OpenID Connect/OAuth 2

PingOne integrates with applications that use standards-compliant protocols by taking on the role of an OpenID Connect provider and OAuth 2 authorization server. In this capacity, PingOne provides the framework for connected applications to access protected HTTP resources. For more information about OpenID Connect and OAuth 2, see the OpenID Connect 1.0 spec and the OAuth 2.0 Authorization Framework RFC6749.

The PingOne authorization endpoint /{{envID}}/as/authorize is used to interact with the resource owner and obtain an authorization grant. For more information and additional examples, see Authorization and authentication by application type.

OpenID Connect/OAuth2 data model

Property	Type	Required?	Mutable?	Description
`acr_values`	String	Optional	Mutable	Either a single DaVinci policy (identified by the flow policy ID), or one or more PingOne sign-on policies by name (space-separated). The PingOne sign-on policies can be the predefined sign-on policies, `Single_Factor` and `Multi_Factor`, or any custom defined sign-on policy names. The PingOne sign-on policy names should be listed in order of preference, and they must be assigned to the application.
`client_assertion`	String	Optional	Mutable	A JWT that contains a signed assertion with the application’s credentials. This property is required if the application's `tokenEndpointAuthMethod` is set to either `PRIVATE_KEY_JWT` or `CLIENT_SECRET_JWT`.
`client_assertion_type`	String	Optional	Mutable	A string that specifies the client assertion type. The value of this property must be set to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`. This property is required if the application's `tokenEndpointAuthMethod` is set to either `PRIVATE_KEY_JWT` or `CLIENT_SECRET_JWT`.
`client_id`	String	Required*	Immutable	The application's UUID. *Note: This parameter is optional for `GET /{{envID}}/as/idp-signoff?id_token_hint={{idToken}}`.
`client_secret`	String	Required	Immutable	The application's client secret.
`code`	String	Optional	Immutable	the authorization code returned by the authorization server. This property is required only if the `grant_type` is set to `authorization_code`.
`code_challenge`	String	Optional	Immutable	Computed from the `code_verifier` that is used in a Proof Key for Code Exchange (PKCE) authorization request. The length and character set requirements for the `code_challenge` string are documented in Section 4.1 of RFC7636. The computation for the `code_challenge` string is documented in Section 4.2 of RFC7636.
`code_challenge_method`	String	Optional	Mutable	Specifies the computation logic used to generate the `code_challenge` string. The token endpoint uses this method to verify the `code_verifier` for PKCE authorization requests. Options are: `plain` and `S256`.
`code_verfier`	String	Optional	Immutable	Used to create the `code_challenge` value passed to the authorization server in the request. The length an character set requirements for the `code_verifier` string is documented in Section 4.1 of RFC7636.
`grant_type`	String	Optional	Mutable	The grant type of the token request. Options are `authorization_code`, `implicit`, `refresh_token`, and `client_credentials`.
`id_token_hint`	String	Optional*	Mutable	The previously issued ID token used to indicate the identity of the user. This is passed to the logout endpoint as a hint about the user's current authenticated session with the client. *Note: This parameter is required for `GET /{{envID}}/as/idp-signoff?id_token_hint={{idToken}}`.
`login_hint`	String	Optional	Mutable	A login identifier to pre-fill the Username field of the sign-on screen. The string can be the UUID of an existing user in the environment, which results in the look-up of the user's `username` property, or it can be another string used to pre-fill the sign-on screen. The Username field of the sign-on screen does not pre-fill if (1) no string is provided as a hint, and (2) the OpenID Connect scope `openid` is not specified. In the flow response, if the `login_hint` value is a `username`, the value is returned in the flow response's `identifier` attribute. If the `login_hint` is a UUID, and the look-up finds a user, the `username` value is returned in the `identifier` attribute. If a user is not found, the UUID is returned in the flow response's `identifier` attribute.
`login_hint_token`	Token	Optional	Immutable	Provides a way for the client to identify and authenticate the end-user without needing to encode the entire authentication request in a signed JWT. Using a separate token instead of the `login_hint` parameter also means that this token can be signed by a client different from the authenticating client.
`mobilePayload`	Parameter	Optional	Mutable	Used by mobile applications leveraging PingOne MFA SDK. See Implement automatic pairing of native app as MFA authenticator app.
`max_age`	String	Optional	Mutable	The maximum amount of time allowed (in seconds) since the user last authenticated. If the `max_age` value is exceeded, the user must re-authenticate. If the `max_age value` is set to 0 (`max_age=0`), the user is always required to re-authenticate.
`nonce`	String	Optional	Immutable	Used to associate a client session with a token to mitigate replay attacks. The value is passed through unmodified from the authentication request to the token. This is an optional property for authorization requests that return a code.
`post_logout_redirect_uri`	String	Optional	Mutable	The URL to which the browser is redirected after a logout has been performed. When `id_token_hint` is specified, this URI must match one of the `postLogoutRedirectUri` values for the application using `id_token_hint`. If `post_logout_redirect_uri` is specified, and it does not match one of the `postLogoutRedirectUri` values of any enabled application in the specified environment, this condition is handled as an un-redirectable error.
`prompt`	String	Optional	Mutable	Specifies whether the user is prompted to login for re-authentication. The prompt parameter can be used as a way to check for existing authentication, verifying that the user is still present for the current session. For `prompt=none`, the user is never prompted to login to re-authenticate, which can result in an error if authentication is required. For `prompt=login`, if time since last login is greater than the `max-age`, then the current session is stashed away in the flow state and treated in the flow as if there was no previous existing session. When the flow completes, if the flow's user is the same as the user from the stashed away session, the stashed session is updated with the new flow data and persisted (preserving the existing session ID). If the flow's user is not the same as the user from the stashed session, the stashed session is deleted (logout) and the new session is persisted.
`redirect_uri`	String	Required	Mutable	The URL of the return entry point of the application.
`refreshTokenRollingGracePeriodDuration`	Integer	Optional	Mutable	The number of seconds that a refresh token may be reused after having been exchanged for a new set of tokens. This is useful in the case of network errors on the client. Valid values are between 0 and 86400 seconds. Null is treated the same as 0.
`request`	Token	Optional	Immutable	A JWT that enables OIDC/OAuth2 request parameters to be passed as a single, self-contained parameter. If the application's `supportUnsignedRequestObject` property value is set to `false`, the JWT must be signed (using the `HS256` signing algorithm). Using a JWT enables integrity protection of parameters that are required for risk-based authentication or privacy and consent use cases. Specifically: Passing in the user agent's original IP address when the PingOne platform is used behind a server side application that is functioning as an authentication gateway or PingFederate. Passing in a purpose or usage description string that could be displayed to the user on the authentication UI prompt, SMS or voice message, push notification, or email message. For more information, see Create a request property JWT.
`response_mode`	String	Optional	Mutable	The mechanism for returning authorization response parameters from the authorization endpoint. Options are `query`, `fragment`, `form_post`, and `pi.flow`. The `pi.flow` option is a Ping Identity custom response mode to specify that the `redirect_uri` parameter is not required and authorization response parameters are encoded as a JSON object wrapped in a flow response and returned directly to the client with a `200` status. For more information about the `query`, `fragment`, and `form_post` options, see the ResponseModes section of the OAuth 2.0 Multiple Response Type Encoding Practices specification. For non-redirect use case information, see Redirect and non-redirect authentication flows.
`response_type`	String	Required	Mutable	The code or token type returned by an authorization request. Options are `token`, `id_token`, and `code`. It's possible to reference multiple response types. See the OpenID spec OAuth 2.0 Multiple Response Type Encoding Practices for details.
`scope`	String	Optional	Mutable	Permissions that determine the resources that the application can access. This parameter is not required, but it is needed to specify accessible resources. See Authorization for details when using the `offline_access` value here.
`state`	String	Optional	Mutable	Used to maintain state between the logout request and the callback to the endpoint specified by the `post_logout_redirect_uri` query parameter.
`subject_token`	String	Required	Immutable	The security token that represents the identity of the PingFederate cluster (or other client type) that requires access to PingOne services.
`subject_token_type`	String	Required	Immutable	The type of the security token provided in the `subject_token` property. Options are `pingone_gateway_credential`.
`token`	String	Required	Immutable	The token string. This is a required property for token introspection and token revocation.

Note: PingOne licenses can disable access to specific scopes (and their associated permissions) based on the capabilities allowed by the license package. For more information about restricted scopes, see Access services through scopes and roles.

Application access control conditions

You can configure OpenID Connect applications for access control by setting the accessControl property on the application. For more information about accessControl properties, see Application Operations. When accessControl properties are set for an application, the user must meet the requirements specified by these application properties to get a token. If the user attempts to authenticate and the grant_type is either authorization_code or implicit, then the application's accessControl conditions are evaluated to determine whether the user can be issued a token.

The token (or tokens) is minted if the user meets the application's access control conditions. If the conditions are not met, the token (or tokens) is not issued and an ACCESS_FAILED error is returned. If access is denied, a USER.ACCESS_DENIED event is published; otherwise, a USER.ACCESS_ALLOWED event is published.

Note: If the user already has an access token, application access restrictions are not applied to refresh token or to token introspection operations.

For more information, see Control access to applications through roles and groups.

Audit reporting events

To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.

Service	Event
applications	SECRET.UPDATED
applications	SECRET.READ
applications	GRANT.CREATED
applications	GRANT.UPDATED
applications	GRANT.DELETED
resources	RESOURCE.CREATED
resources	RESOURCE.UPDATED
resources	RESOURCE.DELETED
resources	SCOPE.CREATED
resources	SCOPE.UPDATED
resources	SCOPE.DELETED
resources	ATTRIBUTE.CREATED
resources	ATTRIBUTE.UPDATED
resources	ATTRIBUTE.DELETED
resources	SECRET.UPDATED
resources	SECRET.READ

Response codes

Code	Message
200	Successful operation.
201	Successfully created.
204	Successfully removed. No content.
400	The request could not be completed.
401	You weren’t authenticated to perform this operation.
403	You do not have permissions or are not licensed to make this request.
404	The requested resource was not found.

Warning: Applications in an environment configured to use a custom domain should use the custom domain URL in the {{authPath}} instead of the default PingOne domain. For more information about custom domains, see Custom Domains. In addition, URLs are generated based on the inbound initial authorize call. For example, if the environment's custom domain is acme.com, but the initial call is from https://auth.pingone.com/{{envID}}/as/authorize, then the generated URLs will have a format of https://auth.pingone.com/{{envId}}/.... If the initial call is from https://acme.com/as/authorize, the generated URLs will have a format of https://acme.com/....

Configuration options

The following topics provide information about the platform's advanced configuration options in authorize and token requests.

Redirect and non-redirect authentication flows

Describes the authorize request's response_mode options, which include the query, fragment, and form_post options for redirecting back to the client. It also describes how to use the PingOne pi.flow custom response option for non-redirect flows, returning response parameters encoded as a JSON object directly to the client.
Create a login_hint_token JWT

Describes the claims required by the login hint token, and how to sign the JWT using an application's client secret as the signing key.
Create a request property JWT

Describes the claims required by the request property token, and how to sign the JWT using either the application's client secret or a private key as the signing key.
Create a client secret JWT

Describes the claims required by a JWT used to authenticate the PingOne /token request, and how to sign the JWT using an application's client secret as the signing key.
Create a private key JWT

Describes the claims required by a JWT used to authenticate the PingOne /token request, and how to sign the JWT using a private key as the signing key.
Create a private_key_jwt JWKS string

Describes how to configure a JWKS string (or JWKS URL) to add to an application configuration to enable the use of a private key JWT as the authentication method for a PingOne /token request.
Use an authentication JWT for token fulfillment

Describes how to map attributes from a source's authentication JWT to the PingOne generated token.

Redirect and non-redirect authentication flows

The response_mode authorization service property provides the mechanism for returning authorization response parameters from the authorization endpoint. In PingOne, the response_mode property's options are query, fragment, form_post, and pi.flow. The query, fragment, form_post options are defined in the OAuth 2.0 Multiple Response Type Encoding Practices specification.

When redirecting back to the client using the redirect_uri property:

query

The response parameters are encoded in the query string added to the redirect_uri.
fragment

The response parameters are encoded in the fragment added to the redirect_uri.
form_post

The response returns a form_post encoded response, and after user approval, returns a result in an HTTP POST to the client.

The pi.flow option is a Ping Identity custom response mode to specify that the redirect_uri parameter is not required and authorization response parameters are encoded as a JSON object wrapped in a flow response and returned directly to the client with a 200 status. For example, with native mobile apps and SPAs that want to render the end-user interface, setting the response_mode property to pi.flow allows the app to authenticate using the flows API without needing to handle HTTP redirections. When authentication is complete, the app receives the auth code, access token, or ID token in a JSON response instead of a redirect.

Note: A browser-based application that interacts with the authorization endpoint using either form_post or pi.flow must protect itself against Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) vulnerabilities. If a user has already authenticated using the browser, a malicious script running within the browser context that makes an authorization request using form_post or pi.flow may receive the user’s access/id tokens directly in the response. To mitigate this risk, ensure your application follows these recommendations:

Disable support for the OAuth 2.0 Implicit Grant Type.
Choose a Token Endpoint Authentication Method other than NONE.
Configure the application's corsSettings.behavior property to ALLOW_SPECIFIC_ORIGINS and in the corsSettings.origins property only list your application’s origins. For more information, see Application Operations.
Ensure that your application is written with security best practices to prevent script injection.

Use cases for pi.flow

The following outlines several use cases for a non-redirect flow using the pi.flow option for the response_mode property. For application integration use cases (including PingFederate), a login_hint_token is also specified in the authorize request to specify the application ID and the associated user ID.

The login_hint_token must be a signed JWT in which the iss claim is the ID of an enabled application and the aud claim is the platform issuer URL. For example:

{
  "iss": "{{integratedAppID}}",
  "sub": "{{userID}}",
  "aud": "https://auth.pingone.com/{{envID}}/as",
  "iat": 1300819380,
  "exp": 1300819391
}

The JWT must be signed using the HS256, HS384, or HS512 algorithm and the application's client secret as the key.

Integrations with PingFederate

The PingFederate PingOne MFA adapter uses the response_mode property with the pi.flow option. For detailed information about integrating PingFederate and PingOne MFA, see PingOne MFA Integration Kit.

Non-redirect flow for mobile clients

A non-redirect flow for mobile clients implements custom flow interfaces with PingOne platform flow APIs but with native application interface components. PingOne can be used for complete authentication or MFA only by providing a login_hint_token with the already authenticated user context on the authorization request.

The following sample shows an authorize request for the non-redirect flow:

{{authPath}}/{{envID}}/as/authorize?response_type=token id_token&response_mode=pi.flow&scope=openid profile email&state={{string}}&login_hint_token={{loginHintJwt}}&client_id={{clientID}}

Transaction approval flows

PingOne supports transaction approval when strong authentication is required for elevated security for a high-value transaction, or high-risk resource or service. The authorize request includes the response_mode and request parameters. The request property value is a JWT that enables OIDC/OAuth2 request parameters to be passed as a single, self-contained parameter.

The following sample shows an authorize request for a transaction approval flow:

{{authPath}}/{{envID}}/as/authorize?response_type=token id_token&response_mode=pi.flow&scope=openid&state={{string}}&request={{requestString}}&client_id={{clientID}}

Note: for more information about creating the login_hint_token or request token values, see Create a login_hint_token JWT and Create a request property JWT.

PingOne support for response_mode options

The following table shows the current support for response_mode options for specific response_type values in the authorize request.

response_mode	response_type	Supported option
omitted	`code`	`query`
omitted	`id_token`	`fragment`
omitted	`token`	`fragment`
omitted	`id_token` `token`	`fragment`
omitted	`code` `id_token`	`fragment`
omitted	`code` `token`	`fragment`
omitted	`code` `id_token` `token`	`fragment`
`query`	`code`	`query`
`query`	`id_token`	error
`query`	`token`	error
`query`	`id_token` `token`	error
`query`	`code` `id_token`	error
`query`	`code` `token`	error
`query`	`code` `id_token` `token`	error
`fragment`	`code`	`fragment`
`fragment`	`id_token`	`fragment`
`fragment`	`token`	`fragment`
`fragment`	`id_token` `token`	`fragment`
`fragment`	`code` `id_token`	`fragment`
`fragment`	`code` `token`	`fragment`
`fragment`	`code` `id_token` `token`	`fragment`
`form_post`	`code`	`form_post`
`form_post`	`id_token`	`form_post`
`form_post`	`token`	`form_post`
`form_post`	`id_token` `token`	`form_post`
`form_post`	`code` `id_token`	`form_post`
`form_post`	`code` `token`	`form_post`
`form_post`	`code` `id_token` `token`	`form_post`
`pi.flow`		`pi.flow`

Create a login_hint_token JWT

A login_hint_token is a JWT that provides a way for the client to identify and authenticate the end-user without needing to encode the entire authentication request in a signed JWT. The following information describes the OIDC parameters and the steps for generating and signing the token.

Prerequisites

Install a JWT token generator such as jwtgen globally using npm install -g jwtgen. This action requires npm.
Retrieve the environment id property value associated with your worker application and user.
Retrieve the clientId and clientSecret property values for the worker application.
Retrieve the user ID id or username property value for whom this token will be associated.

Note: For non-production applications, you can use the PingOne Login Hint Token Generator to generate a login_hint_token value. This utility requires the same parameters described above (environment ID, client ID, client secret, and user ID or username). The tool also requires that you select one of PingOne's geographic regions.

Generate a signed token

The header parameters cty and enc must not be included in the login_hint_token JWT header. PingOne does not support nested signing or encryption operations here.

The command to generate the login_hint_token JWT takes the following parameters:

Parameter	Description
`-a`	Specifies the JWT signing algorithm. Options are `HS256`, `HS384`, and `HS512`.
`-s`	Specifies the signing key, which is the application's `clientSecret` property value.
`-e`	Specifies the expiration date, expressed as the number of seconds from the time of creation. The typical value is 3600 seconds.
`--claims`	Specifies the claims required by the token: `iss`: A string that specifies the client ID of the issuer creating the token `sub`: A string that specifies the identifier for the authenticated user (for example, the `id` or `username` property value). `iat`: An integer that specifies the timestamp, measured in the number of seconds since January 1, 1970, UTC, indicating when this token was originally issued. `exp`: An integer that specifies the timestamp, measured in the number of seconds since January 1, 1970, UTC, indicating when this token will expire. `aud`: A string that specifies the intended audience for this token. `nbf`: (Optional) Indicates that the current date and time must be after or equal to this value. If included, this value is validated per RFC 7519 4.1.5.

Note: For example, a common iss claim value is the client ID for PingFederate, with the aud claim specifying PingOne as the intended audience for the token. The issuer claim identifies the identity provider that authenticated the user (PingFederate) and the audience claim identifies PingOne.

Run the jwtgen command.

jwtgen -a "HS256" -s "YOUR_CLIENT_SECRET" -e 3600 --claims '{
"iss":"YOUR_CLIENT_ID",
"sub":"YOUR_USER_ID_OR_USERNAME",
"iat":1300819380,
"exp":1300819391,
"aud":"https://auth.pingone.com/YOUR_ENVIRONMENT_ID/as"
}'

Record the token returned successfully by the command to use as the value of the login_hint_token property in the authorize request.

Note: You can use the PingOne JWT Decoder to view the claims information in a JSON Web Token. This utility asks you to provide the JWT token, and it returns a Header (the type of encoded object in the payload), the Payload (the JWT claims set), and the Signature (an encoding of the Header and Payload).

Create a request property JWT

A request property JWT enables OIDC/OAuth2 request parameters to be passed as a single, self-contained parameter. Using a JWT enables integrity protection of parameters that are required for risk-based authentication or privacy and consent use cases.

You can create a request JWT using the following signing algorithms:

HS256, HS384, HS512

Use this signing algorithm when an application's client secret is the signing key.
RS256, RS384, RS512

Use this signing algorithm when an external private key is used as the signing key.

For example, the request JWT for a transaction approval action takes the following parameters:

Parameter	Description
Signing algorithm	Specifies the JWT signing algorithm. Options are `HS256`, `HS384`, `HS512` and `RS256`, `RS384`, `RS512`.
Signing key	Specifies the signing key, which is the application's `clientSecret` property value or an external private key.
`--claims`	Specifies the claims required by the token: `iss`: A string that specifies the application ID of the issuer creating the token `aud`: A string that specifies the intended audience for this token. `pi.template`: A string that specifies the template name and the variables required by the template. For information see Notifications Templates. `pi.clientContext`: A string that specifies the name-value pairs that define the client context. For information see Device Authentictation. `pi.remoteIp`: A string that specifies the user's IP address. This is an optional property used with authentication policies that include IP-based conditions. `pi.webAuthn.challenge`: Include this parameter if you want to use dynamic linking to attach a unique identifier to a FIDO transaction. The value should be a custom challenge to replace the automatically-generated challenge sent with the authentication request. Must be a valid and unique Base64URL string that decodes to a data array of at least 32 bytes. You can generate a challenge that meets these criteria by adding a random nonce to the transaction details to ensure uniqueness and then using SHA-256 to hash the information.

Request property JWT signed using the client secret

This sample shows the information required in a transaction approval JWT in which the JWT is signed using the PingOne client secret with HS256 encryption:

"jwtHeader": {
  "alg": "HS256",
  "typ": "JWT"
},
"jwtBody":
{
  "aud": "https://auth.pingone.com/{{envID}}/as",
  "iss": "{{appID}}",
  "pi.template": {
    "name": "transaction",
    "variant": "{{variantName}}",
    "variables": {
      "sum": "1,000,000",
      "currency": "USD",
      "recipient": "Charlie Parker"
    }
  },
  "pi.clientContext": {
    "alert.color": "red"
  }
}

This sample demonstrates the use of the pi.webAuthn.challenge parameter for using dynamic linking to attach a unique identifier to a FIDO transaction:

"jwtHeader": {
  "alg": "HS256",
  "typ": "JWT"
},
"jwtBody":
{
  "aud": "https://auth.pingone.com/{{envID}}/as",
  "iss": "{{appID}}",
  "pi.webAuthn": {
    "challenge": "1cd774777136450c97e83267a52cecccb5f52d1adbc0f46c42e164edadb47fb3"
  }
}

The following information describes the OIDC parameters and the steps for generating and signing the token.

Prerequisites

Install a JWT token generator.
Retrieve the environment id property value associated with your application and user.
Retrieve the clientId and clientSecret property values for the application.
Retrieve the name of the transaction notification template that you want to use.

Note: For non-production applications, you can use the PingOne JWT Encoder located on the Developer Tools page (JWT Encoder) to generate a JSON Web Token. This utility asks you to provide values for the JWT header, the JWT payload (the set of claims), and the RSA private key. The JWT Encoder page provides detailed documentation about these three components.

Generate a signed token

Run JWT token generator, providing the information above.
Record the token returned successfully by the command to use as the value of the request property in the authorize request.

Note: You can use the PingOne JWT Decoder located on the Developer Tools page (JWT Decoder) to view the claims information in a JSON Web Token. This utility asks you to provide the JWT token, and it returns a Header (the type of encoded object in the payload), the Payload (the JWT claims set), and the Signature (an encoding of the Header and Payload).

Request property JWT signed using a private key and JWKS string

This sample shows the information required in a transaction approval JWT in which the JWT is signed using an external private key with RS256 encryption:

"jwtHeader": {
  "alg": "RS256",
  "typ": "JWT"
},
"jwtBody":
{
  "aud": "https://auth.pingone.com/{{envID}}/as",
  "iss": "{{appID}}",
  "pi.template": {
    "name": "transaction",
    "variant": "{{variantName}}",
    "variables": {
      "sum": "1,000,000",
      "currency": "USD",
      "recipient": "Charlie Parker"
    }
  },
  "pi.clientContext": {
    "alert.color": "red"
  }
}

Note: When you sign a request JWT using a private key and the RS256 (or RS384, RS512)signing algorithm, you must set the application's jwks (or jwksUrl) property to sign the JWT. For information about the application configuration, see the OIDC settings data model properties table in Application Operations.

Generate a keypair

Use a keypair generator to create a keypair with the following configuration options.
- Key size: 2048
- Key use: signature
- Algorithm: RS256
- Key-ID: SHA-256
- Show X.509: No

Save the generated Public and Private Keypair and the Public Key.

Example public and private keypair

{
"p": "x1mRR-Y1_i8ZPTLe2sPmuif4hhIfaxSph8m_iACDEHvAfTh0RMV7SrExscRSUXzcWX_FbSIKE5tDm4c1qzImnmWz06z6SSQYUjl0iU6V439sebR662deH5kOF92Vbtj5OLk-mNdj-fm6CdwnWEp3vb36T9kOiKHGReluwJpG1I8",
"kty": "RSA",
"q": "tY0osG4YzkzTX_NCxN3QBFinw_hvJLX6zVXZ-PGHTOD0iFsdwCzmqa3o6_4-GtHUSiuoboTscx2ItbU824IDp41p99HLvSm0lZixszqlcG1JZSaQVj5_5rOBttTcovvAL5te4jq5Mi966WC3yT-V_ZLxE3jFNt5vNzW8ykxsAJ8",
"d": "T_2qcj4Tb-wuMCvI3uOvBZza21PjzkCy5iTClT3QZ30Wlwm8A35x1b3MVHz7JGox3I_KvMClwQdrDMU2aibQaGzs_EunMH5Y1VhlKDg4RvuQBoyB9lpDT1TdrmDe7kHDPDERrB84gPQkrAm-RgJ0W_zPyJMR013pZjOwPKlxKYbsW1G02Jbg2Vl1zatNWBm1MFYQYEOYyaNQkt32WktNdgixYg0Qdt3Q160mbfNz5c9USLVqvCsye0J2t9DZPK7WzadQCC4S7ehdmQkGd87IfD4XyKuZND_nE8Nz5nbgOLNfuIwR6QH7ksOHT9ur1JVKkzEkX8P40_7LXdarwraiBQ",
"e": "AQAB",
"use": "sig",
"kid": "q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us",
"qi": "t06uC_ML8E01gKSeFPH7LNFxpumuIaYBc_Enr10dB-wqGpYfs6B5yqf5SjlXg1K89Z3QZFcU9AdJW0SYtr9T-A7b3csxeWUW98hOwfXentP8vcSv3dXJI753f64tAZqz5Mgd6jh0D8i1Fvg6d7Hqm_a5cfd-DO80QkW9c8u8rmk",
"dp": "L95hFWvBQVUb8WcavltWNxNMCR2m77aZcuLOHCFLV5TvxuHcgXsOPQRJk4852RlrbA5TYP5Qfx7EYD9acs5rGZQAV27s9s01DeGAC0yUj3lUmfDtp0M-BcZh7PcnX-O4DJfm4RqvhiIiOyXjSL8w-5330l6jr8lw6-6-yn8BTR8",
"alg": "RS256",
"dq": "lFS9ftClEcCxHn7Y-ZGkyDhK8ZFD9YF9ZVCUY5GqksRk5hdTylSlLNL7L_0sbqsrQGJFHe8aZL8nmBZ4n3utUrL2dlSBmo69jVARN7ddvep8gdktKlmsFChrfZ6SmdMIZZ0Su9FwyDEEwjKUVifOezwYHWmZ78dypHASTFJ-F08",
"n": "jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q"
}

Example public key

{
"kty": "RSA",
"e": "AQAB",
"use": "sig",
"kid": "q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us",
"alg": "RS256",
"n": "jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q"
}

Generate a signed JWT

Create a signed JWT with Algorithm RS256 and header and payload information shown below.

Header
```
{
 "alg": "RS256",
 "typ": "JWT"
}
```

Payload (for the transaction approval example)

{
 "aud": "https://auth.pingone.com/{{envID}}/as",
 "iss": "{{appID}}",
 "pi.template": {
   "name": "transaction",
   "variant": "{{variantName}}",
   "variables": {
     "sum": "1,000,000",
     "currency": "USD",
     "recipient": "Charlie Parker"
   }
}

Record the token returned successfully.

Note: The value for exp must be valid. It cannot be in the past, and it cannot be set more than one hour in the future.

Record the token returned successfully by the command to use as the value of the request property in the authorize request.

Create the JWKS string

You will use the generated keys to create a JWKS string object that can be used as the value in your PingOne application’s jwks property.

Copy the Public Key and wrap it like this:

{
"keys": [
  <Your public key>
 ]
}

Which looks like this:

{
"keys": [
   {
     "kty": "RSA",
     "e": "AQAB",
     "use": "sig",
     "kid": "q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us",
     "alg": "RS256",
     "n": "jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q"
   }
 ]
}

The string needs to be reduced to one line and the double quotes escaped.

The JSON for the PingOne application POST (or PUT) to create the application looks like:

{
  ...
  "tokenEndpointAuthMethod": "PRIVATE_KEY_JWT",
   "jwks": "{ \"keys\": [ { \"kty\": \"RSA\", \"e\": \"AQAB\", \"use\": \"sig\", \"kid\": \"q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us\", \"alg\": \"RS256\", \"n\": \"jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q\" } ]}",
  ...
}

Configure the JWKS URL

To use the jwksUrl property in the PingOne application's configuration, the JWKS string must be hosted on a web server, accessible to the internet (using https://). For testing purposes, the following code sample shows a simple node server file (running on a local web server) that hosts the JWKS string.

const https = require("https");
const host = 'localhost';
const port = 3000;

const requestListener = function (req, res) {
    res.setHeader("Content-Type", "application/json");
    res.writeHead(200);    

    const jwksString = "{\r\n  \"keys\": [\r\n    {\r\n        \"kty\": \"RSA\",\r\n        \"e\": \"AQAB\",\r\n        \"use\": \"sig\",\r\n        \"kid\": \"q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us\",\r\n        \"alg\": \"RS256\",\r\n        \"n\": \"jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q\"\r\n    }\r\n  ]\r\n}";

    res.end(jwksString);
};

const server = https.createServer(requestListener);
server.listen(port, host, () => {
    console.log(`Server is running on https://${host}:${port}`);
});

With the JWKS string in a known location, the application configuration JSON looks like this:

{
  ...
  "tokenEndpointAuthMethod": "PRIVATE_KEY_JWT",
  "jwksUrl": "https://{{pathToJwksString}}",
  ...
}

Create a client secret JWT

The CLIENT_SECRET_JWT property is a supported value on the application's tokenEndpointAuthMethod property. This client authentication method uses the application's client secret to sign a JWT, which is passed in as a property to authenticate the token request.

For JWT-based client authentication, the token supports the following required and optional claims.

Claim	Type	Required	Description
`iss`	String	Required	A string that specifies the issuer. This value must match the application ID (client ID) of the PingOne application.
`sub`	String	Required	A string that specifies the identifier for the authenticated user. This value must match the application ID (client ID) of the PingOne application.
`aud`	URI	Required	A string that lists the audience, the resources for which this token is intended. Valid options are: (1) the token endpoint (`/as/token`), (2) the issuer uri (`/as`), (3) the endpoint being called (for example, `/as/introspect`). The value must be the full URL, including the PingOne domain, or custom domain.
`exp`	Timestamp	Required	A timestamp, measured in the number of seconds since January 1, 1970, UTC, indicating when this token will expire, as defined in JWT RFC7519. This JWT must not be expired. Tokens that expire more than one hour from now are rejected.
`nbf`	Timestamp	Optional	A "not before" timestamp. If present, the JWT must be valid. JWTs are rejected if `nbf` is in the future.

Other properties of the JWT are:

The optional iat and jti claims from the JSON Web Token (JWT) spec are not validated. See RFC7523 JWT Format and Processing Requirements.
The JWT can include other claims in addition to those listed above.
The JWT must be signed. For CLIENT_SECRET_JWT signing, the platform supports only the HS256, HS384, and HS512 symmetric keyed hashing algorithm.
The JWT must be valid.

Prerequisites and workflow

The following information describes the OIDC parameters and the steps for generating and signing the JWT.

Retrieve the environment id property value associated with your application.
Retrieve the clientId and clientSecret property values for the application.
Install a JWT generator.
Generate the signed JWT using the JWT generator. To create the client_secret_jwt JWT, the token generator will require values for the following parameters:

Parameter	Description
Signing algorithm	The JWT signing algorithm. Options for the `client_secret_jwt` JWT are `HS256`, `HS384`, and `HS512`.
Signing key	The signing key for the `client_secret_jwt` JWT, which is the application's `clientSecret` property value.
Expiration	The expiration date, expressed as the number of seconds from the time of creation. The typical value is 3600 seconds.
Claims	The claims required by the token. Required claims are `iss`, `sub`, `aud`, and `exp`.

Record the JWT returned successfully by the JWT generator.

Note: If the aud value uses a custom domain, the URL uses the custom domain instead of the PingOne domain and environment ID. For example, https://<customDomain>/as/token.

Use the JWT in a token request

For applications that set the tokenEndpointAuthMethod to CLIENT_SECRET_JWT, the token request requires the following two properties:

client_assertion

A JWT that contains a signed assertion with the application’s credentials. This is the JWT that you generated and signed with your application's client secret.
client_assertion_type

A string that specifies the client assertion type. The value of this property must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer.

For more information about the token request, see Token.

Create a private key JWT

The PRIVATE_KEY_JWT property is a supported value on the application's tokenEndpointAuthMethod property. This client authentication method uses an external private key to sign a JWT, which is passed in as a property to authenticate the token request.

Note: When you use a private key to sign a JWT, you must set the jwks (or jwksUrl) property on the application. For more information, see Applications OIDC settings data model. For information on creating a JWKS string, see Create a private_key_jwt JWKS string.

For JWT-based client authentication, the token supports the following required and optional claims.

Claim	Type	Required	Description
`iss`	String	Required	A string that specifies the issuer. This value must match the application ID (client ID) of the PingOne application.
`sub`	String	Required	A string that specifies the identifier for the authenticated user. This value must match the application ID (client ID) of the PingOne application.
`aud`	URI	Required	A string that lists the audience, the resources for which this token is intended. Valid options are: (1) the token endpoint (`/as/token`), (2) the issuer uri (`/as`), (3) the endpoint being called (for example, `/as/introspect`). The value must be the full URL, including the PingOne domain, or custom domain.
`exp`	Timestamp	Required	A timestamp, measured in the number of seconds since January 1, 1970, UTC, indicating when this token will expire, as defined in JWT RFC7519. This JWT must not be expired. Tokens that expire more than one hour from now are rejected.
`nbf`	Timestamp	Optional	A "not before" timestamp. If present, the JWT must be valid. JWTs are rejected if `nbf` is in the future.

Other properties of the JWT are:

The optional iat and jti claims from the JSON Web Token (JWT) spec are not validated. See RFC7523 JWT Format and Processing Requirements.
The JWT can include other claims in addition to those listed above.
The JWT must be signed. For PRIVATE_KEY_JWT signing, the platform supports the RS256, RS384, and RS512 symmetric keyed hashing algorithm.
The JWT must be valid.

Generate a keypair

Use a keypair generator to create a keypair with the following configuration options. This example uses the RS256 signing algorithm (RS384, and RS512 are also supported).
- Key size: 2048
- Key use: signature
- Algorithm: RS256
- Key-ID: SHA-256
- Show X.509: No

Save the generated Public and Private Keypair and the Public Key.

Example public and private keypair

{
"p": "x1mRR-Y1_i8ZPTLe2sPmuif4hhIfaxSph8m_iACDEHvAfTh0RMV7SrExscRSUXzcWX_FbSIKE5tDm4c1qzImnmWz06z6SSQYUjl0iU6V439sebR662deH5kOF92Vbtj5OLk-mNdj-fm6CdwnWEp3vb36T9kOiKHGReluwJpG1I8",
"kty": "RSA",
"q": "tY0osG4YzkzTX_NCxN3QBFinw_hvJLX6zVXZ-PGHTOD0iFsdwCzmqa3o6_4-GtHUSiuoboTscx2ItbU824IDp41p99HLvSm0lZixszqlcG1JZSaQVj5_5rOBttTcovvAL5te4jq5Mi966WC3yT-V_ZLxE3jFNt5vNzW8ykxsAJ8",
"d": "T_2qcj4Tb-wuMCvI3uOvBZza21PjzkCy5iTClT3QZ30Wlwm8A35x1b3MVHz7JGox3I_KvMClwQdrDMU2aibQaGzs_EunMH5Y1VhlKDg4RvuQBoyB9lpDT1TdrmDe7kHDPDERrB84gPQkrAm-RgJ0W_zPyJMR013pZjOwPKlxKYbsW1G02Jbg2Vl1zatNWBm1MFYQYEOYyaNQkt32WktNdgixYg0Qdt3Q160mbfNz5c9USLVqvCsye0J2t9DZPK7WzadQCC4S7ehdmQkGd87IfD4XyKuZND_nE8Nz5nbgOLNfuIwR6QH7ksOHT9ur1JVKkzEkX8P40_7LXdarwraiBQ",
"e": "AQAB",
"use": "sig",
"kid": "q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us",
"qi": "t06uC_ML8E01gKSeFPH7LNFxpumuIaYBc_Enr10dB-wqGpYfs6B5yqf5SjlXg1K89Z3QZFcU9AdJW0SYtr9T-A7b3csxeWUW98hOwfXentP8vcSv3dXJI753f64tAZqz5Mgd6jh0D8i1Fvg6d7Hqm_a5cfd-DO80QkW9c8u8rmk",
"dp": "L95hFWvBQVUb8WcavltWNxNMCR2m77aZcuLOHCFLV5TvxuHcgXsOPQRJk4852RlrbA5TYP5Qfx7EYD9acs5rGZQAV27s9s01DeGAC0yUj3lUmfDtp0M-BcZh7PcnX-O4DJfm4RqvhiIiOyXjSL8w-5330l6jr8lw6-6-yn8BTR8",
"alg": "RS256",
"dq": "lFS9ftClEcCxHn7Y-ZGkyDhK8ZFD9YF9ZVCUY5GqksRk5hdTylSlLNL7L_0sbqsrQGJFHe8aZL8nmBZ4n3utUrL2dlSBmo69jVARN7ddvep8gdktKlmsFChrfZ6SmdMIZZ0Su9FwyDEEwjKUVifOezwYHWmZ78dypHASTFJ-F08",
"n": "jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q"
}

Example public key

{
"kty": "RSA",
"e": "AQAB",
"use": "sig",
"kid": "q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us",
"alg": "RS256",
"n": "jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q"
}

Generate a signed JWT

Create a signed JWT with with a signing algorithm of RS256, RS384, or RS512 and header and payload information shown below.

Header
```
{
 "alg": "RS256",
 "typ": "JWT"
}
```

Payload

{
 "iss": "{{appID}}",
 "sub": "{{appID}}",
 "exp": 1691085204,
 "aud": "https://auth.pingone.com/{{envID}}/as/token"
}

Record the token returned successfully.

Note: The value for exp must be valid. It cannot be in the past, and it cannot be set more than one hour in the future.

Use the JWT in a token request

For applications that set the tokenEndpointAuthMethod to PRIVATE_KEY_JWT, the token request requires the following two properties:

client_assertion

A JWT that contains a signed assertion with the application’s credentials. This is the JWT that you generated and signed with your private key.
client_assertion_type

A string that specifies the client assertion type. The value of this property must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer.

For more information about the token request, see Token.

Create a private_key_jwt JWKS string

In the PingOne application configuration, when the tokenEndpointAuthMethod property is set to PRIVATE_KEY_JWT, the configuration requires either the jwks property (specifying a JWKS string) or the jwksUrlproperty (specifying the location on a web server that hosts the JWKS string).

When using the jwksUrl property, the application configuration JSON looks like this. Note that the jwksUrl must be https://:

{
  ...
  "tokenEndpointAuthMethod": "PRIVATE_KEY_JWT",
  "jwksUrl": "https://{{pathToJwksString}}",
  ...
}

The application configuration JSON for the JWKS string in the jwks property must be formatted as one line with double quotes escaped:

{
  ...
  "tokenEndpointAuthMethod": "PRIVATE_KEY_JWT",
  "jwks": "{ \"keys\": [ { \"kty\": \"RSA\", \"e\": \"AQAB\", \"use\": \"sig\", \"kid\": \"q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us\", \"alg\": \"RS256\", \"n\": \"jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q\" } ]}",
  ...
}

The following information describes the steps for generating the JWKS for use with "tokenEndpointAuthMethod": "PRIVATE_KEY_JWT".

Create the JWKS string

You will use the generated keys you created for your private key JWT (see Create a private key JWT) to generate a JWKS string object that can be used as the value in your PingOne application’s jwks property.

Copy the Public Key and wrap it like this:

{
"keys": [
  <Your public key>
 ]
}

Which looks like this:

{
"keys": [
   {
     "kty": "RSA",
     "e": "AQAB",
     "use": "sig",
     "kid": "q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us",
     "alg": "RS256",
     "n": "jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q"
   }
 ]
}

The string needs to be reduced to one line and the double quotes escaped.

The JSON for the PingOne application POST (or PUT) to create the application looks like:

{
  ...
  "tokenEndpointAuthMethod": "PRIVATE_KEY_JWT",
  "jwks": "{\r\n  \"keys\": [\r\n    {\r\n        \"kty\": \"RSA\",\r\n        \"e\": \"AQAB\",\r\n        \"use\": \"sig\",\r\n        \"kid\": \"q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us\",\r\n        \"alg\": \"RS256\",\r\n        \"n\": \"jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q\"\r\n    }\r\n  ]\r\n}",
  ...
}

Note: When you set PRIVATE_KEY_JWT as your application's tokenEndpointAuthMethod, the following endpoints support the client_assertion and client_assertion_type properties.

{{authPath}}/{{envID}}/as/token
{{authPath}}/{{envID}}/as/introspect
{{authPath}}/{{envID}}/as/par
/as/revoke
/as/device_authorization

For more information about using the client_assertion and client_assertion_type properties with the token request, see Token (authorization_code) (PRIVATE_KEY_JWT).

Configure the JWKS URL

To use the jwksUrl property in the PingOne application's configuration, the JWKS string must be hosted on a web server, accessible to the internet (using https://). For testing purposes, the following code sample shows a simple node server file (running on a local web server) that hosts the JWKS string.

const https = require("https");
const host = 'localhost';
const port = 3000;

const requestListener = function (req, res) {
    res.setHeader("Content-Type", "application/json");
    res.writeHead(200);    

    const jwksString = "{\r\n  \"keys\": [\r\n    {\r\n        \"kty\": \"RSA\",\r\n        \"e\": \"AQAB\",\r\n        \"use\": \"sig\",\r\n        \"kid\": \"q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us\",\r\n        \"alg\": \"RS256\",\r\n        \"n\": \"jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q\"\r\n    }\r\n  ]\r\n}";

    res.end(jwksString);
};

const server = https.createServer(requestListener);
server.listen(port, host, () => {
    console.log(`Server is running on https://${host}:${port}`);
});

With the JWKS string in a known location, the application configuration JSON looks like this:

{
  ...
  "tokenEndpointAuthMethod": "PRIVATE_KEY_JWT",
  "jwksUrl": "jwksUrl": "{{pathToJwksString}}",
  ...
}

Use an authentication JWT for token fulfillment

Token fulfillment in PingOne enables admins to map attributes from a source's authentication JWT to the PingOne generated token to improve interoperability with OIDC applications. When a PingOne application has a tokenEdnpointAuthMethod set to PRIVATE_KEY_JWT or CLIENT_SECRET_JWT, claims from these source authentication tokens can be mapped to PingOne tokens using the following expression variables:

#root.context.requestData.clientAssertion.{{property}}

Represents the value of a specified property from the payload of the authentication JWT presented by the application at PingOne's token endpoint.
#root.context.requestData.clientAssertion

Represents the payload of the authentication JWT presented by the application at PingOne's token endpoint.
#root.context.requestData.clientAssertionHeader.{{property}}

Represents the value of a specified property from the header of the authentication JWT presented by the application at PingOne's token endpoint.
#root.context.requestData.clientAssertionHeader

Represents the header of the authentication JWT presented by the application at PingOne's token endpoint.
#root.context.requestData

Represents the header and the payload of the authentication JWT presented by the application at PingOne's token endpoint.
#root.context.appConfig.tokenEndpointAuthMethod

Represents the token endpoint authentication method of the requesting application. The value is either PRIVATE_KEY_JWT, CLIENT_SECRET_JWT, or null if the application is not configured to use PRIVATE_KEY_JWT or CLIENT_SECRET_JWT.

In PingOne, the resource's attribute mapping endpoint supports these expressions as request body parameters. For example, you can create a resource attribute on a custom resource using the Create Resource Attribute endpoint: POST {{apiPath}}/environments/{{envID}}/resources/{{resourceID}}/attributes. This POST requires a name/value pair, and in the sample request body below, the value specifies a custom1 property, which is a claim from the source authentication JWT (client_assertion).

{
    "name": "clientAssertion_custom",
    "value": "${#root.context.requestData.clientAssertion.custom1}"
}

The claim represented by custom1 from the authentication JWT will be mapped to the PingOne JWT returned by the PingOne token request. If the custom1 claim in the JWT represents a nested JSON object, you can write your expression as #root.context.requestData.clientAssertion.custom1.x or #root.context.requestData.clientAssertion.custom1['x'] to access a nested property named x from the sample JWT below:

{
  "iss": "{{issID}}",
  "sub": "{{subID}}",
  "aud": "https://auth.pingone.com/{{envID}}/as/token",
  "jti": "a_0eDHMN...",
  "exp": 1736268635,
  "iat": 1736268335,
  "custom1": {
    "x": "xerox",
    "y": "yankee"
  }
}

Additional examples

Suppose you have a source authentication JWT with the following headers and claims:

{
  "alg": "RS512",
  "kid": "2DqNmmIHeJq-YrcR7K8Pjwi4KAI"
}.{
  "iss": "2cdb6843-338d-44f7-b8b9-90ffa28c555d",
  "sub": "2cdb6843-338d-44f7-b8b9-90ffa28c555d",
  "aud": "https://auth.pingone.com/{{envID}}/as/token",
  "jti": "vm7kRZz_AM3bHAVRdrKlMA",
  "exp": 1734550892,
  "iat": 1734550592
}

Include JWT claims

If you create a resource attribute mapping POST request using the #root.context.requestData.clientAssertion expression in the value property, the PingOne token endpoint will include the source JWT claims in the response:

{
  "alg": "RS256",
  "kid": "default"
}.{
  "client_id": "2cdb6843-338d-44f7-b8b9-90ffa28c555d",
  "iss": "https://auth.pingone.com/6991589d-87eb-47f4-9131-284cebe106b3/as",
  "jti": "0e428c3e-592b-4ec3-9684-505573e7a2d0",
  "iat": 1734550592,
  "exp": 1734554192,
  "aud": [
    "abc itu"
  ],
  "scope": "openid myOidc example",
  "sub": "1fc88a5e-a677-4df7-81ae-75df4f7839d2",
  "sid": "e506bd43-830d-46b3-8487-b80fd1dd7df9",
  "context_requestData_clientAssertion_customResource": {
    "clientAssertion": {
      "iss": "2cdb6843-338d-44f7-b8b9-90ffa28c555d",
      "sub": "2cdb6843-338d-44f7-b8b9-90ffa28c555d",
      "aud": "https://auth.pingone.com/{{envID}}/as/token",
      "jti": "vm7kRZz_AM3bHAVRdrKlMA",
      "exp": 1734550892,
      "iat": 1734550592
    }
  },
  "env": "{{envID}}",
  "org": "{{orgID}}"
}

The context_requestData_clientAssertion_customResource attribute in the PingOne token includes the claims that the authentication JWT presented at PingOne’s token endpoint.

Include JWT headers and claims

If you use the #root.context.requestData expression in the value property of your attribute mapping, the PingOne token request will include the source JWT's headers and claims in the response:

{
  "alg": "RS256",
  "kid": "default"
}.{
  "client_id": "2cdb6843-338d-44f7-b8b9-90ffa28c555d",
  "iss": "https://auth.pingone.com/6991589d-87eb-47f4-9131-284cebe106b3/as",
  "jti": "0e428c3e-592b-4ec3-9684-505573e7a2d0",
  "iat": 1734550592,
  "exp": 1734554192,
  "aud": [
    "abc itu"
  ],
  "scope": "openid myOidc example",
  "sub": "1fc88a5e-a677-4df7-81ae-75df4f7839d2",
  "sid": "e506bd43-830d-46b3-8487-b80fd1dd7df9",
  "context_requestData_customResource": {
    "clientAssertionHeader": {
      "alg": "RS512",
      "kid": "2DqNmmIHeJq-YrcR7K8Pjwi4KAI"
    },
    "clientAssertion": {
      "iss": "2cdb6843-338d-44f7-b8b9-90ffa28c555d",
      "sub": "2cdb6843-338d-44f7-b8b9-90ffa28c555d",
      "aud": "https://auth.pingone.com/{{envID}}/as/token",
      "jti": "vm7kRZz_AM3bHAVRdrKlMA",
      "exp": 1734550892,
      "iat": 1734550592
    }
  },
  "env": "{{envID}}",
  "org": "{{orgID}}"
}

The context_requestData_customResource attribute in the PingOne token includes the headers and claims that the authentication JWT presented at PingOne’s token endpoint.

Authorization

The authorize endpoints support the following actions:

The authorize endpoint /{{envID}}/as/authorize is used to interact with the end user and obtain an authorization grant. Note that PingOne supports both GET and POST operations for authorize requests. The supported parameters for an authorize request vary depending on the value of the response_type parameter (code, token, id_token or combinations of these three options).
For non-redirect flows, such as with native mobile apps in which the app renders the end user interface, response_mode property value is set to pi.flow. This setting allows the app to authenticate using the PingOne flows API without needing to handle HTTP redirections. The pi.flow value is also used with transaction approval use cases in which strong authentication is required for elevated security for a high-value transaction, or high-risk resource or service.
For applications having authorization_code or device_code grant types, and if the application's resource grant includes the offline_access scope, if offline_access is included in the scope parameter of the authorize request, a refresh token is included in the token response. If the offline_access socpe is omitted from the authorize request in this case, a refresh token is not included, even if the grant type allows it.

If the client includes prompt=consent in a request with an authorization_code grant type, PingOne doesn't prompt for application consent. This limitation doesn't apply to requests with a device_code grant type, because the PingOne authentication policy service always prompts for application consent when requests use the device_code grant type.
For applications having a refresh_token grant type, when the client includes offline_access in the scope parameter, and the request is using the authorization_code or device_code grant type, a refresh token is always included in the token response. See Application Resource Grants to add the refresh_token grant type to an application.

If the application does not have a resource grant that includes offline_access in the scope parameter, a refresh token is always included in the token response for grant types that allow it.

Use Cases

Authorize (authorization_code)

Authorize (implicit)

Authorize (hybrid)

Authorize (authorization_code)

Authorize (implicit)

Authorize (hybrid)

Authorize (Non-redirect and MFA Only Flows)

Authorize (Transaction Approval)

Resume

Userinfo

Signoff

IdP Signoff

Discovery OpenID Configuration

Read JWKS

Pushed Authorization Request

Applications can use a pushed authorization request (PAR) to securely initiate authorization flows. A PAR allows applications to send their authorization requests directly to PingOne without going through the browser, which safeguards sensitive data from end-user devices.

With a PAR, an application can push an authorization request payload to PingOne with a direct back-channel request, which is a more secure method of sending sensitive data, such as personally identifiable information, than sending it with a browser on the front channel.

The POST /{{envID}}/as/par endpoint accepts the same request parameters as /{{envID}}/as/authorize, as well as any additional parameters needed for client authentication. It can accept signed and unsigned requests. Requests must be less than 1MB.

After PingOne validates the request and saves the payload, it returns the request_uri parameter as a reference to the payload. The response also indicates the lifetime of the request URI. The default lifetime is 60 seconds.

The application then uses the front channel to request an authorization code or token, sending the request_uri parameter to PingOne. PingOne uses the request URI to look up the request payload and continue the authorization flow. PingOne accepts a particular request URI only once.

For more information on the PAR specification, see RFC 9126.

Pushed Authorization Request (NONE)

Pushed Authorization Request (CLIENT_SECRET_POST)

Pushed Authorization Request (CLIENT_SECRET_BASIC)

Pushed Authorization Request (CLIENT_SECRET_JWT)

Pushed Authorization Request (PRIVATE_KEY_JWT)

Authorize (implicit) (request_uri)

Device Authorization Grant

The device authorization grant endpoints support the following actions for applications configured with the DEVICE_CODE grant type:

The device authorization endpoint /{{envID}}/as/device_authorization starts an action to return an activation code to the end user. The endpoint response returns a device code, a user code, and a verification URI. The supported parameters for the endpoint request are the client_id parameter and an optional scope parameter.
The start flow endpoints /{{envID}}/device/{{appIdentifier}} or /{{envID}}/device in which the appIdentifier variable represents one of either the application ID (clientId or applicationId) or a short secondary application identifier (devicePathId configured per app) that is used only with the /device endpoint.
The token endpoint /{{envID}}/as/token returns the tokens issued for the device.

Note: For information about configuring and application connection that uses a DEVICE_CODE grant type, see Create Application (OIDC Device Authorization Grant). For OpenID Connect/OAuth2 data model properties associated with these endpoints, see OpenID Connect/OAuth 2. For flow states associated with device auth grant flows, see DAG_USER_CODE_REQUIRED and DAG_CONSENT_REQUIRED in Flows. For IETF specification information, see RFC8628 OAuth 2.0 Device Authorization Grant.

Use Cases

Configure Device Authorization Grant Flow

Device authorization grant data model

Property	Type	Required?	Mutable?	Description
`client_id`	String	Required	Immutable	The application's UUID.
`grant_type`	String	Required	Mutable	The grant type of the token request. Options are `urn:ietf:params:oauth:grant-type:device_code`.
`scope`	String	Optional	Mutable	Permissions that determine the resources that the application can access. This parameter is not required, but it is needed to specify accessible resources. See Authorization for details when including `offline_access` in the `scope` parameter.
`device_code`	String	Required	Read only	The device verification code. This is a required property for device auth grant flows.
`user_code`	String	Required	Read only	The end-user verification code. This is a required property for device auth grant flows.
`verification_uri`	String	Required	Read only	The end-user verification URI on the authorization server. This is a required property for device auth grant flows.
`verification_uri_complete`	String	Optional	Read only	The end-user verification URI on the authorization server that includes the `user_code`.
`expires_in`	String	Required	Read only	The lifetime, in seconds, of the `device_code`. This value is set on the application configuration.
`interval`	String	Optional	Read only	The minimum amount of time, in seconds, that the client should wait between polling requests to the token endpoint. If no value is provided, the default is 5 seconds. This value is set on the application configuration.

Authorize (device)

Token (device_code) (NONE)

Start device flow (with appIdentifier)

Start device flow (without appIdentifier)

Token

The token endpoints support the following actions:

The token endpoint /{{envID}}/as/token is used by the client to obtain an access token by presenting its authorization grant. Note that authentication requirements to this endpoint are configured by the application's tokenEndpointAuthMethod property. For information about the application's tokenEndpointAuthMethod property, see the "Applications OIDC settings data model" table in Application Operations.
The token introspection endpoint /{{envID}}/as/introspect returns the active state of an OAuth 2.0 token and the claims specified in RFC 7662 Section 2.2. The request requires the token parameter, which is the token string.
The token revocation endpoint {{envID}}/as/revoke revokes the token specified in the request. Note that this operation does not apply to the tokens issued for the PingOne API resource.

Use Cases

Token (authorization_code) (CLIENT_SECRET_BASIC)

Token (authorization_code) (CLIENT_SECRET_POST)

Token (client_credentials) (CLIENT_SECRET_POST)

Token (authorization_code) (CLIENT_SECRET_JWT)

Token (authorization_code) (PRIVATE_KEY_JWT)

Token (authorization_code) (NONE)

Token (refresh_token) (CLIENT_SECRET_BASIC)

Token (refresh_token) (CLIENT_SECRET_POST)

Token (refresh_token) (CLIENT_SECRET_JWT)

Token (refresh_token) (PRIVATE_KEY_JWT)

Token (refresh_token) (NONE)

Token Admin App (client_credentials)

Token Exchange (Gateway Credential)

Token Introspection (Access Token)

Token Introspection (ID Token)

Token Introspection (Refresh Token)

Token Introspection (Resource ID and Secret)

Token Revocation

SAML 2.0

The SAML endpoints are used by SAML applications to initiate sign-on and signoff operations. The SAML service implements functions to initiate SAML 2.0 single sign-on and single logout authentication flows.

Use Cases

SAML 2.0 protocol

The SAML protocol allows clients to obtain a requestor’s authentication state. SAML 2.0 uses security tokens, which contain assertions about the requestor, to pass authentication and authorization information about the requestor between the identity provider and the resource provider.

SAML SSO authentication requests

A SAML SSO authentication request uses the following authentication flow:

The client (browser) initiates a login action to access a protected resource.
The identity provider issues an <AuthnRequest> message to be delivered by the user agent to the SAML service endpoint using either HTTP Redirect or HTTP POST.
The SAML service validates the request and creates an authentication flow with the flow orchestration service.
The SAML service indicates user interaction is required to perform the authentication flow.
The browser is redirected to the PingOne hosted authentication UI or the per application configured URL of a custom UI, passing in the environmentId and flowSessionId query parameters. The authentication UI uses flow orchestration and action services endpoints to complete the authentication flow. The authentication API checks on every call to ensure that the session token cookie contains the current token for the session associated with the flow. On successful completion of the flow, a new session token is generated for the session and set in the cookie.
The browser is redirected to the resume endpoint of the SAML service.
The SAML service retrieves and deletes the authentication flow from the flow orchestration service.
The SAML service generates the appropriate tokens and issues a <Response> message delivered by the user agent to the identity provider using HTTP POST.

The following is a sample SAML assertion generated for an authentication <AuthnRequest> request:

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:21:59">
    <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
  </samlp:AuthnRequest>

Request model

The following data model describes the supported attributes for a SAML <AuthnRequest> request. For more information see Security Assertion Markup Language (SAML) V2.0 Technical Overview.

Property	Required?	Description
`id`	Required	The value of the ID attribute in the request. The `InResponseTo` attribute in the corresponding response must match this value.
`version`	Required	The value should be set to `2.0`.
`IssueInstant`	Required	The time (in UTC) that the request was issued.
`destination`	Required	A URI reference indicating the address to which this request has been sent. It is required if the `<AuthnRequest>` request, optional otherwise. If submitted, it should match the location at which the message was received.
`consent`	Optional	A string that specifies whether or not (and under what conditions) consent has been obtained from a principal in the sending of this request.
`ForceAuthn`	Optional	A boolean that when set to `true` specifies that the identity provider must authenticate the presenter directly rather than rely on a previous security context. If a value is not provided, the default value is `false`.
`IsPassive`	Optional	A boolean that when set to `true` specifies that the identity provider and the user agent itself must not visibly take control of the user interface from the requester and interact with the presenter in a noticeable fashion. If a value is not provided, the default value is `false`.
`AssertionConsumerServiceIndex`	Optional	This value specifies the location to which the `<Response>` message should be returned to the requester. It applies only to profiles in which the requester is different from the presenter. If omitted, then the identity provider must return the `<Response>` message to the default location associated with the requester for the profile of use.
`AssertionConsumerServiceURL`	Optional	This value specifies the location to which the `<Response>` message must be returned to the requester. This attribute is mutually exclusive with the `AssertionConsumerServiceIndex` attribute and is typically accompanied by the `ProtocolBinding` attribute.
`ProtocolBinding`	Optional	A URI reference that identifies a SAML protocol binding used when returning the `<Response>` message. This attribute is mutually exclusive with the `AssertionConsumerServiceIndex` attribute and is typically accompanied by the `AssertionConsumerServiceURL` attribute.
`ProviderName`	Optional	This value specifies the human-readable name of the requester. It is used only for logging purposes, if available and if needed.
`<saml:Issuer>`	Required	This value specifies the service provider (9)SP) Entity ID. It identifies the entity that generated the request message. This should be treated as the `client_id`.
`<ds:Signature>`	Optional	An XML Signature that authenticates the requester and provides message integrity.
`<RequestedAuthnContext>`	Optional	A value that specifies the requirements, if any, that the requester places on the authentication context that applies to the responding provider's authentication of the presenter.
`<saml:Subject>`	Optional	A value that specifies the requested subject that names the actual identity about which it wishes to receive an assertion.
`<NameIDPolicy>`	Optional	A value that specifies the constraints on the name identifier to be used to represent the requested subject.
`<saml:Conditions>`	Optional	A value that specifies the SAML conditions the requester expects to limit the validity and/or use of the resulting assertion (or assertions).
`<Scoping>`	Optional	A value that specifies a set of identity providers trusted by the requester to authenticate the presenter, as well as limitations and context related to proxying of the `<AuthnRequest>` message to subsequent identity providers by the responder.

The following is a sample SAML assertion response:

<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_2"
    InResponseTo="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:22:05"
    Destination="https://sp.example.com/SAML2/SSO/POST">
    <saml:Issuer>https://auth.pingone.com/{{envID}}</saml:Issuer>
    <samlp:Status>
      <samlp:StatusCode
        Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="identifier_4"
      Version="2.0"
      IssueInstant="2004-12-05T09:22:05">
      <saml:Issuer>https://auth.pingone.com/{{envID}}</saml:Issuer>
      <!-- a POSTed assertion MUST be signed -->
      <ds:Signature
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
      <saml:Subject>
        <saml:NameID
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
          3f7b3dcf-1674-4ecd-92c8-1544f346baf8
        </saml:NameID>
        <saml:SubjectConfirmation
          Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <saml:SubjectConfirmationData
            InResponseTo="identifier_1"
            Recipient="https://sp.example.com/SAML2/SSO/POST"
            NotOnOrAfter="2004-12-05T09:27:05"/>
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions
        NotBefore="2004-12-05T09:17:05"
        NotOnOrAfter="2004-12-05T09:27:05">
        <saml:AudienceRestriction>
          <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
        </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement
        AuthnInstant="2004-12-05T09:22:00"
        SessionIndex="identifier_3">
        <saml:AuthnContext>
          <saml:AuthnContextClassRef>
            urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
         </saml:AuthnContextClassRef>
        </saml:AuthnContext>
      </saml:AuthnStatement>
    </saml:Assertion>
  </samlp:Response>

IdP-Initiated SSO

IdP-initiated SSO allows users to authenticate through their identity provider, which then issues and signs SAML assertions to service providers. This allows users to access multiple applications and services with a single authentication.

IdP-Initiated SSO uses the following flow:

A user signs on to their system with a username and password and is presented with an application catalog that displays icons representing the web-based applications and services they can access.
The user clicks an icon to access one of those applications or services.
The IdP creates and signs an SAML assertion that includes information about the user’s identity, along with any other attribute information that the IdP and SP agreed to share to authenticate users.
The IdP either sends the assertion to the SP through a browser or sends a reference to the assertion that the SP can use to securely retrieve the assertion.
The SP validates the signature to ensure that the SAML assertion really came from its trusted IdP and that none of the values in the assertion have been modified. It also extracts the identity, attribute, and authorization information it needs to determine whether access should be granted and which privileges the user will have.
Users access the application or service.

IdP-Initiated SSO has the following benefits:

The user gains access to catalog of applications and services with a single authentication.
The authentication flow is more secure because user credentials are never transmitted between IdP and SP.
The authentication flow is simpler because it eliminates a redirect step from SP to IdP.

You can start the IdP-Initiated SSO authentication session using the Get Identity Provider Initiated SSO request.

SAML SLO logout requests

A SAML single logout (SLO) operation uses the following flow:

The user initiates logout.
The session participant initiates single logout by sending a <LogoutRequest> message to the identity provider that sent the corresponding <AuthnRequest> authentication assertion.
The SAML service validates the request. It then calls the end session endpoint of the flow orchestration service and passes through the cookie header. The flow orchestration service deletes the session identified by the session cookie and includes a Set-Cookie in the response to immediately expire the session cookie.
The identity provider uses the contents of the <LogoutRequest> message to determine the session(s) being terminated.
The identity provider issues a <LogoutResponse> message to the original requesting session participant.

DaVinci flows with SAML applications

The following workflow outlines the interaction between PingOne applications and DaVinci flows and flow policies.

PingOne applications support a configuration option to assign DaVinci flow policies to the application. For information on designating a DaVinci flow as a PingOne flow, see PingOne Initiated Flows.
The SAML SSO service retrieves the application configuration data. Based on the configuration, the application can use either a PingOne sign-on policy or a DaVinci flow policy to determine the sign-on workflow. To assign DaVinci flow policies to applications, see Application Flow Policy Assignments.
For DaVinci flow policy use cases, the DaVinci widget renders the sign-on flow page. For more information about DaVinci widgets, see Launching a flow with the widget in the PingOne admin documentation.
The DaVinci widget manages the flow, and after the flow completes, the PingOne SSO Connector creates a session and passes control back to the protocol service.
The SAML SSO service processes the response, performs attribute mapping using user attributes from the PingOne directory, creates a SAMLResponse, and sends it to the SAML application.
The application continues its normal flow, calling the PingOne token endpoint to obtain the tokens.

Note: To get information about the DaVinci flow policies available for assignment to an application, see Flow Policies.

SAML data model

Property	Type	Required?	Mutable?	Description
`acsUrls`	URL	Required	Mutable	The Assertion Consumer Service URLs. The first URL in the list is used as default. There must be at least one URL.
`assertionDuration`	Integer	Required	Mutable	The assertion validity duration in seconds.
`assertionSigned`	Boolean	Optional	Mutable	Whether the SAML assertion itself should be signed. The default value is `true`.
`defaultTargetUrl`	String	Optional	Mutable	A URL that sets the relay state if the identity provider does not include an `applicationUrl` query parameter in its `/{{envID}}/saml20/idp/startsso` request.
`description`	String	Optional	Mutable	A description of the resource.
`enabled`	Boolean	Optional	Mutable	Whether the application is enabled. The default is `false` if this value is not set.
`icon.id`	String	Optional	Mutable	The icon resource’s unique identifier.
`icon.href`	String	Optional	Mutable	The URL of the icon resource.
`id`	String	Required	Immutable	The resource’s unique identifier.
`idpSigning.key.id`	String	Optional	Mutable	The certificate to be used by the identity provider to sign assertions and responses. If this property is omitted, the default signing certificate for the environment is used.
`loginPageUrl`	String	Optional	Mutable	The URL of the authentication flow UI that this application uses to interact with the end-user through the authentication flow. If a URL is not specified, the default PingOne hosted UI is used.
`name`	String	Required	Mutable	The name of SAML attribute and should be unique within an environment. Note that `samlAssertion.subject` is a reserved case-insensitive name that indicates the mapping to be used for the subject in the assertion.
`protocol`	String	Required	Mutable	The protocol used by the application. This value determines the set of additional protocol specific properties, links, and embedded resources associated with the resource. Options are `OPENID_CONNECT` and `SAML`.
`RelayState`	String	Required	Mutable	The target application ID for SAML assertions used in IdP-initiated SSO.
`responseSigned`	Boolean	Optional	Mutable	Whether the SAML assertion response itself should be signed. The default value is `false`.
`returnUrl`	String	Optional	Mutable	The endpoint of the PingOne SSO Connector receiving the `ppmResponse`from the PingOne SAML SSO service. This is strictly validated based on configuration.
`sessionNotOnOrAfterDuration`	Integer	Optional	Mutable	Update this value if the SAML application requires a different `SessionNotOnOrAfter` attribute value within the `AuthnStatement` element than the `NotOnOrAfter` value set by the `assertionDuration` property.
`sloBinding`	String	Optional	Mutable	The binding protocol to be used for the logout response. Options are `HTTP_REDIRECT` or `HTTP_POST`. The default is `HTTP_POST`. Existing configurations with no data default to `HTTP_POST`.
`sloEndpoint`	URL	Optional	Mutable	The logout endpoint URL. If a `sloEndpoint` logout endpoint URL is not defined, logout actions result in an error.
`sloResponseEndpoint`	URL	Optional	Mutable	The endpoint URL to submit the logout response. If a value is not provided, the `sloEndpoint` property value is used to submit SLO response.
`spEntityId`	String	Required	Immutable	The service provider entity ID used to lookup the application. This is a required property and is unique within the environment.
`spVerification.cert.id`	String	Optional	Mutable	The certificate ID used to verify the service provider signature.

Application access control conditions

You can configure SAML applications for access control by setting the accessControl properties on the application. For more information about accessControl properties, see Application Operations. When accessControl properties are set for an application, the user must meet the requirements specified by these application properties. If the user attempts to authenticate, then the application's accessControl conditions are evaluated before creating an assertion.

An assertion is created if the user meets the the application's access control conditions. If the conditions are not met, then an authorization failed error is returned with the top level code urn:oasis:names:tc:SAML:2.0:status:Responder and the second level code urn:oasis:names:tc:SAML:2.0:status:RequestDenied. If access is denied, a USER.ACCESS_DENIED event is published; otherwise, a USER.ACCESS_ALLOWED event is published.

For more information, see Control access to applications through roles and groups.

Audit reporting events

To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.

Service	Event
applications	ATTRIBUTE.CREATED
applications	ATTRIBUTE.UPDATED
applications	ATTRIBUTE.DELETED

Response codes

Code	Message
200	Successful operation.
201	Successfully created.
400	The request could not be completed. .
401	You weren’t authenticated to perform this operation.
404	The requested resource was not found.

SAML SSO Using POST

SAML ACS Endpoint for Inbound SSO

SAML ACS Endpoint for Identity Provider Initiated Inbound SSO

SAML SLO Using POST

Read SAML Metadata

SAML SSO Using GET

Identity Provider Initiated SSO

Read SAML Service Provider Metadata

Service Provider Initiated Inbound SSO

SAML SLO Using GET

SAML resume

External Authentication

The external authentication API provides endpoints for performing end user authentication with PingOne supported external identity providers. End users are redirected immediately to the authentication initialization endpoint at the external authentication service. After users authenticate at the provider, they are redirected back to the external authentication service's authentication callback endpoint, where the external authentication API validates the token or assertion returned from the external identity provider.

Use Cases

Sign-on using an External Identity Provider

External authentication data model

Property	Type	Required?	Mutable?	Description
`attributes`	Object	N/A	Read-only	The mapped user attributes and their values from the external identity provider.
`<attributename>`	Object	N/A	Read-only	The name of the mapped user attribute from the external identity provider.
`<attributename>.value`	String	N/A	Read-only	The value for the mapped user attribute from the external identity provider.
`<attributename>.update`	String	N/A	Read-only	An enumeration that specifies the update behavior for this attribute based on identity provider configuration. Options are `EMPTY_ONLY` and `ALWAYS`.
`externalId`	String	N/A	Read-only	The identifier returned by the identity provider for the external user.
`flow`	Object	Required	Immutable	A reference to the PingOne flow associated with this external authentication.
`flow.id`	String	Required	Mutable	The flow UUID associated with this external authentication.
`identityProvider`	Object	Required	Immutable	A reference to the external identity provider that is used to authenticate the user.
`identityProvider.id`	String	Required	Mutable	The UUID of the external identity provider to which the user is redirected for sign-on.
`status`	String	N/A	Read-only	The status of the external authentication. Options are: `PROVIDER_RESPONSE_REQUIRED`: Awaiting callback from provider with authentication results. `COMPLETED`: External authentication request completed successfully. `FAILED`: The identity provider returned an error.
`error`	Object	N/A	Read-only	When the `status` is `FAILED`, returns an error detail from the identity provider to the PingOne flow associated with this external authentication.
`error.code`	String	N/A	Read-only	The PingOne code for the error.
`error.message`	String	N/A	Read-only	The description of the error.

Audit reporting events

To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.

Service	Event
external-authentications	AUTHENTICATION.CREATED
external-authentications	AUTHENTICATION.UPDATED

Response codes

Code	Message
302	Found.
400	The request could not be completed.
401	You weren’t authenticated to perform this operation.
403	You do not have permissions or are not licensed to make this request.

Read External Authentication Initialization

Read External Authentication Callback

PingOne Flows

The flow endpoint is used to interact with the user in a sign-on workflow. Flow endpoint operations are used only to implement custom authentication UIs. OIDC/OAuth 2 and SAML requests initiate the flow and redirect the browser to the custom authentication UI (which is configured in the application through the application's loginPageUrl property).

Note: Flows expire after 15 minutes of inactivity. Interacting with a flow beyond this period results in a 404.

Common sign-on actions

Login actions

The flow endpoint can initiate login actions that specify the operations required to authenticate with a username and password.

Multi-factor authentication actions

The flow endpoint can also initiate multi-factor authentication (MFA) actions that specify the operations required to complete authentication using a registered user device and a one-time password (OTP).

Identity first actions

The flow can initiate a discovery action used to identify the user by username and determine the applicable authentication methods for this user.

Progressive profiling actions

Progressive profiling actions prompt users to provide additional data at sign on. This action type does not authenticate users. It is used only to obtain additional profile data.

Agreement actions

Agreement actions enforce user consent to an agreement at sign on. This action type does not authenticate users. It is used only to obtain user consent to a terms of service agreement.

Identity provider actions

An action that bypasses the PingOne sign-on prompt and immediately redirects the user to an external identity provider's sign-on workflow to authenticate.

Use Cases

Flow status

In a sign-on workflow, the flow's status property value returned by the last action identifies the appropriate next action in the authentication process. For example, if an application uses the LOGIN sign-on policy, when a user initiates sign-on and starts the authentication flow, the response returned by the flow shows a status value that specifies the next required step to complete this flow successfully. For the LOGIN sign-on policy, the next action prompts the user to enter a username and password, as indicated by the USERNAME_PASSWORD_REQUIRED value in the status property.

"status" : "USERNAME_PASSWORD_REQUIRED"

The response data includes a link to the required action, which in this case is the usernamePassword.check:

{
  "_links" : {
    "self" : {
      "href" : "https://auth.pingone.com/{{envID}}/flows/{{flowID}}"
    },
    "session.reset" : {
      "href" : "https://auth.pingone.com/{{envID}}/flows/{{flowID}}"
    },
    "usernamePassword.check" : {
      "href" : "https://auth.pingone.com/{{envID}}/flows/{{flowID}}"
    }
  },

After the user submits a username and password, the flow calls the usernamePassword.check action to verify the username and password.

For more information about flow actions, see Flow API Actions.

Flow status values

An authentication flow can return one of the following status values in response to a sign-on action:

Status value	Description
`USERNAME_PASSWORD_REQUIRED`	This value specifies that a username and password is required. This status can initiate a `usernamePassword.check` action, a `user.register` action, a `registration.external` action, a `password.forgot` action, or an `authenticate` action to sign on using an external identity provider.
`PASSWORD_REQUIRED`	This value specifies that a password is required. This status initiates a `usernamePassword.check` action.
`SIGN_ON_REQUIRED`	This value specifies that a sign-on action is required. This status transitions to a `user.lookup` action and a `registration.external` action in a passwordless authentication flow.
`RECOVERY_CODE_REQUIRED`	This value specifies that the user initiated a `password.forgot` action and a recovery code must be sent. This status calls the `password.recover` action.
`VERIFICATION_REQUIRED`	This value specifies that the user's account must be verified. This status calls the `user.verify` action.
`OTP_REQUIRED`	This value specifies that the user must complete a multi-factor authentication action. This status calls the `otp.check` action.
`DEVICE_SELECTION_REQUIRED`	This value specifies that the user must complete a device selection multi-factor authentication action. This status calls the `device.select` action.
`PASSWORD_EXPIRED`	This value specifies that a user's password has expired and must be updated. This status calls the `password.reset` action.
`MUST_CHANGE_PASSWORD`	This value specifies that a temporary password must be changed or updated. This status calls the `password.reset` action.
`ACCOUNT_LINKING_REQUIRED`	This value specifies that the external identity returned by the identity provider requires an account linking action to link the external account to an existing user. This status can initiate a `usernamePassword.check` to link to an existing user, a `user.register` action to create a link to a new user, a `registration.external` action, or a `password.forgot` to link to an existing user who has forgotten the password.
`ACCOUNT_CONFIRMATION_REQUIRED`	This value specifies that the external identity information returned by the identity provider requires an account confirmation action to verify the account data. This status can initiate a `user.confirm` action to verify the account information.
`EXTERNAL_AUTHENTICATION_REQUIRED`	This value specifies that account authentication is required through an external identity provider's authentication flow. The `authenticate` embedded resource link provides the location to redirect the browser to sign on with the specified identity provider.
`PROFILE_DATA_REQUIRED`	This value specifies that user must submit the requested profile data in order to continue the authentication flow.
`COMPLETED`	This value specifies that the entire flow is completed and initiates a browser redirect to the `resumeUrl` property to continue.
`FAILED`	This value specifies that the entire flow has failed.
`PUSH_CONFIRMATION_REQUIRED`	This value specifies that a push was sent to a native device to confirm the authentication. The client will have to poll this status using `GET /{{envID}}/flows/{{flowID}}` to check whether the native device answered the push.
`PUSH_CONFIRMATION_TIMED_OUT`	This value specifies that a push was sent to a native device, but the native device didn't answer the push during the allowed timeframe.
`ASSERTION_REQUIRED`	This value specifies that for a FIDO2 device type, an assertion generated by the browser from the provided webauthn public key credential request is required to continue the flow. The flow calls the `assertion.check` action.
`AGREEMENT_CONSENT_REQUIRED`	This value specifies that users need to consent to an agreement. This status calls the `user.consent` action.
`DAG_USER_CODE_REQUIRED`	This value specifies that an activation action is required to continue the flow. The flow calls the `deviceAuthGrant.userCode.verify` action.
`DAG_CONSENT_REQUIRED`	This value specifies that users need to consent to a device authorization grant agreement. This status calls the `deviceAuthGrant.consent` action. After accepting consent, a record is stored in the user's OAuth Scope Consents.
`COMPLETED_ACCEPTED`	This completed state is used for device authorization grants to transition to a completed state. Unlike the `COMPLETED` flow state, this state does not transition the flow to the resume URL.
`COMPLETED_DECLINED`	This completed state is used for device authorization grants to transition to a completed state, and it generates a "device consent declined" audit event.

Flow status data model and embedded resources

The following sections show the parameters required by the flow status. In addition, the following links and embedded resources are returned in the flow response for the given flow status.

USERNAME_PASSWORD_REQUIRED

Property	Type	Required?	Mutable?	Description
`username`	String	Required	Mutable	A string that specifies the username or ID of the user to authenticate.
`password`	String	Required	Mutable	A string that specifies the password or ID of the user to authenticate.

Links	Description
`usernamePassword.check`	The link to initiate a sign-on action that allows users to login with a username and password. The request body requires the `username` and `password` attributes.
`user.register`	The link to initiate a sign-on action to register a user. The request body requires the `username`, `email`, and `password` attributes needed to define a new user.
`registration.external`	The link to redirect a sign-on action to register a user to an external identity provider's registration workflow.
`password.forgot`	The link to initiate an action to recover a user’s forgotten password. The request body requires the `username` attribute to identify the user.

Embedded resources	Description
`socialProviders.authenticate`	The link to the external authentication resource to initiate authentication using an external identity provider's authentication flow. The response also returns the following information about the identity provider: `id`, `name`, and `type`. For more information, see Base identity providers data model.
`passwordPolicy`	The embedded password policy resource expanded to show password policy attributes. For more information about password policy attributes, see Password policies data model.

Note: If an associated login action is configured with the enforceLockoutForIdentityProviders property set to true, and the user's account is locked out (the account.canAuthenticate attribute is set to false), the login flow fails and returns an ACCOUNT_LOCKED_OUT error.

SIGN_ON_REQUIRED

Property	Type	Required?	Mutable?	Description
`username`	String	Required	Mutable	A string that specifies the username or ID of the user to sign on.

Links	Description
`user.lookup`	The link for existing users to sign on using their `username`.
`registration.external`	The link to redirect a sign-on action to register a user to an external identity provider's registration workflow.

PASSWORD_REQUIRED

Property	Type	Required?	Mutable?	Description
`username`	String	Required	Mutable	A string that specifies the username or ID of the user to authenticate. If provided, must match the user currently associated with the session.
`password`	String	Required	Mutable	A string that specifies the password or ID of the user to authenticate.

Links	Description
`usernamePassword.check`	The link to initiate a sign-on action that allows users to log in with a username and password. The request body requires the `username` and `password` attributes.
`password.forgot`	The link to initiate an action to recover a user’s forgotten password. The request body requires the `username` attribute to identify the user.

Embedded resources	Description
`socialProviders.authenticate`	The link to the external authentication resource to initiate authentication using an external identity provider's authentication flow. The response also returns the following information about the identity provider: `id`, `name`, and `type`. For more information, see Base identity providers data model.

PASSWORD_EXPIRED

Property	Type	Required?	Mutable?	Description
`currentPassword`	String	Required	Mutable	A string that specifies the current password, which must be verified before the new password is set.
`newPassword`	String	Required	Mutable	A string that specifies the new password to set.

Links	Description
`password.reset`	The link to initiate a sign-on action that allows users to reset their password. The request body requires the `currentPassword` and `newPassword` attributes.

Embedded resources	Description
`passwordPolicy`	The embedded password policy resource expanded to show password policy attributes. For more information about password policy attributes, see Password policies data model.

MUST_CHANGE_PASSWORD

Property	Type	Required?	Mutable?	Description
`currentPassword`	String	Required	Mutable	A string that specifies the current password, which must be verified before the new password is set.
`newPassword`	String	Required	Mutable	A string that specifies the new password to set.

Links	Description
`password.reset`	The link to initiate a sign-on action that allows users to reset their password. The request body requires the `currentPassword` and `newPassword` attributes.

Embedded resources	Description
`passwordPolicy`	The embedded password policy resource expanded to show password policy attributes. For more information about password policy attributes, see Password policies data model.

RECOVERY_CODE_REQUIRED

Property	Type	Required?	Mutable?	Description
`recoveryCode`	String	Required	Mutable	A string that specifies the recovery code sent to the user to recover the user's password.
`newPassword`	String	Required	Mutable	A string that specifies the new password to set.

Links	Description
`password.recover`	The link to initiate an action to recover the account and set a new password. The request body requires the `recoveryCode` and `newPassword` attributes.
`password.sendRecoveryCode`	The link to send the one-time password (OTP) to the user.

Embedded resources	Description
`passwordPolicy`	The embedded password policy resource expanded to show password policy attributes. For more information about password policy attributes, see Password policies data model.

VERIFICATION_CODE_REQUIRED

Property	Type	Required?	Mutable?	Description
`verificationCode`	String	Required	Mutable	A string that specifies the verification code to check.

Links	Description
`user.verify`	The link to initiate an action to verify the user account to continue the authentication flow.
`user.sendVerificationCode`	The link to initiate an action to send the user a new account verification email.

DEVICE_SELECTION_REQUIRED

Property	Type	Required?	Mutable?	Description
`device.id`	String	Required	Mutable	A string that specifies the ID of the selected device.

Links	Description
`device.select`	The link to initiate an action to specify a device ID to use in the multi-factor authentication flow.

Embedded resources	Description
`devices`	The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, see Device properties.

OTP_REQUIRED

Property	Type	Required?	Mutable?	Description
`selectedDevice.id`	String	Required	Mutable	A string that specifies the ID of the currently selected device.

Links	Description
`device.select`	The link to initiate an action to specify a device ID to use in the multi-factor authentication flow.
`otp.check`	The link to initiate an action to validate the OTP used in the multi-factor authentication flow.

Embedded resources	Description
`devices`	The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, see Device properties.

PUSH_CONFIRMATION_REQUIRED

Property	Type	Required?	Mutable?	Description
`selectedDevice.id`	String	Required	Mutable	A string that specifies the ID of the currently selected device.

Links	Description
`device.select`	The link to initiate an action to specify a device ID to use in the multi-factor authentication flow.

Embedded resources	Description
`devices`	The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, see Device properties.

PUSH_CONFIRMATION_TIMED_OUT

Property	Type	Required?	Mutable?	Description
`selectedDevice.id`	String	Required	Mutable	A string that specifies the ID of the currently selected device.

Links	Description
`device.select`	The link to initiate an action to specify a device ID to use in the multi-factor authentication flow.

Embedded resources	Description
`devices`	The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, see Device properties.

Note: For MFA actions that use push notification on a native device, the user resource must have a native device and an application associated with its user ID. In cases where a push token is sent to an uninstalled application, APNs may not return an unregistered application error. By not returning an error, the MFA flow continues to prompt for push confirmation and can result in a PUSH_CONFIRMATION_TIMED_OUT status.

ACCOUNT_LINKING_REQUIRED

Links	Description
`user.register`	The link to initiate a sign-on action that initiates an action to register a user. The request body requires the `username`, `email`, and `password` attributes to define a new user.
`registration.external`	The link to redirect a sign-on action to register a user to an external identity provider's registration workflow.

Embedded resources	Description
`matchedUsers`	An array of 0 or more users that match the external identity. The request returns the `username`, `email`, and `lastSignedOnAt` attributes needed to identify the user.
`identityProviders`	The external identity provider used to authenticate. The request returns the `name` and `type` attributes needed to identify the identity provider used for authentication.

ACCOUNT_CONFIRMATION_REQUIRED

Links	Description
`user.confirm`	The link to initiate an action to verify the data returned by the external identity provider. The request body can include the returned attributes from the identity provider.

Embedded resources	Description
`attributes`	An array of attributes returned by the external identity provider.

EXTERNAL_AUTHENTICATION_REQUIRED

Property	Type	Required?	Mutable?	Description
`name`	String	Required	Mutable	A string that specifies the name of the identity provider.
`type`	String	Required	Mutable	A string that specifies the identity provider type.

Embedded resources	Description
`identityProvider.authenticate`	A string that specifies the URL for the external identity provider's sign-on screen to initiate authentication with the external identity provider.
`identityProvider.loginButtonIcon`	A string that specifies the URL for the external identity provider's login button icon file.

Note: If an associated login action is configured with the enforceLockoutForIdentityProviders property set to true, and the user's account is locked out (the account.canAuthenticate attribute is set to false), the login flow fails and returns an ACCOUNT_LOCKED_OUT error.

PROFILE_DATA_REQUIRED

Property	Type	Required?	Mutable?	Description
`displayName`	String	Required	Mutable	A string that specifies the display name as defined in the user schema.
`name`	String	Required	Mutable	A string that specifies the attribute name/path as defined in the user schema (for example, `email`, `address.postalCode`).
`required`	Boolean	Required	Mutable	A boolean that specifies whether the user is required to provide a value for the attribute.

Links	Description
`user.update`	The link to update the specified user's profile with the user attribute values provided in the request.

Embedded resources	Description
`attributes`	An array of user attributes provided to update the user's profile.
`attributes.name`	A string that specifies the attribute path, as defined in the user schema (for example, `email`, `name.family`, `address.postalCode`).
`attributes.displayName`	A string that specifies the attribute's display name, as defined in the user schema. This property is optional.
`attributes.required`	A boolean that specifies whether the user is required to provide a value for the attribute.
`promptText`	A string that specifies text to display to the user when prompting for attribute values.

ASSERTION_REQUIRED

Response property	Description
`publicKeyCredentialRequestOptions`	A string that specifies the public key credential request options object generated for the selected device that should be used to call the `navigator.credentials.get()` on the browser to generate the assertion.

Property	Type	Required?	Mutable?	Description
`assertion`	String	Required	Mutable	A string that specifies the authenticator assertion response, which contains the signed challenge needed to complete the MFA action.
`compatibility`	String	Optional	Mutable	A string that specifies the browser compatibility to support webauthn. Options are `FULL` (compatible with FIDO2 biometrics and security key), `SECURITY_KEY_ONLY` (compatible with security key only), and `NONE` (browser is not compatible with the webauthn method).
`origin`	String	Required	Mutable	A string that specifies the server name where the fetch originates, providing the URI scheme and hostname (for example, https://apps.pingone.com).

Links	Description
`device.select`	The link to initiate an action to specify a device ID to use in the multi-factor authentication flow. For more information, see Select an MFA device.
`assertion.check`	The link to initiate an action to validate the assertion used in the multi-factor authentication flow. For more information, see Check assertion.

Embedded resources	Description
`devices`	The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, see Devices model properties.

AGREEMENT_CONSENT_REQUIRED

Property	Type	Required?	Mutable?	Description
`accept`	Boolean	Required	Mutable	A boolean that specifies whether the user has consented to the agreement. This property is required for a `user.consent` action. The value is `true` if the user has consented to the agreement.

Links	Description
`user.consent`	The link to initiate an action in which the user accepts the agreement.

DAG_USER_CODE_REQUIRED

Parameters	Description
`userCode`	A string that specifies the user code value returned by the device authorization grant authorize request.

Links	Description
`deviceAuthGrant.userCode.verify`	The link to initiate an action to verify the end-user's user code.

DAG_CONSENT_REQUIRED

Parameters	Description
`accept`	A boolean that specifies whether the user has consented to the agreement. This property is required for a `deviceAuthGrant.consent` action. The value is `true` if the user has consented to the agreement.

Links	Description
`deviceAuthGrant.consent`	The link to initiate an action to complete the consent agreement. On accepting the agreement, the flow transitions to the `COMPLETED_ACCEPTED` flow state; otherwise, it transitions to `COMPLETED_DECLINED`.

Flows

The GET /{{envID}}/flows/{{flowID}} operation retrieves the flow specified by the flowID in the request URL. For more information about this flow action, see Get a flow.

Flow API actions

The flow endpoint operation, POST /{{envID}}/flows/{{flowID}}, supports several flow actions that are specified by the custom media type provided in the HTTP Content-Type request header. The following table lists the PingOne custom media types and their associated authentication flow actions:

Media type	Flow action
`application/vnd.pingidentity.session.reset+json`	Update or reset a flow
`application/vnd.pingidentity.usernamePassword.check+json`	Sign on with a username and password
`application/vnd.pingidentity.user.lookup+json`	Sign on with a username in a passwordless flow
`application/vnd.pingidentity.password.forgot+json`	Forgot password
`application/vnd.pingidentity.user.register+json`	Register a user
`application/vnd.pingidentity.usernamePassword.check+json`	Check a user's password
`application/vnd.pingidentity.password.reset+json`	Reset a user's password
`application/vnd.pingidentity.password.recover+json`	Recover a user's password
`application/vnd.pingidentity.password.sendRecoveryCode`	Send the user a recovery code
`application/vnd.pingidentity.user.verify+json`	Verify a user
`application/vnd.pingidentity.user.sendVerificationCode+json`	Send the user a verification email
`application/vnd.pingidentity.device.select+json`	Select an MFA device
`application/vnd.pingidentity.otp.check+json`	Validate the one-time password
`application/vnd.pingidentity.user.update+json`	Submit profile data
`application/vnd.pingidentity.user.confirm+json`	Confirm account information
`application/vnd.pingidentity.assertion.check+json`	Check assertion
`application/vnd.pingidentity.user.consent+json`	Agreement Accept Consent
`application/vnd.pingidentity.kerberos.lookup+json`	Sign on using Kerberos
`application/vnd.pingidentity.deviceAuthGrant.userCode.verify+json`	Confirm Device Activation Code
`application/vnd.pingidentity.deviceAuthGrant.consent+json`	Accept Device Authorization Grant Consent

Flows common response data model

These common properties are returned with the flow response.

Property	Type	Required?	Mutable?	Description
`aggregateFido2Devices`	Boolean	N/A	Read-only	Indication of whether the available authentication method list should include only a single generic FIDO2 option rather than including an entry for each paired FIDO2 device.
`application`	Object		Immutable	A reference to the application that initiated the flow.
`application.id`	String		Immutable	A string that specifies the ID of the application that initiated the flow.
`application.name`	String		Immutable	A string that specifies the name of the application that initiated the flow.
`application.icon.id`	String		Immutable	A string that specifies the icon ID for the application that initiated the flow.
`application.icon.href`	String		Immutable	A string that specifies the URL of the icon for the application that initiated the flow.
`authenticator`	Array		Read only	An array that specifies the set of authentication methods that the user completed in this flow. The values returned by the flow must use the values defined in RFC 8176. The order of the methods returned by the flow might not reflect the order in which they were executed in the flow.
`authorizeResponse.access_token`	String		Read only	A string that specifies the access token returned by the flow in a non-redirect or MFA only authentication flow (for an `implicit` authorization request).
`authorizeResponse.id_token`	String		Read only	A string that specifies the ID token returned by the flow in a non-redirect or MFA only authentication flow (for an `implicit` authorization request).
`authorizeResponse.code`	String		Read only	A string that specifies the authorization code returned by the flow in a non-redirect or MFA only authentication flow (for an `authorization_code` authorization request).
`authorizeResponse.state`	String		Immutable	A string that specifies the authorization `state` (used to maintain state between the logout request and the callback to the redirect URI) returned by the flow in a non-redirect or MFA only authentication flow (for an `authorization_code` authorization request).
`completedSignOnPolicy.id`	String		Read only	A string that specifies the ID of the completed sign-on policy resource after the flow is `COMPLETED`.
`completedSignOnPolicy.name`	String		Read only	A string that specifies the name of the completed sign-on policy after the flow is `COMPLETED`.
`createdAt`	Date		Read only	The time the resource was created.
`expiresAt`	Date		Read only	The time this flow will expire due to inactivity timeout based on a sliding window.
`id`	String		Immutable	A string that specifies the flow resource’s unique identifier.
`identifier`	String		Immutable	A string that specifies a `username` value returned from the `login_hint` property.
`resumeUrl`	String		Immutable	A string that specifies where the flow handler UI will redirect the browser to after the flow is `COMPLETED` or `FAILED`.
`status`	String		Immutable	A string that specifies the status of the flow.
`user.id`	String		Immutable	A string that specifies the ID of the session user. This value is used for authentication flows initiated with an existing session's unique ID.

These common links are returned with the flow response.

Links	Description
`self`	The link to the current flow resource.
`session.reset`	The link to the session reset action. This link is present if the user has signed on previously on this device. It can be used to sign off the user and reset the flow.

These common embedded resources are returned with the flow response:

Embedded resources	Description
`devices`	List of objects containing the properties of each devices associated with the user.
`devices[].otpStatus.status`	Whether or not the device can be used currently for OTP-based authentication. Value returned is ENABLED or DISABLED. Relevant only for devices where `type` is MOBILE.
`devices[].otpStatus.reason`	If the status is DISABLED, contains the reason that the device cannot be used for OTP-based authentication, for example, that the application used a version of the MFA SDK that does not support OTP. Relevant only for devices where `type` is MOBILE.
`devices[].pushStatus.status`	Whether or not the device can be used currently for push-based authentication. Value returned is ENABLED or DISABLED. Relevant only for devices where `type` is MOBILE.
`devices[].pushStatus.reason`	If the status is DISABLED, contains the reason that the device cannot be used for push-based authentication, for example, that the push option was disabled for the application in the MFA policy. Relevant only for devices where `type` is MOBILE.
`devices[].usableStatus.status`	Whether or not the device can be used currently for authentication. Value returned is ENABLED or DISABLED.
`devices[].usableStatus.reason`	If the status is DISABLED, contains the reason that the device cannot be used for authentication, for example, that the defined daily notifications limit has already been reached.
`user`	The link to the resource containing profile attributes of the actively signing-on or previously signed-on user.

Audit reporting events

To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.

Service	Event
FlowDefinitions	FLOW_DEFINITION.CREATED
FlowDefinitions	FLOW_DEFINITION.UPDATED
FlowDefinitions	FLOW_DEFINITION.DELETED
FlowExecutions	FLOW_EXECUTION.CREATED
FlowExecutions	FLOW_EXECUTION.UPDATED
FlowExecutions	FLOW_EXECUTION.DELETED
FlowExecutions	STEP_EXECUTION.CREATED
FlowExecutions	STEP_EXECUTION.UPDATED

Response codes

Code	Message
200	Successful operation.
201	Successfully created.
204	Successfully removed. No content.
400	The request could not be completed.
401	You weren’t authenticated to perform this operation.
404	The requested resource was not found.

Note: Flow endpoints use a session token cookie to associate an authenticated user with the flow session. For flows started through the authorize endpoint that call the read flow endpoint, a session token cookie is set only after the identity of the user has been partially established. For example, if the sign-on policy specifies identifier first and MFA actions, then the cookie is set after the user is identified through a user lookup action and provides the correct password. Conversely, for a flow initiated in a browser that already has a valid session token cookie, calling the flow requires the session token cookie, which can be passed in as a request header (for example, -H "Cookie: ST=12345174-cf3b-47e4-b22a-12a76d0116a5").

Custom login application developers can handle cookies through a browser or, for non-browser authentication flows, in the same manner as a browser, by saving the cookies when returned in an HTTP response from PingOne, and including them on subsequent requests. Also, application developers should use the cookie handling features of the development platform or HTTP client library (or both) whenever possible.

Check Assertion

Check One-Time Password (OTP)

Check Username/Password

Reset Flow

Reset Password

Select Device

Sign On with a Username

Sign On with Kerberos

Cancel Authentication Flow

Read Flow

Forgot Password

The forgot password endpoints provide the flow actions to recover a user's forgotten password. These flow actions allow the user to recover the account and set a new password.

Forgot Password

Send (Resend) Recovery Code

Recover Password

Registration and Verification

The registration and verification endpoints provide flow actions for the following authentication workflows:

Register new users.
Verify the newly registered user account.
Update user profiles.
Confirm user account information received from an external identity provider.
Prompt users to consent to (or reject) an agreement.

Register User

Send (Resend) Verification Code

User Profile Update

Confirm Account Information

Agreement Accept Consent

Verify User

Device Authorization Grant Flows

The device authorization grant endpoints provide the flow actions to verify a user's device user code and accept a consent agreement for the device. These flow actions address the flow states generated in a device code authentication flow.

Confirm Device Activation Code

Accept Device Authorization Grant Consent

Admin Invitations

The flows endpoint supports operations to accept administrator invitations sent to users.

Response codes

Code	Message
200	Successful operation.
204	Successfully removed. No content.
400	The request could not be completed.
401	You do not have access to this resource.
404	The requested resource was not found.

Accept Admin Invite

DaVinci Flow Executions

The flow execution APIs called to initiate a DaVinci flow depend on whether the flow is a PingOne flow or a DaVinci (non-PingOne) flow. PingOne flows use the PingOne authorize endpoint /as/authorize to initiate the authentication workflow. DaVinci flows use the /policy/{{davinciFlowPolicyID}}/start endpoint to initiate the flow.

The PingOne initiated flows provide two configuration options that determine the data structure of the responses:

Default flow execution

The authorize request and flow endpoints return concise and trimmed JSON responses with only functional details. Flow execution results in a valid session.
Detailed responses in flow execution

The authorize request and the flow endpoints return verbose responses that include properties such as the frontend HTML and scripts to build the interface forms. Like the scenario above, the flow execution results in a valid session.

See PingOne Initiated Flows for configuration details.

DaVinci native flows do not use the PingOne authorize request to start the flow.

Direct flow executions using DaVinci APIs

Direct flow executions use the DaVinci /start request to initiate the flow. This scenario is often used for flows that do not require user interactive steps. It supports use cases where you need flexibility in sending custom JSON responses to the client, whether flow execution succeeds or fails. For these flows, successful flow execution may not require obtaining a valid session as a result.

See DaVinci Direct Flow Executions for configuration details.

PingOne Initiated Flows

When you use a PingOne authorize request to initiate DaVinci flow execution, you can choose between the following configuration options:

Default flow execution

This scenario uses a PingOne OIDC application and a DaVinci flow designated as a PingOne flow. Flow execution is initiated by a PingOne authorize request (POST {{authPath}}/{{envID}}/as/authorize) that specifies pi.flow as the response mode and the X-Requested-With HTTP header set to ping-sdk. The flow endpoints return concise and trimmed JSON responses with only functional details. Flow execution results in a valid session. (Note: This configuration supports using the same flow for web-based user interactive and headless flow execution.)

See Default Approach for configuration details.
Detailed responses in flow execution

This scenario has similar characteristics to the one above. Flow execution is initiated by a PingOne authorize request (POST {{authPath}}/{{envID}}/as/authorize) that specifies pi.flow as the response mode. However, in this scenario, it omits the X-Requested-With HTTP header from the PingOne authorize request. The flow endpoints return verbose responses that include properties such as the frontend HTML and scripts to build the interface forms. Like the scenario above, the flow execution results in a valid session, and supports user interactive and headless flow execution.

See Detailed Responses for configuration details.

Default Approach

PingOne flows use the PingOne authorize endpoint to start the flow. The authorize request must include the response_mode property set to pi.flow, which tells the authorization server to return a 200 OK response with a payload that can be either verbose (HTML and scripts to render the sign-on forms) or minimal (concise JSON responses that show the data properties and their values). Configuring your responses to return JSON gives you the flexibility to parse the response data, collect the information you need, and process it to suit your workflow.

To return JSON, the authorize request and every subsequent flow action request must include the X-Requested-With HTTP header with the value set to ping-sdk.

For example, the PingOne authorize request with X-Requested-With set to ping-sdk returns the following JSON response:

{
    "interactionId": "0964a6a0...",
    "connectorId": "api",
    "interactionToken": "e578ecc5c0f1b...",
    "success": true,
    "startUiSubFlow": true,
    "_links": {
        "next": {
            "href": "https://auth.pingone.asia/{{envID}}/davinci/connections/{{connectionInstanceID}}/capabilities/customHTMLTemplate"
        }
    },
    "eventName": "continue",
    "isResponseCompatibleWithMobileAndWebSdks": true,
    "id": "65u7m8cm28",
    "companyId": "424d6ac2...",
    "flowId": "1041e80...",
    "connectionId": "867ed4...",
    "capabilityName": "customHTMLTemplate",
    "formData": {
        "value": {
            "username": "",
            "password": ""
        }
    },
    "form": {
        "name": "Sign On Form",
        "description": "Prompt for username and password",
        "category": "CUSTOM_HTML",
        "components": {
            "fields": [
                {
                    "type": "TEXT",
                    "key": "username",
                    "label": "Username"
                },
                {
                    "type": "PASSWORD",
                    "key": "password",
                    "label": "Password"
                },
                {
                    "type": "SUBMIT_BUTTON",
                    "label": "Sign On",
                    "key": "SIGNON"
                },
                {
                    "type": "FLOW_BUTTON",
                    "label": "No account? Register now!",
                    "key": "REGISTER"
                },
                {
                    "type": "FLOW_BUTTON",
                    "label": "Having trouble signing on?",
                    "key": "TROUBLE"
                }
            ]
        }
    }
}

Use cases

DaVinci and PingOne configuration requirements

In DaVinci, you must configure your application, the flow, and the flow policy to meet the requirements below:

A DaVinci application.
A DaVinci flow designated as a PingOne flow.
A DaVinci flow policy that includes the PingOne flow.
A PingOne OIDC application that is associated with the DaVinci flow policy.

Note: For PingOne flows, in addition to defining an application in DaVinci, you must also configure a PingOne OIDC application and map it to a DaVinci flow policy ID. The PingOne application ID is the client_id parameter value in the authorize request. For information about DaVinci configuration, see Launching a flow with a Ping SDK.

Flow execution

To execute a PingOne flow using APIs and receive JSON responses (instead of the usual HTML responses returned by DaVinci endpoints), follow these steps:

Step 1: Initiate the flow through a PingOne authorize request

Use the PingOne /as/authorize OIDC endpoint to initiate authorization.
In the authorize request, set the response_mode property value to pi.flow. The pi.flow value specifies a non-redirect flow where the redirect_uri parameter is not required and authorization response parameters are encoded as a JSON object and returned directly to the client.
Set the client_id (the PingOne application client ID mapped to the DaVinci flow policy), the response_type, and scopes properties for the authorize request. For information about PingOne authorize endpoint properties, see Authorization.
Add the X-Requested-With HTTP header and set the value to ping-sdk. The JSON response from the authorization server returns a next link that provides the request URL to proceed to the next step of the flow.

Step 2: Execute the next flow action

Use the next link returned in the response (example shown below) to execute subsequent steps of the flow. For information about building the next link's request body, see DaVinci Flow Capabilities.

"_links": {
        "next": {
            "href": "{{authPath}}/{{envID}}/davinci/connections/{{connectionInstanceID}}/capabilities/{{capabilityName}}"
        }
    },

Note: The capability specified by {{capabilityName}} in the next link determines the action of the node in the flow. The flow uses the customHTMLTemplate or customForm capabilities to create an HTML page (or form) to prompt for required information to complete the flow action. The flow returns the following capabilities in the response JSON, depending on the success or failure of the sign-on action:

returnSuccessResponseRedirect

If the action is successful, this capability (returned in the response's next link) redirects to the next action in the flow.
customErrorMessage

If the action fails, this capability returns a JSON error response.

Add the X-Requested-With HTTP header to each next request, and set its value to ping-sdk to ensure that the response returns JSON.

Note: The APIs pause execution only at user-interactive steps, such as nodes that use the customHTMLTemplate or customForm capability.

Step 3: Complete the flow

On successful flow completion, the response includes the ST-Cookie and ST-NO-SS session cookies in the response headers to indicate that a session has been established.
The response returns the returnSuccessResponseRedirect capability and the following JSON structure to PingOne:

{
  "environment" : {
    "id" : "6baead75..."
  },
  "session" : {
    "id" : "8e918b54..."
  },
  "authorizeResponse" : {
    "access_token" : "eyJraWQiOiI3YT...",
    "id_token" : "eyJraWQiOiI3YTVh...",
    "token_type" : "Bearer",
    "expires_in" : 3600,
    "scope" : "openid profile"
  },
  "status" : "COMPLETED"
}

Note: The DaVinci SDK uses these APIs as a backend when the SDK is used to execute a DaVinci flow. At this time, the SDK supports only PingOne-designated DaVinci flows associated with PingOne applications that use the OpenID Connect protocol. For information and support considerations, see Launching a flow with a Ping SDK and Ping SDKs - DaVinci.

DaVinci flow capabilities data model properties

Property	Type?	Required?	Mutable?	Description
`authorizeResponse`	Object	N/A	Read only	The response from the authorization server.
`authorizeResponse.code`	String	N/A	Read only	The authorization code returned by the authorization server.
`companyId`	String	N/A	Read only	The company ID (same value as the PingOne environment ID).
`capabilityName`	String	N/A	Read only	The name of the associated capability used by the node.
`connectionId`	String	N/A	Read only	The connection ID of the connector used to send the event.
`environment`	Object	N/A	Read only	The environment object.
`environment.id`	String	N/A	Read only	The environment ID.
`eventName`	String	N/A	Read only	The event name.
`flowId`	String	N/A	Read only	The flow ID.
`form`	Object	Optional	Mutable	The form attributes object.
`form.name`	String	Optional	Mutable	The form name.
`form.description`	String	Optional	Mutable	The form description.
`form.category`	String	Optional	Mutable	The form category.
`form.components`	Object	Optional	Mutable	The form components object.
`form.components.fields`	Object	Optional	Mutable	The form fields object.
`id`	String	N/A	Read only	The resource ID.
`interactionId`	String	N/A	Read only	A unique identifier for the flow execution.
`interactionToken`	String	N/A	Read only	The flow execution interaction token.
`isResponseCompatibleWithMobileAndWebSdks`	Boolean	N/A	Read only	Specifies whether the response is compatible with the mobile and web SDKs.
`parameters`	Object	Required	Mutable	The form data attributes.
`parameters.eventType`	String	Required	Mutable	The event type. Options are `action`, and `submit`.
`parameters.data`	Object	Required	Mutable	The parameter data JSON object. Options are `action`, and `submit`.
`parameters.data.actionKey`	String	Required	Mutable	If the `parameters.eventType` is set to `action`, this property specifies the flow action.
`parameters.data.formData`	Object	Required	Mutable	The form data attributes.
`parameters.data.formData.{{attribute}}`	String	Required	Mutable	The form data attributes that are associated with fields in the form.
`resetCookie`	Boolean	N/A	Read only	Specifies whether the reset cookie feature is enabled.
`session`	Object	N/A	Read only	The session object.
`session.id`	String	N/A	Read only	The session ID.
`status`	String	N/A	Read only	The status of the DaVinci flow (for example, `COMPLETE`).
`subFlowSettings`	Object	N/A	Read only	The subflow settings JSON object.
`success`	Boolean	N/A	Read only	Specifies whether the flow was successful.

DaVinci Flow Capabilities

Detailed Responses

PingOne flows use the PingOne authorize endpoint to start the flow. The authorize request must include the response_mode property set to pi.flow, which tells the authorization server to return a 200 OK response with a payload that can be either verbose (HTML and scripts to render the sign-on forms) or minimal (concise JSON responses that show the data properties and their values). Configuring your responses to return HTML provides the frontend HTML you need to create the sign-on interface. It is the most direct way to render the interactive UI forms to collect user input.

To return HTML, the authorize request sets the response_mode property to pi.flow, but it omits the X-Requested-With HTTP header.

For example, the PingOne authorize request configured without the X-Requested-With HTTP header returns the following response:

{
  "id" : "howu8n9hsc",
  "companyId" : "499a5cea55...",
  "flowId" : "56cb88...",
  "connectionId" : "867ed43...",
  "capabilityName" : "customHTMLTemplate",
  "screen" : {
    "name" : "HTTP",
    "properties" : {
      "sktemplate" : {
        "type" : "string",
        "displayName" : "Template",
        "createdDate" : 1694542156374,
        "customerId" : "ecb9bf...",
        "companyId" : "singularkey"
      },
      "customHTML" : {
        "type" : "string",
        "displayName" : "HTML Template",
        "viewToggle" : true,
        "largePayload" : true,
        "value" : "<div class=\"app-container\" ..."
      },
      "validationRules" : {
        "type" : "object",
        "displayName" : "Form validation rules",
        "info" : "Rules to check to validate form inputs",
        "preferredControlType" : "validationRules"
      },
      "customCSS" : {
        "type" : "string",
        "displayName" : "CSS",
        "language" : "css",
        "maximizeToggle" : true,
        "largePayload" : true
      },
      "customScript" : {
        "type" : "string",
        "displayName" : "Script",
        "language" : "javascript",
        "maximizeToggle" : true,
        "info" : "Write custom JavaScript"."
      },
      "inputSchema" : {
        ...
      },
      "outputSchema" : {
        ...
      },
      "formFieldsList" : {
        "type" : "array",
        "constructType" : "formFieldsList",
        "displayName" : "Output Fields List",
        "preferredControlType" : "formFieldsList",
        "hideLabel" : false,
        "value" : [ {
          "preferredControlType" : "textField",
          "preferredDataType" : "string",
          "propertyName" : "username",
          "displayName" : "Username",
          "hashedVisibility" : false
        }, {
          "preferredControlType" : "textField",
          "preferredDataType" : "string",
          "propertyName" : "password",
          "displayName" : "Password",
          "hashedVisibility" : true
        }, {
          "preferredControlType" : "textField",
          "preferredDataType" : "string",
          "propertyName" : "buttonValue"
        } ]
      },
      "challenge" : {
        "type" : "string",
        "displayName" : "Challenge",
        "preferredControlType" : "textField",
        "enableParameters" : true
      },
      "button" : {
        "constructType" : "button",
        "displayName" : "Submit",
        "preferredControlType" : "button",
        "css" : {
          "backgroundColor" : "#1CAB42",
          "color" : "#ffffff"
        },
        "onClick" : {
          "constructType" : "skEvent",
          "eventName" : "continue",
          "eventType" : "post",
          "postProcess" : { }
        }
      },
      "showFooter" : {
        "value" : true
      },
      "returnRequestParameters" : {
        "value" : true
      },
      "messageTitle" : {
        "value" : "Information"
      },
      "message" : {
        "value" : ""
      },
      "showPoweredBy" : {
        "value" : false
      },
      "showContinueButton" : {
        "value" : false
      },
      "httpMethod" : {
        "value" : "GET"
      },
      "httpBody" : {
        "value" : "none"
      },
      "raw" : {
        "value" : ""
      },
      "signResponse" : {
        "value" : false
      },
      "additionalFieldsName" : {
        "value" : "additionalProperties"
      },
      "unsafeIgnoreTLSErrors" : {
        "value" : false
      },
      "delayTime" : {
        "value" : 50
      },
      "returnSuccess" : {
        "value" : true
      },
      "keepOutputIfNotValid" : {
        "value" : false
      },
      "fieldValidation" : {
        "value" : false
      },
      "outboundMtlsKey" : {
        "value" : "none"
      },
      "nodeTitle" : {
        "value" : "Username/Password Form"
      },
      "isLinkStyleSheetSupportEnabled" : {
        "value" : false
      }
    },
    "userViews" : [ {
      "screenTemplateName" : "CustomHTMLTemplate",
      "items" : [ {
        "propertyName" : "sktemplate"
      }, {
        "propertyName" : "customHTML"
      }, {
        "propertyName" : "validationRules"
      }, {
        "propertyName" : "customCSS"
      }, {
        "propertyName" : "customScript"
      }, {
        "propertyName" : "inputSchema"
      }, {
        "propertyName" : "outputSchema"
      }, {
        "propertyName" : "formFieldsList"
      }, {
        "propertyName" : "challenge"
      }, {
        "propertyName" : "button"
      } ]
    } ],
    "metadata" : {
      "colors" : {
        "canvas" : "#AFD5FF",
        "canvasText" : "#253746",
        "dark" : "#2E5EA6"
      },
      "logos" : {
        "canvas" : {
          "imageFileName" : "http.svg"
        }
      },
      "type" : "core",
      "vendor" : ""
    }
  },
  "interactionId" : "0344195d...7",
  "interactionToken" : "26bb08a75...",
  "skProxyApiEnvironmentId" : "us-west-2",
  "_links" : {
    "self" : {
      "href" : "https://auth.pingone.com/{{envID}}/davinci/policy/{{davinciFlowPolicyID}}/start"
    }
  }
}

Use cases

Davinci Flow Execution Detailed Responses

DaVinci and PingOne configuration requirements

In DaVinci, you must configure your application, the flow, and the flow policy to meet the requirements below:

A DaVinci application.
A DaVinci flow designated as a PingOne flow.
A DaVinci flow policy that includes the PingOne flow.
A PingOne OIDC application that is associated with the DaVinci flow policy.

Note: For PingOne flows, in addition to defining an application in DaVinci, you must also configure a PingOne OIDC application and map it to a DaVinci flow policy ID. The PingOne application ID is the client_id parameter value in the authorize request. For information about DaVinci configuration, see Launching a PingOne flow with a redirect.

Flow execution

To execute a PingOne flow using APIs and receive verbose responses, follow these steps:

Step 1: Initiate the flow through a PingOne authorize request

Use the PingOne /as/authorize OIDC endpoint to initiate authorization.
In the authorize request, set the response_mode property value to pi.flow. The pi.flow value specifies a non-redirect flow where the redirect_uri parameter is not required and authorization response data is returned directly to the client.
Set the client_id (the PingOne application client ID mapped to the DaVinci flow policy), the response_type, and scopes properties for the authorize request. For information about PingOne authorize endpoint properties, see Authorization.

Step 2: Execute the next flow action

Use the resource link returned in the response (example shown below) to execute subsequent steps of the flow.

"_links": {
            "href": "{{authPath}}/{{envID}}/davinci/connections/{{connectionInstanceID}}/capabilities/{{capabilityName}}"
    },

Note: In this link, the {{connectionInstanceID}} value is the "connectionId" capability property in the previous API response. The {{capabilityName}} is the "capabilityName" property returned in the previous API response.

Step 3: Complete the flow

On successful flow completion, the response includes the ST-Cookie and ST-NO-SS session cookies in the response headers to indicate that a session has been established.
The response returns the returnSuccessResponseRedirect capability and the following JSON structure to PingOne:

{
  "environment" : {
    "id" : "6baead75..."
  },
  "session" : {
    "id" : "8e918b54..."
  },
  "authorizeResponse" : {
    "access_token" : "eyJraWQiOiI3YT...",
    "id_token" : "eyJraWQiOiI3YTVh...",
    "token_type" : "Bearer",
    "expires_in" : 3600,
    "scope" : "openid profile"
  },
  "status" : "COMPLETED"
}

DaVinci flow capabilities data model properties

Property	Type?	Required?	Mutable?	Description
`authorizeResponse`	Object	N/A	Read only	The response from the authorization server.
`authorizeResponse.code`	String	N/A	Read only	The authorization code returned by the authorization server.
`companyId`	String	N/A	Read only	The company ID (same value as the PingOne environment ID).
`capabilityName`	String	N/A	Read only	The name of the associated capability used by the node.
`connectionId`	String	N/A	Read only	The connection ID of the connector used to send the event.
`environment`	Object	N/A	Read only	The environment object.
`environment.id`	String	N/A	Read only	The environment ID.
`eventName`	String	N/A	Read only	The event name.
`flowId`	String	N/A	Read only	The flow ID.
`form`	Object	Optional	Mutable	The form attributes object.
`form.name`	String	Optional	Mutable	The form name.
`form.description`	String	Optional	Mutable	The form description.
`form.category`	String	Optional	Mutable	The form category.
`form.components`	Object	Optional	Mutable	The form components object.
`form.components.fields`	Object	Optional	Mutable	The form fields object.
`id`	String	N/A	Read only	The resource ID.
`interactionId`	String	N/A	Read only	A unique identifier for the flow execution.
`interactionToken`	String	N/A	Read only	The flow execution interaction token.
`isResponseCompatibleWithMobileAndWebSdks`	Boolean	N/A	Read only	Specifies whether the response is compatible with the mobile and web SDKs.
`parameters`	Object	Required	Mutable	The form data attributes.
`parameters.eventType`	String	Required	Mutable	The event type. Options are `action`, and `submit`.
`parameters.data`	Object	Required	Mutable	The parameter data JSON object. Options are `action`, and `submit`.
`parameters.data.actionKey`	String	Required	Mutable	If the `parameters.eventType` is set to `action`, this property specifies the flow action.
`parameters.data.formData`	Object	Required	Mutable	The form data attributes.
`parameters.data.formData.{{attribute}}`	String	Required	Mutable	The form data attributes that are associated with fields in the form.
`resetCookie`	Boolean	N/A	Read only	Specifies whether the reset cookie feature is enabled.
`session`	Object	N/A	Read only	The session object.
`session.id`	String	N/A	Read only	The session ID.
`status`	String	N/A	Read only	The status of the DaVinci flow (for example, `COMPLETE`).
`subFlowSettings`	Object	N/A	Read only	The subflow settings JSON object.
`success`	Boolean	N/A	Read only	Specifies whether the flow was successful.

DaVinci Flow Capabilities

DaVinci Direct Flow Executions

DaVinci flows use the /start endpoint to initiate a non-PingOne flow that will return HTML in the response. You can integrate a non-PingOne flow in the following ways:

A redirect through PingOne. This method uses a call to a PingOne application to launch a flow with a redirect.
A redirect through PingOne using DaVinci as an external identity provider (IdP). This method uses a call to a PingOne application to launch a flow with a redirect using an external IdP configuration.
The widget. This method launches a flow inside of a widget on the current page.
An API call. This method launches a flow using an API call.

For more information, see Integrating Flows into Applications in the PingOne DaVinci guide.

Initiating flow policies

The /start endpoint initiates the flow (or flows) that are included in the flow policy specified by your DaVinci flow policy ID in the request URL. However, before you can initiate a flow policy, you must complete the following tasks:

Create a DaVinci application.
Create a flow.
Create a flow policy on the DaVinci application that specifies the flow you created in Step 2.

For more information, see Creating an application, How to create a flow, and Configuring a flow policy.

The /start API initiates a flow policy associated with an application, depending on the policy ID passed in with the request.

When you use the widget method to integrate DaVinci flow policies into your application, the /start request uses the endpoint from the auth.pingone.com resource server: The POST {{authPath}}/{{envID}}/policy/{{davinciFlowPolicyID}}/start.

For widget integration use cases, the code for the widget is embedded in the application's web page. In that scenario, the /start request should not use the application's API Key for security reasons. The application's API Key should be treated like a confidential secret; it cannot be exposed in a public web page. Instead, the POST {{authPath}}/{{envID}}/policy/{{davinciFlowPolicyID}}/start request uses a DaVinci SDK Token to authenticate the request and initiate the flow specified by the flow policy.

For more information about the widget application integration method, see Launching a flow with the widget in the PingOne admin documentation.

Using /start with the API integration method

When you use the API method to integrate DaVinci flow policies into your application, the /start request uses the endpoint from the orchestrate-api.pingone.com resource server: POST {{orchestratePath}}/v1/company/{{companyID}}/policy/{{davinciFlowPolicyID}}/start.

For API integration use cases, this method is used for headless flow execution in which no end user is involved. This workflow can pass in the application's API Key directly because it should be protected from public exposure.

For more information about the API application integration method, see Launching a flow with an API call in the PingOne admin documentation.

For sample requests and responses that use the POST {{orchestratePath}}/v1/company/{{companyID}}/policy/{{davinciFlowPolicyID}}/start endpoint, see Create Start Company Flow Policy.

Using an input schema with the flow

Flows can receive input parameters when invoked. It is good practice to configure the flow to validate input provided by users. Associating an input schema with the flow achieves input validation to ensure that the flow only allows input that meets your data criteria.

The following sample shows the request body for a /start request that uses input schema values in a user profile update flow. If input schema properties are designated as required, the flow invocation needs to pass in the required parameters to start the flow.

{
    "hostname": "bxhealth.devops.com",
    "dn": "uid=testpatient,ou=People,dc=bxhealth,dc=org",
    "modifications": [
        {
            "attributeName": "givenName",
            "modificationType": "set",
            "values": [
                "PatientFirst"
            ]
        },
        {
            "attributeName": "sn",
            "modificationType": "set",
            "values": [
                "PatientLast"
            ]
        }
    ]
}

PingOne Platform Auth APIs

PingOne Platform Auth APIs

Authorization server

Flows

OAuth 2 and OpenID Connect

SAML 2.0

Additional PingOne resources

OpenID Connect/OAuth 2