityByIp.threshold.high | A number; if the IP was accessed by more than this number of users during the past hour, it is flagged as having HIGH user velocity. |
riskEvaluation.details.userVelocityByIp.threshold.medium | A number; if the IP was accessed by more than this number of users during the past hour, it is flagged as having MEDIUM user velocity. |
riskEvaluation.details.userVelocityByIp.threshold.calculatedAt | A string that specifies the date and time at which the threshold was calculated. |
riskEvaluation.details.userVelocityByIp.threshold.expiresAt | A string that specifies the date and time at which the threshold will expire and be recalculated. |
riskEvaluation.details.userVelocityByIp.velocity.distinctCount | An integer that specifies the distinct count of users that accessed the IP in the preceding number of seconds specified by the during property. |
riskEvaluation.details.userVelocityByIp.velocity.during | An integer that specifies the number of seconds used to determine the distinctCount value. |
riskEvaluation.details.userRiskBehavior.level | A string that specifies the risk associated with user risk behavior. Options are HIGH, MEDIUM, or LOW. |
riskEvaluation.details.userRiskBehavior.reason | A string that specifies the reason for the risk associated with user risk behavior. |
riskEvaluation.details.userBasedRiskBehavior.level | A string that specifies the risk associated with user-based risk behavior. Options are HIGH, MEDIUM, or LOW. |
riskEvaluation.details.userBasedRiskBehavior.reason | A string that specifies the reason for the risk associated with user-based risk behavior. |
Step properties used with flow executions
Flow state | Description |
---|---|
PROFILE_DEVICE | A flow status that prompts for a device profile action. The action is initiated only if the value of the profileDevice configuration property is set to true. |
Links | Description |
---|---|
profile.device | The link to initiate an action to set the device profile. The action must provide a value for the browserFingerprint property and specify application/vnd.pingidentity.device.profile+json as the custom content type. |
Parameters | Description |
---|---|
browserFingerprint | An object that specifies the browser fingerprint attributes. |
Create User
This step type creates a new user in PingOne.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
population.id | A string that specifies the population ID to associate with the new user. This is a required property. |
lifecycle.status | A string that specifies the account lifecycle status of the newly created user. Options are ACCOUNT_OK and VERIFICATION_REQUIRED. When this step is used in conjunction with the VERIFY_ACCOUNT step, the status value is typically set to VERIFICATION_REQUIRED without sending a verification code. |
Input property | Description |
---|---|
user | An object that specifies the user to create. The new user's properties are derived dynamically from the non-read-only attributes of the environment's schema at configuration time. |
The following properties are returned for the SUCCEEDED result.
Output property | Description |
---|---|
{{userProperties}} | An object that specifies the flow output. Properties are dynamically derived from the environment's schema at configuration time. |
Step properties used with flow executions
Flow state | Description |
---|---|
There is no flow status associated with this step type. |
Links | Description |
---|---|
There are no flow actions associated with the CREATE_USER step type. |
Parameters | Description |
---|---|
There are no flow action parameters associated with the CREATE_USER step type. |
Form
This step type prompts the end user to submit a custom form. The step might include additional results for any buttons on the form.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
form.id | A string that specifies the form ID for the form to submit to the form manager service. This is a required property. |
Input property | Description |
---|---|
formData | An object that specifies the context data used to render the form and pre-fill fields. Properties are derived from the selected form and retrieved from the form manager service at configuration time. |
The following properties are returned for the SUBMITTED result.
Output property | Description |
---|---|
form.id | A string that specifies the form ID. |
form.name | A string that specifies the form name. |
formData | An object that encapsulates the submitted form data. Properties are derived from the selected form and retrieved from the form manager service at configuration time. |
Step properties used with flow executions
Flow state | Description |
---|---|
FORM_REQUIRED | A flow status that requires the user to submit a form. |
Flow state response schema property | Description |
---|---|
form.id | A string that specifies the ID of the form. |
{{formDataProperties}} | The properties required by the form. |
Links | Description |
---|---|
form.submit | The link to initiate the form submit action. The action must specify application/vnd.pingidentity.form.submit+json as the custom content type. |
Parameters | Description |
---|---|
{{formDataProperties}} | The properties required by the form. |
Links | Description |
---|---|
form.action | The link to specify the form action. The action must specify application/vnd.pingidentity.form.action+json as the custom content type. |
Parameters | Description |
---|---|
key | The key of the form field that was clicked. |
Identity Provider
This step type delegates user authentication to an external identity provider.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
There are no configuration schema properties for the IDENTITY_PROVIDER_AUTHENTICATION step type. |
Input property | Description |
---|---|
identityProvider.id | A string that specifies the external identity provider's ID. This is a required property. |
identityProvider.loginHint | A string that specifies the login identifier passed to the identity provider. |
identityProvider.acrValues | An array that designates the names of the authentication policies applicable to the authorization request. |
The following properties are returned for the ACCOUNT_LINKED result.
Output property | Description |
---|---|
externalAuthentication.id | A string that specifies the ID for the external authentication transaction. This is a required property. |
externalAuthentication.externalId | A string that specifies the unique identifier for the user returned by the external identity provider. This is a required property. |
externalAuthentication.identityProvider.id | A string that specifies the ID for the external identity provider. This is a required property. |
externalAuthentication.attributes | An object that specifies the mapped attributes returned by the external identity provider. |
linkedUser | An object that specifies the user linked to the external account from the external identity provider. Properties are dynamically derived from the environment's schema at configuration time. This is a required property. |
The following properties are returned for the ACCOUNT_LINKING_REQUIRED result.
Output property | Description |
---|---|
externalAuthentication.id | A string that specifies the ID for the external authentication transaction. This is a required property. |
externalAuthentication.externalId | A string that specifies the unique identifier for the user returned by the external identity provider. This is a required property. |
externalAuthentication.identityProvider.id | A string that specifies the ID for the external identity provider. This is a required property. |
externalAuthentication.attributes | An object that specifies the mapped attributes returned by the external identity provider. |
mappedUser | An object that specifies the user with mapped attribute values that can be used to pre-fill an external identity provider registration form. This is a required property. |
matchingUsers | An object that specifies the list of existing users that may be candidates for linking to the external account. These users are matched based on mapped attribute values. |
user[].{{properties}} | An object that specifies the flow output. User properties are dynamically derived from the environment's schema at configuration time. |
Step properties used with flow executions
Properties for the EXTERNAL_AUTHENTICATION_REQUIRED flow state
Flow state | Description |
---|---|
EXTERNAL_AUTHENTICATION_REQUIRED | A flow status that prompts the user to authenticate with an external identity provider to continue the flow. |
Flow state response schema property | Description |
---|---|
authenticate.href | A string that specifies the browser redirect URL used to authenticate with the external identity provider. |
Flow state embedded resource property | Description |
---|---|
identityProvider.name | A string that specifies the identity provider's name. |
identityProvider.type | A string that specifies the identity provider's type. Options are FACEBOOK, GOOGLE, LINKEDIN, OPENID_CONNECT, APPLE, AMAZON, TWITTER, YAHOO, PAYPAL, MICROSOFT, GITHUB, and SAML. |
Flow execution actions
externalAuthentication.check action
Links | Description |
---|---|
externalAuthentication.check | The link to initiate an action to check the external authentication ID. The action must provide a value for the id property and specify application/vnd.pingidentity.externalAuthentication.check+json as the custom content type in the request. |
Parameters | Description |
---|---|
externalAuthentication.id | A string that specifies the external authentication ID. This is a required property. |
Invoke External Service
This step type invokes an external service request. Note that the input properties in the request and the output properties in the response are generated dynamically based on the input and output schemas defined in the external service configuration.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
externalService.id | A string that specifies the ID of the external service, which is the target of the request. |
request.id | A string that specifies the request configuration to execute. |
Input property | Description |
---|---|
{someRequestProperty} | The input properties are generated dynamically based on the list of inputs in the request configuration. |
The following properties are returned for the INVOCATION_OUTPUT result.
Output property | Description |
---|---|
someOutputProperty | The output properties are populated dynamically if an output schema is provided. |
Step properties used with flow executions
Flow state | Description |
---|---|
There is no flow status associated with this step type. |
Links | Description |
---|---|
There are no flow actions associated with the EXTERNAL_SERVICE_INVOKE step type. |
Parameters | Description |
---|---|
There are no flow action parameters associated with the EXTERNAL_SERVICE_INVOKE step type. |
MFA Auto Enrollment
This step type pairs an MFA offline device automatically with the user account during MFA enrollment.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
sms.enabled | A boolean that, when set to true, auto-enrolls an SMS device. |
sms.mode | A string that specifies the mode used to auto-enroll an SMS device. Options are CREATE, OVERRIDE, and REPLACE. The default value is CREATE. |
voice.enabled | A boolean that, when set to true, auto-enrolls a voice device. |
voice.mode | A string that specifies the mode used to auto-enroll a voice device. Options are CREATE, OVERRIDE, and REPLACE. The default value is CREATE. |
email.enabled | A boolean that, when set to true, auto-enrolls an email device. |
email.mode | A string that specifies the mode used to auto-enroll an email device. Options are CREATE, OVERRIDE, and REPLACE. The default value is CREATE. |
Input property | Description |
---|---|
user.id | A string that specifies the user ID of the user account. This is a required property. |
user.sms.mobilePhone | A string that specifies the phone number of the SMS device. This is a required property. |
user.sms.oldMobilePhone | A string that specifies the phone number of the old SMS device. This is a required property. |
user.voice.mobilePhone | A string that specifies the phone number of the voice device. This is a required property. |
user.voice.oldMobilePhone | A string that specifies the phone number of the old voice device. This is a required property. |
user.email.email | A string that specifies the email address of the email device. This is a required property. |
user.email.oldEmail | A string that specifies the email address of the old email device. This is a required property. |
The following properties are returned for the ENROLLED result.
Output property | Description |
---|---|
devices.sms.id | A string that specifies the ID of the SMS device. |
devices.sms.type | A string that specifies the device type. |
devices.sms.phone | A string that specifies the phone number associated with the device. |
devices.voice.id | A string that specifies the ID of the voice device. |
devices.voice.type | A string that specifies the device type. |
devices.voice.phone | A string that specifies the phone number associated with the device. |
devices.email.id | A string that specifies the ID of the email device. |
devices.email.type | A string that specifies the device type. |
devices.email.email | A string that specifies the email address associated with the device. |
The following properties are returned for the NOT_APPLICABLE result.
Output property | Description |
---|---|
There are no output properties for the NOT_APPLICABLE result. |
Step properties used with flow executions
Flow state | Description |
---|---|
There is no flow status associated with this step type. |
Links | Description |
---|---|
There are no flow actions associated with the MFA_AUTO_ENROLLMENT step type. |
Parameters | Description |
---|---|
There are no flow action parameters associated with the MFA_AUTO_ENROLLMENT step type. |
MFA Challenge
This step type performs a multi-factor authentication in PingOne. The step returns a SUCCEEDED result.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
deviceAuthenticationPolicy.id | A string that specifies the device authentication policy to use during authentication. This is a required property. |
deviceSelection | A string that specifies the device selection mode. Options are DEFAULT_TO_FIRST and PROMPT_TO_SELECT. The default value is DEFAULT_TO_FIRST. This is a required property. |
template.name | A string that specifies the name of the notification template used for user notifications. Options are STRONG_AUTHENTICATION and TRANSACTION. This is a required property. |
template.variant | A string that specifies the notification template variant. |
useDefaultPolicy | A boolean that, when set to true, specifies that the default device authentication policy for the environment is used during MFA evaluation. |
Input property | Description |
---|---|
user.id | A string that specifies the user ID. This is a required property. |
template.locale | A string that specifies the notification template locale. This is a required property. |
template.variables | An object that specifies the notification template variables. |
webauthn.compatibility | A string that specifies the WebAuthn compatibility. |
mobile.clientContext | An object that specifies the mobile client context. |
mobile.payload | A string that specifies the mobile payload. The default value is ${flow.inputs.parameters.mobilePayload}. |
application.id | A string that specifies the application ID. The default value is ${flow.inputs.parameters.applicationId}. |
session.id | A string that specifies the session ID. The default value is ${flow.inputs.parameters.sessionId}. |
userAgent | A string that specifies the user agent of the browser that triggered the flow. The default value is ${flow.inputs.headers.user-agent}. |
The following properties are returned for the SUCCEEDED result.
Output property | Description |
---|---|
device.id | A string that specifies the device ID. |
device.nickname | A string that specifies the device nickname. |
device.type | A string that specifies the device type. Options are MOBILE, EMAIL, SMS, VOICE, TOTP, PLATFORM, and SECURITY_KEY. |
amr | An array that specifies the authentication methods. |
Step properties used with flow executions
Properties for the DEVICE_SELECTION_REQUIRED flow state
Flow state | Description |
---|---|
DEVICE_SELECTION_REQUIRED | A flow status that prompts the user to select an available device to use for authentication. |
Flow state response schema property | Description |
---|---|
deviceAuthentication | An object that specifies the device authentication parameters. |
Properties for the OTP_REQUIRED flow state
Flow state | Description |
---|---|
OTP_REQUIRED | A flow status that requires the user to complete a multi-factor authentication action using a one-time passcode. |
Flow state response schema property | Description |
---|---|
devices | An object that specifies the user devices available that can be used to complete the multi-factor authentication action. |
deviceAuthentication.authSession.type | A string that specifies the type of authentication session. |
deviceAuthentication.authSession.id | A string that specifies the authentication session ID. |
deviceAuthentication.selectedDevice.id | A string that specifies the ID of the device used for authentication. |
deviceAuthentication.user.id | A string that specifies the user ID of the authenticating user. |
Properties for the ASSERTION_REQUIRED flow state
Flow state | Description |
---|---|
ASSERTION_REQUIRED | A flow status that prompts the user to activate the WebAuthn device to finalize the authentication process. |
Flow state response schema property | Description |
---|---|
devices | An object that specifies the available devices that can be used for activation. |
deviceAuthentication.authSession.type | A string that specifies the type of authentication session. |
deviceAuthentication.authSession.id | A string that specifies the authentication session ID. |
deviceAuthentication.selectedDevice.id | A string that specifies the ID of the device used for authentication. |
deviceAuthentication.user.id | A string that specifies the user ID of the authenticating user. |
Properties for the PUSH_CONFIRMATION_REQUIRED flow state
Flow state | Description |
---|---|
PUSH_CONFIRMATION_REQUIRED | A flow status that results when a push was sent to a native device to confirm the authentication. |
Flow state response schema property | Description |
---|---|
devices | An object that specifies the available devices that can be used for activation. |
deviceAuthentication.authSession.type | A string that specifies the type of authentication session. |
deviceAuthentication.authSession.id | A string that specifies the authentication session ID. |
deviceAuthentication.selectedDevice.id | A string that specifies the ID of the device used for authentication. |
deviceAuthentication.user.id | A string that specifies the user ID of the authenticating user. |
Properties for the PUSH_CONFIRMATION_TIMED_OUT flow state
Flow state | Description |
---|---|
PUSH_CONFIRMATION_TIMED_OUT | A flow status that specifies that a push was sent to a native device, but the native device did not answer the push during the allowed timeframe. |
Flow state response schema property | Description |
---|---|
devices | An object that specifies the available devices that can be used for activation. |
deviceAuthentication.authSession.type | A string that specifies the type of authentication session. |
deviceAuthentication.authSession.id | A string that specifies the authentication session ID. |
deviceAuthentication.selectedDevice.id | A string that specifies the ID of the device used for authentication. |
deviceAuthentication.user.id | A string that specifies the user ID of the authenticating user. |
Flow execution actions
device.select action
Links | Description |
---|---|
device.select | The link to initiate an action to specify an MFA device to associate with the user. The action must provide a value for the type property and specify application/vnd.pingidentity.device.select+json as the custom content type in the request. |
Parameters | Description |
---|---|
device.id | A string that specifies the ID of the selected device. This is a required property. |
compatibility | A string that specifies the browser WebAuthn compatibility. Options are FULL, SECURITY_KEY_ONLY, and NONE. |
otp.check action
Links | Description |
---|---|
otp.check | The link to initiate an action to validate the one-time passcode received by the selected device. The action must specify application/vnd.pingidentity.otp.check+json as the custom content type in the request. |
Parameters | Description |
---|---|
otp | A string that specifies the one-time passcode. This is a required property. |
assertion.check action
Links | Description |
---|---|
assertion.check | The link to initiate an action to validate the assertion received by the selected FIDO2 device. The action must specify application/vnd.pingidentity.assertion.check+json as the custom content type in the request. |
Parameters | Description |
---|---|
assertion | A string that specifies the WebAuthn assertion response. This is a required property. |
compatibility | A string that specifies the browser WebAuthn compatibility. Options are FULL, SECURITY_KEY_ONLY, and NONE. |
origin | A string that specifies the full URL of the calling service. This is a required property. |
MFA Enrollment
This step type pairs an MFA device with the user account during MFA enrollment. The step returns either the ENROLLED or SKIPPED result.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
useDefaultPolicy | A boolean that, when set to true, specifies that the environment's default device authentication policy is used during MFA evaluation. This is a required property. |
deviceAuthenticationPolicy.id | A string that specifies the ID of the device authentication policy to use during authentication. This is a required property only in cases in which the useDefaultPolicy property is set to false. |
template.variant | A string that specifies the notification template variant. |
Input property | Description |
---|---|
user.id | A string that specifies the user ID of the user account from the identity provider. This is a required property. |
user.email | A string that specifies the user's email address. |
user.mobilePhone | A string that specifies the user's mobile phone number. |
webauthn.compatibility | A string that specifies the WebAuthn compatibility. Options are FULL, SECURITY_KEY_ONLY, and NONE. |
template.locale | A string that specifies the notification template locale. |
template.variables | An object that specifies the notification template variables. |
The following properties are returned for the ENROLLED result.
Output property | Description |
---|---|
device.id | A string that specifies the device ID. |
device.type | A string that specifies the device type. Options are MOBILE, EMAIL, SMS, VOICE, TOTP, PLATFORM, and SECURITY_KEY. |
The following properties are returned for the SKIPPED result.
Output property | Description |
---|---|
There are no output properties for the SKIPPED result. |
Step properties used with flow executions
Properties for the DEVICE_ENROLLMENT_REQUIRED flow state
Flow state | Description |
---|---|
DEVICE_ENROLLMENT_REQUIRED | A flow status that prompts the user to either enroll a device or skip the enrollment process. |
Flow state response schema property | Description |
---|---|
email | A string that specifies the user email provided in the step inputs. |
mobilePhone | A string that specifies the user mobile phone number provided in the step inputs. |
allowedtypes | An array that specifies the allowed device types for pairing. Options are MOBILE, EMAIL, SMS, VOICE, TOTP, PLATFORM, and SECURITY_KEY. |
mfaSettings | An object that specifies the environment's MFA settings. |
applications | An array that specifies the environment applications. |
Properties for the ACTIVATION_REQUIRED flow state
Flow state | Description |
---|---|
ACTIVATION_REQUIRED | A flow status that prompts the user to activate the offline device to finalize the enrollment process. |
Flow state response schema property | Description |
---|---|
device | An object that specifies the user device pending activation. The device properties shown depend on the device type. |
Properties for the PAIRING_REQUIRED flow state
Flow state | Description |
---|---|
PAIRING_REQUIRED | A flow status that prompts the user to pair the mobile device to finalize the mobile enrollment process. The client has to poll the HAL self link (/{envID}/flowExecutions/{flowExecutionID}) to verify the pairing. |
Flow state response schema property | Description |
---|---|
device | An object that specifies the user device pending activation. The device properties shown depend on the device type. |
pairingKey.code | A string that specifies the mobile pairing key code, used to finalize the mobile enrollment process. |
Properties for the MOBILE_PAIRING_FAILURE flow state
Flow state | Description |
---|---|
MOBILE_PAIRING_FAILURE | A flow status that results when mobile pairing has failed. This status returns the error code and the mobile pairing error details. |
Flow state response schema property | Description |
---|---|
error | An object that specifies the error details. |
error.code | A string that specifies the error code. |
error.message | A string that specifies the error message. |
Flow execution actions
Device create device.create action
Links | Description |
---|---|
device.create | The link to initiate an action to specify an MFA device to associate with the user. The action must provide a value for the type property and specify application/vnd.pingidentity.device.create+json as the custom content type in the request. |
Parameters | Description |
---|---|
type | A string that specifies the device type. Options are MOBILE, EMAIL, SMS, VOICE, TOTP, PLATFORM, and SECURITY_KEY. This is a required property. |
nickname | A string that specifies the device nickname. |
email | A string that specifies the user's email address. |
phone | A string that specifies the user's phone number. |
application.id | A string that specifies the associated application ID, which is required for pairing with devices of type MOBILE. |
rp.id | A string that specifies an RP ID, which is based on a host's domain name. |
rp.name | A string that specifies a human-readable name for the user account. |
Device activate device.activate action
Links | Description |
---|---|
device.activate | The link to initiate an action to activate an MFA device. The action must specify application/vnd.pingidentity.device.activate+json as the custom content type in the request. |
Parameters | Description |
---|---|
otp | A string that specifies the one-time passcode. |
attestation | A string that specifies the FIDO2 attestation. |
origin | A string that specifies the calling service. |
Device skip device.skipEnrollment action
Links | Description |
---|---|
device.skipEnrollment | The link to skip device enrollment. This action can be used only if device registration is configured to allow skipping. The action must specify application/vnd.pingidentity.device.skipEnrollment+json as the custom content type in the request. |
Parameters | Description |
---|---|
There are no parameters required for the device.skipEnrollment action. |
Device delete device.delete action
Links | Description |
---|---|
device.delete | The link to delete the device registration process. This action must specify application/vnd.pingidentity.device.delete+json as the custom content type in the request. |
Parameters | Description |
---|---|
There are no parameters required for the device.delete action. |
Resend OTP otp.resend action
Links | Description |
---|---|
otp.resend | The link to resend the OTP to complete the device registration process for SMS, email, and voice devices. This action must specify application/vnd.pingidentity.otp.resend+json as the custom content type in the request. |
Parameters | Description |
---|---|
There are no parameters required for the otp.resend action. |
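The flow states and actions above, driven from the client side as an added example (not PingOne's own client code): each function builds the next request for a flow-execution response, refusing actions the current state does not offer, and the PAIRING_REQUIRED state becomes a poll of the HAL self link. It assumes that dotted parameter names such as application.id map to nested JSON, that FIDO2 devices are the PLATFORM and SECURITY_KEY types, and that an OTP is a 4 to 8 digit string; the host, IDs and flow responses are constructed placeholders.

```python
"""Client-side driver for the MFA Enrollment flow-execution states documented above.

Added example, not PingOne's own code. It builds the next HTTP request from a
flow-execution response instead of sending it, so it runs offline. Assumptions:
dotted parameter names such as application.id map to nested JSON, each HAL link
carries an href, FIDO2 devices are the PLATFORM and SECURITY_KEY types, and an
OTP is a 4 to 8 digit string. The host and IDs below are placeholders.
"""
import re
from dataclasses import dataclass
from typing import Optional

DEVICE_TYPES = {"MOBILE", "EMAIL", "SMS", "VOICE", "TOTP", "PLATFORM", "SECURITY_KEY"}
FIDO2_TYPES = {"PLATFORM", "SECURITY_KEY"}
OTP_RE = re.compile(r"\d{4,8}")

@dataclass(frozen=True)
class Request:
    method: str
    url: str
    headers: dict
    body: Optional[dict] = None

def content_type(action: str) -> str:
    """Custom content type that selects a flow action, as documented per action."""
    return f"application/vnd.pingidentity.{action}+json"

def _href(flow: dict, name: str) -> str:
    try:
        return flow["_links"][name]["href"]
    except KeyError:
        raise ValueError(f"flow execution offers no '{name}' link") from None

def _action(flow: dict, state: str, name: str, body: dict) -> Request:
    # Refuse actions the current state does not offer rather than let the server reject them.
    if flow.get("status") != state:
        raise ValueError(f"{name} is valid only in {state}, flow is in {flow.get('status')}")
    return Request("POST", _href(flow, name), {"Content-Type": content_type(name)}, body)

def device_create(flow: dict, device_type: str, **params) -> Request:
    """device.create: type is required, and MOBILE pairing also needs application.id."""
    if device_type not in DEVICE_TYPES:
        raise ValueError(f"unknown device type {device_type!r}")
    allowed = flow.get("allowedtypes")  # the state lists the types the policy permits
    if allowed is not None and device_type not in allowed:
        raise ValueError(f"{device_type} is not in allowedtypes {allowed}")
    body = {"type": device_type}
    if device_type == "MOBILE":
        if "application_id" not in params:
            raise ValueError("application.id is required for MOBILE devices")
        body["application"] = {"id": params["application_id"]}
    # Assumption: EMAIL, SMS and VOICE devices need a destination to receive their OTP.
    dest = {"EMAIL": "email", "SMS": "phone", "VOICE": "phone"}.get(device_type)
    if dest:
        if dest not in params:
            raise ValueError(f"{dest} is needed for {device_type} devices")
        body[dest] = params[dest]
    return _action(flow, "DEVICE_ENROLLMENT_REQUIRED", "device.create", body)

def device_activate(flow: dict, otp: Optional[str] = None,
                    attestation: Optional[str] = None, origin: Optional[str] = None) -> Request:
    """device.activate: an OTP for offline devices, attestation plus origin for FIDO2 ones."""
    if flow.get("device", {}).get("type") in FIDO2_TYPES:
        if not (attestation and origin):
            raise ValueError("FIDO2 activation needs attestation and origin")
        body = {"attestation": attestation, "origin": origin}
    else:
        if otp is None or not OTP_RE.fullmatch(otp):
            raise ValueError("otp must be a 4 to 8 digit string")
        body = {"otp": otp}
    return _action(flow, "ACTIVATION_REQUIRED", "device.activate", body)

def next_request(flow: dict) -> Optional[Request]:
    """States needing no user input: poll on PAIRING_REQUIRED, fail on MOBILE_PAIRING_FAILURE."""
    status = flow.get("status")
    if status == "PAIRING_REQUIRED":
        # Mobile pairing completes out of band; poll the HAL self link until the status changes.
        return Request("GET", _href(flow, "self"), {"Accept": "application/json"})
    if status == "MOBILE_PAIRING_FAILURE":
        err = flow.get("error", {})
        raise RuntimeError(f"mobile pairing failed: {err.get('code')}: {err.get('message')}")
    return None  # DEVICE_ENROLLMENT_REQUIRED and ACTIVATION_REQUIRED wait for the user

# Constructed flow-execution responses with placeholder host and IDs, shaped as documented.
EXEC_URL = "https://auth.pingone.example/ENV_ID/flowExecutions/EXEC_ID"
LINKS = {n: {"href": EXEC_URL} for n in ("self", "device.create", "device.activate", "otp.resend")}
SAMPLE_ENROLLMENT_REQUIRED = {"status": "DEVICE_ENROLLMENT_REQUIRED", "_links": LINKS,
                              "email": "user@example.com", "allowedtypes": ["SMS", "TOTP", "SECURITY_KEY"]}
SAMPLE_ACTIVATION_REQUIRED = {"status": "ACTIVATION_REQUIRED", "_links": LINKS,
                              "device": {"id": "DEVICE_ID", "type": "SMS"}}
SAMPLE_PAIRING_REQUIRED = {"status": "PAIRING_REQUIRED", "_links": LINKS, "pairingKey": {"code": "PAIRING_CODE"},
                           "device": {"id": "DEVICE_ID", "type": "MOBILE"}}
SAMPLE_PAIRING_FAILURE = {"status": "MOBILE_PAIRING_FAILURE", "_links": LINKS,
                          "error": {"code": "PAIRING_ERROR", "message": "constructed failure"}}
```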
MFA Mobile Auto Enrollment
This step type pairs an MFA mobile device with the user account during MFA enrollment.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
{{properties}} | An object that specifies the properties that are dynamically derived at configuration time. |
Input property | Description |
---|---|
user.id | A string that specifies the user ID of the user account. This is a required property. |
application.id | A string that specifies the application ID. This is a required property. |
mobile.payload | A string that specifies the mobile payload. This is a required property. |
The following properties are returned for the ENROLLMENT_INITIATED result.
Output property | Description |
---|---|
enrollment | An object that specifies the enrollment data created by the auto enrollment flow. |
The following properties are returned for the NOT_APPLICABLE result.
Output property | Description |
---|---|
There are no output properties for the NOT_APPLICABLE result. |
Step properties used with flow executions
Flow state | Description |
---|---|
There is no flow status associated with this step type. |
Links | Description |
---|---|
There are no flow actions associated with the MFA_MOBILE_AUTO_ENROLLMENT step type. |
Parameters | Description |
---|---|
There are no flow action parameters associated with the MFA_MOBILE_AUTO_ENROLLMENT step type. |
Password Check
This step type specifies an action to check a PingOne user's password.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
There are no configuration schema properties for the USER_PASSWORD_CHECK step. |
Input property | Description |
---|---|
user.id | A string that specifies the user ID of the user account associated with the password check action. This is a required property. |
user.password | A string that specifies the user's password to check. This is a required property. |
The following properties are returned for the PASSWORD_VALID result.
Output property | Description |
---|---|
passwordState.user.id | A string that specifies the user's password state. |
passwordState.passwordPolicy.id | A string that specifies the password policy ID. |
passwordState.status | A string that specifies the current status of the password. |
passwordState.lastChanged | The date and time the password was last changed. |
passwordState.warnings.expires | A string that specifies the date and time the password expires. |
The following properties are returned for the PASSWORD_EXPIRED result.
Output property | Description |
---|---|
passwordState.user.id | A string that specifies the user's password state. |
passwordState.passwordPolicy.id | A string that specifies the password policy ID. |
passwordState.status | A string that specifies the current status of the password. |
passwordState.lastChangedAt | The date and time the password was last changed. |
passwordState.warnings.expires | A string that specifies the date and time the password expires. |
The following properties are returned for the MUST_CHANGE_PASSWORD result.
Output property | Description |
---|---|
passwordState.user.id | A string that specifies the user's password state. |
passwordState.passwordPolicy.id | A string that specifies the password policy ID. |
passwordState.status | A string that specifies the current status of the password. |
passwordState.lastChangedAt | The date and time the password was last changed. |
passwordState.warnings.expires | A string that specifies the date and time the password expires. |
Step properties used with flow executions
Flow state | Description |
---|---|
There is no flow status associated with this step type. |
Links | Description |
---|---|
There are no flow actions associated with the USER_PASSWORD_CHECK step type. |
Parameters | Description |
---|---|
There are no flow action parameters associated with the USER_PASSWORD_CHECK step type. |
Password Recover
This step type verifies an account by prompting for a verification code sent to the user through email. The step returns a VERIFIED result after the verification code is submitted successfully by the end user. The step can also return a SKIPPED result if the user chooses to skip the account verification step.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
allowSkip | A boolean that specifies whether the user is allowed to skip account verification. |
Input property | Description |
---|---|
userId | A string that specifies the user ID of the user account to verify. This is a required property. |
The following properties are returned for the VERIFIED result.
Output property | Description |
---|---|
There are no output properties for the VERIFIED result. |
The following properties are returned for the SKIPPED result.
Output property | Description |
---|---|
There are no output properties for the SKIPPED result. |
Step properties used with flow executions
Flow state | Description |
---|---|
VERIFICATION_CODE_REQUIRED | A flow status that prompts the user to complete an account verification action. The user can submit a verification code to verify the account, have another verification code sent, or optionally skip verification if the step is configured to allow skipping. |
Account verification user.verify action
Links | Description |
---|---|
user.verify | The link to initiate an action to verify the account with the verification code sent to the user. The action must provide a value for the verificationCode property and specify application/vnd.pingidentity.user.verify+json as the custom content type. |
Parameters | Description |
---|---|
verificationCode | A string that specifies the verification code sent to the user. |
Account verification user.sendVerificationCode action
Links | Description |
---|---|
user.sendVerificationCode | The link to initiate an action to send a verification code to the user. The action must specify application/vnd.pingidentity.user.sendVerificationCode+json as the custom content type. |
Parameters | Description |
---|---|
There are no parameters required for the user.sendVerificationCode action. |
Account verification user.skipVerification action
Links | Description |
---|---|
user.skipVerification | The link to skip account verification. This action can be used only if account verification is configured to allow skipping. The action must specify application/vnd.pingidentity.user.skipVerification+json as the custom content type. |
Parameters | Description |
---|---|
There are no parameters required for the user.skipVerification action. |
PingID Authentication for Windows Passwordless Login
This step type authenticates users with PingID. It is used for passwordless login on Windows devices.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
There are no configuration schema properties for the PINGID_AUTHENTICATION_FOR_WINDOWS_PASSWORDLESS_LOGIN step type. |
Input property | Description |
---|---|
user.username | A string that specifies the user name as it is defined in PingID. |
The following properties are returned for the SUCCEEDED result.
Output property | Description |
---|---|
pingIdDevice.id | A string that specifies the PingID device ID. |
Step properties used with flow executions
Flow state | Description |
---|---|
There is no flow status associated with the PINGID_AUTHENTICATION_FOR_WINDOWS_PASSWORDLESS_LOGIN step type. |
Links | Description |
---|---|
device.select | The link to initiate the PingID device select action. The action must specify application/vnd.pingidentity.device.select+json as the custom content type in the request. |
Parameters | Description |
---|---|
device.id | A string that specifies the selected PingID device ID. |
Links | Description |
---|---|
authentication.poll | The link to specify an action to check the current authentication status. The action must specify application/vnd.pingidentity.authentication.poll+json as the custom content type in the request. |
Parameters | Description |
---|---|
There are no parameters for the authentication.poll action. |
Links | Description |
---|---|
otp.check | The link to initiate an action to validate the one-time passcode. The action must specify application/vnd.pingidentity.otp.check+json as the custom content type in the request. |
Parameters | Description |
---|---|
otp | A string that specifies the offline device one-time passcode. |
Links | Description |
---|---|
certificate.create | The link to initiate an action to create a certificate. The action must specify application/vnd.pingidentity.certificate.create+json as the custom content type in the request. |
Parameters | Description |
---|---|
csr | A string that specifies the certificate signing request, in Base64-encoded PEM format, that contains the information to be included in the certificate. |
Links | Description |
---|---|
certificate.create | The link to initiate an action to create a certificate. The action must specify application/vnd.pingidentity.certificate.create+json as the custom content type in the request. |
Parameters | Description |
---|---|
csr | A string that specifies the certificate signing request, in Base64-encoded PEM format, that contains the information to be included in the certificate. |
pin | A string that specifies the PIN that protects the certificate's private key. |
Links | Description |
---|---|
certificate.readPin | The link to initiate an action to retrieve the PIN code that protects the certificate's private key. The action must specify application/vnd.pingidentity.certificate.readPin+json as the custom content type in the request. |
Parameters | Description |
---|---|
certificate.id | A string that specifies the certificate ID. |
Links | Description |
---|---|
authentication.resume | The link to initiate an action to complete the authentication. The action must specify application/vnd.pingidentity.authentication.resume+json as the custom content type in the request. |
Parameters | Description |
---|---|
There are no parameters for the authentication.resume action. |
Read User
This step type reads user account data for the user specified by the ID in the input property.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
{{properties}} | An object that specifies the user properties. Properties are dynamically derived from the environment's schema at configuration time. |
Input property | Description |
---|---|
user.id | A string that specifies the user ID. This is a required property. |
The following properties are returned for the SUCCEEDED result.
Output property | Description |
---|---|
{{userProperties}} | An object that specifies the flow output. Properties are dynamically derived from the environment's schema at configuration time. |
Step properties used with flow executions
Flow state | Description |
---|---|
There is no flow status associated with this step type. |
Links | Description |
---|---|
There are no flow actions associated with the USER_READ step type. |
Parameters | Description |
---|---|
There are no flow action parameters associated with the USER_READ step type. |
Reset Password
This step type specifies an action to reset a user's password using the current password.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
There are no configuration schema properties for the USER_PASSWORD_RESET step. |
Input property | Description |
---|---|
user.id | A string that specifies the user ID of the user account associated with the password reset action. This is a required property. |
currentPassword | A string that specifies the user's current password. This is a required property. |
newPassword | A string that specifies the new password for the user account. This is a required property. |
The following properties are returned for the SUCCEEDED result.
Output property | Description |
---|---|
passwordState.user.id | A string that specifies the user's password state. |
passwordState.passwordPolicy.id | A string that specifies the password policy ID. |
passwordState.status | A string that specifies the current status of the password. |
passwordState.lastChanged | The date and time the password was last changed. |
passwordState.warnings.expires | A string that specifies the date and time the password expires. |
Step properties used with flow executions
Flow state | Description |
---|---|
There is no flow status associated with this step type. |
Links | Description |
---|---|
There are no flow actions associated with the USER_PASSWORD_RESET step type. |
Parameters | Description |
---|---|
There are no flow action parameters associated with the USER_PASSWORD_RESET step type. |
Send Recovery Code
This step type specifies an action to send a recovery code to recover a forgotten password.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
There are no configuration schema properties for the USER_PASSWORD_SEND_RECOVERY_CODE step. |
Input property | Description |
---|---|
user.id | A string that specifies the user ID of the user account associated with the send recovery code action. This is a required property. |
The following properties are returned for the SUCCEEDED result.
Output property | Description |
---|---|
passwordState.user.id | A string that specifies the user's password state. |
passwordState.passwordPolicy.id | A string that specifies the password policy ID. |
passwordState.status | A string that specifies the current status of the password. |
passwordState.lastChanged | The date and time the password was last changed. |
passwordState.warnings.expires | A string that specifies the date and time the password expires. |
Step properties used with flow executions
Flow state | Description |
---|---|
There is no flow status associated with this step type. |
Links | Description |
---|---|
There are no flow actions associated with the USER_PASSWORD_SEND_RECOVERY_CODE step type. |
Parameters | Description |
---|---|
There are no flow action parameters associated with the USER_PASSWORD_SEND_RECOVERY_CODE step type. |
Terminate Flow
This step type ends the flow and returns an error message.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
There are no configuration properties for the TERMINATE_FLOW step type. |
Input property | Description |
---|---|
error.code | A string that specifies the unique error code for the error. This is a required property. |
error.message | A string that specifies the message describing the error. The error message can include HTML formatted text such as links, headings, lists, and line breaks. This is a required property. |
Output property | Description |
---|---|
There are no output properties for the TERMINATE_FLOW step type. |
Step properties used with flow executions
Flow state | Description |
---|---|
There is no flow status associated with this step type. |
Links | Description |
---|---|
There are no flow actions associated with the TERMINATE_FLOW step type. |
Parameters | Description |
---|---|
There are no flow action parameters associated with the TERMINATE_FLOW step type. |
Update User
This step type specifies an action to update the user record in PingOne.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
There are no configuration schema properties for the USER_PATCH step. |
Input property | Description |
---|---|
user.id | A string that specifies the user ID of the user account associated with the update action. This is a required property. |
The following properties are returned for the SUCCEEDED result.
Output property | Description |
---|---|
user.{{properties}} | The updated user record. User properties are dynamically derived from the environment's schema at configuration time. |
Step properties used with flow executions
Flow state | Description |
---|---|
There is no flow status associated with this step type. |
Links | Description |
---|---|
There are no flow actions associated with the USER_PATCH step type. |
Parameters | Description |
---|---|
There are no flow action parameters associated with the USER_PATCH step type. |
User Lookup
This step type specifies a user lookup action to determine the authentication authority. The response returns either a PING_ONE_USER_MATCHED or IDENTITY_PROVIDER_USER_MATCHED result.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
matchAttributes.[] | An array that specifies the attributes to match against the provided identifier when searching for a user in the directory. Only unique attributes can be specified, and the attributes are searched in order, returning the first user that matches. If no match is found, the action returns an error. The default attribute is username. This is a required property. |
matchPingOneUsersOnly | A boolean that specifies whether to match only users whose authentication authority is PingOne. This property defaults to false if it is not set. |
Input property | Description |
---|---|
identifier | A string that specifies the identifier to use when searching for the user. This is a required property. |
The following properties are returned for the PING_ONE_USER_MATCHED result.
Output property | Description |
---|---|
user | An object that specifies the attributes of the matched user. Properties are dynamically derived from the environment's schema at configuration time. |
The following properties are returned for the IDENTITY_PROVIDER_USER_MATCHED result.
Output property | Description |
---|---|
user | An object that specifies the attributes of the matched user. Properties are dynamically derived from the environment's schema at configuration time. |
Step properties used with flow executions
Flow state | Description |
---|---|
There is no flow status associated with this step type. |
Links | Description |
---|---|
There are no flow actions associated with the USER_LOOKUP step type. |
Parameters | Description |
---|---|
There are no flow action parameters associated with the USER_LOOKUP step type. |
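The ordered matchAttributes search described above, as an added example over a constructed in-memory directory (not PingOne's own implementation). It assumes each record carries an authority attribute that decides between the PING_ONE_USER_MATCHED and IDENTITY_PROVIDER_USER_MATCHED results, and that username, email and externalId are the directory's unique attributes.

```python
"""The ordered matchAttributes search of the User Lookup step, reproduced as an added example
(not PingOne's own implementation) over a constructed in-memory directory. Assumptions: each
record carries an 'authority' attribute that decides PING_ONE_USER_MATCHED versus
IDENTITY_PROVIDER_USER_MATCHED, and the unique attributes of this directory are the three below.
"""
from typing import List, Optional, Tuple

UNIQUE_ATTRIBUTES = {"username", "email", "externalId"}


class NoMatch(Exception):
    """No attribute in matchAttributes matched the identifier (the documented error case)."""


def user_lookup(directory: List[dict], identifier: str, match_attributes: Optional[List[str]] = None,
                match_pingone_users_only: bool = False) -> Tuple[str, dict]:
    """Search the attributes in order and return (result, user) for the first match."""
    attrs = match_attributes or ["username"]  # documented default
    not_unique = [a for a in attrs if a not in UNIQUE_ATTRIBUTES]
    if not_unique:
        raise ValueError(f"matchAttributes must name unique attributes only, got {not_unique}")
    # matchPingOneUsersOnly narrows the candidate set before any attribute is consulted.
    pool = [u for u in directory if not match_pingone_users_only or u["authority"] == "PING_ONE"]
    for attr in attrs:
        hits = [u for u in pool if u.get(attr) == identifier]
        if len(hits) > 1:  # a 'unique' attribute that is not unique is a data problem, not a match
            raise ValueError(f"{attr}={identifier!r} matches {len(hits)} users")
        if hits:
            result = "PING_ONE_USER_MATCHED" if hits[0]["authority"] == "PING_ONE" else "IDENTITY_PROVIDER_USER_MATCHED"
            return result, hits[0]
    raise NoMatch(identifier)


DIRECTORY = [  # constructed records
    {"username": "alice", "email": "alice@example.com", "authority": "PING_ONE"},
    {"username": "bob", "email": "bob@example.com", "authority": "EXTERNAL_IDP"},
    {"username": "carol", "email": "carol@example.com", "externalId": "c-1001", "authority": "PING_ONE"},
]
```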
Verify Email
This step type verifies an account by prompting for a verification code sent to the user through email. The step returns a VERIFIED result after the verification code is submitted successfully by the end user. The step can also return a SKIPPED result if the user chooses to skip the account verification step.
Step properties used with flow definitions
Configuration schema property | Description |
---|---|
allowSkip | A boolean that specifies whether the user is allowed to skip account verification. |
Input property | Description |
---|---|
userId | A string that specifies the user ID of the user account to verify. This is a required property. |
The following properties are returned for the VERIFIED result.
Output property | Description |
---|---|
There are no output properties for the VERIFIED result. |
The following properties are returned for the SKIPPED result.
Output property | Description |
---|---|
There are no output properties for the SKIPPED result. |
Step properties used with flow executions
Flow state | Description |
---|---|
VERIFICATION_CODE_REQUIRED | A flow status that prompts the user to complete an account verification action. The user can submit a verification code to verify the account, have another verification code sent, or optionally skip verification if the step is configured to allow skipping. |
Account verification user.verify action
Links | Description |
---|---|
user.verify | The link to initiate an action to verify the account with the verification code sent to the user. The action must provide a value for the verificationCode property and specify application/vnd.pingidentity.user.verify+json as the custom content type. |
Parameters | Description |
---|---|
verificationCode | A string that specifies the verification code sent to the user. |
Account verification user.sendVerificationCode action
Links | Description |
---|---|
user.sendVerificationCode | The link to initiate an action to send a verification code to the user. The action must specify application/vnd.pingidentity.user.sendVerificationCode+json as the custom content type. |
Parameters | Description |
---|---|
There are no parameters required for the user.sendVerificationCode action. |
Account verification user.skipVerification action
Links | Description |
---|---|
user.skipVerification | The link to skip account verification. This action can be used only if account verification is configured to allow skipping. The action must specify application/vnd.pingidentity.user.skipVerification+json as the custom content type. |
Parameters | Description |
---|---|
There are no parameters required for the user.skipVerification action. |
Forms
The forms API, which supports the form builder interface in the PingOne Admin Console, provides tools for administrators to create custom forms presented to users during the authentication workflow. This capability allows administrators to:
- Define the interactive fields and the corresponding data to be collected during a registration or sign-on flow, which could include text inputs, checkboxes, dropdowns, and radio buttons, with options that are either static (saved as part of the form) or dynamic (supplied as input for an argument).
- Define the user experience that they want to deliver to the customer, such as field ordering, labeling, control over input validation and error feedback, and support for contextual or formatting items such as text (headers, explanatory text), images, and dividers.
The forms API provides endpoints to create, read, update, and delete form builder resources.
Forms category types
The API allows the following form types:
- REGISTRATION: A registration form that allows administrators to configure the controls and the information gathered during the registration flow. This form type allows form fields that do not map directly to PingOne user schema properties.
- SELF_SERVICE: A self-service form that allows administrators to configure the controls and the information gathered during a self-service flow. All fields in the self-service form must be associated with PingOne user schema properties.
- PROGRESSIVE_PROFILING: A custom registration form that prompts the user for additional information during the registration or sign-on flow. All fields in the progressive profiling form must be associated with PingOne user schema properties.
- CUSTOM: A custom registration form that allows form fields that do not map directly to PingOne user schema properties. For example, the form could include radio buttons with options of “employee” or “contractor” that the flow manager processes to direct the user to the next relevant form.
Forms data model
Property | Description |
---|---|
created | The time the resource was created. |
category | A string that specifies the type of custom-defined form. Options are REGISTRATION, SELF_SERVICE, PROGRESSIVE_PROFILING, and CUSTOM. The CUSTOM and REGISTRATION form types allow the form to be built with fields that do not map specifically to the PingOne directory attributes. This is a required property. |
cols | An integer that specifies the number of columns in the form. |
components | An object that specifies the form configuration elements. |
description | A string that specifies the description of the form. |
fieldTypes | A read-only array that specifies the FormField types in the form. Options are TEXT, SUBMIT_BUTTON, FLOW_LINK, FLOW_BUTTON, and RECAPTCHA_V2. |
id | A string that specifies the resource’s unique identifier. |
markOptional | A boolean that specifies whether optional fields are highlighted in the rendered form. This is a required property. |
markRequired | A boolean that specifies whether required fields are highlighted in the rendered form. This is a required property. |
modified | The time the resource was last updated. |
name | A string that specifies the form name, which must be provided and must be unique within an environment. This is a required property. |
Form components data model
Property | Description |
---|---|
button | A form button object that contains the button text. This is a required property. |
button.text | A string that specifies the form button text. This is a required property. |
fields | A list of form fields that make up the form. Options include text inputs, passwords, radio buttons, checkboxes, dropdowns, headers, and dividers. This is a required property. |
FormField data model
FormElement represents a FormField of types TEXT, PASSWORD, RADIO, CHECKBOX, and DROPDOWN. FormItem represents a FormField of types DIVIDER, PARAGRAPH, EMPTY_FIELD, and ERROR_DISPLAY. FormElementPasswordVerify represents a FormField of type PASSWORD_VERIFY. FormSubmit represents a FormField of type SUBMIT_BUTTON. FormFlowLink represents a FormField of type FLOW_LINK. FormFlowButton represents a FormField of type FLOW_BUTTON. FormRecaptchaV2 represents a FormField of type RECAPTCHA_V2. FormQrCode represents a FormField of type QR_CODE.
Property | Description |
---|---|
position | An object containing field position information. This is a required property. |
position.col | An integer that specifies the column position of the field. This is a required property. |
position.row | An integer that specifies the row position of the field. This is a required property. |
position.width | An integer that specifies the width of the field. |
type | A string that specifies the type of the field. Options are TEXT, PASSWORD, PASSWORD_VERIFY, RADIO, CHECKBOX, DROPDOWN, DIVIDER, EMPTY_FIELD, TEXTBLOB, ERROR_DISPLAY, SUBMIT_BUTTON, FLOW_LINK, FLOW_BUTTON, RECAPTCHA_V2, and QR_CODE. This is a required property. |
FormElement data model
Property | Description |
---|---|
key |
A string that specifies the field unique key for the HTML name attribute. This is a required property. |
label |
A string that specifies the field label. This is a required property. |
layout |
A string that specifies layout attributes for radio button and checkbox fields. Options are HORIZONTAL or VERTICAL . This is a required property when the type is RADIO or CHECKBOX . |
options |
An array of strings that specifies the unique list of options. This is a required property when the type is RADIO , CHECKBOX , or DROPDOWN . |
required |
A boolean that specifies whether the field is required. This is a required property. |
validation |
An object containing validation data for the field. This is a required property when the type is TEXT . |
validation.regex |
A string that specifies a validation regular expression. The expression must be a valid regular expression string. This is a required property when the validation type is CUSTOM . |
validation.type |
A string that specifies the validation type. Options are NONE and CUSTOM . This is a required property when the field type is TEXT . |
validation.errorMessage |
A string that specifies the error message to be displayed when the field validation fails. |
FormElementPasswordVerify data model
The FormElementPasswordVerify object is an extension of FormElement and contains all of the same fields in FormElement as well as those listed below.
Property | Description |
---|---|
labelPasswordVerify |
A string that specifies the label of the password verification field. |
FormItem data model
Property | Description |
---|---|
content |
A string that specifies the field content (for example, HTML when the field type is TEXTBLOB). |
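The tables above state a number of conditional rules (layout is required only for RADIO and CHECKBOX, options only for RADIO, CHECKBOX and DROPDOWN, validation.regex only when validation.type is CUSTOM, and the regex must be valid). The following validator, added here as an example and not PingOne code, encodes those rules so a form definition can be checked before it is sent to the API. SAMPLE_FORM is a constructed input; the property names follow the tables on this page.

```python
# Added example, not PingOne code: a validator for a form definition that
# encodes the rules stated in the form data models above (which sub-model
# applies to each type, which properties are required, and when layout,
# options and validation are required). SAMPLE_FORM is constructed for this
# example; property names follow the tables on this page.
import re

ELEMENT_TYPES = {"TEXT", "PASSWORD", "RADIO", "CHECKBOX", "DROPDOWN"}
# FormItem types; TEXTBLOB is listed among the type options, so it is kept here.
ITEM_TYPES = {"DIVIDER", "PARAGRAPH", "EMPTY_FIELD", "ERROR_DISPLAY", "TEXTBLOB"}
OTHER_TYPES = {"PASSWORD_VERIFY", "SUBMIT_BUTTON", "FLOW_LINK", "FLOW_BUTTON",
               "RECAPTCHA_V2", "QR_CODE"}
ALL_TYPES = ELEMENT_TYPES | ITEM_TYPES | OTHER_TYPES


def validate_element(field, errors, where):
    """Checks for FormElement and FormElementPasswordVerify fields."""
    for prop in ("key", "label", "required"):
        if prop not in field:
            errors.append(f"{where}: missing required property {prop!r}")
    ftype = field["type"]
    if ftype in {"RADIO", "CHECKBOX"} and field.get("layout") not in {"HORIZONTAL", "VERTICAL"}:
        errors.append(f"{where}: layout must be HORIZONTAL or VERTICAL for {ftype}")
    if ftype in {"RADIO", "CHECKBOX", "DROPDOWN"}:
        options = field.get("options")
        if not options or len(set(options)) != len(options):
            errors.append(f"{where}: options must be a non-empty list of unique strings")
    if ftype == "TEXT":
        validation = field.get("validation")
        if not isinstance(validation, dict) or validation.get("type") not in {"NONE", "CUSTOM"}:
            errors.append(f"{where}: validation.type must be NONE or CUSTOM for TEXT")
        elif validation["type"] == "CUSTOM":
            regex = validation.get("regex")
            if not isinstance(regex, str):
                errors.append(f"{where}: validation.regex is required when validation.type is CUSTOM")
            else:
                try:
                    re.compile(regex)  # the page requires a valid regular expression string
                except re.error as exc:
                    errors.append(f"{where}: validation.regex is not a valid regular expression ({exc})")


def validate_form(form):
    """Return the list of violations for a form definition (empty when valid)."""
    errors = []
    for prop in ("name", "markOptional", "markRequired", "components"):
        if prop not in form:
            errors.append(f"form: missing required property {prop!r}")
    components = form.get("components") or {}
    if not (components.get("button") or {}).get("text"):
        errors.append("components.button.text is required")
    fields = components.get("fields")
    if not isinstance(fields, list):
        errors.append("components.fields must be a list")
        return errors
    seen_keys = set()
    for i, field in enumerate(fields):
        where = f"fields[{i}]"
        ftype = field.get("type")
        if ftype not in ALL_TYPES:
            errors.append(f"{where}: unknown type {ftype!r}")
            continue
        pos = field.get("position")
        if not isinstance(pos, dict) or not all(isinstance(pos.get(k), int) for k in ("col", "row")):
            errors.append(f"{where}: position.col and position.row are required integers")
        if ftype in ELEMENT_TYPES or ftype == "PASSWORD_VERIFY":
            validate_element(field, errors, where)
            key = field.get("key")
            if key is not None and key in seen_keys:
                errors.append(f"{where}: duplicate key {key!r}")
            seen_keys.add(key)
    return errors


SAMPLE_FORM = {  # constructed for this example
    "name": "registration",
    "markOptional": False,
    "markRequired": True,
    "components": {
        "button": {"text": "Register"},
        "fields": [
            {"type": "TEXT", "key": "user.email", "label": "Email", "required": True,
             "position": {"col": 0, "row": 0},
             "validation": {"type": "CUSTOM", "regex": r"^[^@\s]+@[^@\s]+$",
                            "errorMessage": "Enter a valid email address"}},
            {"type": "RADIO", "key": "user.plan", "label": "Plan", "required": True,
             "layout": "VERTICAL", "options": ["basic", "pro"],
             "position": {"col": 0, "row": 1}},
            {"type": "SUBMIT_BUTTON", "position": {"col": 0, "row": 2}},
        ],
    },
}
```

Running validate_form on SAMPLE_FORM returns an empty list; a TEXT field whose CUSTOM regex does not compile, or a RADIO field without a layout, produces one message per violated rule, which is more useful than the API's generic 400 response when debugging a form definition.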
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
READ Forms
READ One Form
CREATE Registration Form
CREATE Progressive Profiling Form
CREATE Self Service Form
CREATE Sign On Form
CREATE Identity Provider Sign On Form
CREATE Password Reset Form
CREATE Password Recovery User Lookup Form
CREATE Password Recovery Form
CREATE Custom Form
UPDATE Form
DELETE One Form
Forms: Recaptcha
The Recaptcha configuration API provides support for a Recaptcha V2 field in a form definition. It includes operations to read, update, and delete the environment's Recaptcha configuration.
Recaptcha V2 data model
Property | Description |
---|---|
created |
The time the configuration was created. |
environment.id |
A string that specifies the environment's unique identifier. |
modified |
The time the configuration was last updated. |
siteKey |
A string that specifies the public site key for the Recaptcha configuration provided by Google. This is a required property. |
secretKey |
A string that specifies the confidential secret key for the Recaptcha configuration provided by Google. This is a required property. |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
204 | No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
READ Recaptcha Configuration
UPDATE Recaptcha Configuration
DELETE Recaptcha Configuration
Configuration Management
The Configuration Management service gives you a secure and flexible approach to automating (promoting) configurations across multiple environments, enabling the seamless creation, updating, and deletion of resources while supporting dynamic configurations through variable management. Resource dependencies are maintained, ensuring smooth cross-environment transitions and promotions. Robust auditing and reporting enhance oversight and compliance.
To use the Configuration Management service you need to have the Environment Admin role for at least two environments. The general workflow is:
- Select configurations that you want to promote from one environment to another (generally, through development, testing, and production stages).
- If desired, use promotion variables to dynamically substitute different property values for a configuration resource included in a promotion operation.
- Execute the promotion plan returned by the Read One Promotion or Read All Promotions to move the configuration from the source environment to the target environment.
The Configuration Management service comprises these sub-services:
Resources requiring special handling
Certificates
Certificates are not a promotable resource in PingOne; however, resources that reference them require special handling. Certificate references can be promoted using either default certificates or promotion variables:
- Default certificates: When a configuration resource uses the default certificate as its signing key (a SAML application, for example), the resource can be promoted, and it will reference the default signing key existing in the target environment. Certificate rotation for the signing key can be done by setting a new default certificate in the target environment, and then promoting the configuration resource or resources using the default signing key in the source environment.
- Certificates as promotion variables: You can handle all certificate references other than default certificates using promotion variables. You'll need to create a promotion variable with the certificate ID in each environment. When the resource or resources referencing the certificate are promoted, the promotion operation uses the variable value to substitute the correct certificate in the target environment or environments. If other configuration resources use the certificate, they will also use the correct certificate when any of these configuration resources are promoted to the same target environment or environments.
Attributes
You can promote individual attributes in the schema. However if you're promoting an application that references a custom attribute, the promotion plan will include all attributes in the schema. In this case, you can then exclude the unnecessary attributes by editing the promotion plan prior to starting the promotion operation.
Snapshots
A snapshot is a point-in-time representation of any configuration resource in PingOne. A snapshot is triggered when the request POST {{apiPath}}/environments/{{envID}}/snapshots is called. The configuration resource, and optionally all of its dependencies, are then stored by the Snapshot service. The snapshots are stored and indexed using the original identifier (UUID) of the configuration resource. For example, an application's snapshot is stored using the UUID of the application. Each subsequent call to POST {{apiPath}}/environments/{{envID}}/snapshots for the same configuration resource generates a new version of that resource. You can retrieve the version history of any configuration resource using the original UUID of the resource. You'll use the snapshot created for a configuration resource to promote (apply) the configuration resource from the source environment to another environment.
Snapshots data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
baseResourceURL |
String | Required | Mutable | The URL of the resource to use. The form is: "https://api.pingone.com/v1/environments/{{envId}}/{{resourceName}}/{{resourceId}}", where "resourceName" is the name of the configuration resource to snapshot. |
createdAt |
Date | N/A | Read-only | The date and time at which the resource was created (ISO 8601 format). |
completedAt |
Date | N/A | Read-only | The date and time at which the snapshot creation was completed (ISO 8601 format). |
configuration |
Object | N/A | Read-only | The JSON representation of the configuration resource. If the configuration resource has been deleted, this will be empty (null). |
error |
String | N/A | Read-only | If an error occurs while creating the snapshot, it's returned here. |
id |
String | Required | Immutable | The UUID of the configuration resource. |
resourceId |
String | Optional | Mutable | The UUID of the configuration resource. |
resourceUrl |
String | Optional | Mutable | The URL of the configuration resource. |
referencedResources |
String[] | Optional | Mutable | The list of UUIDs for any dependent or referenced configuration resources. The dependent or referenced resources can be only one level down in the possible tree of such resources. |
snapshotId |
String | N/A | Read-only | The UUID of the snapshot. |
startedAt |
Date | N/A | Read-only | The date and time at which the snapshot creation was started (ISO 8601 format). |
status |
String | N/A | Read-only | The status of the snapshot creation process. This can be any one of: COMPLETE, WAITING, IN_PROGRESS, ERROR. |
updatedAt |
Date | N/A | Read-only | The date and time at which the resource was last updated (ISO 8601 format). |
versionedAt |
Date | N/A | Read-only | The date and time of the updatedAt property on the original resource. For deleted events, this will be the date and time the event was published. |
Create Snapshot
Read Latest Snapshot
Read One Snapshot Version
Read All Snapshot Versions
Promotions
A promotion includes, at a minimum, source and target environment references, automatically generated source and target snapshots, the resource or resources to promote to the target environment, and a promotion plan for the promotion operation. You need to have the Environment Admin role for both the source and target environments. You can optionally include a specific source environment snapshot to use, as well as a mapping of the source environment configuration resource or resources to the target environment configuration resource or resources.
A PingOne admin having Environment Admin permissions can review the promotion plan, and update the promotion mapping and variable definitions or declarations as needed. The promotion plan is then regenerated based on the updates. Use the Read One Promotion or Read All Promotions to view the promotion plan.
If you do not set any promotion variables, the configuration resource or resources that you specify for the source or target environment will be used as is, and cannot be changed during the promotion operation. See Promotion Variables for more information.
When you choose to start the promotion operation, the promotion plan supplies the promotion operation instructions to the Promotions service. The Promotions service then:
- Filters out any configuration resources that haven't changed, and calls the required target environment API using the new or altered resources.
- Sets the promotion's startedAt and status values.
- Collects any errors into a JSON array, and returns the errors.
- Updates the promotion's completedAt and status values when the promotion operation is complete.
Promotions data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
createdAt |
Date | N/A | Read-only | The date and time the promotion was created. |
completedAt |
Date | N/A | Read-only | The date and time the promotion operation completed. |
description |
String | Optional | Mutable | A description of the promotion to be performed. |
errors |
Object[] | N/A | Read-only | An array of JSON objects correlating the configuration resource IDs in the source environment to the error messages from the target environment. |
excludedResources |
Object[]* | Optional | Mutable | An array of JSON objects. *Optionally, this can be an array of strings. Contains the resource IDs, and resource URLs for the configuration resources to be excluded from promotion. |
mapping |
Map | Optional | Mutable | A mapping of the configuration resource IDs in the source environment to the configuration resource IDs in the target environment. |
promotionPlan |
Object[] | N/A | Read-only | An array of JSON objects containing the promotion plan generated. The promotion plan is generated by the POST operation, but is returned only by either of the GET operations. For a DELETE operation, the payload property in the response will be empty. |
promotionPlan.steps |
Object[] | N/A | Read-only | An array of JSON objects identifying the resource or resources, the configuration of the resource or resources, and the target environment or environments. |
promotionPlan.totalDistance |
Integer | N/A | Read-only | (Internal use only.) A comparison metric the Configuration Management service uses to determine whether there is a comparable resource in the target environment to replace. |
selectedResources |
Object[]* | Optional | Mutable | An array of JSON objects. *Optionally, this can be an array of strings. Contains the resource IDs, and resource URLs for the configuration resources selected for promotion. If this is omitted, the entire current environment is used (the environment ID is injected.) |
sourceEnvironment |
String | Optional | Immutable | A JSON object containing the UUID of the source environment. If not specified, the current source environment for the actor is used. |
sourceSnapshotId |
String | Optional | Mutable | The UUID of the snapshot to use as the promotion source. |
startedAt |
Date | N/A | Read-only | The date and time the promotion operation started. |
status |
String | N/A | Read-only | An enumeration indicating the status of the promotion. This can be: NEW, PREPARING, READY, IN_PROGRESS, COMPLETED, VALIDATION_FAILED, or ERROR. |
targetEnvironment |
Object | Required | Immutable | A JSON object containing the UUID of the target environment. |
targetSnapshotId |
String | Optional | Mutable | The UUID of the snapshot to use as the promotion target. |
Excluded Resources
Currently, not all resources, services, or products can be used in a promotion operation.
Excluded products or services
- PingOne DaVinci
- PingOne Authorize
- PingOne Protect
Excluded resources
- Active Identity Counts
- Activities
- Adaptive Trust Policies
- Admin Config
- API Servers
- Application Entitlements
- Application Permissions
- Application Resources
- Application Roles
- Applications Role Assignments
- Applications Secret
- Application Signons
- Application Signons Statistics
- Authorization Attributes
- Authorization Changes
- Authorization Conditions
- Authorization Connector Templates
- Authorization Policies
- Authorization Processors
- Authorization Rules
- Authorization Services
- Authorization Statements
- Branding
- Branding Settings
- Certificates
- Connector Instances
- Connectors
- Credential Counts
- Credential Issuer Profile
- Credential Types
- Custom Domains
- Dashboards
- Data Exploration Batches
- Data Explorations
- Data Exploration Templates
- Davinci Applications
- Decision Endpoints
- Delegated Admins
- Device Authentications
- Digital Wallet Applications
- External Services
- Fido Devices Metadata
- Flow Definitions
- Flow Metadata
- Flow Policies
- Flows
- Forms
- Fraud Evaluations
- Fraud Events Details
- Fraud Feedbacks
- Fraud Sessions
- Identity Cloud
- Identity Cloud Orchestrations
- Images
- Integrations
- Languages
- Legacy
- Locales
- Metrics
- Migrate
- Notification Callback
- Notification Callback AWS email
- Notification Callback Syniverse
- Notification Callback Twilio
- Notification Callback Whatsapp
- Notifications
- Notifications Quota
- OAuth Jobs
- OAuth Tokens
- Password Storage Scheme Config
- Pingid
- Pingid Mobile App Versions
- Pingid Mobile Display Names
- Pingid Mobile Os Versions
- Portal
- Presentation Sessions
- Promotions
- Promotion Variable Declarations
- Propagation
- Propagation Mappings
- Propagation Plans
- Propagation Provisioning Syncs
- Propagation Revisions ID
- Propagation Revisions ID Latest
- Propagation Rules
- Propagation Store Metadata
- Propagation Stores
- QS Dashboards
- Rate Limit IP Configs
- Recaptcha V2 Config
- Resources Secret
- Risk Evaluations
- Risk Feedback
- Risk Policy Sets
- Risk Predictors
- Roles
- Seen Devices
- Sessions
- Snapshots
- Solutions
- Subscriptions
- Tiles
- Total Identities
- Translations
- Users
- Variables
- Voice Phrases
- Licenses
- Licenses Expires At
- Licenses Metrics Active Identity Counts
- Licenses Name
- Organization Quota
- Ping Enterprise Orchestrations
- Ping Enterprise Orchestrations Callback
Create Promotion
Start Promotion
Read All Promotions
Read One Promotion
Read Promotion Status
Update Promotion
Delete Promotion
Promotion Variables
Use promotion variables to account for environment-specific differences, such as third-party integrations or URLs. You can specify configuration resource property values for either the source or target environment to be substituted for existing property values by the promotion operation. Only the promotion variables you set can change property values for use by the promotion operation. If you do not set any promotion variables, the configuration resource or resources that you specify for the source or target environment will be used as is, and cannot be changed during the promotion operation.
To use promotion variables, you need to:
- Specify the configuration resource to be promoted in a snapshot.
- Define the variable or variables to be used for a source or target environment configuration resource property. See Variable Definitions.
- Declare the variables to be used by the promotion operation. See Variable Declarations.
A few things to be aware of:
- The variables are scoped only to the specified configuration resources, and are not applied to any dependent resources.
- Variables are not versioned with a snapshot, so for each promotion operation, you need to ensure the variable settings for a configuration resource are correct.
- Any configuration resources that you change directly without updating the variables will be overwritten by a subsequent promotion operation. This is because the promotion operation will use the existing variable set.
Configuration Resource Properties
Not all configuration resources or properties can be used as promotion variables. Here's the listing of configuration resources, and the associated properties that are supported as promotion variables:
Resource | Properties |
---|---|
Applications | acsUrls, corsSettings, defaultTargetUrl, devicePathId, homePageUrl, idpSigning.key.id, initiateLoginUri, jwks, jwksUrl, kerberos.key.id, mobile.bundleId, mobile.huaweiAppId, mobile.huaweiPackageName, mobile.integrityDetection.googlePlay.serviceAccountCredentials, mobile.packageName, mobile.uriPrefix, postLogoutRedirectUris, redirectUris, sloEndpoint, sloResponseEndpoint, spEncryption.certificate.id, spEntityId, spVerification.cert.id, targetLinkUri |
Authentication | relyingPartyId |
Branding | companyName, logo.href |
Custom Domain | domainName |
Email Domains | domainName |
Gateways | bindDN, bindPassword, kerberos.serviceAccountPassword, kerberos.serviceAccountUserPrincipalName, radiusClients.ip |
Identity Providers | authorizationEndpoint, clientEnvironment, clientId, clientSecret, discoveryEndpoint, idpEntityId, issuer, jwksEndpoint, keyId, sloEndpoint, spSigning.key.id, ssoEndpoint, teamId, tokenEndpoint, userInfoEndpoint |
Notification Templates | body, content, replyTo.address, replyTo.name |
Notifications Phone Delivery Settings | authToken, authentication.username, sid |
Notifications | key, type |
Provisioning | configuration.Administrator_Password, configuration.Administrator_Username, configuration.BASE_URL, configuration.BASIC_AUTH_PASSWORD, configuration.BASIC_AUTH_USER, configuration.CLIENT_ID, configuration.CLIENT_SECRET, configuration.ClientId, configuration.ClientSecret, configuration.GROUPS_RESOURCE, configuration.OAUTH_ACCESS_TOKEN, configuration.OAUTH_CLIENT_ID, configuration.OAUTH_CLIENT_SECRET, configuration.OAUTH_REFRESH_TOKEN, configuration.SALESFORCE_DOMAIN, configuration.SCIM_URL, configuration.ServiceNow_Url, configuration.TenantDomain, configuration.USERS_RESOURCE, configuration.password, configuration.tenantId, configuration.username |
Trusted Email Addresses | emailAddress |
Variable Definitions
When promoting a configuration, you need to define any variables you intend to use to substitute for existing property values. Once defined, you'll need to then declare a variable. See Variable Declarations for details.
Variable definitions data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
createdAt |
Date | N/A | Read-only | The date and time at which the resource was created (ISO 8601 format). |
name |
String | Required | Mutable | The name to use for the variable. This name must be unique in the environment. |
updatedAt |
Date | N/A | Read-only | The date and time at which the resource was last updated (ISO 8601 format). |
value |
Object | Required | Mutable | A JSON object containing the value to assign to the variable. Currently, the object type can be: String, List, or Integer. |
Create Variable Definition
Read All Variable Definitions
Read One Variable Definition
Update Variable Definition
Delete Variable Definition
Variable Declarations
Before you can declare a variable (POST {{apiPath}}/environments/{{envID}}/promotionVariableDeclarations), you need to define the variable that you intend to use. See Variable Definitions for details.
Variable declarations data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
createdAt |
Date | N/A | Read-only | The date and time at which the resource was created (ISO 8601 format). |
resourceId |
String | Required | Mutable | The UUID of the configuration resource. |
updatedAt |
Date | N/A | Read-only | The date and time at which the resource was last updated (ISO 8601 format). |
variables |
Map | Required | Mutable | A mapping of configuration resource properties to the name values of defined variables. For example, for an applications resource, you might map the refreshTokenDuration property to a variable definition having a name value of refreshTokenDurationVar . |
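The Promotion Variables, Variable Definitions and Variable Declarations sections, together with the certificates-as-promotion-variables note above, describe one mechanism: a declaration maps a resource property to the name of a definition, each environment holds its own definition values, and the promotion substitutes the target environment's values into the declared resource only. The following model of that substitution is an added example and not PingOne's implementation; SUPPORTED_PROPERTIES is a short subset of the Configuration Resource Properties table, and every ID and URL in it is a constructed placeholder.

```python
# Added example, not PingOne's implementation: a model of how promotion
# variables substitute property values, following the rules stated above.
# A declaration maps a resource property to the name of a variable
# definition; substitution applies only to the declared resource (not to
# its dependents); only properties listed for that resource type may be
# declared. SUPPORTED_PROPERTIES is a subset of the Configuration Resource
# Properties table, and every sample value below is constructed.
import copy

SUPPORTED_PROPERTIES = {
    "applications": {"redirectUris", "homePageUrl", "idpSigning.key.id",
                     "spEncryption.certificate.id"},
    "identityProviders": {"clientId", "clientSecret", "issuer"},
}


class PromotionVariableError(ValueError):
    """Raised when a declaration cannot be applied to a configuration."""


def _set_path(obj, dotted, value):
    """Assign value at a dotted path such as 'idpSigning.key.id'."""
    parts = dotted.split(".")
    node = obj
    for part in parts[:-1]:
        if not isinstance(node.get(part), dict):
            raise PromotionVariableError(f"property path {dotted!r} not present on resource")
        node = node[part]
    if parts[-1] not in node:
        raise PromotionVariableError(f"property path {dotted!r} not present on resource")
    node[parts[-1]] = value


def apply_declaration(resource_type, configuration, declaration, definitions):
    """Return a copy of configuration with each declared property replaced.

    declaration: {"resourceId": <UUID>, "variables": {property: variableName}}
    definitions: {variableName: value}, the definitions of the target environment
    """
    allowed = SUPPORTED_PROPERTIES.get(resource_type)
    if allowed is None:
        raise PromotionVariableError(f"{resource_type!r} does not support promotion variables")
    if declaration["resourceId"] != configuration["id"]:
        # Variables are scoped to the declared resource only.
        raise PromotionVariableError("declaration is scoped to a different resource")
    result = copy.deepcopy(configuration)
    for prop, var_name in declaration["variables"].items():
        if prop not in allowed:
            raise PromotionVariableError(f"{prop!r} is not a promotable property of {resource_type}")
        if var_name not in definitions:
            raise PromotionVariableError(f"variable {var_name!r} is declared but not defined")
        _set_path(result, prop, definitions[var_name])
    return result


# Constructed source-environment application (IDs are placeholders).
SOURCE_APP = {
    "id": "app-PLACEHOLDER-0001",
    "name": "Customer portal",
    "redirectUris": ["https://dev.example.com/cb"],
    "idpSigning": {"key": {"id": "cert-dev-PLACEHOLDER"}},
}

# One declaration, reused for every promotion of this resource ...
DECLARATION = {
    "resourceId": "app-PLACEHOLDER-0001",
    "variables": {"redirectUris": "redirectUrisVar", "idpSigning.key.id": "signingCertVar"},
}

# ... and a definition set per environment, each created in that environment.
PROD_DEFINITIONS = {
    "redirectUrisVar": ["https://www.example.com/cb"],
    "signingCertVar": "cert-prod-PLACEHOLDER",
}

if __name__ == "__main__":
    promoted = apply_declaration("applications", SOURCE_APP, DECLARATION, PROD_DEFINITIONS)
    print(promoted["redirectUris"], promoted["idpSigning"]["key"]["id"])
```

The model makes the two cautions above concrete: because the declaration is keyed by resourceId, it does nothing for dependent resources, and because the definitions are looked up at promotion time rather than captured in the snapshot, a value edited directly in the target environment is overwritten by whatever the definition holds when the next promotion runs.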
Create Variable Declaration
Read Variable Declarations
Update Variable Declaration
Delete Variable Declaration
DaVinci Admin APIs
The PingOne DaVinci Admin APIs provide access to DaVinci operations through the PingOne API resource server. These services are called using the api.pingone.com domain (or api.pingone.ca, api.pingone.eu, api.pingone.asia, and api.pingone.com.au for other geographic regions) to manage DaVinci workflow configuration.
At this time, the following services are supported on the PingOne API resource server:
- Endpoints for managing DaVinci variables and their context.
- Endpoints for creating and managing DaVinci flows.
- Endpoints for managing DaVinci flow versions.
- DaVinci Admin Flow Interactions: Endpoints for managing DaVinci flow interactions.
- DaVinci Admin Connector Instances: Endpoints for managing DaVinci connector instances, which provide access to DaVinci connector capabilities.
- Endpoints for managing DaVinci applications.
- DaVinci Admin Application Flow Policies: Endpoints for managing DaVinci application flow policies.
- Endpoints for managing DaVinci connectors.
- Endpoints for managing DaVinci UI templates.
DaVinci Admin Variables
PingOne DaVinci Admin Variables service provides endpoints to create, read, update, and delete DaVinci variables. Variables are values that can be read and modified during a flow. Every variable has a context, which determines how widely its value is shared.
The options for the variable's context types are:
- flow: The variable is tied to a specific flow and has a single, persistent value until that value is changed.
- flowInstance: The variable can be used in multiple flows.
  - If the variable's value is set within a flow, the variable instance in that flow gets the value set by the flow's execution.
  - If the variable's value is not set within a flow, the variable instance in that flow inherits the value.
- user: The variable has a separate value for each user. If you use a variable with this context in a flow, the user must be identified.
- company: The variable has a single value for the company. This value is used in all flows and for all users.
DaVinci Admin variable data model properties
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
createdAt |
Date | N/A | Read only | The time when the variable was created. |
context |
String | Required | Immutable | The context or type of the variable. Options are flow , flowInstance , user , or company . |
dataType |
String | Required | Mutable | Data type of the variable. Can be STRING , BOOLEAN , NUMBER , or OBJECT . |
displayName |
String | Optional | Mutable | A human-readable variable name set in the request. |
environment |
Object | N/A | Read only | The DaVinci company ID (environment ID) object. |
environment.id |
String | N/A | Read only | The DaVinci company ID, which is the PingOne environment ID. |
flowId |
String | Optional | Immutable | The flow ID of the DaVinci flow associated with the variable. |
id |
String | N/A | Read only | The variable ID. |
max |
Integer | Optional | Mutable | The maximum value of the variable. |
min |
Integer | Optional | Mutable | The minimum value of the variable. |
mutable |
Boolean | Optional | Mutable | Specifies whether the variable is mutable, which allows nodes within a flow to change the value of the variable. If the value property is null, this property is required. |
name |
String | Required | Mutable | The variable name. |
updatedAt |
Date | N/A | Read only | The time when the variable was modified. |
value |
String/Number/Boolean/Object | Optional | Mutable | An internally stored value that is part of a HashMap/Object. If the mutable property is set to false , this property is required. If mutable is not set on the request, it defaults to true . |
Limiting and filtering data
The following SCIM filter operators are supported; each applies to the attribute types noted:
- eq (equals): Supports attributes of type STRING and BOOLEAN.
- sw (starts with): Supports attributes of type STRING.
- ew (ends with): Supports attributes of type STRING.
- co (contains): Supports attributes of type STRING.
- and (logical AND): Logical AND for building compound expressions in which both expressions are true.
- or (logical OR): Logical OR for building compound expressions if either expression is true.
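The operator list above is the whole grammar the service accepts for filtering variables, including which operators are legal on BOOLEAN attributes. The parser and evaluator below are an added example, not DaVinci code: they accept exactly those operators, reject a string operator applied to a BOOLEAN attribute, and give and higher precedence than or as SCIM does. The page does not name the filterable attributes, so FILTERABLE is an assumption drawn from the variable data model, and SAMPLE_VARIABLES is a constructed record set.

```python
# Added example, not DaVinci code: a parser and evaluator for the SCIM filter
# operators listed above (eq, sw, ew, co, and, or) with the stated type rules
# (eq: STRING and BOOLEAN attributes; sw/ew/co: STRING only). The page does not
# list which attributes are filterable, so FILTERABLE is an assumption drawn
# from the variable data model; SAMPLE_VARIABLES is constructed.
import re

FILTERABLE = {"name": "STRING", "displayName": "STRING", "context": "STRING",
              "dataType": "STRING", "mutable": "BOOLEAN"}
STRING_ONLY = {"sw", "ew", "co"}
_TOKEN = re.compile(r'\s*(?:"((?:[^"\\]|\\.)*)"|(\S+))')


class FilterError(ValueError):
    """Raised for malformed filters or operator/type mismatches."""


def tokenize(text):
    """Return (is_quoted, value) tokens; quoted strings keep their content."""
    tokens, pos = [], 0
    while (m := _TOKEN.match(text, pos)):
        pos = m.end()
        if m.group(1) is not None:
            tokens.append((True, m.group(1).replace('\\"', '"')))
        else:
            tokens.append((False, m.group(2)))
    return tokens


def parse(text):
    """Parse into ('cmp', attr, op, value) and ('and'|'or', left, right) nodes."""
    tokens, pos = tokenize(text), 0

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise FilterError("unexpected end of filter")
        pos += 1
        return tokens[pos - 1]

    def at_keyword(word):
        return pos < len(tokens) and not tokens[pos][0] and tokens[pos][1].lower() == word

    def comparison():
        attr, op = take()[1], take()[1].lower()
        if attr not in FILTERABLE:
            raise FilterError(f"attribute {attr!r} is not filterable")
        attr_type = FILTERABLE[attr]
        if op != "eq" and op not in STRING_ONLY:
            raise FilterError(f"unsupported operator {op!r}")
        if op in STRING_ONLY and attr_type != "STRING":
            raise FilterError(f"{op} supports STRING attributes only; {attr} is {attr_type}")
        quoted, raw = take()
        if attr_type == "BOOLEAN":
            if quoted or raw.lower() not in {"true", "false"}:
                raise FilterError(f"{attr} requires an unquoted true or false")
            return ("cmp", attr, op, raw.lower() == "true")
        if not quoted:
            raise FilterError(f"{attr} requires a quoted string value")
        return ("cmp", attr, op, raw)

    def and_expr():  # 'and' binds tighter than 'or'
        node = comparison()
        while at_keyword("and"):
            take()
            node = ("and", node, comparison())
        return node

    node = and_expr()
    while at_keyword("or"):
        take()
        node = ("or", node, and_expr())
    if pos != len(tokens):
        raise FilterError(f"unexpected token {tokens[pos][1]!r}")
    return node


def matches(node, record):
    """Evaluate a parsed filter against one variable record."""
    if node[0] in ("and", "or"):
        left, right = matches(node[1], record), matches(node[2], record)
        return (left and right) if node[0] == "and" else (left or right)
    _, attr, op, value = node
    actual = record.get(attr)
    if actual is None:
        return False
    if op == "eq":
        return actual == value
    return {"sw": actual.startswith, "ew": actual.endswith, "co": actual.__contains__}[op](value)


def filter_variables(filter_text, records):
    """Return the records that satisfy the filter, in their original order."""
    node = parse(filter_text)
    return [r for r in records if matches(node, r)]


SAMPLE_VARIABLES = [  # constructed records in the shape of the data model above
    {"id": "var-1", "name": "sessionTimeout", "context": "company", "dataType": "NUMBER", "mutable": True},
    {"id": "var-2", "name": "sessionToken", "context": "user", "dataType": "STRING", "mutable": True},
    {"id": "var-3", "name": "companyName", "context": "company", "dataType": "STRING", "mutable": False},
]
```

Rejecting unknown attributes and operators up front, rather than letting them fall through to a default, is the behaviour to expect from the service as well: a filter such as mutable sw "t" is a type error under the rules above, not an empty result.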
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
Create DaVinci Variable
Read All DaVinci Variables
Read One DaVinci Variable
Update DaVinci Variable
Delete DaVinci Variable
DaVinci Admin Connectors
PingOne DaVinci Admin Connector service provides endpoints to read DaVinci connector resources. Connectors give DaVinci the ability to integrate third party technologies, HTML pages, and other tools to create a sign-on flow. They define the capabilities that you can use as nodes in a flow. For example, an HTTP connector provides the capability to present an HTML form to collect and submit user information or make REST API calls.
DaVinci admin connector data model properties
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
description |
String | Optional | Mutable | The connector description. |
environment |
Object | N/A | Read only | The DaVinci company ID (environment ID) object. |
environment.id |
String | N/A | Read only | The DaVinci company ID, which is the PingOne environment ID. |
id |
String | N/A | Read only | The connector ID (for example, httpConnector ). |
metadata |
Object | N/A | Read only | Represents the metadata information about the connector, such as type, color, and logo. |
metadata.type |
String | N/A | Read only | The type of connector. Options are core , ping , or service . |
metadata.vendor |
String | N/A | Read only | The ID of a vendor (for example, microsoft or amazon ). |
metadata.colors |
Object | N/A | Read only | An object that specifies the colors on the canvas. |
metadata.colors.canvas |
String | N/A | Read only | A hexadecimal representation of the canvas color. |
metadata.colors.canvasText |
String | N/A | Read only | A hexadecimal representation of the canvas text color. |
metadata.colors.dark |
String | N/A | Read only | A hexadecimal representation of the shade of darkness. |
metadata.logos |
String | N/A | Read only | The image name of the connector logo file. |
metadata.logos.canvas |
Object | N/A | Read only | An object that specifies the canvas. |
metadata.logos.imageFileName |
String | N/A | Read only | The name of the connector logo image. |
name |
String | Required | Mutable | The connector name (for example, HTTP ). |
version |
String | N/A | Read only | The version number of the connector. |
DaVinci admin connectors details data model properties
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
accountConfigView |
Object[] | Optional | Mutable | Represents the account configuration of the connector. For details, see Core connectors. |
accountConfigView.componentViewSize |
String | Optional | Mutable | The size of the configuration window. |
accountConfigView.items |
Array | Optional | Mutable | An array of configurable properties. |
accountConfigView.items.propertyName |
String | Optional | Mutable | The name of the configurable property. |
accountConfigView.items.items |
Array | Optional | Mutable | An array of sub-property names under the top level property. |
accountConfigView.items.items.propertyName |
Array | Optional | Mutable | The name of the sub-property under the top level property. |
capabilities |
Object[] | Optional | Mutable | A list of all connector capabilities and their input properties. For more information, see Core connectors. |
createdAt |
Date | N/A | Read only | The time when the connector was created. |
credentialsView |
Object | Optional | Mutable | Represents the credentials view of the connector: the fields that will be part of the connector configuration specific to credentials. |
credentialsView.items |
Array | Optional | Mutable | An array of configurable properties. |
credentialsView.items.propertyName |
String | Optional | Mutable | The name of the property. |
flowSections |
Object[] | Optional | Mutable | Represents the flow section to which the connector can be categorized. |
flowSections.name |
String | Optional | Mutable | The name of the section being shown. |
flowSections.value |
String | Optional | Mutable | A pointer to the flow section name referenced by other sections in the manifest. |
properties |
Object | Optional | Mutable | A list of properties that will be used by the capabilities. For more information, see Core connectors. |
sections |
Object[] | Optional | Mutable | An array of sections shown in Connector Configuration. For more information, see Core connectors. |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
Read All DaVinci Connectors
Read One DaVinci Connector
Read DaVinci Connector Details
DaVinci Admin Connector Instances
The PingOne DaVinci Admin Connector Instances service provides endpoints to create, read, update, and delete DaVinci connector instances. A DaVinci connector instance is one configured instance of a DaVinci connector (the connection configuration specifies the connector by name). You can then use the capabilities provided by the connector inside a flow, and launch the flow through an application.
This service also includes an action to clone connector instance resources.
DaVinci admin connector instances data model properties
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
connector | Object | Required | Immutable | The connector object. |
connector.id | String | Required | Immutable | The connector object name (for example, httpConnector). |
createdAt | Date | N/A | Read only | The time when the connection was created. |
environment | Object | N/A | Read only | The DaVinci company ID (environment ID) object. |
environment.id | String | N/A | Read only | The DaVinci company ID, which is the PingOne environment ID. |
id | String | N/A | Read only | The connector instance resource ID. |
name | String | Required | Mutable | The connector instance name. |
properties | Object | Optional | Mutable | The configuration of the connector object. This field is not applicable to all connectors and is omitted in the output if empty or null. If the specified connector requires configuration, see the Connector configuration section of the connector documentation for the connector specified in connector.id. |
updatedAt | Date | N/A | Read only | The time when the connector instance was updated. |
DaVinci admin connector enrichment data model properties
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
connectorInstance | Object | N/A | Read only | The connector instance object. |
connectorInstance.id | String | N/A | Read only | The connector instance ID for the enrichment call. |
environment | Object | N/A | Read only | The DaVinci company ID (environment ID) object. |
environment.id | String | N/A | Read only | The DaVinci company ID, which is the PingOne environment ID. |
id | String | N/A | Read only | The user ID. |
capabilityName | String | N/A | Read only | The name of the capability for which the enrichment call was made. |
output | Object | N/A | Read only | The enrichment output data object. |
output.data | String | N/A | Read only | The data object. |
output.data.type | String | N/A | Read only | The type of capability. Options are action and trigger. |
output.data.title | String | N/A | Read only | The title of the capability. |
output.data.subtitle | String | N/A | Read only | The subtitle of the capability. |
output.data.respondToUser | Boolean | N/A | Read only | Specifies whether the capability returns a response to the client. |
output.data.capabilityType | String[] | N/A | Read only | A capability type array of strings. |
output.data.inputs | String[] | N/A | Read only | An array of inputs. |
output.data.enrich | Boolean | N/A | Read only | Specifies whether enrichment is enabled. |
output.data.localizedErrors | Object | N/A | Read only | An object that specifies localized error messages. |
output.data.localizedErrors.en | Object | N/A | Read only | An object that specifies localized error message keys. |
output.data.localizedErrors.en.errorKey | String[] | N/A | Read only | The mapping of the error key to a message. |
output.data.flowConfigView | Object | N/A | Read only | An object that specifies the flow configuration view. |
output.data.flowConfigView.items | Array | N/A | Read only | An array of strings that specifies the flow configuration properties. |
output.data.flowConfigView.items.propertyName | String | N/A | Read only | The flow configuration property name. |
output.data.flowConfigView.items.fields | Object | N/A | Read only | The flow configuration fields object. |
output.data.flowConfigView.items.fields.value | Any | N/A | Read only | A value to override the property. |
output.data.flowConfigView.items.fields.options | Array | N/A | Read only | The list of options if the property is a drop-down menu. |
output.data.flowConfigView.items.fields.options.name | String | N/A | Read only | The name of the drop-down option. |
output.data.flowConfigView.items.fields.options.value | String | N/A | Read only | The value of the drop-down option. |
output.userViews | Object | N/A | Read only | The user views object. |
output.userViews.screenTemplateName | String | N/A | Read only | The name of the screen template. |
output.userViews.items | Object | N/A | Read only | The items object. |
output.userViews.items.propertyName | String | N/A | Read only | The name of the property used for the screen template. |
output.userViews.payloadInputSchema | Object | N/A | Read only | The payload input schema object. |
output.userViews.payloadInputSchema.default | Object | N/A | Read only | The payload input schema default config object. |
output.userViews.payloadInputSchema.default.type | String | N/A | Read only | The type of properties. |
output.userViews.payloadInputSchema.default.properties | Object | N/A | Read only | The properties object. |
output.userViews.payloadInputSchema.default.properties.propertyName | Object | N/A | Read only | The property name. |
output.userViews.payloadInputSchema.default.properties.type | String | N/A | Read only | The data type for the property. |
output.userViews.payloadInputSchema.default.properties.minLength | Number | N/A | Read only | The minimum length of the property value. |
output.userViews.payloadInputSchema.default.properties.maxLength | Number | N/A | Read only | The maximum length of the property value. |
output.userViews.payloadInputSchema.default.properties.description | String | N/A | Read only | The description of the property value. |
output.userViews.payloadInputSchema.default.properties.pattern | String | N/A | Read only | The regular expression pattern to match the property value. |
output.userViews.localOutputSchema | Object | N/A | Read only | The local output schema. |
output.userViews.localOutputSchema.default | Object | N/A | Read only | The payload output schema default configuration. |
output.userViews.localOutputSchema.output | Object | N/A | Read only | The output schema for the capability. |
output.userViews.localOutputSchema.type | String | N/A | Read only | The data type of properties in the local output schema. |
output.userViews.localOutputSchema.example | Object | N/A | Read only | The key-value pair of the example in the local output schema. |
output.userViews.localOutputSchema.properties | Object | N/A | Read only | The JSON-schema-based properties that the capability returns in the output. |
output.userViews.localOutputSchema.properties.propertyName | Object | N/A | Read only | The name of the property. |
output.userViews.localOutputSchema.properties.propertyName.type | Object | N/A | Read only | The data type of the property. |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
Create DaVinci Connector Instance
Clone DaVinci Connector Instance
Connector Enrichment
Read All DaVinci Connector Instances
Read One DaVinci Connector Instance
Update DaVinci Connector Instance
Delete DaVinci Connector Instance
DaVinci Admin Flows
DaVinci flows are constructed, logical paths that specify the workflow for the user's authorization and authentication experiences.
Flows consist of one or more nodes joined together. Each node performs a specific task, using one of the capabilities of your connectors. After completing the task, the flow determines which task to perform next until the flow is complete.
The PingOne DaVinci Admin Flows service provides endpoints to create, read, update, and delete DaVinci flows. This service also includes endpoints to enable, deploy, import, and clone flows.
DaVinci admin flow data model properties
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
color | String | Optional | Mutable | The color of the flow. |
connectors | Array[object] | Optional | Mutable | An array of connectors that apply to the flow. An optional query parameter toggles whether the response returns only the connector names or the connection objects themselves as embedded objects. |
createdAt | Time | N/A | Read only | The timestamp when the flow was created. |
currentVersion | Integer | Optional | Immutable | The saved version of the flow. |
deployedAt | Time | N/A | Read only | The timestamp when the flow was last deployed. |
description | String | Optional | Mutable | The description of the flow. |
enabled | Boolean | Optional | Immutable | The state of the flow. This can be stored as its own value in the database or it can reflect an existing flowStatus. |
environment | Object | N/A | Read only | The DaVinci company ID (environment ID) object. |
environment.id | String | N/A | Read only | The DaVinci company ID, which is the PingOne environment ID. |
graphData | Object | Optional | Mutable | The graph-based representation of the flow depicted in the UI. |
id | String | N/A | Read only | The flow ID. |
inputSchema | Array[object] | Optional | Mutable | The flow input parameters in an array of JSONschema objects. If the trigger.type property is AUTHENTICATION, then the flow is a PingOne flow, and the input schema properties are listed in this table. If the trigger.type property is not AUTHENTICATION, then the flow is not a PingOne flow and the input schema properties are described in Input schema for non-PingOne flows data model properties. |
inputSchema.propertyName | String | Required | Mutable | An input schema property name. |
inputSchema.description | String | Optional | Mutable | The description for an input schema property. |
inputSchema.isExpanded | Boolean | Optional | Mutable | Specifies whether the input schema is expanded in the response. |
inputSchema.preferredDataType | String | Required | Mutable | The data type of the input schema property. Options are string, number, integer, boolean, array, and object. |
inputSchema.preferredControlType | String | Optional | Mutable | The control type of the input schema property. Options are textField. |
inputSchema.required | Boolean | Optional | Mutable | Specifies whether the input schema property is required for the flow. |
name | String | Required | Mutable | The name of the flow. |
outputSchema | Object | Required | Mutable | The JSONschema output object of the flow. |
outputSchema.output | Object | Required | Mutable | The output object of the output schema. |
outputSchema.output.type | String | Required | Mutable | The output type. |
outputSchema.output.additionalProperties | Boolean | Required | Mutable | Specifies whether the output has additional properties. |
outputSchema.output.properties | Object | Required | Mutable | A JSON object that specifies the output schema's properties. |
outputSchema.output.properties.{{propName}} | Object | Required | Mutable | An output schema property definition. |
outputSchema.output.properties.{{propName}}.type | Object | Required | Mutable | An output schema property's data type. |
publishedVersion | Integer | Optional | Immutable | The currently deployed version of the flow. |
settings | Object | Optional | Mutable | Flow settings saved by the user. See the Settings property data model table for details. |
trigger | Object | Optional | Mutable | The flow trigger object. |
trigger.type | String | Optional | Mutable | If the trigger type is set to AUTHENTICATION, you invoke the flow through PingOne OpenID Connect or SAML endpoints. The AUTHENTICATION trigger type overwrites the inputSchema values with the default authentication schema. |
trigger.configuration | Object | Optional | Mutable | The configuration object for session reuse. |
trigger.configuration.pwd | Object | Optional | Mutable | The configuration object for password session reuse. |
trigger.configuration.pwd.enabled | Boolean | Optional | Mutable | Specifies whether this configuration must be used to check for existing sessions. |
trigger.configuration.pwd.lastSignOn | Integer | Optional | Mutable | An integer that specifies the duration (in seconds) for which an active session can be reused. |
trigger.configuration.mfa | Object | Optional | Mutable | The configuration object for MFA session reuse. |
trigger.configuration.mfa.enabled | Boolean | Optional | Mutable | Specifies whether this configuration must be used to check for existing sessions. |
trigger.configuration.mfa.lastSignOn | Integer | Optional | Mutable | An integer that specifies the duration (in seconds) for which an active session can be reused. |
updatedAt | Date | N/A | Read only | The timestamp when the flow was updated or saved. |
Settings property data model
The following table lists the supported flow settings properties that can be used in the settings property.
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
csp | String | Optional | Mutable | Content Security Policy content to which a Content-Security-Policy meta tag will be added. If you use a custom JavaScript flow player, it is required. |
css | String | Optional | Mutable | The CSS styling rules to be applied to the flow version. |
cssLinks | Array | Optional | Mutable | A list of URL locations of CSS files to apply to the flow version. |
customErrorScreenBrandLogoUrl | String | Optional | Mutable | The URL of the logo to use for the error page, such as "https://example.com/logo.png". |
customErrorShowFooter | Boolean | Optional | Mutable | Show the footer in the error screen. |
customFaviconLink | String | Optional | Mutable | The URL of the favicon image to use for the page. This image is displayed in the title bar of the browser and in saved bookmarks. |
customLogoUrlSelection | String | Optional | Mutable | The URL location of the logo to show on error pages. |
customTitle | String | Optional | Mutable | The title of the page. This title is displayed in the title bar of the browser and used for the page title in search engine results. |
doNotSubstituteUnreplacedFields | Boolean | Optional | Mutable | By default, unreplaced parameterized fields will be substituted with an empty string. This parameter overrides that behavior if set to true. |
flowHttpTimeoutInSeconds | Number | Optional | Mutable | Timeout period for every node's execution time. A response must be returned by a node before this timeout. The default value is 15 seconds. If set to 0, the default timeout value is used. |
flowTimeoutInSeconds | Number | Optional | Mutable | The period after which a particular flow execution becomes inactive. The default value is 300 seconds. If set to 0, the default timeout value is used. |
intermediateLoadingScreenCss | String | Optional | Mutable | The CSS rules to use for the intermediate page. This setting applies only when the show intermediate page setting is enabled (useIntermediateLoadingScreen). |
intermediateLoadingScreenHtml | String | Optional | Mutable | The HTML content of the intermediate page. Applies only when the show intermediate page setting is enabled (useIntermediateLoadingScreen). |
jsLinks | Array | Optional | Mutable | The locations of JavaScript files to apply to the flow. |
logLevel | String | Optional | Mutable | The log level for flow analytics. Options are None, Info, or Debug. |
pingOneFlow | Boolean | Optional | Mutable | PingOne runs this flow for OIDC or SAML authentication. When a flow is invoked, PingOne sends input parameters to be made available for any node in the flow. |
requireAuthenticationToInitiate | Boolean | Optional | Mutable | Flow invocation via OpenID requires authentication. Use the /sdktoken endpoint to retrieve the accessToken value, which can be sent in the query parameter &accessToken=<accessToken>. |
scrubSensitiveInfo | Boolean | Optional | Mutable | Remove sensitive information from analytics. |
sensitiveInfoFields | Array | Optional | Mutable | These fields will be masked with ****** in Flow analytics. |
useCsp | Boolean | Optional | Mutable | Enable and add a content security policy if you are adding additional scripts. |
useCustomCss | Boolean | Optional | Mutable | When enabled, DaVinci uses the CSS rules in the custom CSS field. |
useCustomScript | Boolean | Optional | Mutable | When enabled, DaVinci uses the JavaScript files in the JavaScript files field. |
useIntermediateLoadingScreen | Boolean | Optional | Mutable | When enabled, DaVinci shows a custom user-facing page between each node in the flow. |
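As an added example (not PingOne's or DaVinci's own code), the following Python audits a flow's settings object against the properties above: it resolves the documented timeout defaults (0 means the default) and flags combinations that weaken the hosted flow page or leak data into analytics. The checks and the two sample settings objects are this example's own choices.

```python
"""Audit a DaVinci flow `settings` object for weak configuration.

Added example, not PingOne's or DaVinci's own code. The setting names are the
ones in the Settings property data model; the checks are this example's own.
"""
from typing import Any

# Documented defaults. A value of 0 (or an absent key) means "use the default".
DEFAULT_NODE_TIMEOUT_S = 15    # flowHttpTimeoutInSeconds
DEFAULT_FLOW_TIMEOUT_S = 300   # flowTimeoutInSeconds


def effective_timeouts(settings: dict) -> dict:
    """Resolve the two timeout settings exactly as the data model describes."""
    def resolve(value: Any, default: int) -> int:
        return default if value in (None, 0) else int(value)
    return {
        "flowHttpTimeoutInSeconds": resolve(settings.get("flowHttpTimeoutInSeconds"), DEFAULT_NODE_TIMEOUT_S),
        "flowTimeoutInSeconds": resolve(settings.get("flowTimeoutInSeconds"), DEFAULT_FLOW_TIMEOUT_S),
    }


def audit_flow_settings(settings: dict) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []

    # Custom JavaScript without a Content Security Policy: the docs say to
    # enable useCsp when adding scripts, and csp must then hold the policy.
    if settings.get("useCustomScript") and not settings.get("useCsp"):
        findings.append("useCustomScript is enabled but useCsp is disabled")
    if settings.get("useCsp") and not (settings.get("csp") or "").strip():
        findings.append("useCsp is enabled but csp is empty")

    # External script and stylesheet locations should be fetched over https.
    for key in ("jsLinks", "cssLinks"):
        for url in settings.get(key) or []:
            if not str(url).lower().startswith("https://"):
                findings.append(f"{key} entry is not https: {url}")

    # Debug analytics record what the nodes saw; without scrubbing, values
    # listed in sensitiveInfoFields are not masked with ******.
    scrub = bool(settings.get("scrubSensitiveInfo"))
    if settings.get("logLevel") == "Debug" and not scrub:
        findings.append("logLevel is Debug but scrubSensitiveInfo is disabled")
    if settings.get("sensitiveInfoFields") and not scrub:
        findings.append("sensitiveInfoFields is set but scrubSensitiveInfo is disabled")

    # Flows a site invokes directly should require the /sdktoken access token.
    if not settings.get("requireAuthenticationToInitiate"):
        findings.append("requireAuthenticationToInitiate is disabled")
    return findings


# Constructed samples: a weak configuration and its hardened counterpart.
WEAK_SETTINGS = {
    "useCustomScript": True,
    "useCsp": False,
    "jsLinks": ["http://cdn.example.com/player.js"],
    "logLevel": "Debug",
    "scrubSensitiveInfo": False,
    "sensitiveInfoFields": ["password"],
    "requireAuthenticationToInitiate": False,
    "flowHttpTimeoutInSeconds": 0,
    "flowTimeoutInSeconds": 0,
}

HARDENED_SETTINGS = {
    "useCustomScript": True,
    "useCsp": True,
    "csp": "default-src 'self'; script-src 'self' https://cdn.example.com",
    "jsLinks": ["https://cdn.example.com/player.js"],
    "logLevel": "Info",
    "scrubSensitiveInfo": True,
    "sensitiveInfoFields": ["password"],
    "requireAuthenticationToInitiate": True,
    "flowHttpTimeoutInSeconds": 10,
    "flowTimeoutInSeconds": 120,
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(label, effective_timeouts(cfg))
        for finding in audit_flow_settings(cfg) or ["no findings"]:
            print("  -", finding)
```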
Input schema for non-PingOne flows data model properties
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
inputSchema.propertyName | String | Required | Mutable | An input schema property name. |
inputSchema.description | String | Optional | Mutable | The description for an input schema property. |
inputSchema.isExpanded | Boolean | Optional | Mutable | Specifies whether the input schema is expanded in the response. |
inputSchema.preferredDataType | String | Required | Mutable | The data type of the input schema property. Options are string, number, integer, boolean, array, and object. |
inputSchema.preferredControlType | String | Optional | Mutable | The control type of the input schema property. Options are textField. |
inputSchema.required | Boolean | Optional | Mutable | Specifies whether the input schema property is required for the flow. |
Limiting and filtering data
You can limit the data returned on the Read DaVinci Flows and Read One DaVinci Flow requests with the attributes parameter. This parameter filters the response data returned by the request. The query accepts top-level DaVinci admin flow data model properties as a list of comma-separated values. The query returns only the specified property values; it removes all other properties from the response. For example, the following request uses the attributes query parameter:
/environments/{{envID}}/flows/{{davinciFlowID}}?attributes=name,description
The response returns the following flow data:
{
"_links": {...},
"id": "{{resourceID}}",
"name": "SomeFlow",
"description": "A brief description"
}
SCIM operators
The following SCIM operators are supported; each can be applied to attributes of the listed types:
- eq (equals): supports attributes of type STRING, DATE, NUMBER, and BOOLEAN.
- gt (greater than): supports attributes of type DATE and NUMBER.
- ge (greater than or equal to): supports attributes of type DATE and NUMBER.
- lt (less than): supports attributes of type DATE and NUMBER.
- le (less than or equal to): supports attributes of type DATE and NUMBER.
- sw (starts with): supports attributes of type STRING.
- ew (ends with): supports attributes of type STRING.
- co (contains): supports attributes of type STRING.
- within (within a specified date): supports attributes of type DATE.
- and (logical AND): builds compound expressions in which both expressions are true.
- or (logical OR): builds compound expressions in which either expression is true.
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
Create DaVinci Flow
Deploy a DaVinci Flow
Clone a DaVinci Flow
Import DaVinci Flow
Import DaVinci Legacy Flow
Read One DaVinci Flow
Read All DaVinci Flows
Enable a DaVinci Flow
Update DaVinci Flow
Delete DaVinci Flow
DaVinci Admin Flow Versions
The PingOne DaVinci Admin Flow Versions service provides endpoints to read, update, and delete DaVinci flow versions. This service also includes endpoints to export, revert, and see details about a flow version.
DaVinci admin flow versions data model properties
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
createdAt | Time | N/A | Read only | The timestamp when the flow was created. |
alias | String | Optional | Mutable | The user-defined flow version alias. |
clonedFrom | Number | Optional | Immutable | The version number from which this flow version was cloned or created. |
deployedAt | Time | N/A | Read only | The timestamp when the flow was last deployed. |
description | String | Optional | Mutable | The description of the flow. |
enabled | Boolean | Optional | Immutable | Specifies the state of the flow. This can be stored as its own value in the database or it can reflect an existing flowStatus. |
environment | Object | N/A | Read only | The DaVinci company ID (environment ID) object. |
environment.id | String | N/A | Read only | The DaVinci company ID, which is the PingOne environment ID. |
graphData | Object | Optional | Mutable | The graph-based representation of the flow depicted in the UI. |
flow | Object | Required | Immutable | The flow object associated with this flow version. |
flow.id | String | Required | Immutable | The flow ID of the flow associated with this flow version. |
flow.name | String | Required | Immutable | The name of the flow associated with this flow version. |
outputSchema | Object | Required | Mutable | The JSONschema output object of the flow. |
updatedAt | Date | N/A | Read only | The timestamp when the flow was updated or saved. |
version | Number | Required | Mutable | The version number of the flow instance represented by this object. |
Flow versions details property data model
The following table lists the supported flow versions details settings properties.
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
color | String | Optional | Mutable | The color of the flow. |
connectors | Array[object] | Optional | Mutable | An array of connectors that apply to the flow. |
connectors.id | String | Optional | Mutable | The connector ID associated with the flow. |
description | String | Optional | Mutable | The description of the flow. |
enabled | Boolean | Optional | Immutable | Specifies the state of the flow. |
graphData | Object | Optional | Mutable | The graph-based representation of the flow depicted in the UI. |
inputSchema | Array[object] | Optional | Mutable | The flow input parameters in an array of JSONschema objects. |
name | String | Required | Mutable | The name of the flow. |
outputSchema | Object | Required | Mutable | The JSONschema output object of the flow. |
settings | Object | Optional | Mutable | Flow settings saved by the user. See the Settings property data model table for details. |
trigger | Object | Optional | Mutable | The flow trigger object. |
trigger.type | String | Optional | Mutable | If the trigger type is set to AUTHENTICATION, you invoke the flow through PingOne OpenID Connect or SAML endpoints. |
trigger.configuration | Object | Optional | Mutable | The configuration object for session reuse. |
trigger.configuration.pwd | Object | Optional | Mutable | The configuration object for password session reuse. |
trigger.configuration.pwd.enabled | Boolean | Optional | Mutable | Specifies whether this configuration must be used to check for existing sessions. |
trigger.configuration.pwd.lastSignOn | Integer | Optional | Mutable | An integer that specifies the duration (in seconds) for which an active session can be reused. |
trigger.configuration.mfa | Object | Optional | Mutable | The configuration object for MFA session reuse. |
trigger.configuration.mfa.enabled | Boolean | Optional | Mutable | Specifies whether this configuration must be used to check for existing sessions. |
trigger.configuration.mfa.lastSignOn | Integer | Optional | Mutable | An integer that specifies the duration (in seconds) for which an active session can be reused. |
updates | Array | N/A | Read only | An array of strings describing the actions taken to generate this version from the previous version. |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
Read All DaVinci Flow Versions
Read One DaVinci Flow Version
Read DaVinci Flow Version Details
Revert DaVinci Flow Version
Export a DaVinci Flow Version
Add a DaVinci Flow Version Alias
Delete DaVinci Flow Version
DaVinci Admin Flow Interactions
The PingOne DaVinci Admin Flow Interactions service provides endpoints to read DaVinci flow interactions and flow interaction events.
Flow interactions data model properties
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
id | String | N/A | Read only | The flow interaction execution ID. |
environment | Object | N/A | Read only | The DaVinci company ID (environment ID) object. |
environment.id | String | N/A | Read only | The DaVinci company ID, which is the PingOne environment ID. |
events | Object | N/A | Read only | The list of events in this flow interaction. |
flow | Object | N/A | Read only | The flow object associated with this flow interaction. |
flow.id | String | N/A | Read only | The flow ID of the flow associated with this flow interaction. |
flow.name | String | N/A | Read only | The name of the flow associated with this flow interaction. |
flow.version | String | N/A | Read only | The version number of the flow associated with this flow interaction. |
logLevel | Number | N/A | Read only | The log level of the flow. |
isSubflow | Boolean | N/A | Read only | Specifies whether the current flow is a subflow. |
timestamp | Boolean | N/A | Read only | A UTC timestamp that specifies when the event was triggered. |
Flow interaction events detail data model properties
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
capabilityName | String | N/A | Read only | The capability that triggered the event. |
connector | Object | N/A | Read only | The connector object. |
connector.id | String | N/A | Read only | The connector ID. |
connector.name | String | N/A | Read only | The connector name. |
connectorInstance | Object | N/A | Read only | The connector instance object. |
connectorInstance.id | String | N/A | Read only | The connector instance ID. |
connectorInstance.name | String | N/A | Read only | The connector instance name. |
environment | Object | N/A | Read only | The DaVinci company ID (environment ID) object. |
environment.id | String | N/A | Read only | The DaVinci company ID, which is the PingOne environment ID. |
executionTime | Number | N/A | Read only | The time taken to execute the node, in milliseconds. |
flow | Object | N/A | Read only | The flow object. |
flow.id | String | N/A | Read only | The ID of the executed flow. |
flow.name | String | N/A | Read only | The name of the executed flow. |
flow.version | Number | N/A | Read only | The version number of the executed flow. |
id | String | N/A | Read only | The flow interaction ID. |
isSubflow | Boolean | N/A | Read only | Specifies whether the current flow is a subflow. |
logLevel | Number | N/A | Read only | The log level defined in the flow settings. Options are 1 (None), 2 (Info), and 3 (Debug). |
message | String | N/A | Read only | The event message (the name of the event). |
nodeId | String | N/A | Read only | The ID of the node that triggered the event. |
nodeTitle | String | N/A | Read only | The title of the node that triggered the event. |
nextEvent | String | N/A | Read only | Specifies the next DaVinci event triggered by this event. |
properties | Object | N/A | Read only | The key-value pairs for the properties defined in the capability. |
requestContext | Object | N/A | Read only | An object that contains details about the request. |
requestContext.ip | String | N/A | Read only | The IP address of the client that triggered the request. |
requestContext.userAgent | String | N/A | Read only | The user agent string of the client that triggered the request. |
requestContext.cookies | Object | N/A | Read only | The cookies attached to the request, listed as key-value pairs. |
requestContext.headers | Object | N/A | Read only | The headers attached to the request, listed as key-value pairs. |
response | Object | N/A | Read only | The key-value pairs for the capability response. |
success | Boolean | N/A | Read only | Specifies whether node execution was successful. |
timestamp | Boolean | N/A | Read only | A UTC timestamp that specifies when the event was triggered. |
usageTransactionType | String | N/A | Read only | Specifies whether the connector usage is counted. Values are COUNTED and UNCOUNTED. |
Flow interaction events minimal data model properties
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
id | String | N/A | Read only | The flow interaction event ID. |
environment | Object | N/A | Read only | The DaVinci company ID (environment ID) object. |
environment.id | String | N/A | Read only | The DaVinci company ID, which is the PingOne environment ID. |
capabilityName | String | N/A | Read only | The capability that triggered the event. |
connector | Object | N/A | Read only | The connector object. |
connector.id | String | N/A | Read only | The connector ID. |
connector.name | String | N/A | Read only | The connector name. |
connectorInstance | Object | N/A | Read only | The connector instance object. |
connectorInstance.id | String | N/A | Read only | The connector instance ID. |
connectorInstance.name | String | N/A | Read only | The connector instance name. |
executionTime | Number | N/A | Read only | The time taken to execute the node, in milliseconds. |
flow | Object | N/A | Read only | The flow object. |
flow.id | String | N/A | Read only | The ID of the executed flow. |
flow.name | String | N/A | Read only | The name of the executed flow. |
flow.version | Number | N/A | Read only | The version number of the executed flow. |
isSubflow | Boolean | N/A | Read only | Specifies whether the current flow is a subflow. |
message | String | N/A | Read only | The event message. |
nodeId | String | N/A | Read only | The ID of the node that triggered the event. |
nodeTitle | String | N/A | Read only | The title of the node that triggered the event. |
success | Boolean | N/A | Read only | Specifies whether node execution was successful. |
timestamp | Boolean | N/A | Read only | A UTC timestamp that specifies when the event was triggered. |
usageTransactionType | String | N/A | Read only | Specifies whether the connector usage is counted. Values are COUNTED and UNCOUNTED. |
Limiting and filtering data
You can limit the number of results returned on the Read DaVinci Flow Interactions and Read DaVinci Flow Interaction Events requests with the limit parameter. See Pagination for more information about use of the limit parameter, as well as other methods of controlling pagination.
You can filter response data by applying a SCIM filtering expression to the Read DaVinci Flow Interactions and Read DaVinci Flow Interaction Events requests. The following SCIM operators can be applied to the listed attributes:
- ge (greater than or equal to): supported attributes: timestamp
- le (less than or equal to): supported attributes: timestamp
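As an added example (not PingOne's or DaVinci's own code), the following Python builds the time-window query for the Read DaVinci Flow Interaction Events request using only the ge/le operators on timestamp, then triages a page of event records: failures per node, the client IPs seen on those failures, counted usage, and the ****** masking of sensitiveInfoFields before an event is stored elsewhere. It assumes the SCIM expression is sent in a `filter` query parameter beside `limit` (the page names the operators and `limit`, not the parameter carrying the filter); the event records are constructed to match the events data model.

```python
"""Build the time-window query for, and triage, DaVinci flow interaction events.

Added example, not PingOne's or DaVinci's own code. Assumption: the SCIM
expression travels in a `filter` query parameter next to `limit`. The event
records below are constructed to match the flow interaction events data model.
"""
from collections import Counter, defaultdict
from copy import deepcopy
from datetime import datetime, timezone
from urllib.parse import urlencode

MASK = "******"  # the mask DaVinci applies to sensitiveInfoFields in analytics


def _iso_utc(ts: datetime) -> str:
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def window_filter(start: datetime, end: datetime) -> str:
    """SCIM expression using the only operators the page allows here: ge and le on timestamp."""
    return f'timestamp ge "{_iso_utc(start)}" and timestamp le "{_iso_utc(end)}"'


def events_query(start: datetime, end: datetime, limit: int = 100) -> str:
    """Query string to append to the Read DaVinci Flow Interaction Events request (assumed `filter` key)."""
    return urlencode({"filter": window_filter(start, end), "limit": limit})


def redact_properties(event: dict, sensitive_fields: list) -> dict:
    """Copy of the event with the listed capability properties replaced by ******."""
    out = deepcopy(event)
    for field in sensitive_fields:
        if field in out.get("properties", {}):
            out["properties"][field] = MASK
    return out


def triage_events(events: list) -> dict:
    """Summarise one page of events: failures per node, IPs on failures, counted usage, slowest node."""
    failures = Counter()
    failure_ips = defaultdict(set)
    counted = 0
    slowest_ms = 0
    for ev in events:
        if ev.get("usageTransactionType") == "COUNTED":
            counted += 1
        slowest_ms = max(slowest_ms, int(ev.get("executionTime", 0)))
        if not ev.get("success", False):
            node = f'{ev.get("nodeTitle")}/{ev.get("capabilityName")}'
            failures[node] += 1
            ip = ev.get("requestContext", {}).get("ip")  # detail model only
            if ip:
                failure_ips[node].add(ip)
    return {
        "total": len(events),
        "counted": counted,
        "slowest_ms": slowest_ms,
        "failures": dict(failures),
        "failure_ips": {k: sorted(v) for k, v in failure_ips.items()},
    }


# Constructed sample data (node titles, capability and property names are made up).
SAMPLE_START = datetime(2024, 5, 1, 0, 0, tzinfo=timezone.utc)
SAMPLE_END = datetime(2024, 5, 1, 1, 0, tzinfo=timezone.utc)
SAMPLE_QUERY = events_query(SAMPLE_START, SAMPLE_END, limit=50)

SAMPLE_EVENTS = [
    {"id": "ev-1", "nodeId": "n1", "nodeTitle": "Lookup user", "capabilityName": "findUser",
     "connector": {"id": "httpConnector", "name": "Http"}, "success": True, "executionTime": 120,
     "usageTransactionType": "COUNTED", "requestContext": {"ip": "203.0.113.10"},
     "properties": {"username": "alice"}},
    {"id": "ev-2", "nodeId": "n2", "nodeTitle": "Check password", "capabilityName": "checkPassword",
     "connector": {"id": "httpConnector", "name": "Http"}, "success": False, "executionTime": 340,
     "usageTransactionType": "UNCOUNTED", "requestContext": {"ip": "203.0.113.10"},
     "properties": {"username": "alice", "password": "example-only"}},
    {"id": "ev-3", "nodeId": "n2", "nodeTitle": "Check password", "capabilityName": "checkPassword",
     "connector": {"id": "httpConnector", "name": "Http"}, "success": False, "executionTime": 310,
     "usageTransactionType": "UNCOUNTED", "requestContext": {"ip": "198.51.100.7"},
     "properties": {"username": "alice", "password": "example-only"}},
    {"id": "ev-4", "nodeId": "n3", "nodeTitle": "Send OTP", "capabilityName": "sendOtp",
     "connector": {"id": "httpConnector", "name": "Http"}, "success": True, "executionTime": 900,
     "usageTransactionType": "COUNTED", "requestContext": {"ip": "203.0.113.10"},
     "properties": {"username": "alice"}},
]

if __name__ == "__main__":
    print("query:", SAMPLE_QUERY)
    print("summary:", triage_events(SAMPLE_EVENTS))
    print("redacted:", redact_properties(SAMPLE_EVENTS[1], ["password"])["properties"])
```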
Response codes
Code | Message |
---|---|
200 | Successful operation. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
Read DaVinci Flow Interactions
Read One DaVinci Flow Interaction
Read DaVinci Flow Interaction Events
Read One DaVinci Flow Interaction Event
DaVinci Admin Applications
PingOne DaVinci Admin Applications service provides endpoints to create, read, update, and delete DaVinci applications. This service also includes endpoints to rotate the application key and application secret values.
A DaVinci application configuration is the link between your site and the sign-on flows you have created in DaVinci. The application configuration contains settings to determine how external sites can send requests for flows, what flows can be requested, and how users and resources from other sites are managed.
DaVinci Admin applications data model properties
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
apiKey | Object | Optional | Mutable | The collection of API keys associated with this application resource. |
apiKey.enabled | Boolean | Optional | Mutable | Specifies whether the API key for this application is enabled. |
apiKey.value | String | Optional | Mutable | The value of the API key. |
createdAt | Date | N/A | Read only | The time when the application was created. |
environment | Object | N/A | Read only | The DaVinci company ID (environment ID) object. |
environment.id | String | N/A | Read only | The DaVinci company ID, which is the PingOne environment ID. |
id | String | N/A | Read only | The application ID. |
name | String | Required | Mutable | The application name. |
oauth | Object | Optional | Immutable | The OAuth configuration for this application resource. |
oauth.clientSecret | String | Optional | Immutable | The client secret used by this application resource. |
oauth.redirectUris | Array | Optional | Immutable | The list of redirect URIs configured for this application resource. |
oauth.logoutURIs | Array | Optional | Immutable | The list of logout URIs configured for this application resource. |
oauth.scopes | Array | Optional | Immutable | The list of OAuth scopes configured for this application resource. |
oauth.grantTypes | Array | Optional | Immutable | The list of OAuth grant types configured for this application resource. |
oauth.spjwksUrl | Array | Optional | Mutable | A URL from which to retrieve the JWKS keys used to verify the authorization request signature. This option takes precedence over the spjwksOpenid property if both are set. |
oauth.spjwksOpenid | Array | Optional | Mutable | A set of JWKS keys used to verify the authorization request signature. This property is ignored if spjwksUrl is set. |
updatedAt | Date | N/A | Read only | The time when the application was last modified. |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
Create DaVinci Application
Rotate DaVinci Application Key
Rotate DaVinci Application Secret
Read DaVinci Applications
Read One DaVinci Application
Update DaVinci Application
Delete DaVinci Application
DaVinci Admin Application Flow Policies
PingOne DaVinci Admin Application Flow Policies service provides endpoints to create, read, update, and delete DaVinci application flow policies. Application flow policies specify which flows are run through the application. A flow policy is an entity that points to one or more flows or versions of flows.
DaVinci Admin application flow policies data model properties
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
createdAt | Date | N/A | Read only | The time when the flow policy was created. |
environment | Object | N/A | Read only | The DaVinci company ID (environment ID) object. |
environment.id | String | N/A | Read only | The DaVinci company ID, which is the PingOne environment ID. |
id | String | N/A | Read only | The flow policy ID. |
name | String | Required | Mutable | The flow policy name. |
flowDistributions | Array | Optional | Immutable | An array of flow distribution properties that are a part of this flow policy. |
flowDistributions.id | String | Optional | Immutable | The flow ID associated with this flow policy. |
flowDistributions.weight | Number | Optional | Mutable | The weight that is assigned to the current flow in the flow policy. |
flowDistributions.version | String | Optional | Mutable | The version of the flow to be used in the flow policy. |
flowDistributions.successNodes | Array | Optional | Mutable | An array of node IDs in the flow that indicate a successful execution of the flow policy. |
flowDistributions.successNodes.id | Array | Optional | Mutable | The node ID. |
flowDistributions.ip | Array | Optional | Mutable | An array of IP addresses that form a whitelist of addresses from which flow executions can be performed. |
status | String | Optional | Mutable | The status of the flow policy. Options are Enabled and Disabled. |
trigger | Object | Optional | Immutable | The trigger associated with the flow. |
trigger.type | String | Optional | Immutable | If the trigger type is set to AUTHENTICATION, you invoke the flow through PingOne OpenID Connect or SAML endpoints. |
updatedAt | Date | N/A | Read only | The time when the flow policy was modified. |
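To make the flow distribution properties concrete, here is an added example (not DaVinci's own code) that applies a policy the way the data model describes it: honour each distribution's ip list, pick a flow by weight, and judge a run by its successNodes. Treating ip entries as CIDR strings, an empty ip list as "no restriction", and weights as relative integers are assumptions; the policy is constructed sample data.

```python
"""Added example, not DaVinci's own code: apply a flow policy's
flowDistributions (ip allowlist, weight, successNodes) to a request.
Assumptions: ip entries are CIDR strings, an empty ip list means no
restriction, and weights are relative integers. Policy data is constructed."""
import ipaddress
import random


def eligible_distributions(policy: dict, client_ip: str) -> list:
    """Distributions whose ip list admits client_ip (empty list admits all)."""
    addr = ipaddress.ip_address(client_ip)
    out = []
    for dist in policy.get("flowDistributions", []):
        allow = dist.get("ip") or []
        if not allow or any(addr in ipaddress.ip_network(c, strict=False)
                            for c in allow):
            out.append(dist)
    return out


def choose_distribution(policy: dict, client_ip: str, rng=random):
    """Weighted pick among eligible distributions; None if nothing can run."""
    if policy.get("status") != "Enabled":
        return None
    cands = eligible_distributions(policy, client_ip)
    weights = [max(0, d.get("weight", 0)) for d in cands]
    if not cands or sum(weights) == 0:
        return None
    return rng.choices(cands, weights=weights, k=1)[0]


def run_succeeded(dist: dict, nodes_visited) -> bool:
    """True only if the run reached one of the distribution's successNodes.
    A distribution with no successNodes can never report success."""
    success_ids = {n["id"] for n in dist.get("successNodes", [])}
    return bool(success_ids & set(nodes_visited))


def simulate(policy: dict, client_ip: str, draws: int = 1000, seed: int = 0) -> dict:
    """Count how often each version is chosen, to sanity-check the weights."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(draws):
        dist = choose_distribution(policy, client_ip, rng)
        key = dist["version"] if dist else None
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed policy: version 3 serves everyone, version 4 is a canary that
# only a documentation address range may reach.
SAMPLE_POLICY = {
    "name": "Login canary",
    "status": "Enabled",
    "flowDistributions": [
        {"id": "flow-login", "version": "3", "weight": 90,
         "successNodes": [{"id": "node-success"}], "ip": []},
        {"id": "flow-login", "version": "4", "weight": 10,
         "successNodes": [{"id": "node-success-v4"}],
         "ip": ["203.0.113.0/24"]},
    ],
}

if __name__ == "__main__":
    print(simulate(SAMPLE_POLICY, "203.0.113.9"))
    print(simulate(SAMPLE_POLICY, "198.51.100.7"))
```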
DaVinci Admin application flow policy event data model properties
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
environment | Object | N/A | Read only | The environment object. |
environment.id | String | N/A | Read only | The DaVinci company ID, which is the PingOne environment ID. |
events | Object | N/A | Read only | The DaVinci event object. |
events.id | String | N/A | Read only | The DaVinci event ID. |
events.timestamp | Date | N/A | Read only | A UTC timestamp that specifies when the event was logged. |
flow | Object | N/A | Read only | The DaVinci flow object. |
flow.id | String | N/A | Read only | The DaVinci flow ID. |
flow.version | Number | N/A | Read only | The DaVinci flow version number. |
totalCount | Number | N/A | Read only | The total number of flow executions. |
successCount | Number | N/A | Read only | The total count of success nodes reached in flow executions. |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
Create DaVinci Application Flow Policies
Read DaVinci Application Flow Policies
Read DaVinci Application Flow Policy Events
Read One DaVinci Application Flow Policy
Update DaVinci Application Flow Policy
Delete DaVinci Application Flow Policy
DaVinci Admin UI Templates
You can create user interface (UI) templates that match your company style and branding, which you can include in flows using an HTTP connector. The PingOne DaVinci Admin UI Templates service provides endpoints to create, read, and delete DaVinci UI templates.
DaVinci Admin UI templates data model properties
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
createdAt | Date | N/A | Read only | A UTC string that specifies the time when the DaVinci UI template was created. |
description | String | Optional | Mutable | The UI template description. |
environment | Object | N/A | Read only | The DaVinci company ID (environment ID) object. |
environment.id | String | N/A | Read only | The DaVinci company ID, which is the PingOne environment ID. |
id | String | N/A | Read only | The DaVinci UI template ID. |
name | String | Required | Mutable | The UI template name. |
inputSchema | String | Optional | Mutable | A JSON representation of the input schema defined in this template. |
outputSchema | String | Optional | Mutable | A JSON representation of the output schema defined in this template. |
script | String | Optional | Mutable | JavaScript code used by this template. |
style | String | Optional | Mutable | The CSS used in flows that are associated with this template. |
template | String | Optional | Mutable | The HTML template to be rendered. |
updatedAt | Date | N/A | Read only | A UTC string that specifies the time when the UI template was last modified. |
validationRules | Array | Optional | Mutable | The validation rules object. |
validationRules.propertyName | String | Required | Mutable | The name of the property to which the validation rule applies. |
validationRules.rules | Array | Required | Mutable | The rules object in which the validation rule elements are defined. |
validationRules.rules.ruleName | String | Required | Mutable | The name of the rule. Options are presence, email, length, format, and equality. |
validationRules.rules.message | String | Optional | Mutable | The message that displays when the rule fails: for presence and email rules, when the required property is not present or is not a valid email address. For length rules, enter a minimum, maximum, or exact value for the property and a validation message that is displayed for each length restriction that is not met. For format rules, enter the regex that defines the required format and the validation message that displays if the property does not match the format. For equality rules, enter the other property that this property must match, and the validation message that displays if the properties do not match. |
validationRules.rules.attribute | String | Optional | Mutable | The property to check when applying the equality rule. |
validationRules.rules.pattern | String | Optional | Mutable | The pattern to match when applying the format rule. |
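The following added example (not DaVinci's own implementation) evaluates a template's validationRules against a submitted form, covering all five rule names. The propertyName, rules, ruleName, message, attribute and pattern keys follow the data model above; the length keys minimum, maximum and is, and the sample rules and forms, are constructed assumptions.

```python
"""Added example, not DaVinci's own implementation: evaluate a UI template's
validationRules (presence, email, length, format, equality) against a form.
The length keys "minimum", "maximum" and "is" are an assumption; the sample
rules and forms are constructed."""
import re

# Deliberately simple address shape; enough to reject obvious junk.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _present(value) -> bool:
    return value is not None and str(value).strip() != ""


def check_rule(rule: dict, value, form: dict):
    """Return None when the rule passes, otherwise the rule's message."""
    name = rule["ruleName"]
    msg = rule.get("message", f"{name} check failed")
    if name == "presence":
        return None if _present(value) else msg
    if name == "email":
        return None if isinstance(value, str) and EMAIL_RE.match(value) else msg
    if name == "length":
        n = len(value) if isinstance(value, str) else 0
        if "is" in rule and n != rule["is"]:
            return msg
        if "minimum" in rule and n < rule["minimum"]:
            return msg
        if "maximum" in rule and n > rule["maximum"]:
            return msg
        return None
    if name == "format":
        # fullmatch: the template author's regex must cover the whole value,
        # not merely occur somewhere inside it.
        ok = isinstance(value, str) and re.fullmatch(rule["pattern"], value)
        return None if ok else msg
    if name == "equality":
        return None if value == form.get(rule["attribute"]) else msg
    raise ValueError(f"unknown ruleName {name!r}")


def validate_form(validation_rules: list, form: dict) -> dict:
    """Map each failing propertyName to the messages of the rules it broke."""
    errors = {}
    for entry in validation_rules:
        prop = entry["propertyName"]
        for rule in entry["rules"]:
            failure = check_rule(rule, form.get(prop), form)
            if failure is not None:
                errors.setdefault(prop, []).append(failure)
    return errors


# Constructed validationRules for a registration template.
SAMPLE_RULES = [
    {"propertyName": "email", "rules": [
        {"ruleName": "presence", "message": "Email is required"},
        {"ruleName": "email", "message": "Enter a valid email"}]},
    {"propertyName": "username", "rules": [
        {"ruleName": "format", "pattern": "[a-z0-9_]{3,16}",
         "message": "3-16 lowercase letters, digits or underscores"}]},
    {"propertyName": "password", "rules": [
        {"ruleName": "length", "minimum": 12,
         "message": "At least 12 characters"}]},
    {"propertyName": "confirm", "rules": [
        {"ruleName": "equality", "attribute": "password",
         "message": "Passwords do not match"}]},
]

if __name__ == "__main__":
    print(validate_form(SAMPLE_RULES, {"email": "", "username": "Al",
                                       "password": "short", "confirm": "x"}))
```

These rules run in the user's browser as part of the template, so a flow should treat them as a usability aid and re-check anything security-relevant on the server side.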
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
Create DaVinci UI Template
Read DaVinci UI Templates
Read One DaVinci UI Template
Delete DaVinci UI Template
Changelog
The following changes have been made to the PingOne APIs or the associated SDKs.
Release Date | Description |
---|---|
Aug 19, 2024 | PingOne Protect now has a risk predictor called Traffic Anomaly intended to detect traffic anomalies in terms of variables such as users, devices, and sessions. The Traffic Anomaly predictor will eventually include a variety of rules, some of which you can select to enable or disable. Currently, the predictor detects situations where there are a large number of risk evaluations requested for a single user within a short period of time, and optionally can also detect situations where the number of users per device during a given period is suspicious. When a risk level of High is calculated for a Traffic Anomaly predictor, the recommendedAction field in the risk evaluation response has the value DENY, indicating that you should probably deny access. To create a Traffic Anomaly predictor, set the type parameter to the new value TRAFFIC_ANOMALY. If you want to also check the number of users per device, use the objects described in the traffic anomaly risk predictor data model. For details, see Risk Predictors and Risk evaluations. |
Aug 5, 2024 | When creating composite predictors, you can now include conditions that check what PingOne user groups the user belongs to. For details, see the Composite Risk Predictors section in Risk Predictors and the relevant example. |
Aug 5, 2024 | The Bot Detection predictor now has an option that you can enable to expand the range of bot activity that PingOne Protect can detect. For details, see the new field includeRepeatedEventsWithoutSdk under Risk Predictors. |
Jul 22, 2024 | For MFA, there is now an option to use dynamic linking to attach a unique identifier to the registration of a FIDO device. For details, see MFA devices. |
Jul 15, 2024 | MFA is now enforced for environment administrators during registration. You can read and update admin sign-on settings using the new Administrator Security endpoints. For details, see Administrator Security. |
Jul 3, 2024 | The Suspicious Device predictor now includes an option to specify that any risk policies that include the predictor will require that the Signals SDK payload be provided as a signed JWT whose signature will be verified before proceeding with risk evaluation. For details, see Risk Predictors. |
Jun 27, 2024 | We've added the new role "Application Owner", enabling you to restrict administrator access to specific applications. Use this role to assign application developers permissions only to the applications they manage. For details, see Roles. |
Jun 18, 2024 | When creating risk evaluations, you can now provide additional detail about the context of the flow by providing a value for flow.subtype in addition to flow.type. For details, see Risk evaluations. |
Jun 17, 2024 | A new endpoint, riskFeedback, has been added to allow you to provide feedback on the accuracy of specific risk evaluations that were carried out. Each such call can include feedback for up to 100 risk evaluations, and for each you can specify a feedback category and a reason for including the evaluation in that category. For details, see Providing feedback for risk evaluations. |
Jun 4, 2024 | For MFA, there is now an option to use dynamic linking to attach a unique identifier to a FIDO transaction. For details, see Create a request property JWT and Device authentications data model. |
Jun 3, 2024 | When creating or updating MFA policies, you can now include a field called promptForNicknameOnPairing to allow users to provide nicknames for devices during pairing. For details, see Device Authentication Policies. |
May 28, 2024 | The Forms service now supports a social login button as a field type option. For details, see Forms. |
May 6, 2024 | The platform now supports the AU (Australia/Asia Pacific) region. The platform continues to support the AP (Asia Pacific) region. However, if your environments use the AP region designation (api.pingone.asia domain) for Asia-Pacific countries, be aware that this region does not support the migration of PingID customers (or the PingID product) to the PingOne platform. To get PingID platform support for your Asia-Pacific environments, use the AU region designation (api.pingone.com.au domain) when creating your new environments. For details, see Working with PingOne APIs. |
Apr 24, 2024 | The Resources service now provides a property to add application permissions to access tokens. For details, see Resources. |
Apr 8, 2024 | Simplify changing your PingOne regional domain with an environment variable, tld, in the public PingOne environment template that represents the top level domain (TLD) for your PingOne domain, such as com or eu. All the {{...Path}} variables, such as {{apiPath}} and {{authPath}}, reference {{tld}}. To change your region's top level domain, merely change the value of {{tld}}. See PingOne API domains for more information. |
Apr 4, 2024 | With Managed Credential Issuance, client applications can issue and update credentials using Create Credential Type (managed) rather than an Issuance Rule. |
Apr 3, 2024 | You can submit a redirect URL and redirect message, used and seen by users when submitting verification documents, in the body of Create Verify Transaction. |
Apr 3, 2024 | You can issue and update user credentials via a Create a User Credential or Update a User Credential call rather than an Issuance Rule. |
Apr 3, 2024 | When you create a trusted email domain, PingOne now prepares an additional text record that reflects the association of the domain with the specific PingOne environment. If you add this new record to your DNS, any "sender" email address belonging to the domain is set to active status as soon as you create it, with no need for a verification email. For details, see Trusted Email Domains. |
Apr 2, 2024 | FIDO policies now include an option called aggregateDevices that you can use to specify that the displayed list of available authentication methods should include only a single generic entry for FIDO2 devices, even if the user has multiple paired FIDO2 devices. For details, see FIDO Policies. With the introduction of this feature, responses to requests that use the deviceAuthentications and flows endpoints may now include a field called aggregateFido2Devices, indicating whether the available authentication method list should include only a single generic FIDO2 option. |
Mar 12, 2024 | We've added the new LDAP Gateway attribute userTypes.updateUserOnSuccessfulAuthentication. When enabled, on user sign on, user attributes are updated based on responses from the LDAP server. For details, see Gateway LDAP data model. |
Mar 4, 2024 | The external IdP service now supports PKCE. A new pkceMethod property has been added to the base IdP data model. For details, see Identity Provider Management. |
Mar 4, 2024 | PingOne Protect now has a new risk predictor called Email Reputation to detect the use of disposable email addresses during registration. The value of the type parameter for this predictor is EMAIL_REPUTATION. For details, see Risk Predictors. For risk evaluations based on policies that include an email reputation predictor, the response may include a value of TEMP_EMAIL_MITIGATION for the result.recommendedAction field. For details, see Risk evaluations. |
Mar 4, 2024 | For risk evaluations that use a risk policy with the New Device predictor, the response now includes the field details.device.lastSeen, which represents the date and time that the device was last seen. If an externally-maintained device ID was provided in the risk evaluation request, the response will include externalLastSeen for the date and time that the device was last seen. For details, see Risk evaluations. |
Feb 28, 2024 | For situations where a user did not receive the one-time passcode (OTP) that was sent for pairing a device, you can now use the devices endpoint to resend the OTP. For details, see Resend Pairing Code. |
Feb 21, 2024 | The platform now supports the device_code device authorization grant type on an application configuration, and it also provides endpoints to initiate and manage a device authorization flow. For details, see Device Authorization Grant. |
Feb 20, 2024 | A new field, fidoUserVerification, was added to the information that can be included in MFA device reports generated with the dataExplorations endpoint. For details, see Reporting. |
Feb 14, 2024 | PingOne now supports the CLIENT_SECRET_JWT and PRIVATE_KEY_JWT token endpoint authentication methods for OIDC applications. For details, see the jwks and jwksUrl properties in Application Operations, the client_assertion and client_assertion_type properties in OpenID Connect/OAuth 2, Token (authorization_code) (CLIENT_SECRET_JWT), Token (authorization_code) (PRIVATE_KEY_JWT), and Configure CLIENT_SECRET_JWT as the Token Auth Method. |
Feb 12, 2024 | PingOne Protect now has a new risk predictor to prevent Adversary-in-the-Middle (AitM) attacks. To create an AitM predictor, set the type parameter to the new value ADVERSARY_IN_THE_MIDDLE and use the whiteList parameter to specify the legitimate domains that your users will access for your restricted resources. For details, see Risk Predictors. |
Feb 5, 2024 | PingOne Verify no longer reads or uses verifyStatus on the user. The PingOne Neo Verify Verify Status endpoint, /environments/{{envID}}/users/{{userID}}/verifyStatus and its two operations, Read User Verification Status and Update User Verification Status at the same URL, are deprecated. The endpoint and requests will be removed February 2025. |
Jan 19, 2024 | We've added the icon property to the Environments service, enabling you to assign an icon to a PingOne environment. See the Environments data model for details. |
Jan 16, 2024 | The platform's client secret configuration now supports optional parameters to designate the replaced secret as a "previous" secret that remains valid for a specified period, up to 30 days. For details, see Update Application Secret and Create Resource Client Secret. |
Jan 11, 2024 | The platform supports the PingOne Authorize application resources and roles services, which provide endpoints to define custom resources, roles, and permissions to protect external application resources. For details, see PingOne Authorize Application Resources and Roles. |
Jan 8, 2024 | The platform supports reduced self-service scopes when the mfa authentication method is not included as an amr claim value in the token. For details, see PingOne self-management scopes. |
Jan 7, 2024 | Changes have been made to the steps required to retrieve MFA device reports generated as files. This is reflected in the responses to the relevant requests. For details, see Reporting. Note that the .zip file containing the report is now password-protected and cannot be opened without the password that is returned. |
Jan 4, 2024 | A field called device.externalId has been added to the Event data model for risk evaluations. You can use this field to send an externally-maintained device ID to the risk evaluation. If you provide such an ID, that is the device ID that will be used rather than the device ID provided by the Signals SDK. For details, see Risk evaluations. |
Jan 3, 2024 | We've added a corsSettings object to support applications using cross-origin resource sharing (CORS). See Cross-origin resource sharing, and the corsSettings properties in the Applications data models for OIDC, SAML, and WS-Federation. |
Dec 15, 2023 | You can now set and get the default identity provider (IdP) for a population. See Update Population Default IdP and Read One Population Default IdP for details. |
Dec 8, 2023 | PingOne Platform API collections in the PingOne public workspace now use Postman Collection-Level Authorization of type bearer. All requests that use bearer token authorization are now set to Inherit authorization from parent. |
Dec 4, 2023 | The PingOne Neo Verify User Data endpoint, /environments/{{envID}}/users/{{userID}}/verifyTransactions/{{transactionID}}/userData and its only operation, Read User Verification Data at the same URL, are deprecated. The endpoint and request will be removed December 2024. |
Dec 4, 2023 | The New Device Paired notification template now has an optional variable called report.fraud. If you include this variable, the notification will include a link for reporting fraudulent pairing attempts. For details, see Notifications Templates. |
Nov 16, 2023 | We've added documentation for the supported password encoding schemes. See Password encoding for more information. |
Oct 24, 2023 | You can now assign admin roles to user groups. See Group Role Assignments. |
Oct 12, 2023 | PingOne now supports outbound mutual TLS (mTLS) authentication with webhooks. You can upload a key with a usageType of OUTBOUND_MTLS and pass the ID to the tlsClientAuthKeyPair.id property when creating or updating a webhook. For more information, see Subscriptions (webhooks). |
Oct 4, 2023 | Added the displayName, sourceId, and sourceType parameters to allow querying of external user groups. See Groups. |
Sep 19, 2023 | When creating composite predictors, it is now possible to create additional sets of conditions to form an if / else if structure. To facilitate this, the composition object has been replaced with an array called compositions. To ensure backward compatibility, requests that contain the single composition object are still supported. For details, see Risk Predictors. |
Sep 18, 2023 | When providing the flow type as input for a risk evaluation, you can now use other types in addition to AUTHENTICATION. The new flow types supported are: REGISTRATION, ACCESS, AUTHORIZATION, and TRANSACTION. See Risk Evaluations. |
Sep 18, 2023 | In the MFA Settings for an environment, you can now specify whether MFA should be enabled by default for a user when their account is created. For details, see users.mfaEnabled in MFA settings. |
Sep 14, 2023 | If you create a pairing key that is shared by multiple applications, but define different pairing key lifetimes for the different applications, all the applications using the pairing key now use the most strict setting that you specified for key lifetime (shortest time). |
Sep 7, 2023 | We've added a Correlation-Id setting in the header of Phone Delivery Settings requests to the custom provider enabling you to track notifications sent by the custom provider using the Correlation-Id value. See Phone Delivery Settings. |
Sep 5, 2023 | We've added information regarding how to handle client secret updates for external identity providers. See Update Identity Provider. |
Sep 5, 2023 | You can now specify Elliptical Curve Digital Signature Algorithm (ECDSA) signing certificate algorithms for your SAML identity providers and applications. See Create Identity Provider (SAML) and SAML Application Settings Data Model. |
Aug 10, 2023 | You can now use the RequestedAuthnContext parameter to specify lower-priority application flow policies for SAML applications. See Application Flow Policy Assignments. |
Jul 31, 2023 | Added a new endpoint to PingOne Authorize to manage API service deployment. See API Service Deployment. |
Jul 26, 2023 | We've added the new roles DaVinci Admin and DaVinci Read-Only Admin. Currently, you cannot assign these roles to a Worker app. For details, see Roles. |
Jul 5, 2023 | A new field called newDeviceNotification has been added for MFA policies to allow you to specify that users should receive an SMS or email notification when a new device is added to their account. For details, see Device Authentication Policies. |
Jul 5, 2023 | New fields were added to the information that can be included in MFA device reports generated with the dataExplorations endpoint: deviceIntegrityStateCompromised, deviceIntegrityStateReason, deviceIntegrityStateTimestamp, deviceIntegrityStateAdvice, extension, fidoBackupEligibility, fidoBackupState, and lastDeviceTrxTime. For details, see Reporting. |
Jun 30, 2023 | Two new risk predictors - Bot Detection and Suspicious Device - have been added. For details, see Risk Predictors and Risk Evaluations. |
Jun 30, 2023 | For including data from the Signals SDK in risk evaluations, the data is now sent using the sdk.signals.data property rather than in the header of the request. For details, see Risk Evaluations. |
Jun 20, 2023 | In MFA policies, you can now disable pairing for specific authentication methods. You can use this option if you want to phase out an existing authentication method but want to allow users to continue using the method for authentication for existing devices. See pairingDisabled in Device Authentication Policies. |
Jun 19, 2023 | To provide support for passkeys, FIDO policies have been expanded significantly. For details, see FIDO Policies. Note that FIDO policy requests now use the endpoint environments/{{envID}}/fido2Policies and not environments/{{envID}}/fidoPolicies. In the framework of these changes, support was added for a new MFA device type called FIDO2. For details, see MFA Devices. |
Jun 15, 2023 | Requests that use the flows endpoint and the deviceAuthentications endpoint now include additional device status information in the response: usableStatus, pushStatus, and otpStatus. For details, see Flows and MFA Device Authentications. |
Jun 12, 2023 | PingOne MFA has moved to Firebase Cloud Messaging for sending push messages. This impacts the credentials you must enter when enabling push notifications for Google Play-based mobile applications. For details, see Application MFA Push Credentials. |
Jun 1, 2023 | We've fixed an issue with the Try a Request feature in the documentation. We've re-enabled this feature for all endpoints except the authorization endpoints (identified by the {{authPath}} variable). The Try a Request feature has always been blocked for these endpoints, due to a CORS constraint. |
May 18, 2023 | You can now choose to include the IP address of an actor and the user-agent HTTP header of an event in the source section of a subscription audit event. See Create Subscriptions. |
May 8, 2023 | It is now possible to have one-time passwords delivered via voice to phone numbers that include extensions. For details on enabling support for phone numbers with extensions, see MFA Settings. |
Apr 28, 2023 | PingOne now supports a Language Translations service, which provides operations to view the custom string translations for a specified language and to update localized strings for specified user interface elements. For details, see Language Translations. |
Apr 25, 2023 | DaVinci no longer ignores the pi.flow OAuth property. For details about pi.flow, see the OpenID Connect/OAuth2 data model. |
Apr 23, 2023 | When creating notification policies, you can now use the quotas array to limit the use of email messages for pairing and authentication. For details, see Notification Policies. |
Apr 19, 2023 | For integrity checking on Android devices, PingOne MFA now uses Google's Play Integrity API. This requires you to provide additional information from your Google service account if you want to create or update an application that uses integrity checking. For the details of the new mandatory fields, see the Applications OIDC settings data model table in Application Operations and the Create Application (OIDC Protocol - Native App) sample. |
Apr 14, 2023 | PingOne now supports the Forms service, which provides tools for administrators to create custom forms presented to users during the authentication workflow. For details, see Forms and Forms Recaptcha. |
Apr 3, 2023 | When creating notification policies, you can now use the countryLimit object to limit the countries where you can use SMS and voice notifications. For details, see Notification Policies. |
Mar 27, 2023 | PingOne now supports the SCIM 2.0 identity management standard for provisioning users into PingOne Directory. Currently we support the /Users endpoint with basic SCIM to PingOne Directory attribute mapping. For details, see SCIM. |
Mar 27, 2023 | When creating or updating New Device risk predictors, you can now use the activationAt parameter to specify a date on which the learning process for the predictor should be restarted. This can be used in conjunction with the fallback setting (default.result.level) to force strong authentication when moving the predictor to production. For details, see Risk Predictors. |
Mar 26, 2023 | In addition to combining existing predictors, you can now include the following risk factors in your composite predictors: country, state, IP range, IP domain organization, ISP, target resource (application). For details, see Risk Predictors. |
Mar 16, 2023 | We've added new Sessions endpoints to Reset the Authentication Session by Session ID or Reset the Authentication Session by Session Token. |
Mar 13, 2023 | When defining the settings for mobile applications in an MFA policy, you can now use the new pairingKeyLifetime object to specify how long an issued pairing key can be used until it expires. For details, see Device Authentication Policies. |
Mar 13, 2023 | You can now define the number of consecutive push notifications that can be ignored or rejected by a user within a defined period before push notifications are blocked for an application. Use this setting to prevent attacks based on repeated push notifications that may lead users to eventually accept the authentication request. For details, see the documentation for the pushLimit object in Device Authentication Policies. |
Feb 01, 2023 | The platform now supports properties for enumerated values and regular expression validation in the schema data model. For details, see Schemas. |
Jan 10, 2023 | You can now configure Android applications to use Huawei Mobile Services. For details, see Application Operations and Application MFA Push Credentials. |
Jan 10, 2023 | You can now use the dataExplorations endpoint to generate reports of MFA devices. For details, see Reporting. |
Jan 10, 2023 | For notification templates of type "Push", it is now possible to specify a push category to control the type of banner that is displayed to the user. For details, see Notification Templates. |
Jan 3, 2023 | You can now use the riskPredictors endpoint to create New Device predictors, which allow your risk policy to take into account the risk associated with users trying to access applications from unknown devices or devices that have not been used in the recent past. For details, see Risk Predictors. |
Jan 3, 2023 | In MFA policies, it is now possible to specify how much time users have to respond to a push notification before it expires. This period can be defined separately for each mobile application included in the MFA policy. For details, see Device Authentication Policies. |
Jan 3, 2023 | The default method to use for MFA is now set at the MFA policy level rather than at the environment level. For details, see Device Authentication Policies. |
Jan 3, 2023 | It is now possible to block a user's MFA device, and to unblock a device that is currently blocked. For details, see MFA Devices. |
Dec 15, 2022 | It is now possible to use the API to unlock a device that was locked-out due to too many failed MFA attempts, even if the defined waiting period has not yet elapsed. For details, see MFA Devices. |
Dec 15, 2022 | It is now possible to use the gateways endpoint to create a RADIUS gateway. For details, see Gateway Management. |
Dec 8, 2022 | We've added properties to support applications using WS-Federation. See the Applications base data model and the Applications WS-Federation settings data model for more information. |
Dec 2, 2022 | We've added an email verification endpoint to verify a user's email through a verification code. See User Email Verification. |
Nov 22, 2022 | You can now use the hiddenFromAppPortal property to hide an application in the application portal, overriding your configured group membership access policy. See Applications base data model. |
Oct 26, 2022 | You can now use the nameFormat property to define the naming format for attributes other than Subject. See Applications attribute mapping data model. |
Oct 26, 2022 | We've added the initiateLoginUri and targetLinkUri properties to the Applications OIDC data model. |
Oct 25, 2022 | The Token Introspection Endpoint now supports authentication with a Resource ID and Secret. See POST Token Introspection (Resource ID and Secret) and Resource Secret. |
Oct 21, 2022 | You can now allow a wildcard character in the Redirect URI for OIDC applications. See Applications OIDC settings data model. |
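A wildcard in a registered redirect URI widens the set of hosts the authorization server will send codes and tokens to, so the matching rules matter: a pattern that is too broad (a bare `*`, or a wildcard above a registrable domain) lets any attacker-controlled host receive the authorization response. The following added example, which is not code from the page or from PingOne and does not describe PingOne's exact wildcard semantics, shows the kind of strict validation a relying party or authorization server should apply: one wildcard, only as the leftmost host label, exact scheme, port and path, and no query, fragment or userinfo in the requested URI. The rules and the sample URIs are this example's own assumptions.

```python
from urllib.parse import urlsplit

# The matching rules in this file are this example's own assumptions about safe
# wildcard handling, not a statement of PingOne's redirect URI semantics.


def is_acceptable_pattern(registered: str) -> bool:
    """Registration-time check: allow at most one wildcard, only as the leftmost
    host label, and only beneath a registrable domain (never "*.com" or "*")."""
    u = urlsplit(registered)
    host = u.hostname or ""
    if u.scheme != "https" or not host:
        return False
    if "*" in host:
        if not host.startswith("*.") or host.count("*") != 1:
            return False
        if "." not in host[2:]:            # "*.com" would match every .com host
            return False
    if "*" in u.path or u.query or u.fragment or u.username is not None:
        return False
    return True


def _host_matches(pattern: str, host: str) -> bool:
    """Exact match, or a leading "*." label matching one or more labels."""
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                   # "*.example.com" -> ".example.com"
    return host.endswith(suffix) and len(host) > len(suffix)


def redirect_uri_matches(registered: str, requested: str) -> bool:
    """Decide whether the redirect_uri from an authorization request is allowed
    by one registered (possibly wildcarded) redirect URI."""
    if not is_acceptable_pattern(registered):
        return False
    reg, req = urlsplit(registered), urlsplit(requested)
    req_host = req.hostname or ""
    if not req_host or "*" in req_host:    # a literal '*' in a request is never valid
        return False
    if req.scheme != reg.scheme or req.username is not None:
        return False                       # rejects userinfo tricks like https://good@evil/
    if req.query or req.fragment:
        return False                       # no extra parameters smuggled into the callback
    try:
        if req.port != reg.port:
            return False
    except ValueError:                     # malformed port
        return False
    if req.path != reg.path:
        return False                       # byte-for-byte path comparison, so "../" fails
    return _host_matches(reg.hostname, req_host)


if __name__ == "__main__":
    # Constructed sample URIs.
    pattern = "https://*.example.com/callback"
    for uri in ("https://app.example.com/callback",
                "https://example.com/callback",
                "https://app.example.com.attacker.net/callback",
                "https://app.example.com/callback?next=x"):
        print(uri, redirect_uri_matches(pattern, uri))
```

The registration-time check and the request-time check are deliberately separate: the first keeps dangerous patterns out of the configuration in the first place, the second makes the decision on every authorization request, and both must pass before a response is redirected.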
Oct 19, 2022 | PingOne Risk now includes an SDK that allows you to obtain additional risk-related data and pass the data to the risk evaluation, resulting in improved detection. The riskEvaluations endpoint can now take the data provided by the SDK in a header called X-SDK-DATA-PAYLOAD. For details, see the documentation for creating risk evaluations. |
Sep 28, 2022 | To simplify automated testing of your applications, you can now create dedicated testing devices. When you use the API to send authentication requests to such a device, the OTP is not sent to the actual device, but instead is returned as part of the body of the response. See MFA Devices. |
Sep 15, 2022 | We've added support for the WS-Federation protocol to the Application Management service. This supports Microsoft's Office365 and Azure integration with PingOne. See Create Application (WS-Federation Protocol) for more information. |
Aug 31, 2022 | When using the mfaSettings endpoint to update MFA settings, you can now use pairing.pairingKeyFormat to specify the type of pairing keys that should be used: 12-digit numeric keys or 16-character alphanumeric keys. Existing environments will continue to use the 12-digit numeric keys unless changed. New environments will use the 16-character keys by default. |
Aug 31, 2022 | It is now possible to create composite predictors for situations where you are interested in combining a number of risk predictors into a single predictor. See Risk Predictors. |
Aug 26, 2022 | The platform now supports adding custom claims to an OpenID Connect scope. See Resource Scopes. |
Aug 18, 2022 | We've added a default property to the Populations endpoint, enabling you to assign a default population to an environment. See Populations. |
Aug 14, 2022 | When creating or editing an MFA policy, you can now use the field mobile.applications[].integrityDetection to specify how registration and authentication attempts should be handled if a response is not received for device integrity: continue with the flow or block the user. For details, see Device Authentication Policies. |
Aug 14, 2022 | When defining a mobile application, you can now use mobile.integrityDetection.excludedPlatforms in conjunction with mobile.integrityDetection.mode to enable device integrity checking only for Android or only for iOS. For details, see Application Operations. |
Aug 2, 2022 | You can now use Kerberos to sign on users. See Gateway LDAP data model in Gateway Management and the Sign On with Kerberos request. |
Aug 2, 2022 | You can now force a reset of the password identified by the user ID and environment ID without the administrator supplying a password. See Force Change Password request. |
Aug 2, 2022 | It is now possible to use the API to create and manage FIDO policies, which can then be included in device authentication policies. For details, see FIDO Policies and Device Authentication Policies. |
Aug 1, 2022 | It is now possible to use the riskPolicySets endpoint with conditions of type AGGREGATED_SCORES to create score-based policies. See Risk Policies. |
Jul 18, 2022 | For sign-on policies in PingOne, MFA steps are added now by referencing an existing MFA policy rather than having to define the specific authentication methods that are allowed for the policy. For details, see Sign-On Policy Actions. |
Jul 14, 2022 | The platform now includes PingFederate admin roles, allowing admins to SSO from PingOne into PingFederate with the appropriate permissions for their role. See Roles. |
Jul 10, 2022 | For organizations that prefer to maintain their own user device information, it is now possible to initiate authentication while providing the information necessary for contacting the user. See the documentation for the selectedDevice object in MFA Device Authentications. |
Jul 7, 2022 | It is now possible to create passwordless authentication flows that require only FIDO2 authentication with no need for the user to provide their username. To use this feature, use the rp.id property in the request body for deviceAuthentications. For details, see MFA Device Authentications. |
Jun 6, 2022 | You can now define notification policies to limit the use of SMS and voice messages for pairing and authentication. For details, see Notification Policies. |
Apr 28, 2022 | The platform now includes the PingOne Authorize API access management service, which provides tools to externalize the management and evaluation of access control policies for HTTP-based APIs. See PingOneAuthorize API Access Management. |
Apr 25, 2022 | MFA Native SDK v1.7.0 now supports authentication code flows for Android and iOS operating systems. See Authentication code flow. SDK v1.7.0 also supports elliptic-curve cryptography (ECC) for signing and verifying mobile requests. This feature uses iOS secure enclave capabilities. |
Apr 25, 2022 | The platform now includes endpoints that initiate an authentication code flow. See MFA Authentication Code. The platform includes a new uriPrefix property on the application's mobile object that specifies a valid app/universal link or app schema to enable direct triggering of the mobile application when scanning a QR code. See Application Operations. |
Mar 11, 2022 | The platform now requires the minimum password length to be between 8 and 32 characters. For more information, see Password Policies. |
Mar 07, 2022 | The platform now supports a hybrid flow authorization request, in which some tokens are returned from the authorization endpoint, and others are returned from the token endpoint. For more information, see GET Authorize (hybrid) and POST Authorize (hybrid). |
Feb 09, 2022 | The platform now supports a policy.id property for MFA devices that specifies the device authentication policy ID associated with the device resource. For more information, see MFA Devices and MFA Pairing Keys. |
Feb 04, 2022 | The platform now supports a PingFederate-SSO platform application, which is created automatically if the PingOne environment includes PingFederate. For more information, see Application Management. |
Jan 13, 2022 | Custom risk predictors cannot be referenced as an attribute in a placeholder details list (${details.<attribute>}). See Custom risk predictor conditions in Risk Predictors for more information. |
Dec 27, 2021 | The platform now supports configuring the whiteList property on a per risk predictor basis. For information about risk predictors that support the whiteList property, see Risk Predictors. |
Dec 27, 2021 | The platform now supports the User Location Anomaly risk predictor. See Risk Predictors. |
Dec 23, 2021 | For authorization requests that return an invalid request object error, the error message now includes additional details about the INVALID_VALUE. For example, the old detail message stated this: "The request parameter contains an invalid Request Object". The new detail message provides specific information about the validation error: "The request parameter contains an invalid Request Object: The token signature is invalid.". |
Dec 17, 2021 | The Integration Catalog has been updated to easily retrieve application integration information and assets. |
Dec 17, 2021 | The image service API now returns a regionalized URL for any new images uploaded. For example, if you are in the EU and use pingone.eu, then uploaded images will now be in this format "https://uploads.pingone.eu/environments/..." instead of "https://uploads.pingone.com/environments/...". This regionalization is also applicable to uploaded images in the .asia and .ca regions. Old image URLs will still work as expected. For more information, see Images. |
Dec 16, 2021 | The platform now supports configuration of policies for MFA enrollment and authentication transactions in PingOne Flows. The apiPath/environments/envID/deviceAuthenticationPolicy endpoint is deprecated, but still supported. No immediate code changes are required, but it's recommended to change to the new apiPath/environments/envID/deviceAuthenticationPolicies endpoint. See Device authentication policies, which now supports the following operations: |
Dec 15, 2021 | The platform now includes endpoints that initiate and complete an MFA action without requiring a call to the PingOne authorize service. For more information, see MFA Device Authentications. |
Dec 15, 2021 | The platform now supports the ability to configure short codes and toll-free origination numbers to send SMS and voice notifications to recipients in multiple countries. See the supportedCountries property in the Custom provider phone number properties table. |
Dec 12, 2021 | The platform now supports configuration of untrusted sender email addresses at the email notification template content level, when using a custom email sender. See Content properties. |
Dec 08, 2021 | The platform now provides easier integration with custom providers' remote gateways, including support for dispatching voice notifications. This implementation uses the GET and POST operations and customizable body and headers. Basic and bearer authentication methods are supported. See Phone delivery settings. |
Dec 07, 2021 | The platform now includes decision endpoints that allow efficient evaluation of policies developed in the PingOneAuthorize Policy Editor Service. For more information, see PingOneAuthorize Policy Decision Service. |
Nov 08, 2021 | The platform now supports a JSON array PATCH action to update targeted elements on a user object. For more information, see Update User (Patch JSON Array). |
Oct 25, 2021 | The notifications settings property, notificationsSettings.defaultLanguage, has been removed from the platform. When required, notifications use the environment's default language, which is set using the /environments/{{envID}}/languages endpoint. For information about notification content and language selection, see Runtime logic for content selection. For information about an environment's default language, see Language Management. |
Oct 04, 2021 | Ping Identity has added a Canada regional data center that will provide enhanced performance and response on services for Canadian customer accounts hosted on this data center. Canada data center domains: |