PingOne Authorize
PingOne Authorize provides customers with a fine-grained, attribute-based, dynamic authorization decisioning capability. PingOne Authorize moves per-transaction authorization logic from customer applications to PingOne, enabling centralized control of authorization policy and reuse of policy across applications and contexts.
This service provides the following operations:
Runtime evaluation
- Runtime evaluation of decision requests against a given policy decision resource. For more information, refer to Policy Decision Authorization.
Decision endpoint management
-
Creation of decision endpoints that allow efficient evaluation of policies developed in the PingOneAuthorize Policy Editor Service.
-
Control over which version of the policies are deployed to each decision endpoint, giving your organization control over how and when policies are rolled out.
For more information, refer to Policy Decision Management.
Authorization Decisions
PingOne Authorize provides customers with a fine-grained, attribute-based, dynamic authorization decisioning capability. PingOne Authorize moves per-transaction authorization logic from customer applications to PingOne, enabling centralized control of authorization policy and reuse of policy across applications and contexts.
This service provides the following operations:
Runtime evaluation
- Runtime evaluation of decision requests against a given policy decision resource. For more information, refer to Policy Decision Authorization.
Decision endpoint management
-
Creation of decision endpoints that allow efficient evaluation of policies developed in the PingOneAuthorize Policy Editor Service.
-
Control over which version of the policies are deployed to each decision endpoint, giving your organization control over how and when policies are rolled out.
For more information, refer to Policy Decision Management.
Decision Endpoints
The PingOne policy decision service provides operations to create, read, update and delete decision policy versions in PingOne.
Policy decision service data model
| Property | Type? | Required? | Mutable? | Description |
|---|---|---|---|---|
alternateId |
UUID | Optional | Mutable | A string that specifies alternative unique identifier for the endpoint, which provides a method for locating the resource by a known, fixed identifier. |
authorizationVersion.id |
UUID | Optional | Mutable | A string that specifies the ID of the Authorization Version deployed to this endpoint. Versioning allows independent development and deployment of policies. If omitted, the endpoint always uses the latest policy version available from the policy editor service. |
authorizationVersion.href |
String | Optional | Mutable | A string that specifies the request URL for the authorization version endpoint. |
authorizationVersion.title |
String | Optional | Mutable | A string that specifies the title for the authorization version response. |
authorizationVersion.type |
String | Optional | Mutable | A string that specifies the content type for the authorization version response. |
description |
String | Required | Mutable | A string that specifies the description of the policy decision resource. |
id |
UUID | Required | Mutable | A string that specifies the resource's unique identifier. |
name |
String | Required | Mutable | A string that specifies the policy decision resource name. |
owned |
Boolean | Optional | Mutable | A boolean that when true restricts modifications of the endpoint to PingOne-owned clients. |
policyId |
UUID | Optional | Mutable | A string that specifies the ID of the root policy configured for this endpoint. If omitted, the policy editor service decides on a suitable default. |
recentDecisionsEnabled |
Boolean | Optional | Mutable | A boolean that specifies whether to show recent decisions. |
recentDecisions.href |
String | Optional | Mutable | A string that specifies the request URL for the recent decisions endpoint. |
recentDecisions.title |
String | Optional | Mutable | A string that specifies the title for the recent decisions response. |
recentDecisions.type |
String | Optional | Mutable | A string that specifies the content type for the recent decisions response. |
recordRecentRequests |
Boolean | Required | Mutable | A boolean that specifies whether to record a limited history of recent decision requests and responses, which can be queried through a separate API. |
Policy decision management events generated
Refer to Audit Reporting Events for the events generated.
Response codes
| Code | Message |
|---|---|
| 200 | Successful operation. |
| 201 | Successfully created. |
| 204 | Successfully removed. No content. |
| 400 | The request could not be completed. |
| 401 | You do not have access to this resource. |
| 403 | You do not have permissions or are not licensed to make this request. |
| 404 | The requested resource was not found. |
Create Decision Endpoint
Read All Decision Endpoints
Read One Decision Endpoint
Read One Recent Decision
Read Recent Decisions
Read All Policy Decision Service Configuration Data
Read One Policy Decision Service Configuration Data
Update Decision Endpoint
Delete Decision Endpoint
Decision Evaluation
The PingOne policy decision service provides an action for runtime evaluation of decision requests against a given policy decision resource.
Policy decision evaluation request data model
| Property | Type? | Required? | Mutable? | Description |
|---|---|---|---|---|
parameters |
Object | Required | Mutable | An object that specifies the evaluation parameters required by the policy. |
userContext.user.id |
UUID | Optional | Mutable | A string that specifies the user's unique identifier. |
Policy decision evaluation response data model
| Property | Type? | Required? | Mutable? | Description |
|---|---|---|---|---|
authorizationVersion.id |
UUID | Optional | Mutable | A string that specifies the ID of the authorization version deployed to this endpoint. Versioning allows independent development and deployment of policies. If omitted, the endpoint always uses the latest policy version available from the policy editor service. |
id |
UUID | Required | Mutable | A string that specifies the resource's unique identifier. |
correlationId |
UUID | Optional | Mutable | A string that specifies the decision evaluation correlation ID. |
decision |
String | Required | Mutable | A string that specifies the decision result. Options are PERMIT, DENY, NOT_APPLICABLE, and INDETERMINATE. |
elapsedMicroseconds |
Integer | Optional | Mutable | An integer that specifies the evaluation duration in microseconds. |
status.code |
String | Optional | Mutable | A string that specifies the status. Options are OKAY, MISSING_ATTRIBUTE, TYPE_CONVERSION_ERROR, PROCESSING_ERROR, and TIMEOUT. |
status.message |
String | Optional | Mutable | A string that specifies the description of the error. |
statements.id |
UUID | Required | Mutable | A string that specifies the statement's unique identifier. |
statements.name |
String | Required | Mutable | A string that specifies the statement name. |
statements.code |
UUID | Optional | Mutable | A string that specifies the the statement code. Options are ANSWER. |
statements.payload |
Object | Optional | Mutable | An object that specifies statement payload. |
timestamp |
String | Optional | Mutable | A string that specifies the time the evaluation was executed. |
Policy decision evaluation related resource links
| Link | Description |
|---|---|
profile |
A string that specifies the URL for the decision request's associated profile. |
authorizationVersion.href |
A string that specifies the URL for the authorization version endpoint. |
authorizationVersion.profile |
A string that specifies the URL for the authorization version profile. |
policy.href |
A string that specifies the URL for the policy endpoint. |
policy.profile |
A string that specifies the URL for the policy profile. |
statements.href |
A string that specifies the URL for the statements endpoint. |
statements.profile |
A string that specifies the URL for the statements profile. |
Policy decision authorization events generated
Refer to Audit Reporting Events for the events generated.
The decision event format returned by a DECISION_ENDPOINT.DECISION_REQUEST_EVALUATED event uses terse keys to reduce storage requirements. The following table explains the meaning of each key returned in the decision event response.
| Key | Description |
|---|---|
enm |
The name of the endpoint against which the decision request was evaluated. |
eid |
The ID of the endpoint against which the decision request was evaluated. |
pid |
The ID of the PingOne Authorize Policy that was deployed to the endpoint at the time the decision request was evaluated. |
ver |
The ID of the version that was deployed to the endpoint at the time the decision request was evaluated. |
dec |
The overall decision produced. |
sce |
The JSON object describing the scenario (the decisions produced by individual policies and rules that contributed to the overall decision). |
sce.P |
The list of the IDs of the policies and rules that produced the decision PERMIT. |
sce.D |
The list of the IDs of the policies and rules that produced the decision DENY. |
sce.I |
The list of the IDs of the policies and rules that produced the decision INDETERMINATE. |
exe |
The time taken to evaluate the decision request (in microseconds). |
svc |
The JSON array giving the names and values of PingOne Authorize Services that were invoked as part of the decision request evaluation. |
svc.n |
The service name. |
svc.v |
The service value. |
Response codes
| Code | Message |
|---|---|
| 200 | Successful operation. |
| 400 | The request could not be completed. |
| 401 | You do not have access to this resource. |
| 403 | You do not have permissions or are not licensed to make this request. |
| 404 | The requested resource was not found. |
Evaluate a Decision Request
API Access Management
The PingOne Authorize API access management service provides tools to externalize the management and evaluation of access control policies for HTTP-based APIs. The access control policies defined in the API Service configuration are enforced through an API gateway, which delegates policy evaluation using a Ping Identity-provided integration kit that connects with the PingOne API.
The integration kit installed in your API gateway authenticates to PingOne. You configure a gateway and obtain a gateway credential. This credential is used to configure the API gateway integration kit. For more information, refer to PingOne Authorize API Gateway Integration Kits.
To create a gateway resource, refer to Create API Gateway Integration. In addition, API access management also uses the gateways credentials service. For more information, refer to Gateway Credentials.
API Services
The PingOne /environments/{{envID}}/apiServers endpoint provides operations to create, read, update, and delete API services in PingOne. An API service models a customer's APIs, which are then protected by the PingOne API access management service.
API service data model
| Property | Type? | Required? | Mutable? | Description |
|---|---|---|---|---|
accessControl.custom |
Object | Optional | Mutable | Defines if the operation will use custom policy rather than the "Group" or "Scope" accessControl requirement. |
accessControl.custom.enabled |
Boolean | Optional | Mutable | If TRUE, custom policy will be used for the endpoint. Defaults to FALSE. |
authorizationServer |
Object | Required | Mutable | A container for properties related to the authorization server that will issue access tokens used to access the APIs. |
authorizationServer.externalOAuthServer |
Object | Optional | Mutable | A container object for fields related to the API service's external OAuth 2 authorization server. Must not be provided if authorizationServer.type is PINGONE_SSO. |
authorizationServer.externalOAuthServer.audience |
String | Required | Mutable | The expected audience for incoming access tokens issued by the External OAuth Server. The runtime will reject bearer tokens not issued for this audience by checking for a matching value in the aud claim. The maximum length is 1024. |
authorizationServer.externalOAuthServer.id |
UUID | Required | Mutable | The ID of the related External OAuth Server. |
authorizationServer.resource |
Relationship | Required | Mutable | The resource defines the characteristics of the OAuth 2.0 access tokens used to get access to the APIs on the API service such as the audience and scopes. Must not be provided if authorizationServer.type is EXTERNAL. |
authorizationServer.resource.id |
String | Required | Mutable | The UUID of the custom PingOne resource. This property must identify a PingOne resource with a type property value of CUSTOM. |
authorizationServer.type |
String | Optional | Mutable | The type of authorization server that will issue access tokens. Valid options are PINGONE_SSO or EXTERNAL. Defaults to PINGONE_SSO. Must be the same value as the directory.type. If PINGONE_SSO, the authorizationServer.externalOAuthServer field must not be provided. If EXTERNAL, the authorizationServer.resource field must not be provided. |
baseUrls |
Array | Required | Mutable | The possible base URLs that an end-user will use to access the APIs hosted on the customer's API service. Multiple base URLs may be specified to support cases where the same API may be available from multiple URLs (for example, from a user-friendly domain URL and an internal domain URL). Base URLs must be valid absolute URLs with the https or http scheme. If the path component is non-empty, it must not end in a trailing slash. The path must not contain empty backslash, dot, or double-dot segments. It must not have a query or fragment present, and the host portion of the authority must be a DNS hostname or valid IP (IPv4 or IPv6). The length must be less than or equal to 256 characters. |
directory |
Object | Optional | Mutable | A container object for fields related to the user directory used to issue access tokens for accessing the APIs. If not provided, the directory.type will default to PINGONE_SSO. |
directory.type |
String | Required | Mutable | The type of directory that will be used to issue access tokens. Valid options are PINGONE_SSO or EXTERNAL. Defaults to PINGONE_SSO. Must be the same value as the authorizationServer.type. |
id |
String | Optional | Mutable | The resource's unique identifier. |
name |
String | Required | Mutable | The API service resource name. The name value must be unique among all API services, and it must be a valid resource name. |
policy.id |
String | Optional | Read-only | The ID of the root policy. |
Path parameter pattern syntax
If a path pattern has a type of PARAMETER, the following syntax rules apply to the parameter expression:
-
The pattern must start with a slash.
-
A single
*(wildcard) matches any character except a/. -
A double
**matches the rest of the path. It cannot be followed by any characters in the pattern. -
A path segment can be captured with syntax like
/{variable}. -
Nested captures are not allowed, meaning
{name1{name2}}is an invalid expression. -
Partial path segment matches are not allowed, meaning
/part1{part2}is an invalid expression. -
A literal left curly bracket, right curly bracket, backslash, or wildcard can be matched by preceding the character with a backslash:
\{, \{, \\, \*. -
The following characters are not allowed in parameter names:
'{', '}', '\', '/'. -
Parameter names must be unique within an expression, meaning
/{name1}/resource/{name1}is an invalid expression. -
ASCII control characters are invalid anywhere in the pattern.
Limiting and filtering data
You can limit the number of results returned on the Read API Services request with the limit parameter. Refer to Pagination for more information about use of the limit parameter, as well as other methods of controlling pagination.
You can filter response data by applying a SCIM filtering expression to the Read API Services request. These SCIM operators can be applied to the following attributes:
-
eq(equals)Supported attributes:
authorizationServer.externalOAuthServer.id
Response codes
| Code | Message |
|---|---|
| 200 | Successful operation. |
| 201 | Successfully created. |
| 204 | Successfully removed. No content. |
| 400 | The request could not be completed. |
| 401 | You do not have access to this resource. |
| 403 | You do not have permissions or are not licensed to make this request. |
| 404 | The requested resource was not found. |
Create API Service
Read API Services
Read One API Service
Update API Service
Delete API Service
API Operations
The PingOne /environments/{{envID}}/apiServers/{{apiServerID}}/operations endpoint provides operations to create, read, update, and delete API service operations in PingOne. Each operation is defined by one or more paths, and each path must have a unique pattern.
Path parameter pattern syntax
If a path pattern has a type of PARAMETER, the following syntax rules apply to the parameter expression:
-
The pattern must start with a slash.
-
A single
*(wildcard) matches any character except a/. -
A double
**matches the rest of the path. It cannot be followed by any characters in the pattern. -
A path segment can be matched using a named parameter, with syntax like
/{variable}. -
Nested named parameters are not allowed, meaning
{name1{name2}}is an invalid expression. -
Partial path segment matches are not allowed, meaning
/part1{part2}is an invalid expression. -
A literal left curly bracket, right curly bracket, backslash, or wildcard can be matched by preceding the character with a backslash:
\{, \{, \\, \*. -
The following characters are not allowed in parameter names:
'{', '}', '\', '/'. -
Parameter names must be unique within an expression, meaning
/{name1}/resource/{name1}is an invalid expression. -
ASCII control characters are invalid anywhere in the pattern.
API service operations data model
| Property | Type? | Required? | Mutable? | Description |
|---|---|---|---|---|
id |
String | N/A | Read-only | The ID of the API service operation. This is randomly generated when the operation is created. |
name |
String | Required | Mutable | The name of the API service operation. |
accessControl |
Object | Optional | Mutable | The access control configuration for the operation. |
accessControl.authentication |
Object | Optional | Mutable | Defines the authentication requirements for this operation. One or both of the acrs or maxAge fields must be provided. |
accessControl.authentication.acrs |
Array | Optional | Mutable | The acrs array is currently limited to a single entry. |
accessControl.authentication.acrs.element |
Object | Required | Mutable | The relationship reference to a PingOne authentication policy. |
accessControl.authentication.acrs.element.id |
String | Required | Mutable | The ID of the authentication policy. |
accessControl.authentication.acrs.element.type |
String | Required | Mutable | Identifies the authentication policy type. Valid values are PINGONE, which identifies a sign-on policy, and DAVINCI, which identifies a flow policy. |
accessControl.authentication.maxAge |
Number | Optional | Mutable | Specifies the maximum acceptable time in seconds since the user was last authenticated. If provided, the value must be a nonzero positive integer. |
accessControl.group |
Object | Optional | Mutable | The group membership requirements for the operation. The groups array must be non-empty when the group object is included. The groups array must not contain more than 25 elements. |
accessControl.group.groups |
Array | Required | Mutable | The list of groups that define the access requirements for the operation. The end user must be a member of one or more of these groups to gain access to the operation. This is a required property if accessControl.group is set. The ID must reference a group that exists at the time the data is persisted. There is no referential integrity between a group and this configuration. If a group is subsequently deleted, the access control configuration will continue to reference that group. |
accessControl.group.groups.element |
Relationship | Required | Mutable | The ID of the group, wrapped in an object, for future extensibility. This is a required property if operations.value.accessControl.group is set. |
accessControl.group.groups.element.id |
String | Required | Read-only | A UUID that specifies the group ID. This is a required property if accessControl.group is set. |
accessControl.permission |
Object | Optional | Mutable | Defines the application permission requirements for the operation. |
accessControl.permission.id |
string | Required | Mutable | An application permission ID that defines the access requirements for the operation. The end user must be entitled to the specified application permission to gain access to the operation. This is a required property if accessControl.permission is set. |
accessControl.scope |
Object | Optional | Mutable | Defines the scope membership requirements for the operation. |
accessControl.scope.matchType |
String | Optional | Mutable | An enumeration defining the match type of the scope rule. ALL means the client must be authorized with all scopes configured in the scopes array to obtain access. ANY means the client must be authorized with one or more of the scopes. |
accessControl.scope.scopes |
Array | Required | Mutable | A list of scopes that define the access requirements for the operation. The client must be authorized with ANY or ALL of the scopes to be granted access, depending on the matchType configuration. |
accessControl.scope.scopes.element |
Object | Required | Mutable | The relationship reference to a PingOne scope. |
accessControl.scope.scopes.element.id |
String | Required | Read-only | The ID of the scope. |
methods |
Array | Optional | Mutable | The methods that define the operation. No duplicates are allowed. Each element must be a valid HTTP token, according to RFC 7230, and cannot exceed 64 characters. An empty array is not valid. To indicate that an operation is defined for every method, the methods array should be set to null. The methods array is limited to 10 entries. |
methods.element |
String | Optional | Mutable | The name of the HTTP method. This value is case-sensitive. |
paths |
Array | Required | Mutable | The paths that define the operation. The same literal pattern is not allowed within the same operation (the pattern of a paths element must be unique as compared to all other patterns in the same paths array). However, the same literal pattern is allowed in different operations (for example, OperationA, /path1, OperationB, /path1 is valid). The paths array is limited to 10 entries. |
paths.element |
Object | Required | Mutable | The defined pattern that identifies the parent operation. |
paths.element.pattern |
String | Required | Mutable | The pattern used to identify the path or paths for the operation. The semantics of the pattern are determined by the type. For any type, the pattern can contain characters that are otherwise invalid in a URL path. Invalid characters are handled by performing matching against a percent-decoded HTTP request target path. This allows an administrator to configure patterns without worrying about percent encoding special characters. When the type is PARAMETER, the syntax outlined in the table below is enforced. Additionally, the pattern must contain a wildcard, double wildcard or named parameter. When the type is EXACT, the pattern can be any byte sequence except for ASCII control characters such as line feeds or carriage returns. The length of the pattern cannot exceed 2048 characters. The path pattern must not contain empty path segments such as /../, //, and /./. |
paths.element.type |
String | Required | Mutable | The type of the pattern. Options are EXACT (the verbatim pattern is compared against the path from the request using a case-sensitive comparison) and PARAMETER (the pattern is compared against the path from the request using a case-sensitive comparison, using the syntax below to encode wildcards and named parameters). |
policy.id |
String | Optional | Read-only | The ID of the root policy. |
Response codes
| Code | Message |
|---|---|
| 200 | Successful operation. |
| 201 | Successfully created. |
| 204 | Successfully removed. No content. |
| 400 | The request could not be completed. |
| 401 | You do not have access to this resource. |
| 403 | You do not have permissions or are not licensed to make this request. |
| 404 | The requested resource was not found. |
Create API Server Operation
Read API Service Operation
Read All API Service Operations
Update API Service Operation
Delete API Service Operation
API Server Deployment
The PingOne /environments/{{envID}}/apiServers/{{apiServerID}}/deployment endpoint provides operations to read and deploy an API service resource.
To create, modify, or delete an API service resource, refer to API services.
API service deployment data model
| Property | Type? | Required? | Mutable? | Description |
|---|---|---|---|---|
accessControl.custom |
Object | Optional | Mutable | Defines if the operation will use custom policy rather than the "Group" or "Scope" accessControl requirement. |
accessControl.custom.enabled |
Boolean | Optional | Mutable | If TRUE, custom policy will be used for the endpoint. Defaults to FALSE. |
authorizationVersion.id |
String | Optional | Read-only | The UUID of the last deployed policy authorization version. This is present only if custom polcies are enabled and the API service has been deployed at least once. |
decisionEndpoint.id |
String | Required | Read-only | The UUID of the decision endpoint. |
deployedAt |
Date | Optional | Read-only | The time of most recent successful deployment. Null if the API service has never been successfully deployed. |
policy.id |
String | Optional | Read-only | The ID of the root policy. |
status.code |
String | Required | Read-only | The deployment status code. For possible values, refer to Deployment status codes. |
status.error |
Object | Optional | Read-only | Error details returned if the last deployment request failed. |
status.error.id |
String | Required | Read-only | A unique identifier for the error. |
status.error.code |
String | Required | Read-only | A general fault code that identifies the the type of error. Refer to Error codes. |
status.error.message |
String | Required | Read-only | A short human-readable description of the error. |
API service deployment codes
| Status code | Description |
|---|---|
POLICIES_CREATE_IN_PROGRESS |
The policy bundle for the API service's managed policies is being created. |
DECISION_ENDPOINT_CREATE_IN_PROGRESS |
A decision endpoint is being created for the API service. |
DECISION_ENDPOINT_UPDATE_IN_PROGRESS |
The API service's decision endpoint is being updated. |
DEPLOYMENT_SUCCESSFUL |
The API service's policies have been successfully deployed. |
DEPLOYMENT_FAILED |
HAP-MGMT was unable to deploy the API service's policies. |
DEPLOYMENT_UNINITIALIZED |
A deployment has not yet been attempted. |
Deploy API Service
Retrieve Deployment Status
External OAuth Servers
The PingOne /environments/{{envID}}/externalOAuthServers endpoint provides operations to create, read, update, and delete external OAuth server resources in PingOne.
Refer to Using an external authorization server in PingOne Authorize AAM in the PingOne Admin Guide for more information.
External OAuth server data model
| Property | Type | Required? | Mutable? | Description |
|---|---|---|---|---|
description |
String | Optional | Mutable | A description of the External OAuth Server. Maximum length 1024. |
id |
UUID | Required | Immutable | The ID of the External OAuth Server. |
issuers |
Array of Strings | Optional | Mutable | Lists the expected issuer value(s) used by the External OAuth Server. The runtime will expect the value of a bearer token’s iss claim to match one of these expected issuer values. Array size must be between 1-8. Array elements must be between 1-1024. |
name |
String | Required | Mutable | The name of the External OAuth Server. Must be unique to the environment. Length must be between 1-256. |
type |
String | Required | Mutable | The type of External OAuth Server. The only accepted value is EXTERNAL, which indicates that the External OAuth Server is not PingOne SSO. |
validation |
Object | Required | Mutable | A container object for fields related to runtime validation of access tokens issued by the External OAuth Server. |
validation.clockSkewTolerance |
Number | Optional | Mutable | Specifies an allowable clock skew tolerance in seconds. When validating certain time-based token claims (nbf, exp), the runtime will tolerate time differences as specified by the value. The value must be zero or a positive integer. The default value is 0. |
validation.jwks |
String | Optional (see description) | Mutable | A JWKS document containing the External OAuth Server's public signing keys. Required if type is JWKS. Must be a valid JWKS per RFC 7517 and not exceed 16kB. |
validation.jwksUrl |
String | Optional (see description) | Mutable | The URL of the External OAuth Server's JWKS endpoint. Required if type is JWKS_URL. Length must be between 1-1024. Must use the HTTPS protocol scheme and satisfy an SSRF risk check. |
validation.type |
String | Required | Mutable | Indicates the validation strategy that will be used by the AAM runtime. Accepts only one of the following values: JWKS_URL, which indicates that the AAM runtime will retrieve JWK signing keys from a JWKS endpoint or JWKS, which indicates that the AAM runtime will use a set of JWK signing keys from a JWKS stored in the configuration. |
Limiting and filtering data
You can limit the number of results returned on the Read All External OAuth Servers request with the limit parameter. Refer to Pagination for more information about use of the limit parameter, as well as other methods of controlling pagination.
You can filter response data by applying a SCIM filtering expression to the Read All External OAuth Servers request. These SCIM operators can be applied to the following attributes:
-
co(contains)Supported attributes:
name
Response codes
| Code | Message |
|---|---|
| 200 | Successful operation. |
| 201 | Successfully created. |
| 204 | Successfully removed. No content. |
| 400 | The request could not be completed. |
| 401 | You do not have access to this resource. |
| 403 | You do not have permissions or are not licensed to make this request. |
| 404 | The requested resource was not found. |
Create External OAuth Server
Read All External OAuth Servers
Read One External OAuth Server
Update External OAuth Server
Delete External OAuth Server
Application Permissions
The PingOne Authorize application resources and roles service provides endpoints to define custom roles and permissions within PingOne to protect external application resources.
To create and manage application roles and permissions, see:
-
Provides endpoints to list the representations of external applications in PingOne. For create, update, and delete operations for application resources, refer to Application Resources.
-
Application resource permissions
Provides endpoints to define and manage permissions on the application resource.
-
Provides endpoints to define and manage application roles in PingOne. Roles contain application permissions. Application roles can be assigned to PingOne users.
-
Provides endpoints to define and manage access control permissions, expected to be defined by a customer application developer. An application permission is comprised of an action and a protected resource, such as
read:accounts. When a permission is added to a role, it creates a role entry. A subject assigned to a role is authorized for the permissions represented by the role's entries. -
Application role assignments by role
Provides an endpoint to read application role assignments by role. The endpoint specifies a role ID in the request URL and the operation returns the role assignments associated with the identified role.
-
User application role assignments
Provides endpoints to define and manage application role assignments associated with user resources.
Application Resources
The PingOne Authorize {{apiPath}}/environments/{{envID}}/applicationResources endpoint provides operations to read application resources in PingOne. For information about create, update, and delete operations for application resources, refer to Create Application Resource, Update Application Resource, and Delete Application Resource.
API application resources data model
| Property | Type? | Required? | Mutable? | Description |
|---|---|---|---|---|
description |
String | Optional | Mutable | The application resource's description. |
id |
String | N/A | Read only | The resource's unique identifier. |
name |
String | Required | Mutable | The application resource name. The name value must be unique. |
parent |
Object | Required | Read only | The application resource's parent. |
parent.type |
String | Required | Read only | The application resource's parent type. Options are PING_ONE_RESOURCE. |
parent.id |
String | Required | Read only | The application resource's parent ID. |
Response codes
| Code | Message |
|---|---|
| 200 | Successful operation. |
| 201 | Successfully created. |
| 204 | Successfully removed. No content. |
| 400 | The request could not be completed. |
| 401 | You do not have access to this resource. |
| 403 | You do not have permissions or are not licensed to make this request. |
| 404 | The requested resource was not found. |
Read Application Resources
Read One Application Resource
Application Resource Permissions
The PingOne Authorize {{apiPath}}/environments/{{envID}}/applicationResources/{{appResourceID}}/permissions endpoint provides operations to create, read, update, and delete application resource permissions in PingOne.
Application resources permissions data model
| Property | Type? | Required? | Mutable? | Description |
|---|---|---|---|---|
action |
String | Required | Mutable | The action associated with this permission. |
description |
String | Optional | Mutable | The resource's description. |
environment.id |
String | N/A | Read-only | The unique identifier for the associated environment. |
id |
String | N/A | Read-only | The resource's unique identifier. |
key |
String | N/A | Read-only | The resource.name:action pair of the permission. |
resource |
Object | N/A | Read-only | An object that identifies the associated application resource. |
resource.id |
String | N/A | Read-only | The ID for the associated application resource. |
resource.name |
String | N/A | Read-only | The name of the associated application resource. |
Response codes
| Code | Message |
|---|---|
| 200 | Successful operation. |
| 201 | Successfully created. |
| 204 | Successfully removed. No content. |
| 400 | The request could not be completed. |
| 401 | You do not have access to this resource. |
| 403 | You do not have permissions or are not licensed to make this request. |
| 404 | The requested resource was not found. |
Create Application Permissions
Read Application Permissions
Read One Application Permission
Update Application Permission
Delete Application Permission
Application Roles
The PingOne Authorize {{apiPath}}/environments/{{envID}}/applicationRoles endpoint provides operations to create, read, update, and delete application roles in PingOne.
Application roles data model
| Property | Type? | Required? | Mutable? | Description |
|---|---|---|---|---|
description |
String | Optoinal | Mutable | The description of the application role. |
id |
String | N/A | Read-only | The ID of the application role. |
name |
String | Required | Mutable | The name of the application role. |
Response codes
| Code | Message |
|---|---|
| 200 | Successful operation. |
| 201 | Successfully created. |
| 204 | Successfully removed. No content. |
| 400 | The request could not be completed. |
| 401 | You do not have access to this resource. |
| 403 | You do not have permissions or are not licensed to make this request. |
| 404 | The requested resource was not found. |
Create Application Role
Read Application Roles
Read Application Role Users
Read One Application Role User
Read One Application Role
Update Application Role
Delete Application Role
Application Role Permissions
The PingOne Authorize {{apiPath}}/environments/{{envID}}/applicationRoles/{{appRoleID}}/permissions endpoint provides operations to add, read, and delete the permissions associated with application roles.
Application roles permissions data model
| Property | Type? | Required? | Mutable? | Description |
|---|---|---|---|---|
action |
String | N/A | Read-only | The action associated with this permission. |
description |
String | N/A | Read-only | The permission description. |
id |
String | N/A | Read-only | The permission's unique identifier. |
key |
String | N/A | Read-only | The resource.name:action pair of the permission. |
resource |
Object | N/A | Read-only | An object that identifies the associated application resource. |
resource.id |
String | N/A | Read-only | The ID of the resource associated with this role. |
resource.name |
String | N/A | Read-only | The name of the resource associated with this role. |
Response codes
| Code | Message |
|---|---|
| 200 | Successful operation. |
| 201 | Successfully created. |
| 204 | Successfully removed. No content. |
| 400 | The request could not be completed. |
| 401 | You do not have access to this resource. |
| 403 | You do not have permissions or are not licensed to make this request. |
| 404 | The requested resource was not found. |
Create Application Role Permission
Read Application Role Permissions
Delete Application Role Permission
Application Role Assignments
The PingOne Authorize{{apiPath}}/environments/{{envID}}/applicationRoles/{{appRoleID}}/assignments endpoint provides operations to read application role assignments in PingOne.
Appliction role assignments data model
| Property | Type? | Required? | Mutable? | Description |
|---|---|---|---|---|
id |
String | N/A | Read-only | The ID of the API server operation. This is randomly generated when the operation is created. |
role |
Object | N/A | Read only | The role associated with the role assignment. |
subject |
Object | N/A | Read only | The user associated with the role assignment. |
Response codes
| Code | Message |
|---|---|
| 200 | Successful operation. |
| 400 | The request could not be completed. |
| 401 | You do not have access to this resource. |
| 403 | You do not have permissions or are not licensed to make this request. |
| 404 | The requested resource was not found. |
Read Application Role Assignments by Role
Working with PingOne APIs
If you want to start building your own workflows with PingOne APIs, the Workflow Library provides step-by-step workflows with linked Postman collections to help you start using the PingOne APIs in your Postman environment. For information about how PingOne secures APIs, resources, and data, and what you can do to implement security measures for your PingOne deployment and applications, refer to Platform security.
PingOne API domains
This section discusses how PingOne API regional endpoints are entered in the domain name system (DNS). In DNS, and in our endpoints, the domain part of the uniform resource locator (URL) comprises three parts separated by periods, such as api.pingone.com: one of our service-specific subdomains, our PingOne domain name of pingone, and one of our top level domains.
We use Postman variables to manage this variety of domain parts in PingOne API endpoints. The later discussion is correct regarding the domain part that the variables evaluate to. However, to ease maintenance, the Postman environment template you get when you download a collection uses variables to isolate the TLD from the rest of the domain part and to isolate the domain part from the rest of the endpoint.
The environment template has a path variable for each subdomain. Each path variable uses another variable, {{tld}}, for the top level domain (TLD). Such as https://api.pingone.{{tld}}/v1 for {{apiPath}}. The tld variable is first in the environment template that you downloaded.
The table below shows the top level domain value for each region. To change your region, simply change the default {{tld}} value from com to your region's TLD.
| Region | Code | Top level domain |
|---|---|---|
| North America region (excluding Canada) | NA | com (default) |
| Canada region | CA | ca |
| European Union region | EU | eu |
| Australia region | AU | com.au |
| Singapore region | SG | sg |
| Asia-Pacific region | AP | asia |
The PingOne API includes the following domains:
| Domain | Postman path variable | Description |
|---|---|---|
api.pingone.{{tld}} |
{{apiPath}} |
The primary domain for calling PingOne Management API resource server. |
auth.pingone.{{tld}} |
{{authPath}} |
The authorization and authentication server domain called to request the access token required to authenticate PingOne API requests. |
orchestrate-api.pingone.{{tld}} |
{{orchestratePath}} |
The primary domain for calling the PingOne DaVinci Management API resource server. |
scim-api.pingone.{{tld}} |
{{scimPath}} |
PingOne API service for Cross-domain Identity Management (SCIM). |
The {{...Path}} variable in the sample requests stand for the PingOne service endpoint. Refer to Public endpoints in the PingOne for Developers Foundations guide for more information.
The Try a Request feature
Our documentation for the PingOne APIs includes an interactive Try a Request feature. Try a Request enables you to configure and send a PingOne API request and get a response from within the documentation. This is a quick way to interactively test a PingOne API request without needing to use either Postman or the command line.
Requests in Authentication and Authorization APIs do not have the Try a Request feature due to a Cross-Origin Resource Sharing (CORS) constraint.
Calling the PingOne APIs from the command line
Each PingOne API request in the documentation includes an example request and response. By default, the example request is displayed using cURL. However, a number of coding languages are available in the associated drop-down list. If you want to run a request from the command line, you can select the coding language and copy the displayed request. You'll need to replace any variables in the request with the appropriate values before running the request.
Using Postman collection-level authorization
Most APIs require authorization to ensure that client requests access data securely. Postman can pass along whatever authorization details necessary for the method demanded by the endpoint. You can manually include authorization data in the header, body, or as parameters to a request. However, the easiest way is to use the Authorization tab in Postman. Select an authorization Type on that tab and Postman offers a dialog to gather the information required by that Type. When you run a request, Postman uses the information from the Authorization tab to automatically add the necessary authorization header, body, or parameters to the request. Postman offers the Authorization tab on requests, folders, and collections.
In PingOne collections, the authorization method is defined at the collection level. Only those requests that require a specific authorization method have authorization defined on the request (roughly 10% of PingOne requests). This allows you to easily change the authorization used for most requests. Refer to Postman Collection-Level Authorization for more information.
Postman and the PingOne APIs
We use Postman to create our PingOne DaVinci Admin API docs, and have supplied our Postman collections for you to download. There's also an accompanying Postman Environment template already populated with the variables used in the collections.
If you aren't currently using Postman, you can install the free version. Refer to Download Postman to install Postman, either locally, or in your browser.
Refer to The PingOne DaVinci Admin API Postman collections for the collections you can download or fork.
For more information about our Postman environment variables, refer to The PingOne Postman environment template.
You'll also find all of the Postman collections for our documented PingOne use cases in our Workflow Library.
The PingOne Postman collections
You can get the PingOne Authorize API Postman collection by following either of these methods for retrieving a Postman collection into your workspace:
-
Fork the collection into your workspace. Postman retains an association between the source and your fork. If we update the source collection, you can pull those changes into the fork in your workspace.
-
Import the collection into your workspace. This is a one-time transfer and retains no association to the source collection.
To retrieve a collection
Refer to The PingOne Authorize API collections on this page.
-
Click the collection's Run In Postman button.
-
At the prompt, click Fork Collection at the bottom of the dialog or click import a copy near the bottom of the dialog.
-
Follow the on-screen instructions to fork or import the collection. You're prompted to select a Postman workspace for the retrieved collection.
When you fork a Postman collection, you create a copy of it in a selected workspace. Forking a collection creates a linked version that synchronizes with its source collection. This synchronization is apparent when you click the three dots icon on the forked collection - you'll see Pull changes on the context menu. When you click Pull changes, Postman compares the fork to the source collection. If changes are available, you can pull those changes into your fork. If you also elect to watch the collection, you'll receive notifications when the source changes.
If you import a collection, a copy is created in the selected workspace with no link back to the source. The collection is static. This may be desirable for some use cases. For example, if you intend to keep and use only some requests in a collection, a link back to the source is not needed.
You're not limited to choosing one method or the other. You can fork a copy to track the source and import a copy for experimentation, if you like.
The PingOne Authorize API collections
These Postman collections include requests for all create, read, update, and delete (CRUD) operations for the PingOne Authorize APIs.
| Collection | Description | Retrieve |
|---|---|---|
| PingOne Authorize | Postman requests for the PingOne Authorize API. Includes all environment variables. No example responses to make it easy to get started. |  |
| PingOne Authorize | Postman requests for the PingOne Authorize API. Includes all PingOne Platform API Reference documentation and example responses. No environment variables are included. | |
For more information about the Postman environment variables included when you download or fork one of our Postman collections, refer to The PingOne Postman environment template.
The PingOne Postman environment template
Our Postman collections use variables in the request URLs to specify the UUIDs for PingOne resources. When you click the Run in Postman button for a collection, these environment variables are included in your download or fork. Use these environment variables as a template to assign your PingOne resource UUIDs with the common variables used in many of the requests.
For more information about using Postman environments, refer to the following topic in the Postman documentation: Environments in Postman.
POST requests in the PingOne Authorize API Postman collections that create a resource and return a resource ID include a Postman script. This script automatically adds a resource variable to your active Postman environment, and uses the newly created ID as the value.
For example, the following request creates a new Authorize variable. This request URL contains variables for the API path and environment ID:
POST {{apiPath}}/environments/{{envID}}/variables
To run this request, you must ensure the {{apiPath}} in the Postman environment template has the regional top-level domain (TLD) associated with your organization. Refer to Variables you must value for more information.
Almost every request in PingOne requires an environment ID. If you are working primarily in one environment for testing purposes, you'll want to add your environment's UUID to your active Postman environment as the value for the {{envID}} variable.
Requests to PingOne Management API endpoints require a valid access token to authenticate the request. In the PingOne Postman collections, the token value is represented in the Postman environment template as the variable {{accessToken}}.
With the {{tld}} and {{envID}} variables defined in your Postman template, and with a valid token value defined in the {{accessToken}} variable, you can run the request shown above:
POST {{apiPath}}/environments/{{envID}}/variables
If the request is successful, Postman adds a {{variableID}} variable to the current Postman environment automatically, and associates the new user's id property value (the UUID of the new user) with this variable.
Notes about environment variables and security
It's important to understand how Postman allows you to Store and reuse values using variables. Postman has two values for each environment variable: an Initial value and a Current value. You'll want to pay particular attention to differences between Initial and current values. Initial values are saved to Postman's cloud, and available to anyone who has access to the environment. Current values are saved only locally and available only to you. Postman uses only the current value in requests. If an environment variable has an initial value but no current value, Postman doesn't copy it to the current value or use the initial value in the request, the request simply fails. In this case, you need to manually copy the initial value to the current value.
When you create a new variable with an initial value and save the environment, Postman autofills the current value. However, that is the only time that Postman autofills the current value. If you subsequently delete the current value, the variable is no longer valued in a request.
Saving initial values to the Postman cloud impacts security. These initial values are available to anyone who has access to the workspace. If a workspace is public, you have a security issue.
Postman's recommended solution to exposing secrets is to Store secrets in your Postman Vault. Remember that Postman uses only current values in requests.
Variables you must value
When you download or fork a PingOne Postman collection, your workspace receives a set of Postman environment variables for you to use as a template. The variables that represent a resource in PingOne automatically receive a value when you create a new PingOne resource using Postman. Our script associated with the request (shown on the request's Scripts tab) inserts the identifier of the resource it creates as the value of the variable associated with that resource. However, some variables essential to using Postman with PingOne do not have their values inserted automatically. You must manually add the correct value to these variables before making any requests in Postman:
| Postman variable | PingOne resource |
|---|---|
adminAppID |
The Client ID of the Worker app you created Create an admin Worker app connection. |
adminAppSecret |
The Client Secret of the Worker app created. |
adminEnvID |
The ID for the environment in which your Worker app resides. |
envID |
The ID for the environment in which you are running your Postman API requests. |
orgID |
The ID for your organization. In the PingOne admin console, select Environment and click Properties to view your organization ID. |
tld |
The top-level domain to use for your environment. This is used in URLs containing apiPath, authPath, orchestratePath, and scimPath. |
apiPath |
The regional domain for the PingOne management server (https://api.pingone.{{tld}}/v1). |
authPath |
The regional domain for the PingOne authorization and authentication server (https://auth.pingone.{{tld}}). |
orchestratePath |
The regional domain for the PingOne DaVinci management server (https://orchestrate-api.pingone.{{tld}}/v1). |
scimPath |
The regional domain for the PingOne SCIM management server (https://scim-api.pingone.{{tld}}). |