Applications


Applications

Application resources define the connection between PingOne for Customers and the actual application (also known as a client connection). The applications service implements functions to create, read, update, delete, and search for applications resources.

This service also provides endpoints to get an application’s connection settings, such as the application id and secret, which are used to submit an authorization request to the PingOne authorization server.

Applications API operations

The Applications endpoints support the following operations:

Applications SAML attribute endpoints

Applications resource grant endpoints

Applications sign-on policy assignments endpoints

For hands-on experience with the Applications API endpoints, click the Run in Postman button below to download a Postman collection that you can import and open in your local Postman application.

Applications data model

Property Description
description A string that specifies the description of the application.
enabled A string that specifies the current enabled state of the application. Options are ENABLED or DISABLED.
environment A string that specifies the environment associated with the application.
icon The HREF and the ID for the application icon.
id A string that specifies the application ID.
loginPageUrl A string that specifies the custom login page URL for the application.
name A string that specifies the name of the application. This is a required property.
protocol A string that specifies the protocol for the Application. Options are OPENID_CONNECT or SAML.
type A string that specifies the type associated with the application. This is a required property. Options are WEB_APP, NATIVE_APP, SINGLE_PAGE_APP, and SERVICE.

Applications OIDC settings data model

Property Description
grantTypes A string that specifies the grant type for the authorization request. This is a required property. Options are authorization_code, refresh_token, implicit, and client_credentials.
postLogoutRedirectUris A string that specifies the URLs that the browser can be redirected to after logout.
redirectUris A string that specifies the callback URI for the authentication response.
responseTypes A string that specifies the code or token type returned by an authorization request. Options are token, id_token, code, and refresh_token.
secret A string that specifies the secret ID that is used to sign access tokens. The secret value has a minimum length of 64 characters per SHA-512 requirements when using the HS512 algorithm to sign ID tokens using the secret as the key.
tokenEndpointAuthMethod A string that specifies the client authentication methods supported by the token endpoint. This is a required property. Options are none, client_secret_basic, and client_secret_post.

Applications SAML settings data model

Property Description
acsUrls A string that specifies the assertion consumer service URLs.
assertionDuration An integer that specifies the maximum amount of time that an assertion is valid.
name A string that specifies the name of SAML attribute and must be unique within an application. The saml_subject name is a reserved case-insensitive name which indicates the mapping to be used for the subject in an assertion. This is a required property.
required A boolean that indicates if the attribute is mandatory to include the attribute in SAML assertion response. If true, and the attribute does have a value when building the assertion, the SSO flow will fail.
sloEndpoint A string that specifies the SAML single logout endpoint URL. This property is required.
sloResponseEndpoint A string that specifies the single logout response URL. This property is optional.
spEntityId A string that specifies the service provider’s entity ID.
value A string that specifies the string constants or expression for mapping the attribute path against a specific source. The expression format is: {.<attribute_path>}. The only supported source is user (for example, {user.id}). This is a required property.

Applications resource grant data model

Property Description
application.id A string that specifies the application resource ID.
createdAt The time the resource was created .
id A string that specifies the application resource grant ID.
resource.id A string that specifies the ID of the protected resource associated with this grant. This is a required property.
scopes.id A array that specifies the IDs of the scopes associated with this grant. This is a required property.
updatedAt The time the resource was last updated.

Applications sign-on policy assignments data model

Property Description
application.id The identifier of the resource referenced by this relationship
environment.id A string that specifies the environment resource’s unique identifier associated with the sign-on policy.
id A string that specifies the sign-on policy assignment resource’s unique identifier.
priority The order in which the policy referenced by this assignment is evaluated during an authentication flow relative to other policies. An assignment with a lower priority will be evaluated first.
signOnPolicy.id A string that specifies the sign-on policy resource’s unique identifier associate with this sign-on policy assignment.

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request was invalid. Check that the UUID for Environment is correct.
401 You weren’t authenticated to perform this operation.
403 You lack either the necessary permissions or the licensing to perform this operation.
404 No applications exist. Check the UUID for the Environment.
409 An application of this name already exists in the identified Environment.
500 An unexpected error occurred.

Note: You need the Client Application Developer role to perform operations on application resources.

Endpoint examples

Get applications

The GET /environments/{environmentId}/applications endpoint returns a list of all application resources for the specified environment resource.

curl -X "GET" "https://api.pingone.com/v1/environments/{environmentId}/applications" \
-H 'Authorization: Bearer jwtToken'

The response data looks like this:

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications"
        }
    },
    "_embedded": {
        "applications": [
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/1e894703-52db-41a9-acb8-7bb5afa442ef"
                    },
                    "environment": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c"
                    },
                    "secret": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/1e894703-52db-41a9-acb8-7bb5afa442ef/secret"
                    },
                    "grants": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/1e894703-52db-41a9-acb8-7bb5afa442ef/grants"
                    },
                    "openidConnect": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/1e894703-52db-41a9-acb8-7bb5afa442ef/client"
                    }
                },
                "name": "Adobe Acrobat",
                "enabled": false,
                "type": "SERVICE",
                "protocol": "OPENID_CONNECT",
                "environment": {
                    "id": "02d37832-476a-431b-8a60-d77cecd7005c"
                },
                "id": "1e894703-52db-41a9-acb8-7bb5afa442ef"
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/42077bdc-ce61-4005-950b-4d5a1670db8b"
                    },
                    "environment": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c"
                    },
                    "secret": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/42077bdc-ce61-4005-950b-4d5a1670db8b/secret"
                    },
                    "grants": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/42077bdc-ce61-4005-950b-4d5a1670db8b/grants"
                    },
                    "openidConnect": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/42077bdc-ce61-4005-950b-4d5a1670db8b/client"
                    }
                },
                "name": "Adobe Connect",
                "enabled": true,
                "type": "SERVICE",
                "protocol": "OPENID_CONNECT",
                "environment": {
                    "id": "02d37832-476a-431b-8a60-d77cecd7005c"
                },
                "id": "42077bdc-ce61-4005-950b-4d5a1670db8b"
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/7ce83e9d-fc62-4fae-a62f-86e422e411b6"
                    },
                    "environment": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c"
                    },
                    "secret": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/7ce83e9d-fc62-4fae-a62f-86e422e411b6/secret"
                    },
                    "grants": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/7ce83e9d-fc62-4fae-a62f-86e422e411b6/grants"
                    },
                    "openidConnect": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/7ce83e9d-fc62-4fae-a62f-86e422e411b6/client"
                    }
                },
                "name": "Safari",
                "enabled": false,
                "type": "SERVICE",
                "protocol": "OPENID_CONNECT",
                "environment": {
                    "id": "02d37832-476a-431b-8a60-d77cecd7005c"
                },
                "id": "7ce83e9d-fc62-4fae-a62f-86e422e411b6"
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/df5ee1b0-593c-46a5-a88b-30e2de4b3887"
                    },
                    "environment": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c"
                    },
                    "secret": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/df5ee1b0-593c-46a5-a88b-30e2de4b3887/secret"
                    },
                    "grants": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/df5ee1b0-593c-46a5-a88b-30e2de4b3887/grants"
                    },
                    "openidConnect": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/df5ee1b0-593c-46a5-a88b-30e2de4b3887/client"
                    }
                },
                "name": "SalesForce",
                "enabled": true,
                "type": "SERVICE",
                "protocol": "OPENID_CONNECT",
                "environment": {
                    "id": "02d37832-476a-431b-8a60-d77cecd7005c"
                },
                "id": "df5ee1b0-593c-46a5-a88b-30e2de4b3887"
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/c6edbb84-74f0-45be-ad91-36141f4d0235"
                    },
                    "environment": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c"
                    },
                    "secret": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/c6edbb84-74f0-45be-ad91-36141f4d0235/secret"
                    },
                    "grants": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/c6edbb84-74f0-45be-ad91-36141f4d0235/grants"
                    },
                    "openidConnect": {
                        "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/c6edbb84-74f0-45be-ad91-36141f4d0235/client"
                    }
                },
                "name": "WebEx",
                "enabled": true,
                "type": "SERVICE",
                "protocol": "OPENID_CONNECT",
                "environment": {
                    "id": "02d37832-476a-431b-8a60-d77cecd7005c"
                },
                "id": "c6edbb84-74f0-45be-ad91-36141f4d0235"
            }
        ]
    },
    "size": 5
}

To minimize the number of application resources returned in the search, you can apply a filtering expression to fine-tune the response data. For example, to return a list of applications resources that are enabled, you can add a filter to the request URL.

The following sample returns a list of application resources with the enabled attribute value set to true:

curl -X "GET" "https://api.pingone.com/v1/environments/{environmentId}/applications?filter=enabled%20eq%20%22true%22" \
-H 'Authorization: Bearer jwtToken'

The response data shows only the application resources with an enabled status of true.

Get one application

To get data for a single application resource, the GET /environments/{environmentId}/applications/{applicationId} operation returns data only for the application resource with the specified ID.

curl -X GET "https://api.pingone.com/v1/environments/{environmentId}/applications/{applicationId}" \
-H "Authorization: Bearer jwtToken"

The response data looks like this:

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/7ce83e9d-fc62-4fae-a62f-86e422e411b6"
        },
        "environment": {
            "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c"
        },
        "secret": {
            "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/7ce83e9d-fc62-4fae-a62f-86e422e411b6/secret"
        },
        "openidConnect": {
            "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/7ce83e9d-fc62-4fae-a62f-86e422e411b6/client"
        },
        "grants": {
            "href": "https://api.pingone.com/v1/environments/02d37832-476a-431b-8a60-d77cecd7005c/applications/7ce83e9d-fc62-4fae-a62f-86e422e411b6/grants"
        }
    },
    "name": "Safari",
    "enabled": false,
    "type": "SERVICE",
    "environment": {
        "id": "02d37832-476a-431b-8a60-d77cecd7005c"
    },
    "id": "7ce83e9d-fc62-4fae-a62f-86e422e411b6"
}

Add applications

The POST /environments/{environmentId}/applications operation adds a new application resource to the specified environment.

curl -X "POST" "https://api.pingone.com/v1/environments/{environmentId}/applications" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d $'{
  "name": "Imaging Services",
  "description": "Digital printing services.",
  "enabled": true,
  "type": "SERVICE",
  "loginPageUrl": "http://example.com",
  "protocol": "OPENID_CONNECT",
  "responseTypes": [
    "TOKEN",
    "ID_TOKEN"
  ],
  "grantTypes": [
    "IMPLICIT",
    "REFRESH_TOKEN"
  ],
  "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
  "postLogoutRedirectUris": [
    "https://example.com"
  ],
  "redirectUris": [
    "http://localhost:3000/response",
    "http://localhost:3000/code/response",
    "https://example.com",
    "https://www.getpostman.com/oauth2/callback"
  ]
}'

In addition to the required name attribute, the request body also specifies a value of “true” for the enabled attribute. All other attribute values are optional for the POST request. If a value is not specified for the enabled attribute, it is set to false by default.

Note: If you set the protocol attribute to OPENID_CONNECT, you must provide values for the following OIDC settings:

  • responseTypes
  • grantTypes
  • tokenEndpointAuthMethod
  • postLogoutRedirectUris
  • redirectUris

The response data looks like this:

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/0bda42bc-d54f-449f-8d46-d5b8990c43ba/applications/4d5293f4-08a0-4fc6-a767-bf049230f5fe"
        },
        "environment": {
            "href": "https://api.pingone.com/v1/environments/0bda42bc-d54f-449f-8d46-d5b8990c43ba"
        }
    },
    "name": "Imaging Services",
    "description": "Digital printing services.",
    "enabled": true,
    "type": "SERVICE",
    "loginPageUrl": "http://example.com",
    "protocol": "OPENID_CONNECT",
    "responseTypes": [
      "TOKEN",
      "ID_TOKEN"
    ],
    "grantTypes": [
      "IMPLICIT",
      "REFRESH_TOKEN"
    ],
    "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
    "postLogoutRedirectUris": [
      "https://example.com"
    ],
    "redirectUris": [
      "http://localhost:3000/response",
      "http://localhost:3000/code/response",
      "https://example.com",
      "https://www.getpostman.com/oauth2/callback"
    ]
    "environment": {
        "id": "0bda42bc-d54f-449f-8d46-d5b8990c43ba"
    },
    "id": "4d5293f4-08a0-4fc6-a767-bf049230f5fe"
}

The following table shows the relationships between the application type attribute and the default grantTypes, response_type, and tokenEndpointAuthMethod attributes.

Application type Grant type Response type Token endpoint authentication method
Non-interactive client_credentials token client_secret_basic
Native authorization_code, implicit, refresh_token token, id_token, code none
Web authorization_code, refresh_token code client_secret_basic
Single-page implicit token, id_token none

Note: For any application type (except non-interactive), you can specify either none, client_secret_basic, or client_secret_post as the tokenEndpointAuthMethod attribute value. Non-interactive applications use the client_credentials grant type, which does not support a tokenEndpointAuthMethod value of none.

If you set the protocol attribute to SAML, you must provide values for the following SAML settings:

  • spEntityId
  • acsUrls
  • assertionDuration
  • sloEndpoint
  • sloResponseEndpoint (optional)

The request looks like this:

curl -X "POST" "https://api.pingone.com/v1/environments/{environmentId}/applications" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d $'{
    "name": "Imaging Services",
    "description": "Digital printing services.",
    "enabled": true,
    "#loginPageUrl": "http://example.com",
    "type": "SERVICE",
    "protocol": "SAML",
    "#icon": {
        "id": "04ad537e-c9cd-45c3-abfb-f41946cfe374",
        "href": "https://upload.wikimedia.org/wikipedia/commons/a/a8/logo.jpg"
    },
    "assertionDuration": 30,
    "acsUrls": [
        "http://example.com"
    ],
    "sloEndpoint": "http://example.com/SLOService.php",
    "sloResponseEndpoint": "http://example.com/SLOServiceResponse.php",
    "spEntityId": "test"
}'

Update applications

To update a property value associated with a selected application resource, use the PUT /environments/{environmentId}/applications/{applicationId} operation to modify the specified attribute values. For example, you can change the description attribute value of the application.

curl -X "PUT" "https://api.pingone.com/v1/{environmentId}/applications/{applicationId}" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d $'{
  "description": "Digital printing and document scanning services."
}'

The request body specifies an updated property value for the description attribute to provide additional information about the application.

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/0bda42bc-d54f-449f-8d46-d5b8990c43ba/applications/4d5293f4-08a0-4fc6-a767-bf049230f5fe"
        },
        "environment": {
            "href": "https://api.pingone.com/v1/environments/0bda42bc-d54f-449f-8d46-d5b8990c43ba"
        }
    },
    "name": "Imaging Services",
    "description": "Digital printing and document scanning services.",
    "enabled": true,
    "type": "SERVICE",
    "loginPageUrl": "http://example.com",
    "protocol": "OPENID_CONNECT",
    "responseTypes": [
      "TOKEN",
      "ID_TOKEN"
    ],
    "grantTypes": [
      "IMPLICIT",
      "REFRESH_TOKEN"
    ],
    "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
    "postLogoutRedirectUris": [
      "https://example.com"
    ],
    "redirectUris": [
      "http://localhost:3000/response",
      "http://localhost:3000/code/response",
      "https://example.com",
      "https://www.getpostman.com/oauth2/callback"
    ]
    "environment": {
        "id": "0bda42bc-d54f-449f-8d46-d5b8990c43ba"
    },
    "id": "4d5293f4-08a0-4fc6-a767-bf049230f5fe"
}

Get an application secret

An application resource’s secret is a required parameter when you submit a client_credentials request to the PingOne authorization server. The application’s secret attribute value has a minimum length of 64 characters according to SHA-512 requirements when using the HS512 algorithm to sign ID tokens using the secret as the key.

The GET /environments/{environmentId}/applications/{applicationId}/secret operation returns the specified application resource’s secret attribute.

curl -X GET "https://api.pingone.com/v1/environments/{environmentId}/applications/{applicationId}/secret" \
-H "Authorization: Bearer jwtToken"

The response data looks like this:

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/0bda42bc-d54f-449f-8d46-d5b8990c43ba/applications/4d5293f4-08a0-4fc6-a767-bf049230f5fe/secret"
        },
        "environment": {
            "href": "https://api.pingone.com/v1/environments/0bda42bc-d54f-449f-8d46-d5b8990c43ba"
        },
        "application": {
            "href": "https://api.pingone.com/v1/environments/0bda42bc-d54f-449f-8d46-d5b8990c43ba/applications/4d5293f4-08a0-4fc6-a767-bf049230f5fe"
        }
    },
    "environment": {
        "id": "0bda42bc-d54f-449f-8d46-d5b8990c43ba"
    },
    "secret": "l2tO2tfqRWZ~DLZ1Dfi8rptBNgKzcJHtOPiqjJ0iJwaRXufnU5tzR51acNkzl5Hy"
}

Update an application secret

The following sample shows the POST /environments/{environmentId}/applications/{applicationId}/secret operation to generate a new client_secret value for the specified application resource. This request does not take any parameters in the request body. The application ID is specified in the request URL.

curl -X POST "https://api.pingone.com/v1/environments/{environmentId}/applications/{applicationId}/secret" \
-H "Authorization: Bearer jwtToken"

Get SAML attributes

The GET /environments/{environmentId}/applications/{applicationId}/attributes endpoint returns a list of all SAML attributes for the application specified by its ID in the request URL.

curl -X "GET" "https://api.pingone.com/v1/environments/{environmentId}/applications/{applicationId}/attributes" \
-H 'Authorization: Bearer jwtToken'

The response data looks like this:

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/912588d4-0d58-4cff-8e3b-cf9b7325b9f7/applications/a813421c-170b-49de-8627-0c3fbbe8a646/attributes"
        }
    },
    "_embedded": {
        "attributes": [
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/environments/912588d4-0d58-4cff-8e3b-cf9b7325b9f7/applications/a813421c-170b-49de-8627-0c3fbbe8a646/attributes/9ad3f0ad-2d89-492b-8a82-ad9d51a5ed30"
                    }
                },
                "name": "username",
                "value": "{user.id}",
                "required": false,
                "id": "9ad3f0ad-2d89-492b-8a82-ad9d51a5ed30",
                "environment": {
                    "id": "912588d4-0d58-4cff-8e3b-cf9b7325b9f7"
                },
                "application": {
                    "id": "a813421c-170b-49de-8627-0c3fbbe8a646"
                }
            }
        ]
    },
    "size": 1
}

If the application does not include any SAML attributes, the response data looks like this:

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/912588d4-0d58-4cff-8e3b-cf9b7325b9f7/applications/a813421c-170b-49de-8627-0c3fbbe8a646/attributes"
        }
    },
    "_embedded": {
        "attributes": []
    },
    "size": 0
}

Get one SAML attribute

To get data for a single SAML attribute associated with an application resource, the GET /environments/{environmentId}/applications/{applicationId}/attributes/{attributeId} operation returns data only for the application resource with the specified ID.

curl -X GET "https://api.pingone.com/v1/environments/{environmentId}/applications/{applicationId}/attributes/{attributeId}" \
-H "Authorization: Bearer jwtToken"

The response data looks like this:

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/912588d4-0d58-4cff-8e3b-cf9b7325b9f7/applications/a813421c-170b-49de-8627-0c3fbbe8a646/attributes/9ad3f0ad-2d89-492b-8a82-ad9d51a5ed30"
        },
        "application": {
            "href": "https://api.pingone.com/v1/environments/912588d4-0d58-4cff-8e3b-cf9b7325b9f7/applications/a813421c-170b-49de-8627-0c3fbbe8a646"
        }
    },
    "name": "username",
    "value": "{user.username}",
    "required": false,
    "id": "9ad3f0ad-2d89-492b-8a82-ad9d51a5ed30",
    "environment": {
        "id": "912588d4-0d58-4cff-8e3b-cf9b7325b9f7"
    },
    "application": {
        "id": "a813421c-170b-49de-8627-0c3fbbe8a646"
    }
}

Add SAML attributes

The POST /environments/{environmentId}/applications/{applicationId}/attributes operation adds a new SAML attribute to the application resource specified by its ID in the request URL.

curl -X "POST" "https://api.pingone.com/v1/environments/{environmentId}/applications/{applicationId}/attributes" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d $'{
	"name": "username",
	"value": "{user.username}",
	"required": false
}'

In the request body, the name and value attributes are required. All other attribute values are optional for the POST request.

The response data looks like this:

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/912588d4-0d58-4cff-8e3b-cf9b7325b9f7/applications/a813421c-170b-49de-8627-0c3fbbe8a646/attributes/9ad3f0ad-2d89-492b-8a82-ad9d51a5ed30"
        },
        "application": {
            "href": "https://api.pingone.com/v1/environments/912588d4-0d58-4cff-8e3b-cf9b7325b9f7/applications/a813421c-170b-49de-8627-0c3fbbe8a646"
        }
    },
    "name": "username",
    "value": "{user.username}",
    "required": false,
    "id": "9ad3f0ad-2d89-492b-8a82-ad9d51a5ed30",
    "environment": {
        "id": "912588d4-0d58-4cff-8e3b-cf9b7325b9f7"
    },
    "application": {
        "id": "a813421c-170b-49de-8627-0c3fbbe8a646"
    }
}

Update SAML attributes

The PUT /environments/{environmentId}/applications/{applicationId}/attributes/{attributeId} operation updates the SAML attribute specified by its ID in the request URL.

curl -X "PUT" "https://api.pingone.com/v1/environments/{environmentId}/applications/{applicationId}/attributes/{attributeId}" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d $'{
	"name": "username",
	"value": "{user.id}",
	"required": true
}'

The response data looks like this:

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/912588d4-0d58-4cff-8e3b-cf9b7325b9f7/applications/a813421c-170b-49de-8627-0c3fbbe8a646/attributes/9ad3f0ad-2d89-492b-8a82-ad9d51a5ed30"
        },
        "application": {
            "href": "https://api.pingone.com/v1/environments/912588d4-0d58-4cff-8e3b-cf9b7325b9f7/applications/a813421c-170b-49de-8627-0c3fbbe8a646"
        }
    },
    "name": "username",
    "value": "{user.id}",
    "required": true,
    "id": "9ad3f0ad-2d89-492b-8a82-ad9d51a5ed30",
    "environment": {
        "id": "912588d4-0d58-4cff-8e3b-cf9b7325b9f7"
    },
    "application": {
        "id": "a813421c-170b-49de-8627-0c3fbbe8a646"
    }
}

Delete SAML attributes

To delete a SAML attribute associated with an application resource, you need to specify the the application resource ID and the attribute ID. The DELETE /environments/{environmentId}/applications/{applicationId}/attributes/{attributeId} operation deletes the identified SAML attribute from the specified application.

curl -X "DELETE" "https://api.pingone.com/v1/environments/{environmentId}/applications/{applicationId}/attributes/{attributeId}" \
-H 'Authorization: Bearer jwtToken'

For successful delete operations, a 204 NO CONTENT message is returned by the request.

Delete an application

To delete an application resource, you need to specify the environment ID and the application resource ID. The DELETE /environments/{environmentId}/applications/{applicationId} operation deletes the identified application resource.

curl -X "DELETE" "https://api.pingone.com/v1/environments/{environmentId}/applications/{applicationId}" \
-H 'Authorization: Bearer jwtToken'

For successful delete operations, a 204 NO CONTENT message is returned by the request.

Get application grants

The GET /environments/{environmentId}/applications/{applicationId}/grants endpoint returns a list of all resource access grants for the application specified in the request URL.

curl -X "GET" "https://api.pingone.com/v1/environments/{environmentId}/applications/{applicationId}/grants" \
-H 'Authorization: Bearer jwtToken'

Get one application grant

To get data for a single application resource grant, the GET /environments/{environmentId}/applications/{applicationId}/grants/{grantId} operation returns data only for the application resource grant with the specified ID.

curl -X GET "https://api.pingone.com/v1/environments/{environmentId}/applications/{applicationId}/grants/{grantId}" \
-H "Authorization: Bearer jwtToken"

Add an application grant

The POST /environments/{environmentId}/applications/{applicationId}/grants operation creates a new resource access grant for the application specified in the request URL. You must specify the resource property ID to create the resource access grant. You must also identify the scopes from the resource being granted. The scopes property allows a list of scopes to associate with the resource access grant.

curl -X "POST" "https://api.pingone.com/v1/environments/{environmentId}/applications" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d '{
    "resource": {
        "id": "<resourceID>"
    },
    "scopes": [
        {
        	"id": "<scopeID>"
        }
    ]
}'

Update an application grant

To update a property value associated with a selected application resource grant, use the PUT /environments/{environmentId}/applications/{applicationId}/grants/{grantId} operation to modify the attribute values for the specified grant resource. For example, you can change the scopes attribute value to add another scope ID.

curl -X "PUT" "https://api.pingone.com/v1/{environmentId}/applications/{applicationId}/grants/{grantId}" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d '{
    "resource": {
        "id": "<resourceID>"
    },
    "scopes": [
        {
        	"id": "<scopeID>"
        }
        {
        	"id": "<anotherscopeID>"
        }
    ]
}'

Delete an application grant

To delete an application resource grant, you need to specify the environment ID, the application ID, and the grant ID. The DELETE /environments/{environmentId}/applications/{applicationId}/grants/{grantId} operation deletes the identified application resource grant.

curl -X "DELETE" "https://api.pingone.com/v1/environments/{environmentId}/applications/{applicationId}/grants/{grantId}" \
-H 'Authorization: Bearer jwtToken'

For successful delete operations, a 204 NO CONTENT message is returned by the request.

Get sign-on policy assignments

The GET /environments/{environmentId}/applications/{applicationId}/signOnPolicyAssignments endpoint returns a list of all sign-on policy resources assigned to an application.

The following sample returns the list of sign-on policy resources associated with the application ID specified in the request URL:

curl -X "GET" "https://api.pingone.com/v1/environments/{environmentId}/applications/{applicationId}/signOnPolicyAssignments" \
-H 'Authorization: Bearer jwtToken'

The response data looks like this:

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/e4d7bcd3-7a00-4c4d-9ce0-88f4b1954474/applications/d64f66de-1502-4398-96a1-02f0d2a86f9c/signOnPolicyAssignments
        }
    },
    "_embedded": {
        "signOnPolicyAssignments": [
        {
              "_links": {
                  "self": {
                     "href": "https://api-staging.pingone.com/v1/environments/e4d7bcd3-7a00-4c4d-9ce0-88f4b1954474/applications/d64f66de-1502-4398-96a1-02f0d2a86f9c/signOnPolicyAssignments/ede42c6c-a97a-4c2c-aaeb-9cb38f13bb13"
              },
              "environment": {
                 "href": "https://api-staging.pingone.com/v1/environments/e4d7bcd3-7a00-4c4d-9ce0-88f4b1954474"
              },
              "application": {
                 "href": "https://api-staging.pingone.com/v1/environments/e4d7bcd3-7a00-4c4d-9ce0-88f4b1954474/applications/d64f66de-1502-4398-96a1-02f0d2a86f9c"
              },
              "signOnPolicy": {
                 "href": "https://api-staging.pingone.com/v1/environments/e4d7bcd3-7a00-4c4d-9ce0-88f4b1954474/signOnPolicies/54f11a8b-0e09-4f76-8cdc-2efa2c9c499e"
              }
          },
        "id": "ede42c6c-a97a-4c2c-aaeb-9cb38f13bb13",
        "environment": {
            "id": "e4d7bcd3-7a00-4c4d-9ce0-88f4b1954474"
         },
        "application": {
            "id": "d64f66de-1502-4398-96a1-02f0d2a86f9c"
        },
        "signOnPolicy": {
            "id": "54f11a8b-0e09-4f76-8cdc-2efa2c9c499e"
        },
        "priority": 1
       }
     }
   ]
},
"count": 1,
"size": 1
}

Get one sign-on policy assignment

To get data for a specific sign-on policy assignment, the GET /environments/{environmentId}/applications/{applicationId}/signOnPolicyAssignments/{assignmentId} operation returns data for the sign-on policy assignment resource with the specified ID.

curl -X GET "https://api.pingone.com/v1/environments/environments/{environmentId}/applications/{applicationId}/signOnPolicyAssignments/{assignmentId}" \
-H "Authorization: Bearer jwtToken"

Create sign-on policy assignments

The POST /environments/{environmentId}/applications/{applicationId}/signOnPolicyAssignments operation creates a new sign-on policy assignment resource. The id for the signOnPolicy property and the priority property are required in the request body.

curl -X "POST" "https://api.pingone.com/v1/environments/{environmentId}/applications/{applicationId}/signOnPolicyAssignments" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d $'{
    "signOnPolicy": {
      "id": "54f11a8b-0e09-4f76-8cdc-2efa2c9c499e"
    },
    "priority": 1
}'

The response data looks like this:

{
    "_links": {
        "self": {
            "href": "https://api-staging.pingone.com/v1/environments/e4d7bcd3-7a00-4c4d-9ce0-88f4b1954474/applications/d64f66de-1502-4398-96a1-02f0d2a86f9c/signOnPolicyAssignments/ede42c6c-a97a-4c2c-aaeb-9cb38f13bb13"
        },
        "environment": {
            "href": "https://api-staging.pingone.com/v1/environments/e4d7bcd3-7a00-4c4d-9ce0-88f4b1954474"
        },
        "application": {
            "href": "https://api-staging.pingone.com/v1/environments/e4d7bcd3-7a00-4c4d-9ce0-88f4b1954474/applications/d64f66de-1502-4398-96a1-02f0d2a86f9c"
        },
        "signOnPolicy": {
            "href": "https://api-staging.pingone.com/v1/environments/e4d7bcd3-7a00-4c4d-9ce0-88f4b1954474/signOnPolicies/54f11a8b-0e09-4f76-8cdc-2efa2c9c499e"
        }
    },
    "id": "ede42c6c-a97a-4c2c-aaeb-9cb38f13bb13",
    "environment": {
        "id": "e4d7bcd3-7a00-4c4d-9ce0-88f4b1954474"
    },
    "application": {
        "id": "d64f66de-1502-4398-96a1-02f0d2a86f9c"
    },
    "signOnPolicy": {
        "id": "54f11a8b-0e09-4f76-8cdc-2efa2c9c499e"
    },
    "priority": 1
}

Update sign-on policy assignments

The PUT /environments/environments/{environmentId}/applications/{applicationId}/signOnPolicyAssignments/{assignmentId} operation modifies the sign-on policy assignment resource specified by its ID in the request URL.

curl -X "PUT" "https://api.pingone.com/v1/environments/environments/environments/{environmentId}/applications/{applicationId}/signOnPolicyAssignments/{assignmentId}" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d $'{
    "signOnPolicy": {
      "id": "54f11a8b-0e09-4f76-8cdc-2efa2c9c499e"
    },
    "priority": 2
}'

Delete sign-on policy assignments

The following sample shows the DELETE /environments/environments/{environmentId}/applications/{applicationId}/signOnPolicyAssignments/{assignmentId} operation to delete the sign-on policy assignment.

curl -X DELETE "https://api.pingone.com/v1//environments/environments/{environmentId}/applications/{applicationId}/signOnPolicyAssignments/{assignmentId}" \
-H "Content-type: application/json" \
-H "Authorization: Bearer jwtToken" \

When successful, the DELETE request returns a code 204 No Content message.