PingOne Platform API Reference

PingOne is a cloud-based framework for secure identity access management. The PingOne API gives developers the tools to integrate enterprise and third-party applications with the PingOne platform.

This document describes a number of PingOne services, including the Management API services, the Authentication API services, and the Multi-factor Authentication services. There is also material in this document that refers to the integrations between the PingOne platform and other Ping products that facilitate extended functionality beyond PingOne.

New to PingOne?

If you're new to PingOne, the following topic links will help you learn more and start working with the PingOne API.

  • Getting started with the PingOne APIs

    This collection of topics helps you create your first application connection using the PingOne admin console application and get a JSON Web Token for the application you created. With your admin access token, you can make calls to the Pingone resource server.

  • Download the PingOne Postman collections

    This topic includes downloads for the PingOne Platform API Postman master collection as well as targeted collections the PingOne MFA APIs, and the PingOne Protect APIs.

  • Workflow library

    The PingOne use cases provide workflows for common PingOne configurations and sign-on flows. Each use case includes a Postman collection linked to a Run in Postman button, enabling you to load (and run) the use case collections into your Postman workspace.

  • PingOne authorization and authentication APIs

    These topics provide a deeper dive into PingOne platform authorization and authentication concepts and workflows. It includes detailed information about access tokens, ID tokens, user scopes, platform roles, and sign-on flows.

  • PingOne native SDKs

    You'll find here the documentation for the PingOne mobile SDKs. Currently, this includes the PingOne MFA SDKs, the PingOne Neo SDKs, and the PingOne Protect SDKs.

Changelog

The following changes have been made to the PingOne APIs or the associated SDKs.

Release Date Description
Aug 29, 2024 When retrieving verified data with Read All User Verified Data, you can use the attempt query parameter to limit the number of retries returned and thus reduce the size of the response.
Aug 19, 2024 PingOne Protect now has a risk predictor called Traffic Anomaly intended to detect traffic anomalies in terms of variables such as users, devices, and sessions. The Traffic Anomaly predictor will eventually include a variety of rules, some of which you can select to enable or disable. Currently, the predictor detects situations where there are a large number of risk evaluations requested for a single user within a short period of time, and optionally can also detect situations where the number of users per device during a given period is suspicious. When a risk level of High is calculated for a Traffic Anomaly predictor, the recommendedAction field in the risk evaluation response has the value DENY, indicating that you should probably deny access. To create a Traffic Anomaly predictor, set the type parameter to the new value TRAFFIC_ANOMALY. If you want to also check the number of users per device, use the objects described in the traffic anomaly risk predictor data model. For details, see Risk Predictors and Risk evaluations.
Aug 5, 2024 When creating composite predictors, you can now include conditions that check what PingOne user groups the user belongs to. For details, see the Composite Risk Predictors section in Risk Predictors and the relevant example.
Aug 5, 2024 The Bot Detection predictor now has an option that you can enable to expand the range of bot activity that PingOne Protect can detect. For details, see the new field includeRepeatedEventsWithoutSdk under Risk Predictors.
Jul 22, 2024 For MFA, there is now an option to use dynamic linking to attach a unique identifier to the registration of a FIDO device. For details, see MFA devices.
Jul 15, 2024 MFA is now enforced for environment administrators during registration. You can read and update admin sign-on settings using the new Administrator Security endpoints. For details, see Administrator Security.
Jul 3, 2024 The Suspicious Device predictor now includes an option to specify that any risk policies that include the predictor will require that the Signals SDK payload be provided as a signed JWT whose signature will be verified before proceeding with risk evaluation. For details, see Risk Predictors.
Jun 27, 2024 We've added the new role "Application Owner", enabling you to restrict administrator access to specific applications. Use this role to assign application developers permissions only to the applications they manage. For details, see Roles.
Jun 18, 2024 When creating risk evaluations, you can now provide additional detail about the context of the flow by providing a value for flow.subtype in addition to flow.type. For details, see Risk evaluations.
Jun 17, 2024 A new endpoint, riskFeedback, has been added to allow you to provide feedback on the accuracy of specific risk evaluations that were carried out. Each such call can include feedback for up to 100 risk evaluations, and for each you can specify a feedback category and a reason for including the evaluation in that category, For details, see Providing feedback for risk evaluations.
Jun 4, 2024 For MFA, there is now an option to use dynamic linking to attach a unique identifier to a FIDO transaction. For details, see Create a request property JWT and Device authentications data model.
Jun 3, 2024 When creating or updating MFA policies, you can now include a field called promptForNicknameOnPairing to allow users to provide nicknames for devices during pairing. For details, see Device Authentication Policies.
May 28, 2024 The Forms service now supports a social login button as a field type option. For details, see Forms.
May 6, 2024 The platform now supports the AU (Australia/Asia Pacific) region. The platform continues to support the AP (Asia Pacific) region. However, if your environments use the AP region designation (api.pingone.asia domain) for Asia-Pacific countries, be aware that this region does not support the migration of PingID customers (or the PingID product) to the PingOne platform. To get PingID platform support for your Asia-Pacific environments, use the AU region designation (api.pingone.com.au domain) when creating your new environments. For details, see Working with PingOne APIs.
Apr 24, 2024 The Resources service now provides a property to add application permissions to access tokens. For details, see Resources.
Apr 8, 2024 Simplify changing your PingOne regional domain with an environment variable, tld, in the public PingOne environment template that represents the top level domain (TLD) for your PingOne domain, such as com or eu. All the {{...Path}} variables, such as {{apiPath}} and {{authPath}}, reference {{tld}}. To change your region's top level domain, merely change the value of {{tld}}. See PingOne API domains for more information.
Apr 4, 2024 With Managed Credential Issuance, client applications can issue and update credentials using Create Credential Type (managed) rather than an Issuance Rule.
Apr 3, 2024 You can submit a redirect URL and redirect message, used and seen by users when submitting verification documents, in the body of Create Verify Transaction.
Apr 3, 2024 You can issue and update user credentials via a Create a User Credential or Update a User Credential call rather than an Issuance Rule.
Apr 3, 2024 When you create a trusted email domain, PingOne now prepares an additional text record that reflects the association of the domain with the specific PingOne environment. If you add this new record to your DNS, any "sender" email address belonging to the domain is set to active status as soon as you create it, with no need for a verification email. For details, see Trusted Email Domains.
Apr 2, 2024 FIDO policies now include an option called aggregateDevices that you can use to specify that the displayed list of available authentication methods should include only a single generic entry for FIDO2 devices, even if the user has multiple paired FIDO2 devices. For details, see FIDO Policies. With the introduction of this feature, responses to requests that use the deviceAuthentications and flows endpoints may now include a field called aggregateFido2Devices, indicating whether the available authentication method list should include only a single generic FIDO2 option.
Mar 12, 2024 We've added the new LDAP Gateway attribute userTypes.updateUserOnSuccessfulAuthentication. When enabled, on user sign on, user attributes are updated based on responses from the LDAP server. For details, see Gateway LDAP data model.
Mar 4, 2024 The external IdP service now supports PKCE. A new pkceMethod property has been added to the base IdP data model. For details, see Identity Provider Management.
Mar 4, 2024 PingOne Protect now has a new risk predictor called Email Reputation to detect the use of disposable email addresses during registration. The value of the type parameter for this predictor is EMAIL_REPUTATION. For details, see Risk Predictors. For risk evaluations based on policies that include an email reputation predictor, the response may include a value of TEMP_EMAIL_MITIGATION for the result.recommendedAction field. For details, see Risk evaluations.
Mar 4, 2024 For risk evaluations that use a risk policy with the New Device predictor, the response now includes the field details.device.lastSeen, which represents the date and time that the device was last seen. If an externally-maintained device ID was provided in the risk evaluation request, the response will include externalLastSeen for the date and time that the device was last seen. For details, see Risk evaluations.
Feb 28, 2024 For situations where a user did not receive the one-time passcode (OTP) that was sent for pairing a device, you can now use the devices endpoint to resend the OTP. For details, see Resend Pairing Code.
Feb 21, 2024 The platform now supports the device_code device authorization grant type on an application configuration, and it also provides endpoints to initiate and manage a device authorization flow. For details, see Device Authorization Grant.
Feb 20, 2024 A new field, fidoUserVerification, was added to the information that can be included in MFA device reports generated with the dataExplorations endpoint. For details, see Reporting.
Feb 14, 2024 PingOne now supports the CLIENT_SECRET_JWT and PRIVATE_KEY_JWT token endpoint authentication methods for OIDC applications. For details, see the jwks and jwksUrl properties in Application Operations, the client_assertion and client_assertion_type properties in OpenID Connect/OAuth 2, Token (authorization_code) (CLIENT_SECRET_JWT), Token (authorization_code) (PRIVATE_KEY_JWT), and Configure CLIENT_SECRET_JWT as the Token Auth Method.
Feb 12, 2024 PingOne Protect now has a new risk predictor to prevent Adversary-in-the-Middle (AitM) attacks. To create an AitM predictor, set the type parameter to the new value ADVERSARY_IN_THE_MIDDLE and use the whiteList parameter to specify the legitimate domains that your users will access for your restricted resources. For details, see Risk Predictors.
Feb 5, 2024 PingOne Verify no longer reads or uses verifyStatus on the user. The PingOne Neo Verify Verify Status endpoint, /environments/{{envID}}/users/{{userID}}/verifyStatus and its two operations, Read User Verification Status and Update User Verification Status at the same URL, are deprecated. The endpoint and requests will be removed February 2025.
Jan 19, 2024 We've added the icon property to the Environments service, enabling you to assign an icon to a PingOne environment. See the Environments data model for details.
Jan 16, 2024 The platform's client secret configuration now supports optional parameters to designate the replaced secret as a "previous" secret that remains valid for a specified period, up to 30 days. For details, see Update Application Secret and Create Resource Client Secret.
Jan 11, 2024 The platform supports the PingOne Authorize application resources and roles services, which provide endpoints to define custom resources, roles, and permissions to protect external application resources. For details, see PingOne Authorize Application Resources and Roles.
Jan 8, 2024 The platform supports reduced self-service scopes when the mfa authentication method is not included as an amr claim value in the token. For details, see PingOne self-management scopes.
Jan 7, 2024 Changes have been made to the steps required to retrieve MFA device reports generated as files. This is reflected in the responses to the relevant requests. For details, see Reporting. Note that the .zip file containing the report is now password-protected and cannot be opened without the password that is returned.
Jan 4, 2024 A field called device.externalId has been added to the Event data model for risk evaluations. You can use this field to send an externally-maintained device ID to the risk evaluation. If you provide such an ID, that is the device ID that will be used rather than the device ID provided by the Signals SDK. For details, see Risk evaluations.
Jan 3, 2024 We've added a corsSettings object to support applications using cross-origin resource sharing (CORS). See Cross-origin resource sharing, and the corsSettings properties in the Applications data models for OIDC, SAML, and WS-Federation.
Dec 15, 2023 You can now set and get the default identity provider (IdP) for a population. See Update Population Default IdP and Read One Population Default IdP for details.
Dec 8, 2023 PingOne Platform API collections in the PingOne public workspace now use Postman Collection-Level Authorization of type bearer. All requests that use bearer token authorization are now set to Inherit authorization from parent.
Dec 4, 2023 The PingOne Neo Verify User Data endpoint, /environments/{{envID}}/users/{{userID}}/verifyTransactions/{{transactionID}}/userData and its only operation, Read User Verification Data at the same URL, are deprecated. The endpoint and request will be removed December 2024.
Dec 4, 2023 The New Device Paired notification template now has an optional variable called report.fraud. If you include this variable, the notification will include a link for reporting fraudulent pairing attempts. For details, see Notifications Templates.
Nov 16, 2023 We've added documentation for the supported password encoding schemes. See Password encoding for more information.
Oct 24, 2023 You can now assign admin roles to user groups. See Group Role Assignments.
Oct 12, 2023 PingOne now supports outbound mutual TLS (mTLS) authentication with webhooks. You can upload a key with a usageType of OUTBOUND_MTLS and pass the ID to the tlsClientAuthKeyPair.id property when creating or updating a webhook. For more information, see Subscriptions (webhooks).
Oct 4, 2023 Added the displayName, sourceId, and sourceType parameters to allow querying of external user groups. See Groups.
Sep 19, 2023 When creating composite predictors, it is now possible to create additional sets of conditions to form an if / else if structure. To facilitate this, the composition object has been replaced with an array called compositions. To ensure backward compatibility, requests that contain the single composition object are still supported. For details, see Risk Predictors.
Sep 18, 2023 When providing the flow type as input for a risk evaluation, you can now use other types in addition to AUTHENTICATION. The new flow types supported are: REGISTRATION, ACCESS, AUTHORIZATION, and TRANSACTION. See Risk Evaluations.
Sep 18, 2023 In the MFA Settings for an environment, you can now specify whether MFA should be enabled by default for a user when their account is created. For details, see users.mfaEnabled in MFA settings.
Sep 14, 2023 If you create a pairing key that is shared by multiple applications, but define different pairing key lifetimes for the different applications, all the applications using the pairing key now use the most strict setting that you specified for key lifetime (shortest time).
Sep 7, 2023 We've added a Correlation-Id setting in the header of Phone Delivery Settings requests to the custom provider enabling you to track notifications sent by the custom provider using the Correlation-Id value. See Phone Delivery Settings.
Sep 5, 2023 We've added information regarding how to handle client secret updates for external identity providers. See Update Identity Provider.
Sep 5, 2023 You can now specify Elliptical Curve Digital Signature Algorithm (ECDSA) signing certificate algorithms for your SAML identity providers and applications. See Create Identity Provider (SAML) and SAML Application Settings Data Model.
Aug 10, 2023 You can now use the RequestedAuthnContext parameter to specify lower-priority application flow policies for SAML applications. See Application Flow Policy Assignments.
Jul 31, 2023 Added a new endpoint to PingOne Authorize to manage API service deployment. See API Service Deployment.
Jul 26, 2023 We've added the new roles DaVinci Admin and DaVinci Read-Only Admin. Currently, you cannot assign these roles to a Worker app. For details, see Roles.
Jul 5, 2023 A new field called newDeviceNotification has been added for MFA policies to allow you to specify that users should receive an SMS or email notification when a new device is added to their account. For details, see Device Authentication Policies.
Jul 5, 2023 New fields were added to the information that can be included in MFA device reports generated with the dataExplorations endpoint: deviceIntegrityStateCompromised, deviceIntegrityStateReason, deviceIntegrityStateTimestamp, deviceIntegrityStateAdvice, extension, fidoBackupEligibility, fidoBackupState, lastDeviceTrxTime. For details, see Reporting.
Jun 30, 2023 Two new risk predictors - Bot Detection and Suspicious Device - have been added. For details, see Risk Predictors and Risk Evaluations.
Jun 30, 2023 For including data from the Signals SDK in risk evaluations, the data in now sent using the sdk.signals.data property rather than sending the data in the header of the request. For details, see Risk Evaluations.
Jun 20, 2023 In MFA policies, you can now disable pairing for specific authentication methods. You can use this option if you want to phase out an existing authentication method but want to allow users to continue using the method for authentication for existing devices. See pairingDisabled in Device Authentication Policies.
Jun 19, 2023 To provide support for passkeys, Fido policies have been expanded significantly. For details, see FIDO Policies. Note that FIDO policy requests now use the endpoint environments/{{envID}}/fido2Policies and not environments/{{envID}}/fidoPolicies. In the framework of these changes, support was added for a new MFA device type called FIDO2. For details, see MFA Devices.
Jun 15, 2023 Requests that use the flows endpoint and the deviceAuthentications endpoint now include additional device status information in the response: usableStatus, pushStatus, and otpStatus. For details, see Flows and MFA Device Authentications.
Jun 12, 2023 PingOne MFA has moved to Firebase Cloud Messaging for sending push messages. This impacts the credentials you must enter when enabling push notifications for Google Play-based mobile applications. For details, see Application MFA Push Credentials.
Jun 1, 2023 We've fixed an issue with the Try a Request feature in the documentation. We've re-enabled this feature for all endpoints except the authorization endpoints (identified by the {{authPath}} variable). The Try a Request feature has always been blocked for these endpoints, due to a CORS constraint.
May 18, 2023 You can now choose to include the IP address of an actor and the user-agent HTTP header of an event in the source section of a subsciption audit event. See Create Subscriptions.
May 8, 2023 It is now possible to have one-time passwords delivered via voice to phone numbers that include extensions. For details on enabling support for phone numbers with extensions, see MFA Settings.
Apr 28, 2023 PingOne now supports a Language Translations service, which provides operations to view the custom string translations for a specified language and to update localized strings for specified user interface elements. For details, see Language Translations.
Apr 25, 2023 DaVinci no longer ignores the pi.flow OAuth property. For details about pi.flow, see the OpenID Connect/OAuth2 data model.
Apr 23, 2023 When creating notification policies, you can now use the quotas array to limit the use of email messages for pairing and authentication. For details, see Notification Policies.
Apr 19, 2023 For integrity checking on Android devices, PingOne MFA now uses Google's Play Integrity API. This requires you to provide additional information from your Google service account if you want to create or update an application that uses integrity checking. For the details of the new mandatory fields, see the Applications OIDC settings data model table in Application Operations and the Create Application (OIDC Protocol - Native App) sample.
Apr 14, 2023 PingOne now supports the Forms service, which provides tools for administrators to create custom forms presented to users during the authentication workflow. For details, see Forms and Forms Recaptcha.
Apr 3, 2023 When creating notification policies, you can now use the countryLimit object to limit the countries where you can use SMS and voice notifications. For details, see Notification Policies.
Mar 27, 2023 PingOne now supports the SCIM 2.0 identity management standard for provisioning users into PingOne Directory. Currently we support the /Users endpoint with basic SCIM to PingOne Directory attribute mapping. For details, see SCIM.
Mar 27, 2023 When creating or updating New Device risk predictors, you can now use the activationAt parameter to specify a date on which the learning process for the predictor should be restarted. This can be used in conjunction with the fallback setting (default.result.level) to force strong authentication when moving the predictor to production. For details, see Risk Predictors.
Mar 26, 2023 In addition to combining existing predictors, you can now include the following risk factors in your composite predictors: country, state, IP range, IP domain organization, ISP, target resource (application). For details, see Risk Predictors.
Mar 16, 2023 We've added new Sessions endpoints to Reset the Authentication Session by Session ID or Reset the Authentication Session by Session Token.
Mar 13, 2023 When defining the settings for mobile applications in an MFA policy, you can now use the new pairingKeyLifetime object to specify how long an issued pairing key can be used until it expires. For details, see Device Authentication Policies.
Mar 13, 2023 You can now define the number of consecutive push notifications that can be ignored or rejected by a user within a defined period before push notifications are blocked for an application. Use this setting to prevent attacks based on repeated push notifications that may lead users to eventually accept the authentication request. For details, see the documentation for the pushLimit object in Device Authentication Policies.
Feb 01, 2023 The platform now supports properties for enumerated values and regular expression validation in the schema data model. For details, see Schemas.
Jan 10, 2023 You can now configure Android applications to use Huawei Mobile Services. For details, see Application Operations and Application MFA Push Credentials.
Jan 10, 2023 You can now use the dataExplorations endpoint to generate reports of MFA devices. For details, see Reporting.
Jan 10, 2023 For notification templates of type "Push", it is now possible to specify a push category to control the type of banner that is displayed to the user. For details, see Notification Templates.
Jan 3, 2023 You can now use the riskPredictors endpoint to create New Device predictors, which allow your risk policy to take into account the risk associated with users trying to access applications from unknown devices or devices that have not been used in the recent past. For details, see Risk Predictors.
Jan 3, 2023 In MFA policies, it is now possible to specify how much time users have to respond to a push notification before it expires. This period can be defined separately for each mobile application included in the MFA policy. For details, see Device Authentication Policies.
Jan 3, 2023 The default method to use for MFA is now set at the MFA policy level rather than at the environment level. For details, see Device Authentication Policies.
Jan 3, 2023 It is now possible to block a user's MFA device, and to unblock a device that is currently blocked. For details, see MFA Devices.
Dec 15, 2022 It is now possible to use the API to unlock a device that was locked-out due to too many failed MFA attempts, even if the defined waiting period has not yet elapsed. For details, see MFA Devices.
Dec 15, 2022 It is now possible to use the gateways endpoint to create a RADIUS gateway. For details, see Gateway Management.
Dec 8, 2022 We've added properties to support applications using WS-Federation. See the Applications base data model and the Applications WS-Federation settings data model for more information.
Dec 2, 2022 We've added an email verification endpoint to verify a user's email through a verification code. See User Email Verification.
Nov 22, 2022 You can now use the hiddenFromAppPortal property to hide an application in the application portal, overriding your configured group membership access policy. See Applications base data model.
Oct 26, 2022 You can now use the nameFormat property to define the naming format for attributes other than Subject. See Applications attribute mapping data model.
Oct 26, 2022 We've added the initiateLoginUri and targetLinkUri properties to the Applications OIDC data model.
Oct 25, 2022 The Token Introspection Endpoint now supports authentication with a Resource ID and Secret. See POST Token Introspection (Resource ID and Secret) and Resource Secret.
Oct 21, 2022 You can now allow a wildcard character in the Redirect URI for OIDC applications. See Applications OIDC settings data model.
Oct 19, 2022 PingOne Risk now includes an SDK that allows you to obtain additional risk-related data and pass the data to the risk evaluation, resulting in improved detection. The riskEvaluations endpoint can now take the data provided by the SDK in a header called X-SDK-DATA-PAYLOAD. For details, see the documentation for creating risk evaluations.
Sep 28, 2022 To simplify automated testing of your applications, you can now create dedicated testing devices. When you use the API to send authentication requests to such a device, the OTP is not sent to the actual device, but instead is returned as part of the body of the response. See MFA Devices.
Sep 15, 2022 We've added support for the WS-Federation protocol to the Application Management service. This supports Microsoft's Office365 and Azure integration with PingOne. See Create Application (WS-Federation Protocol) for more information.
Aug 31, 2022 When using the mfaSettings endpoint to update MFA settings, you can now use pairing.pairingKeyFormat to specify the type of pairing keys that should be used - 12-digit numeric keys or 16-character alphanumeric keys. Existing environments will continue to use the 12-digit numeric keys unless changed. New environments will use the 16-character keys by default.
Aug 31, 2022 It is now possible to create composite predictors - for situations where you are interested in combining a number of risk predictors into a single predictor. See Risk Predictors.
Aug 26, 2022 The platform now supports adding custom claims to an OpenID Connect scope. See Resource Scopes.
Aug 18, 2022 We've added a default property to the Populations endpoint, enabling you to assign a default population to an environment. See Populations.
Aug 14, 2022 When creating or editing an MFA policy, you can now use the field mobile.applications[].integrityDetection to specify how registration and authentication attempts should be handled if a response is not received for device integrity: continue with the flow or block the user. For details, see Device Authentication Policies.
Aug 14, 2022 When defining a mobile application, you can now use mobile.integrityDetection.excludedPlatforms in conjuction with mobile.integrityDetection.mode to enable device integrity checking only for Android or only for iOS. For details, see Application Operations.
Aug 2, 2022 You can now use Kerberos to sign-on users. See Gateway LDAP data model in Gateway Management and the Sign On with Kerberos request.
Aug 2, 2022 You can now force a reset of the password identified by the user ID and environment ID without the administrator supplying a password. See Force Change Password request.
Aug 2, 2022 It is now possible to use the API to create and manage FIDO policies, which can then be included in device authentication policies. For details, see FIDO Policies and Device Authentication Policies.
Aug 1, 2022 It is now possible to use the riskPolicySets endpoint with conditions of type AGGREGATED_SCORES to create score-based policies. See Risk Policies.
Jul 18, 2022 For sign-on policies in PingOne, MFA steps are added now by referencing an existing MFA policy rather than having to define the specific authentication methods that are allowed for the policy. For details, see Sign-On Policy Actions.
Jul 14, 2022 The platform now includes PingFederate admin roles, allowing admins to SSO from PingOne into PingFederate with the appropriate permissions for their role. See Roles.
Jul 10, 2022 For organizations that prefer to maintain their own user device information, it is now possible to initiate authentication while providing the information necessary for contacting the user. See the documentation for the selectedDevice object in MFA Device Authentications.
Jul 7, 2022 It is now possible to create passwordless authentication flows that require only FIDO2 authentication with no need for the user to provide their username. To use this feature, use the rp.id property in the request body for deviceAuthentications. For details, see MFA Device Authentications.
Jun 6, 2022 You can now define notification policies to limit the use of SMS and voice messages for pairing and authentication. For details, see Notification Policies.
Apr 28, 2022 The platform now includes the PingOne Authorize API access management service, which provides tools to externalize the management and evaluation of access control policies for HTTP-based APIs. See PingOneAuthorize API Access Management.
Apr 25, 2022 MFA Native SDK v1.7.0 now supports authentication code flows for Android and iOS operating systems. See Authentication code flow. SDK v1.7.0 also supports elliptic-curve cryptography (ECC) for signing and verifying mobile requests. This feature uses iOS secure enclave capabilities.
Apr 25, 2022 The platform now includes endpoints that initiate an authentication code flow. See MFA Authentication Code. The platform includes a new uriPrefix property on the application's mobile object that specifies a valid app/universal link or app schema to enable direct triggering of the mobile application when scanning a QR code. See Application Operations.
Mar 11, 2022 The platform now requires a minimum password length of 8 - 32 characters. For more information, see Password Policies.
Mar 07, 2022 The platform now supports a hybrid flow authorization request, in which some tokens are returned from the authorization endpoint, and others are returned from the token endpoint. For more information, see GET Authorize (hybrid) and POST Authorize (hybrid).
Feb 09, 2022 The platform now supports a policy.id property for MFA devices that specifies the device authentication policy ID associated with the device resource. For more information, see MFA Devices and MFA Pairing Keys.
Feb 04, 2022 The platform now supports a PingFederate-SSO platform application, which is created automatically if the PingOne environment includes PingFederate. For more information, see Application Management.
Jan 13, 2022 Custom risk predictors cannot be referenced as an attribute in a placeholder details list (${details.<attribute>}). See Custom risk predictor conditions in Risk Predictors for more information.
Dec 27, 2021 The platform now supports configuring the whiteList property on a per risk predictor basis. For information about risk predictors that support the whiteList property, see Risk Predictors.
Dec 27, 2021 The platform now supports the User Location Anomaly risk predictor. See Risk Predictors.
Dec 23, 2021 For authorization requests that return an invalid request object error, the error message now includes additional details about the INVALID_VALUE. For example, the old detail message stated this: "The request parameter contains an invalid Request Object". The new detail message provides specific information about the validation error: "The request parameter contains an invalid Request Object: The token signature is invalid.".
Dec 17, 2021 The Integration Catalog has been updated to easily retrieve application integration information and assets.
Dec 17, 2021 The image service API now returns a regionalized URL for any new images uploaded. For example, if you are in the EU and use pingone.eu, then uploaded images will now be in this format "https://uploads.pingone.eu/environments/..." instead of "https://uploads.pingone.com/environments/..." . This regionalization is also applicable to uploaded images in the .asia and .ca regions. Old image URLs will still work as expected. For more information, see Images.
Dec 16, 2021 The platform now supports configuration of policies for MFA enrollment and authentication transactions in PingOne Flows.
The apiPath/environments/envID/deviceAuthenticationPolicy endpoint is deprecated, but still supported. No immediate code change are required, but it's recommended to change to the new apiPath/environments/envID/deviceAuthenticationPolicies endpoint.
See Device authentication policies that now supports the following operations:
Dec 15, 2021 The platform now includes endpoints that initiate and complete an MFA action without requiring a call to the PingOne authorize service. For more information, see MFA Device Authentications.
Dec 15, 2021 The platform now supports the ability to configure short codes and toll-free origination numbers to send SMS and voice notifications to recipients in multiple countries.
See the supportedCountries property in the Custom provider phone number properties table.
Dec 12, 2021 The platform now supports configuration of untrusted sender email addresses at the email notification template content level, when using a custom email sender.
See Content properties.
Dec 08, 2021 The platform now provides easier integration with custom providers' remote gateways, including support for dispatching voice notifications.
This implementation uses the GET and POST operations and customizable body and headers.
Basic and bearer authentication methods are supported.
See Phone delivery settings.
Dec 07, 2021 The platform now includes decision endpoints that allow efficient evaluation of policies developed in the PingOneAuthorize Policy Editor Service. For more information, see PingOneAuthorize Policy Decision Service.
Nov 08, 2021 The platform now supports a JSON array PATCH action to update targeted elements on a user object. For more information, see Update User (Patch JSON Array).
Oct 25, 2021 The notifications settings property, notificationsSettings.defaultLanguage, has been removed from the platform. When required, notifications use the environment's default language, which is set using the /environments/{{envID}}/languages endpoint. For information about notification content and language selection, see Runtime logic for content selection. For information about an environment's default language, see Language Management.
Oct 04, 2021 Ping Identity has added a Canada regional data center, that will provide enhanced performance and response on services for Canadian customers accounts hosted on this data center.
Canada data center domains:
  • Management APIs: api.pingone.ca
  • Authentication and authorization APIs: auth.pingone.ca
Sep 30, 2021 The platform now supports the Identity Data Read Only Admin role. See Roles.
Sep 30, 2021 The platform now supports custom risk predictors. See Risk Predictors.
Sep 2, 2021 The platform now supports connecting to external LDAP directories to validate user credentials. See Gateway Management.
Aug 31, 2021 The platform now supports configuration of your own provider for dispatching SMS notifications. See Phone delivery settings.
The phoneDeliverySettings.provider field now supports the new CUSTOM_PROVIDER valid value.
The new POST Create Phone Delivery Settings and PUT Update Phone Delivery Settings operations use the new custom provider phone delivery settings properties:
  • name
  • provider
  • authentication object
  • requests object
  • numbers object

Note: This implementation uses the POST operation and non-customizable body and headers. It requires customers to create a gateway that receives these requests in their simple, static format, and translates those requests into their custom provider’s supported SMS format.
Aug 12, 2021 From MFA Native SDK v1.6.0, the platform supports mobile device integrity checks.
  • The native device’s rooted property is deprecated, and is replaced by deviceIntegrityState. See Native Device Properties in MFA devices.
  • The application’s packageName and bundleId properties have been moved to the new mobile object. See Application Operations.
  • The pairing key object has a new error property, and the status property has the new FAILED value. See MFA pairing keys.
Jul 29, 2021 The following properties have been added to the risk evaluations details data model: state, city, previousSuccessfulTransaction.state, previousSuccessfulTransaction.city. See Risk evaluations.
Jul 26, 2021 The platform now supports the Credentials Issuance service, enabling you to create custom verifiable credentials for users. See Credentials Issuance.
Jul 14, 2021 The platform now supports configuration of your MFA authentication methods according to your security policies, including passcode refresh time (mobile applications), passcode retry attempts, passcode lifetime duration, and device block duration times. See Device authentication policies.
Jun 30, 2021 The platform now supports dispatching SMS and voice notifications via your organization's own Syniverse account in place of Ping Identity's account or your own Twilio account.
The phoneDeliverySettings.provider field now supports the new CUSTOM_SYNIVERSE valid value.
The fallback option uses the smsProvidersFallbackChain property. For more information see Phone delivery settings. To configure an SMS and voice provider fallback chain see Notifications settings.
Jun 30, 2021 The platform now supports pairing a phone number as an MFA method using a voice call OTP, and subsequent voice call OTP authentication notifications to paired phone numbers.
The following new operations were added:Existing services have been extended to include voice OTP:
  • Support for voice OTP as an MFA method in a sign-on policy. See the voice and voice.enabled properties in the MULTI_FACTOR_AUTHENTICATION action data model in Sign-On Policy Actions.
  • Support for voice as one of the Notification Template's deliveryMethods, and custom notification with the creation of an SMS, voice or email MFA device. For more information, see Custom device pairing notification with device creation.
May 06, 2021 The platform now supports just-in-time provisioning of new users who authenticate with a registered authoritative external identity provider. See Identity Provider Management and Users.
May 05, 2021 The platform now provides the number of OTP attempts remaining in the error message detail as part of the Check One-Time Passcode action and Activate MFA User Device action.
Apr 13, 2021 The platform now provides a Risk Advanced Predictors endpoint to include advanced predictor criteria for risk policies. For more information, see PingOne Risk, Risk Advanced Predictors, and Risk Policies.
Apr 08, 2021 If you attempt to create or update a custom content for an existing combination of template, locale, deliveryMethod and variant, you now get an INVALID_DATA/UNIQUENESS_VIOLATION error.
Mar 24, 2021 The platform now provides a sign-on policy action that bypasses the PingOne sign-on screen and immediately redirects the user to an external identity provider's sign-on workflow to authenticate. For more information, see Sign-On Policy Actions and External Authentication.
Mar 19, 2021 The platform now provides a user account management endpoint to unlock a user account. For more information, see User Accounts, Users, Sign-On Policy Actions, MFA Settings, and Flows.
Feb 23, 2021 The platform now supports the ability to prompt end users with your own legal text during registration and sign on. The platform records a user's active consent to the document before proceeding with the flow. For more information, see Agreement Management, User Agreement Consents, Sign-On Policy Actions, and Flows.
Feb 23, 2021 The platform now supports text and language customization for all end user interfaces and notifications. In this initial release, it supports the new Agreements (terms of service) feature. For more information, see Language Management.
Feb 03, 2021 The platform now supports groups for users. For more information, see Groups.
Feb 03, 2021 The platform now includes optional accessControl properties on applications that, when set, specify the conditions that must be met by an authenticating actor to access the application. For more information, see Control access to applications through roles and groups.
Feb 02, 2021 The platform now supports multiple custom contents for each template + deliveryMethod + locale combination with the variant property. For more information, see Notifications templates.
Feb 02, 2021 The platform now supports a custom notification with the creation of an email or SMS MFA device. For more information, see Custom device pairing notification with device creation.
Feb 1, 2021 The platform now includes the PingOne Verify APIs, and the PingOne Verify native SDKs.
Jan 19, 2021 The platform now includes endpoints to read and update MFA settings. For more information, see MFA Settings.
Jan 19, 2021 The platform includes support for FIDO2 bound biometrics devices and FIDO2 or U2F security key devices. For more information, see FIDO2 Devices.
Jan 11, 2021 The platform now supports device ordering to create a default active device. For more information, see Device order.
Jan 08, 2021 The platform now supports external registration, which provides a sign-on action to register a user using an external identity provider's registration workflow. For more information, see Flows and Sign-On Policy Actions.
Dec 30, 2020 The platform now supports a maximum allowed devices setting for paired devices and a device nickname property used during authentication. For more information, see Maximum allowed devices and Device properties.
Dec 14, 2020 The platform now supports risk policy sets and risk evaluations. For more information, see PingOne Risk.
Dec 14, 2020 The platform now supports using the token endpoint so that the client can make a token exchange request to the PingOne authorization server. For more information, see Token Exchange (Gateway Credential).
Dec 09, 2020 The application protocol data model property no longer supports the NONE option. For more information, see Application Operations.
Dec 03, 2020 Notifications content variables are now case insensitive. For more information, see Notifications Templates.
Oct 15, 2020 The platform now supports an alerting service that delivers high-level email warnings about resource states. For more information, see Alerting.
Oct 13, 2020 The platform now supports a Time-based One-time Password (TOTP) authenticator application device type. For more information, see Create MFA User Device (TOTP) and Sign-on Policy Actions.
Sep 29, 2020 The platform now supports the PingOne MFA product. For more information, see Getting Started with PingOne MFA.
Sep 22, 2020 The platform now supports the ability to select and customize the branding themes that you can apply to your sign-on screens. For more information, see Branding.
Sep 21, 2020 The platform now supports self-management access control scopes that allow organizations to specify which user profile attributes are accessible to end users. For more information, see Access services through scopes and roles and Resource scopes.
Sep 14, 2020 The platform now includes endpoints to manage Yahoo, Microsoft, GitHub, and PayPal external identity provider configurations. For more information, see Identity providers.
Jul 21, 2020 The platform now supports the ability to configure a trusted email domain for each environment. A trusted email domain with its associated email addresses enable PingOne to send emails on your organization’s behalf. For more information see Trusted email domains and Trusted email addresses.
Jul 07, 2020 The platform now supports configuration of sign-on policies to determine whether MFA is required for authentication requests detected as originating from an anonymous network such as an unknown VPN, proxy or anonymity communication tool such as Tor. It is possible to exclude specific IP addresses using a whitelist. See the anonymousNetwork condition in the Condition Variables table in the Sign-on Policy Actions page.
Jun 25, 2020 The platform now includes endpoints to manage Apple external identity provider configurations. For more information, see Identity providers.
Jun 24, 2020 The platform now includes endpoints to manage Amazon external identity provider configurations. For more information, see Identity providers.
Jun 24, 2020 The platform now includes endpoints to manage Twitter external identity provider configurations. For more information, see Identity providers.
Jun 16, 2020 The platform now supports despatching SMS notifications via your organization's own Twilio account in place of Ping Identity's account. This also allows for the option of falling back to Ping's account in the event of notification failure, using the new smsProvidersFallbackChain property. For more information see Phone delivery settings. See Notifications settings to configure an SMS provider fallback chain.
Jun 16, 2020 The platform now supports transaction approval when strong authentication is required for elevated security for a high value transaction, or high risk resource or service. This includes use of the new request property in the following OIDC operations: GET Authorize (authorization_code), POST Authorize (authorization_code), GET Authorize (implicit) and POST Authorize (implicit). Transaction approval also permits use of the new allowDynamicVariables property in Notifications templates.
Jun 16, 2020 From Native SDK v1.3.0, the platform supports extra verification on device authorization. For more information see the extraVerification property in Sign-on policy actions.
May 05, 2020 The platform now provides an interface for third-party auditing tools to subscribe to and consume PingOne audit activity events. For more information, see Subscriptions (webhooks).
Apr 30, 2020 The platform now supports a token revocation endpoint. For more information, see Token revocation.
Apr 15, 2020 The platform now supports an identity-provider initiated SAML authentication single sign-on flow. For more information, see SAML 2.0.
Apr 15, 2020 The sign-on policy service now includes an IDENTIFIER_FIRST sign-on policy action. For more information, see Sign-on policy actions.
Apr 03, 2020 The sign-on policy service now includes a PROGRESSIVE_PROFILING sign-on policy action. For more information, see Sign-on policy actions.
Apr 03, 2020 The licenses and capabilities services now include properties that designate whether the license allows the creation of custom domains. For more information, see Licensing and Capabilities.
Apr 03, 2020 The flow service has changed so that a session token cookie is set only after the identity of the user has been partially established. For more information, see Identity providers.
Apr 03, 2020 The platform now includes endpoints to manage OpenID Connect external identity provider configurations. For more information, see Identity providers.
Mar 31, 2020 The platform now supports configuration of sign-on policies to determine whether MFA is required for authentication requests detected as having high-risk IP reputation and geovelocity anomalies. See the geovelocity and IP reputation Condition variables on the Sign-on policy actions page.
Mar 31, 2020 From Native SDK v1.2.0, the platform includes the ability to get logs from authenticating user native devices for investigation and support. See Devices API operations on the Devices page.
Mar 31, 2020 From Native SDK v1.2.0, the platform includes the ability to send logs from authenticating user native devices to the PingOne server, for investigation and support.
Mar 31, 2020 From Native SDK v1.2.0, the platform supports automatic device authentication. See PingOne Native SDK flows.
Mar 13, 2020 The platform now includes an identity propagation API that provides for configurable and audit-capable propagation of identities and their attributes between identity stores owned or managed by a customer. For more information, see Identity propagation.
Mar 11, 2020 The platform now includes an identity provider discovery login flow that initiates actions to identify the user and determine the applicable authentication methods for this user. For more information, see Identifier first action and Get a flow.
Mar 11, 2020 The platform now includes a progressive profiling authentication flow that prompts users to provide additional data at sign on. For more information, see Progressive profiling action and Submit profile data.
Feb 19, 2020 The set password action now includes an optional bypassPolicy property that specifies whether the user's password policy should be ignored. For more information, see Set password.
Feb 10, 2020 The platform now includes an endpoint to view and license capabilities. For more information, see Capabilities.
Jan 13, 2020 The platform now includes an endpoint to view and update the name property value for a license. For more information, see Licensing.
Dec 17, 2019 The platform now supports a token introspection endpoint. For more information, see Token introspection.
Dec 10, 2019 The platform now supports password policy customization. For more information, see Password policies.
Dec 10, 2019 The platform now supports configuration of a Proof Key for Code Exchange (PKCE) authorization workflow. For more information, see OpenID Connect/OAuth 2 and Configure a PKCE authorization workflow.
Dec 10, 2019 The platform now supports custom domains. For more information, see Custom domains.
Dec 10, 2019 The platform now includes endpoints to manage LinkedIn external identity provider configurations. For more information, see Identity providers.
Dec 10, 2019 The platform now includes endpoints to customize ID tokens for a OIDC applications. For more information, see Attribute mapping.
Dec 09, 2019 The Native SDK supports automatic enrollment through OIDC authentication.
Oct 10, 2019 The Native SDK sample app for Android now has notification banners.
Oct 10, 2019 The Native SDK Android component dependencies have been updated: the Nimbus library has been replaced by Jose4J. See Pingone Native SDK > Android > Set up a native app using the PingOne SDK sample code > Add the PingOne SDK component into your existing project.
Oct 10, 2019 The iOS Native SDK API now requires Swift 5.1. See Pingone Native SDK > iOS > Set up a native app using the PingOne SDK sample code > Xcode integration for software prerequisites.
Oct 10, 2019 Logs appeared in the Android developer console. This has been resolved so that they no longer appear. (P14CMFA-3242)
Oct 03, 2019 The platform now includes endpoints to view authentication statistics on a per application basis. For more information, see Authentications per application.
Aug 30, 2019 The platform now includes endpoints to manage Google external identity provider configurations. For more information, see Identity providers.
Aug 30, 2019 The platform now supports access token customization. For more information, see Access token customization.
Aug 19, 2019 The platform now includes a basic password policy to allow for maximum customer flexibility. For more information, see Password policies.
Aug 14, 2019 Sign-on policy action condition attributes now require camelCase syntax for attribute names (for example, ipRange, secondsSince). For more information, see Sign-on policy actions.
Jul 31, 2019 The platform now supports the refresh_token grant type. For more information, see Access tokens and ID tokens and Obtain an access token.
Jul 31, 2019 The platform now supports a native SDK that allows developers to send push notifications to custom native applications for multi-factor authentication (MFA). For more information, see Pairing keys, Android PingOne Native SDK API, and iOS PingOne Native SDK API.
Jul 31, 2019 The following template IDs (see Notifications templates) have changed:
  • offline_pairing has been renamed to device_pairing
  • offline_authentication has been renamed to strong_authentication
Calls to the GET /environments/{{envID}}/templates endpoint will return the new template IDs, instead of the old ones. The deprecated offline_pairing and offline_authentication template IDs are still supported for backward compatibility, but will be unsupported at a future date.
Jul 02, 2019 The platform now includes endpoints to manage external identity provider configurations that enable social login and inbound SAML login features in PingOne. It also includes endpoints to manage a user’s links to external identity provider accounts. For more information, see Identity providers and Linked accounts.
Jun 25, 2019 The platform now includes endpoints to get information about the licenses associated with an organization. For more information, see Licensing.
Jun 25, 2019 The platform now includes endpoints to get information about active identity counts and total identity counts. For more information, see Active identity counts and Total identities.
Jun 13, 2019 The file import feature is temporarily disabled. It will be enabled in a future release.
Apr 15, 2019 The platform now supports a passwordless authentication flow. For more information, see Sign-on with a username and Configure a passwordless sign-on policy.
Apr 01, 2019 PATCH requests that modify custom JSON user attributes are replaced completely. For more information, see Users: Partial update.
Apr 01, 2019 Sign on policy actions now support a policy condition language that allows both logical and data rules to construct a policy condition statement. For more information, see Sign-on policy action conditions.
Mar 25, 2019 Platform scopes, such as p1:read:env:user, p1:create:env:device, and p1:update:env:population, have been removed. In order to access platform APIs, you must create a new WORKER application type. For more information, see Access through scopes and roles.
Mar 25, 2019 Scopes with “self” in the name have been renamed. Example: p1:reset:self:userPassword is now p1:reset:userPassword. For more information, see Access through scopes and roles.
Mar 01, 2019 The SAML attribute mappings data model now includes a mappingType attribute to identify CORE, SCOPE and CUSTOM mapping types. For more information, see Attribute mapping.
Feb 18, 2019 The following templates are available for use with notifications templates: verification_code_template, recovery_code_template, offline_authentication, and offline_pairing. For more information, see Notifications templates and Notifications settings.
Jan 28, 2019 The flow service no longer uses the /step/{{stepID}} sub-resource, and it no longer shows multiple statuses and nested embedded resources. The status property in the flow response contains all information about the flow's current state. For more information, see Flows.
Jan 22, 2019 Audit reporting supports a POST operation to retrieve audit events without exposing sensitive or personal filtering information in a GET request URL. The required SCIM filtering expression is specified in the POST request body. For more information, see Get audit activities using POST.
Jan 21, 2019 The data model for SAML application settings requires a leading dollar sign ($) when specifying the expression in the value attribute. For example, "value": "${user.username}". For more information, see SAML application attribute mappings.
Jan 11, 2019 The GET /environments/{{envID}}/activities endpoint no longer supports the in (includes) SCIM operator. For more information, see Audit activities and events.

More information

For more information about PingOne product updates, see Release Notes.

Working with PingOne APIs

If you want to start building your own workflows with PingOne APIs, the Workflow Library provides step-by-step workflows with linked Postman collections to help you start using the PingOne APIs in your Postman environment.

PingOne API domains

The PingOne API includes the following regional domains.

  • api.pingone.com, api.pingone.ca, api.pingone.eu, api.pingone.asia, and api.pingone.com.au

    These are the primary domains for calling PingOne Management API resource server, with api.pingone.com used for environments in the North America region (excluding Canada), api.pingone.ca for environments in the Canada region, api.pingone.eu for environments in the European Union region, api.pingone.asia for environments in the Asia-Pacific region, and api.pingone.com.au for environments in the Australia region.

    The {{apiPath}} variable in the sample requests represents the regional domain for the PingOne server. This variable stands for https://api.pingone.com/v1 for environments in the North America region (excluding Canada), https://api.pingone.ca/v1 for environments in the Canada region, https://api.pingone.eu/v1 for environments in the European Union region, https://api.pingone.asia/v1 for environments in the Asia-Pacific region, and https://api.pingone.com.au/v1 for environments in the Australia region. Note that the trailing /v1 is required.

  • auth.pingone.com, auth.pingone.ca, auth.pingone.eu, auth.pingone.asia, and auth.pingone.com.au

    This is the authorization and authentication server domain called to request the access token required to authenticate PingOne API requests, with auth.pingone.com used for environments in the North America region (excluding Canada), auth.pingone.ca for the Canada region, auth.pingone.eu for the European Union region, auth.pingone.asia for the Asia-Pacific region, and auth.pingone.com.au for the Australia region.

    The {{authPath}} variable in the sample requests represents the regional domain for the PingOne authentication server. This variable stands for https://auth.pingone.com for the North America region (excluding Canada), https://auth.pingone.ca for the Canada region, https://auth.pingone.eu for the European Union region, https://auth.pingone.asia for the Asia-Pacific region, and https://auth.pingone.com.au for the Australia region. Note that nothing trails the domain in the {{authPath}} variable.

  • orchestrate-api.pingone.com, orchestrate-api.pingone.ca, orchestrate-api.pingone.eu, orchestrate-api.pingone.asia, and orchestrate-api.pingone.com.au

    These are the primary domains for calling the PingOne DaVinci Management API resource server, with orchestrate-api.pingone.com used for environments in the North America region (excluding Canada), orchestrate-api.pingone.ca for environments in the Canada region, orchestrate-api.pingone.eu for environments in the European Union region, orchestrate-api.pingone.asia for environments in the Asia-Pacific region, and orchestrate-api.pingone.com.au for environments in the Australia region.

    The {{orchestratePath}} variable in the DaVinci requests documentation represents the regional domain for the PingOne server. This variable stands for https://orchestrate-api.pingone.com/v1 for environments in the North America region (excluding Canada), https://orchestrate-api.pingone.eu/v1 for environments in the European Union region, https://orchestrate-api.pingone.ca/v1 for environments in the Canada region, https://orchestrate-api.pingone.asia/v1 for environments in the Asia-Pacific region, and https://orchestrate-api.pingone.com.au/v1 for environments in the Australia region. Note that the trailing /v1 is required.

  • scim-api.pingone.com, scim-api.pingone.ca, scim-api.pingone.eu, scim-api.pingone.asia, and scim-api.pingone.com.au

    These are the primary domains for calling the PingOne System for Cross-domain Identity Management (SCIM) API resource server, with scim-api.pingone.com used for environments in the North America region (excluding Canada), scim-api.pingone.ca for environments in the Canada region, scim-api.pingone.eu for environments in the European Union region, scim-api.pingone.asia for environments in the Asia-Pacific region, and scim-api.pingone.com.au for environments in the Australia region.

    The {{scimPath}} variable in the SCIM requests documentation represents the regional domain for the PingOne SCIM server. This variable stands for https://scim-api.pingone.com for environments in the North America region (excluding Canada), https://scim-api.pingone.eu for environments in the European Union region, https://scim-api.pingone.ca for environments in the Canada region, https://scim-api.pingone.asia for environments in the Asia-Pacific region, and https://scim-api.pingone.com.au for environments in the Australia region.

PingOne API region codes

For the relevant endpoint properties (as shown in the data models for the endpoint), the regions supported by the PingOne API are referenced using these region codes:

Region code Description
NA North America
CA Canada
EU Europe
AP Asia-Pacific

The Try A Request feature

Except for the authentication and authorization requests, our documentation for the PingOne APIs includes an interactive Try A Request feature. Try A Request enables you to configure and send a PingOne API request and get a response from within the documentation. This is a quick way to interactively test a PingOne API request without needing to use either Postman or the command line.

Calling the PingOne APIs from the command line

Each PingOne API request in the documentation includes an example request and response. By default, the example request is displayed using cURL. However, a number of coding languages are available in the associated drop-down list. If you want to run a request from the command line, you can select the coding language and copy the displayed request. You'll need to replace any variables in the request with the appropriate values before running the request.

Using Postman collection-level authorization

Most APIs require authorization to ensure that client requests access data securely. Postman can pass along whatever authorization details necessary for the method demanded by the endpoint. You can manually include authorization data in the header, body, or as parameters to a request. However, the easiest way is to use the Authorization tab in Postman. Select an authorization Type on that tab and Postman offers a dialog to gather the information required by that Type. When you run a request, Postman uses the information from the Authorization tab to automatically add the necessary authorization header, body, or parameters to the request. Postman offers the Authorization tab on requests, folders, and collections.

In PingOne collections, the authorization method is defined at the collection level. Only those requests that require a specific authorization method have authorization defined on the request (roughly 10% of PingOne requests). This allows you to easily change the authorization used for most requests. See Postman Collection-Level Authorization for more information.

Forward compatibility guidance for PingOne client developers

This section provides guidance on what PingOne API client developers should do to maintain forward compatibility of their client applications as PingOne APIs evolve. PingOne is a continuously developing platform, and developers must be aware of non-breaking changes to the APIs and how to prepare for these inevitable changes. PingOne will rarely, if ever, introduce a breaking change; however, when that happens, there will be notifications or deprecation messages to inform developers. For non-breaking changes, client developers must ensure that their apps will function as expected after the following API changes occur.

Non-breaking API changes

Client applications should be resilient to additions of new optional properties in request and response payloads. The following list of enhancements occur regularly to the Pingone platform API.

Related resource links

The addition of new related resource links added to responses should not cause application breaks in your client environments.

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6"
        },
        "organization": {
            "href": "https://api.pingone.com/v1/organizations/bed432e6-676a-4ebe-b5a5-6b3b54e46bda"
        },
        "license": {
            "href": "https://api.pingone.com/v1/organizations/bed432e6-676a-4ebe-b5a5-6b3b54e46bda/licenses/3f06970a-3235-46cb-b46f-cf6dfee2bb84"
        },

Almost all PingOne API responses include a _links section that lists related resources as HAL (Hypertext Application Language) links, and these lists change as the platform adds new resources (and new relationships). For common endpoints such as /environments or /users, the list of HAL links changes often.

New optional properties

The addition of new (optional) properties added to request and response payloads should not cause application breaks in your client environments.

PingOne API endpoints, even those that have been part of the platform since its inception, can receive additional optional data model properties as the platform matures. Client application developers must configure their client environments to accommodate new optional properties in requests and support new returned properties in endpoint responses.

New content-types or content-language formats

The addition of new content-types or content-language formats of the same resource should not cause application breaks in your client environments.

The platform API includes endpoints that support multiple content types. Client application developers must configure their application environments to accept supported media types for the endpoint. For example, the following request shows a new action on the /{{envID}}/flows/{{flowID}} endpoint that supports a device authorization grant. Your client environment should support the new content type, application/vnd.pingidentity.deviceAuthGrant.userCode.verify+json.


curl --location --request POST '{{authPath}}/{{envID}}/flows/{{flowID}}' \
--header 'Content-Type: application/vnd.pingidentity.deviceAuthGrant.userCode.verify+json' \
--data-raw '{
    "userCode": "{{userCode}}"
}'

New HTTP methods

The addition of new supported HTTP methods added to a resource should not cause application breaks in your client environments.

Client application developers must configure their application environments to accommodate new HTTP methods added to a platform service. For example, adding a new PATCH operation to an endpoint should be supported in your client environments.

Third-party libraries

Some third-party libraries deployed in your client environment can cause failures as a result of the non-breaking API changes listed above. In such cases, configuration of the library objects can resolve the issue.

For example, if your application environment uses the Jackson library to serialize or map Java objects to JSON, it is recommended that you update the object mapper setting responsible for deserializing API responses to prevent deserialization errors when new properties are added to the API response. The recommended setting is: new ObjectMapper().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);. (Jackson's default setting is true.)

As a backup, you can also annotate Jackson library objects with the @JsonIgnoreProperties(ignoreUnknown = true) property to prevent deserialization errors. Conservative developers may choose to employ both strategies.

Protocol for breaking changes

Ping Identity will only support the current release of the platform APIs.

APIs and resources that are made generally available to all customers for Ping Identity’s multi-tenant hosted service products are designed to evolve in a non-breaking fashion rather than rely on versioning to change. In the case of a breaking change that requires an API or a resource to be versioned, the following describes the Ping Identity version support lifecycle:

  • The current version of the API or resource will be supported;

  • Once a new version of the API or resource is released, the previous version will also be supported for one (1) year; and

  • After this one (1) year period, previous versions of the API or resource will no longer be supported.

Integrations

For information about integrating PingOne services with other Ping Identity products, see the following integration guides:

Integration Catalog API

The PingOne integration catalog API enables developers to discover and retrieve integration metadata and download integration kits as a compressed file. For more information, see Integration Catalog. For use cases, see Download an integration binary in PingOne for Developers.

Accounting for Latency

API clients can experience latency when creating resources across services in the PingOne platform multi-region architecture, where the newly created resource has not propagated through the system to allow for the successful completion of a follow-up request. For example, if you create a resource with one internal service, it is possible that other internal services might not be aware of that new resource in time for your code's next step. An immediate call to the second resource can fail. Given this potential for latency, all applications should be written to retry the request.

The primary areas that experience latency are:

  • Applications and Secrets

    Latency occurs when you create an application and then try immediately to retrieve the system-generated secret.

  • Applications and Scopes

    Latency occurs when you create an application and then try immediately to retrieve its resource access grants.

  • SAML configuration and attributes

    Latency occurs when you create a SAML configuration and then try immediately to retrieve its attribute mappings.

  • Environments, role assignments, and applications

    Latency occurs when you create an environment and then try immediately to retrieve its role assignments or add an application to the new environment.

  • Populations and role assignments

    Latency occurs when you create a population and then try immediately to retrieve its role assignments.

Authorization and Authentication APIs

The PingOne Authentication API provides services to query the authorization server, run authentication workflows, and receive access tokens from the authorization server. An authentication workflow can include local authentication actions (login), multi-factor authentication actions, and other external actions. The Authentication API includes the flow orchestration and action services needed to configure an authentication workflow.

The authorization service allows a resource owner (you) to share protected resources with a client (an application) without giving the application your password (or access to all your stuff). Instead, the resource owner interacts with an *authorization server (PingOne) that verifies your credentials and issues an access token to the client. The client uses the token to access only the protected resources stored on a resource server (your stuff) that you've granted, as specified by the scopes (permissions) defined in the token.

The flow service provides the authentication actions to complete the checks needed to confirm that it's you. For example, if the authentication flow requires a username/password check (a login action) and a one-time passcode check (an MFA action), then both actions must be completed successfully before the authorization server can issue an access token.

A typical flow starts with a request to the PingOne authorization server. The authorization server returns a flow ID that initiates the authentication flow. After the flow service completes, the session is passed back to the authorization service to generate the access token. The diagram below shows the steps.

Authorize and flow services

In the authorization and authentication API sample requests shown in this document, the {{authPath}} variable in the sample requests represents the regional domain for the PingOne authorization and authentication services. See PingOne API domains for more information.

The PingOne Authentication API includes the following entities.

Authorization server

The PingOne authorization server (as) service configures the authorization grants that are used to authenticate users and provide access to resources. This service includes the following entities:

  • authorize

    Queries PingOne (or an external resource owner) to get an authorization grant.

  • resume

    Continues the processing of an authorization request after the completion of an authentication flow.

  • userinfo

    Returns claims about the authenticated user resource.

  • token

    Obtains an access token by presenting its authorization grant.

  • jwks

    The JSON Web Key (jwks) is a JSON representation of the cryptographic key.

  • .well-known/openid-configuration

    The discovery endpoint, used in multi-tenant configurations to support multiple issuers per host.

  • signoff

    The end session endpoint called by the flow orchestration service to initiate the logout flow.

For more information, see OpenID Connect/OAuth 2 and Application authorization and authentication.

Flows

The PingOne flow orchestration service configures the steps required to authenticate the application or user that initiated the authentication request. The service is responsible for initiating the authentication session and making calls to specific actions required by the authentication workflow.

For more information, see Flows and PingOne flow states.

OAuth 2 and OpenID Connect

OpenID Connect is an authentication protocol that PingOne connected applications can use to authenticate users and get user data through claims. PingOne can also act as an OAuth 2 authorization server to authorize clients to access protected resources using access tokens. For example, PingOne uses OAuth 2 to protect access to PingOne management APIs.

The OAuth 2 framework defines several methods by which a client can obtain authorization to access protected resources using an access token. The access token represents authorization granted to the client for a set of scopes. Scopes are string identifiers understood by both the authorization server and the resource server to represent the specific boundaries of access. The client can use the access token as a credential for accessing data on a resource server.

For more information about access tokens, see Access tokens.

SAML 2.0

The SAML service provides support for the SAML protocol to authorize clients and allow clients to obtain a requestor’s authentication state. The SAML service implements functions to initiate SAML 2.0 single sign-on and single logout authentication flows.

For more information, see SAML 2.0.

Configuration options

The following topics provide information about the platform's advanced configuration options in authorize and token requests.

  • Redirect and non-redirect authentication flows

    Describes the authorize request's response_mode options, which include the query, fragment, and form_post options for redirecting back to the client. It also describes how to use the PingOne pi.flow custom response option for non-redirect flows, returning response parameters encoded as a JSON object directly to the client.

  • Create a login_hint_token JWT

    Describes the claims required by the login hint token, and how to sign the JWT using an application's client secret as the signing key.

  • Create a request property JWT

    Describes the claims required by the request property token, and how to sign the JWT using either the application's client secret or a private key as the signing key.

  • Create a client secret JWT

    Describes the claims required by a JWT used to authenticate the PingOne /token request, and how to sign the JWT using an application's client secret as the signing key.

  • Create a private key JWT

    Describes the claims required by a JWT used to authenticate the PingOne /token request, and how to sign the JWT using a private key as the signing key.

  • Create a private_key_jwt JWKS string

    Describes how to configure a JWKS string (or JWKS URL) to add to an application configuration to enable the use of a private key JWT as the authentication method for a PingOne /token request.

Redirect and non-redirect authentication flows

The response_mode authorization service property provides the mechanism for returning authorization response parameters from the authorization endpoint. In PingOne, the response_mode property's options are query, fragment, form_post, and pi.flow. The query, fragment, form_post options are defined in the OAuth 2.0 Multiple Response Type Encoding Practices specification.

When redirecting back to the client using the redirect_uri property:

  • query

    The response parameters are encoded in the query string added to the redirect_uri.

  • fragment

    The response parameters are encoded in the fragment added to the redirect_uri.

  • form_post

    The response returns a form_post encoded response, and after user approval, returns a result in an HTTP POST to the client.

The pi.flow option is a Ping Identity custom response mode to specify that the redirect_uri parameter is not required and authorization response parameters are encoded as a JSON object wrapped in a flow response and returned directly to the client with a 200 status. For example, with native mobile apps and SPAs that want to render the end-user interface, setting the response_mode property to pi.flow allows the app to authenticate using the flows API without needing to handle HTTP redirections. When authentication is complete, the app receives the auth code, access token, or ID token in a JSON response instead of a redirect.

Use cases for pi.flow

The following outlines several use cases for a non-redirect flow using the pi.flow option for the response_mode property. For application integration use cases (including PingFederate), a login_hint_token is also specified in the authorize request to specify the application ID and the associated user ID.

The login_hint_token must be a signed JWT in which the iss claim is the ID of an enabled application and the aud claim is the platform issuer URL. For example:

{
  "iss": "{{integratedAppID}}",
  "sub": "{{userID}}",
  "aud": "https://auth.pingone.com/{{envID}}/as",
  "iat": 1300819380,
  "exp": 1300819391
}

The JWT must be signed using the HS256, HS384, or HS512 algorithm and the application's client secret as the key.

Integrations with PingFederate

The PingFederate PingOne MFA adapter uses the response_mode property with the pi.flow option. For detailed information about integrating PingFederate and PingOne MFA, see PingOne MFA Integration Kit.

Non-redirect flow for mobile clients

A non-redirect flow for mobile clients implements custom flow interfaces with PingOne platform flow APIs but with native application interface components. PingOne can be used for complete authentication or MFA only by providing a login_hint_token with the already authenticated user context on the authorization request.

The following sample shows an authorize request for the non-redirect flow:

{{authPath}}/{{envID}}/as/authorize?response_type=token id_token&response_mode=pi.flow&scope=openid profile email&state={{string}}&login_hint_token={{loginHintJwt}}&client_id={{clientID}}
Transaction approval flows

PingOne supports transaction approval when strong authentication is required for elevated security for a high-value transaction, or high-risk resource or service. The authorize request includes the response_mode and request parameters. The request property value is a JWT that enables OIDC/OAuth2 request parameters to be passed as a single, self-contained parameter.

The following sample shows an authorize request for a transaction approval flow:

{{authPath}}/{{envID}}/as/authorize?response_type=token id_token&response_mode=pi.flow&scope=openid&state={{string}}&request={{requestString}}&client_id={{clientID}}

PingOne support for response_mode options

The following table shows the current support for response_mode options for specific response_type values in the authorize request.

response_mode response_type Supported option
omitted code query
omitted id_token fragment
omitted token fragment
omitted id_token token fragment
omitted code id_token fragment
omitted code token fragment
omitted code id_token token fragment
query code query
query id_token error
query token error
query id_token token error
query code id_token error
query code token error
query code id_token token error
fragment code fragment
fragment id_token fragment
fragment token fragment
fragment id_token token fragment
fragment code id_token fragment
fragment code token fragment
fragment code id_token token fragment
form_post code form_post
form_post id_token form_post
form_post token form_post
form_post id_token token form_post
form_post code id_token form_post
form_post code token form_post
form_post code id_token token form_post
pi.flow pi.flow

Create a login_hint_token JWT

A login_hint_token is a JWT that provides a way for the client to identify and authenticate the end-user without needing to encode the entire authentication request in a signed JWT. The following information describes the OIDC parameters and the steps for generating and signing the token.

Prerequisites
  1. Install a JWT token generator such as jwtgen globally using npm install -g jwtgen. This action requires npm.

  2. Retrieve the environment id property value associated with your worker application and user.

  3. Retrieve the clientId and clientSecret property values for the worker application.

  4. Retrieve the user ID id or username property value for whom this token will be associated.

Generate a signed token

The header parameters cty and enc must not be included in the login_hint_token JWT header. PingOne does not support nested signing or encryption operations here.

The command to generate the login_hint_token JWT takes the following parameters:

Parameter Description
-a Specifies the JWT signing algorithm. Options are HS256, HS384, and HS512.
-s Specifies the signing key, which is the application's clientSecret property value.
-e Specifies the expiration date, expressed as the number of seconds from the time of creation. The typical value is 3600 seconds.
--claims Specifies the claims required by the token:
  • iss: A string that specifies the application ID of the issuer creating the token
  • sub: A string that specifies the identifier for the authenticated user (for example, the id or username property value).
  • iat: An integer that specifies the timestamp, measured in the number of seconds since January 1, 1970, UTC, indicating when this token was originally issued.
  • exp: An integer that specifies the timestamp, measured in the number of seconds since January 1, 1970, UTC, indicating when this token will expire.
  • aud: A string that specifies the intended audience for this token.
  • nbf: (Optional) Indicates that the current date and time must be after or equal to this value. If included, this value is validated per RFC 7519 4.1.5.
  1. Run the jwtgen command.
jwtgen -a "HS256" -s "YOUR_CLIENT_SECRET" -e 3600 --claims '{
"iss":"YOUR_CLIENT_ID",
"sub":"YOUR_USER_ID_OR_USERNAME",
"iat":1300819380,
"exp":1300819391,
"aud":"https://auth.pingone.com/YOUR_ENVIRONMENT_ID/as"
}'
  1. Record the token returned successfully by the command to use as the value of the login_hint_token property in the authorize request.

Create a request property JWT

A request property JWT enables OIDC/OAuth2 request parameters to be passed as a single, self-contained parameter. Using a JWT enables integrity protection of parameters that are required for risk-based authentication or privacy and consent use cases.

You can create a request JWT using the following signing algorithms:

  • HS256, HS384, HS512

    Use this signing algorithm when an application's client secret is the signing key.

  • RS256, RS384, RS512

    Use this signing algorithm when an external private key is used as the signing key.

For example, the request JWT for a transaction approval action takes the following parameters:

Parameter Description
Signing algorithm Specifies the JWT signing algorithm. Options are HS256, HS384, HS512 and RS256, RS384, RS512.
Signing key Specifies the signing key, which is the application's clientSecret property value or an external private key.
--claims Specifies the claims required by the token:
  • iss: A string that specifies the application ID of the issuer creating the token
  • aud: A string that specifies the intended audience for this token.
  • pi.template: A string that specifies the template name and the variables required by the template. For information see Notifications Templates.
  • pi.clientContext: A string that specifies the name-value pairs that define the client context. For information see Device Authentictation.
  • pi.remoteIp: A string that specifies the user's IP address. This is an optional property used with authentication policies that include IP-based conditions.
  • pi.webAuthn.challenge: Include this parameter if you want to use dynamic linking to attach a unique identifier to a FIDO transaction. The value should be a custom challenge to replace the automatically-generated challenge sent with the authentication request. Must be a valid and unique Base64URL string that decodes to a data array of at least 32 bytes. You can generate a challenge that meets these criteria by adding a random nonce to the transaction details to ensure uniqueness and then using SHA-256 to hash the information.

Request property JWT signed using the client secret

This sample shows the information required in a transaction approval JWT in which the JWT is signed using the PingOne client secret with HS256 encryption:

"jwtHeader": {
  "alg": "HS256",
  "typ": "JWT"
},
"jwtBody":
{
  "aud": "https://auth.pingone.com/{{envID}}/as",
  "iss": "{{appID}}",
  "pi.template": {
    "name": "transaction",
    "variant": "{{variantName}}",
    "variables": {
      "sum": "1,000,000",
      "currency": "USD",
      "recipient": "Charlie Parker"
    }
  },
  "pi.clientContext": {
    "alert.color": "red"
  }
}

This sample demonstrates the use of the pi.webAuthn.challenge parameter for using dynamic linking to attach a unique identifier to a FIDO transaction:

"jwtHeader": {
  "alg": "HS256",
  "typ": "JWT"
},
"jwtBody":
{
  "aud": "https://auth.pingone.com/{{envID}}/as",
  "iss": "{{appID}}",
  "pi.webAuthn": {
    "challenge": "1cd774777136450c97e83267a52cecccb5f52d1adbc0f46c42e164edadb47fb3"
  }
}

The following information describes the OIDC parameters and the steps for generating and signing the token.

Prerequisites
  1. Install a JWT token generator.

  2. Retrieve the environment id property value associated with your application and user.

  3. Retrieve the clientId and clientSecret property values for the application.

  4. Retrieve the name of the transaction notification template that you want to use.

Generate a signed token
  1. Run JWT token generator, providing the information above.

  2. Record the token returned successfully by the command to use as the value of the request property in the authorize request.

Request property JWT signed using a private key and JWKS string

This sample shows the information required in a transaction approval JWT in which the JWT is signed using an external private key with RS256 encryption:

"jwtHeader": {
  "alg": "RS256",
  "typ": "JWT"
},
"jwtBody":
{
  "aud": "https://auth.pingone.com/{{envID}}/as",
  "iss": "{{appID}}",
  "pi.template": {
    "name": "transaction",
    "variant": "{{variantName}}",
    "variables": {
      "sum": "1,000,000",
      "currency": "USD",
      "recipient": "Charlie Parker"
    }
  },
  "pi.clientContext": {
    "alert.color": "red"
  }
}
Generate a keypair
  1. Use a keypair generator to create a keypair with the following configuration options.

    • Key size: 2048

    • Key use: signature

    • Algorithm: RS256

    • Key-ID: SHA-256

    • Show X.509: No

  2. Save the generated Public and Private Keypair and the Public Key.

    • Example public and private keypair

      {
      "p": "x1mRR-Y1_i8ZPTLe2sPmuif4hhIfaxSph8m_iACDEHvAfTh0RMV7SrExscRSUXzcWX_FbSIKE5tDm4c1qzImnmWz06z6SSQYUjl0iU6V439sebR662deH5kOF92Vbtj5OLk-mNdj-fm6CdwnWEp3vb36T9kOiKHGReluwJpG1I8",
      "kty": "RSA",
      "q": "tY0osG4YzkzTX_NCxN3QBFinw_hvJLX6zVXZ-PGHTOD0iFsdwCzmqa3o6_4-GtHUSiuoboTscx2ItbU824IDp41p99HLvSm0lZixszqlcG1JZSaQVj5_5rOBttTcovvAL5te4jq5Mi966WC3yT-V_ZLxE3jFNt5vNzW8ykxsAJ8",
      "d": "T_2qcj4Tb-wuMCvI3uOvBZza21PjzkCy5iTClT3QZ30Wlwm8A35x1b3MVHz7JGox3I_KvMClwQdrDMU2aibQaGzs_EunMH5Y1VhlKDg4RvuQBoyB9lpDT1TdrmDe7kHDPDERrB84gPQkrAm-RgJ0W_zPyJMR013pZjOwPKlxKYbsW1G02Jbg2Vl1zatNWBm1MFYQYEOYyaNQkt32WktNdgixYg0Qdt3Q160mbfNz5c9USLVqvCsye0J2t9DZPK7WzadQCC4S7ehdmQkGd87IfD4XyKuZND_nE8Nz5nbgOLNfuIwR6QH7ksOHT9ur1JVKkzEkX8P40_7LXdarwraiBQ",
      "e": "AQAB",
      "use": "sig",
      "kid": "q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us",
      "qi": "t06uC_ML8E01gKSeFPH7LNFxpumuIaYBc_Enr10dB-wqGpYfs6B5yqf5SjlXg1K89Z3QZFcU9AdJW0SYtr9T-A7b3csxeWUW98hOwfXentP8vcSv3dXJI753f64tAZqz5Mgd6jh0D8i1Fvg6d7Hqm_a5cfd-DO80QkW9c8u8rmk",
      "dp": "L95hFWvBQVUb8WcavltWNxNMCR2m77aZcuLOHCFLV5TvxuHcgXsOPQRJk4852RlrbA5TYP5Qfx7EYD9acs5rGZQAV27s9s01DeGAC0yUj3lUmfDtp0M-BcZh7PcnX-O4DJfm4RqvhiIiOyXjSL8w-5330l6jr8lw6-6-yn8BTR8",
      "alg": "RS256",
      "dq": "lFS9ftClEcCxHn7Y-ZGkyDhK8ZFD9YF9ZVCUY5GqksRk5hdTylSlLNL7L_0sbqsrQGJFHe8aZL8nmBZ4n3utUrL2dlSBmo69jVARN7ddvep8gdktKlmsFChrfZ6SmdMIZZ0Su9FwyDEEwjKUVifOezwYHWmZ78dypHASTFJ-F08",
      "n": "jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q"
      }
      
    • Example public key

      {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "kid": "q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us",
      "alg": "RS256",
      "n": "jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q"
      }
      
Generate a signed JWT
  1. Create a signed JWT with Algorithm RS256 and header and payload information shown below.

    • Header

      {
       "alg": "RS256",
       "typ": "JWT"
      }
      
    • Payload (for the transaction approval example)

      {
       "aud": "https://auth.pingone.com/{{envID}}/as",
       "iss": "{{appID}}",
       "pi.template": {
         "name": "transaction",
         "variant": "{{variantName}}",
         "variables": {
           "sum": "1,000,000",
           "currency": "USD",
           "recipient": "Charlie Parker"
         }
      }
      
  2. Record the token returned successfully.

  1. Record the token returned successfully by the command to use as the value of the request property in the authorize request.
Create the JWKS string

You will use the generated keys to create a JWKS string object that can be used as the value in your PingOne application’s jwks property.

  1. Copy the Public Key and wrap it like this:

    {
    "keys": [
      <Your public key>
     ]
    }
    

    Which looks like this:

    {
    "keys": [
       {
         "kty": "RSA",
         "e": "AQAB",
         "use": "sig",
         "kid": "q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us",
         "alg": "RS256",
         "n": "jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q"
       }
     ]
    }
    
  2. The string needs to be reduced to one line and the double quotes escaped.

    The JSON for the PingOne application POST (or PUT) to create the application looks like:

    {
      ...
      "tokenEndpointAuthMethod": "PRIVATE_KEY_JWT",
       "jwks": "{ \"keys\": [ { \"kty\": \"RSA\", \"e\": \"AQAB\", \"use\": \"sig\", \"kid\": \"q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us\", \"alg\": \"RS256\", \"n\": \"jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q\" } ]}",
      ...
    }
    
Configure the JWKS URL

To use the jwksUrl property in the PingOne application's configuration, the JWKS string must be hosted on a web server, accessible to the internet (using https://). For testing purposes, the following code sample shows a simple node server file (running on a local web server) that hosts the JWKS string.

const https = require("https");
const host = 'localhost';
const port = 3000;

const requestListener = function (req, res) {
    res.setHeader("Content-Type", "application/json");
    res.writeHead(200);    

    const jwksString = "{\r\n  \"keys\": [\r\n    {\r\n        \"kty\": \"RSA\",\r\n        \"e\": \"AQAB\",\r\n        \"use\": \"sig\",\r\n        \"kid\": \"q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us\",\r\n        \"alg\": \"RS256\",\r\n        \"n\": \"jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q\"\r\n    }\r\n  ]\r\n}";

    res.end(jwksString);
};

const server = https.createServer(requestListener);
server.listen(port, host, () => {
    console.log(`Server is running on https://${host}:${port}`);
});

With the JWKS string in a known location, the application configuration JSON looks like this:

{
  ...
  "tokenEndpointAuthMethod": "PRIVATE_KEY_JWT",
  "jwksUrl": "https://{{pathToJwksString}}",
  ...
}

Create a client secret JWT

The CLIENT_SECRET_JWT property is a supported value on the application's tokenEndpointAuthMethod property. This client authentication method uses the application's client secret to sign a JWT, which is passed in as a property to authenticate the token request.

For JWT-based client authentication, the token supports the following required and optional claims.

Claim Type Required Description
iss String Required A string that specifies the issuer. This value must match the application ID (client ID) of the PingOne application.
sub String Required A string that specifies the identifier for the authenticated user. This value must match the application ID (client ID) of the PingOne application.
aud URI Required A string that lists the audience, the resources for which this token is intended. Valid options are: (1) the token endpoint (/as/token), (2) the issuer uri (/as), (3) the endpoint being called (for example, /as/introspect). The value must be the full URL, including the PingOne domain, or custom domain.
exp Timestamp Required A timestamp, measured in the number of seconds since January 1, 1970, UTC, indicating when this token will expire, as defined in JWT RFC7519. This JWT must not be expired. Tokens that expire more than one hour from now are rejected.
nbf Timestamp Optional A "not before" timestamp. If present, the JWT must be valid. JWTs are rejected if nbf is in the future.

Other properties of the JWT are:

  • The optional iat and jti claims from the JSON Web Token (JWT) spec are not validated. See RFC7523 JWT Format and Processing Requirements.

  • The JWT can include other claims in addition to those listed above.

  • The JWT must be signed. For CLIENT_SECRET_JWT signing, the platform supports only the HS256, HS384, and HS512 symmetric keyed hashing algorithm.

  • The JWT must be valid.

Prerequisites and workflow

The following information describes the OIDC parameters and the steps for generating and signing the JWT.

  1. Retrieve the environment id property value associated with your application.

  2. Retrieve the clientId and clientSecret property values for the application.

  3. Install a JWT generator.

  4. Generate the signed JWT using the JWT generator. To create the client_secret_jwt JWT, the token generator will require values for the following parameters:

Parameter Description
Signing algorithm The JWT signing algorithm. Options for the client_secret_jwt JWT are HS256, HS384, and HS512.
Signing key The signing key for the client_secret_jwt JWT, which is the application's clientSecret property value.
Expiration The expiration date, expressed as the number of seconds from the time of creation. The typical value is 3600 seconds.
Claims The claims required by the token. Required claims are iss, sub, aud, and exp.
  1. Record the JWT returned successfully by the JWT generator.

Use the JWT in a token request

For applications that set the tokenEndpointAuthMethod to CLIENT_SECRET_JWT, the token request requires the following two properties:

  • client_assertion

    A JWT that contains a signed assertion with the application’s credentials. This is the JWT that you generated and signed with your application's client secret.

  • client_assertion_type

    A string that specifies the client assertion type. The value of this property must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer.

For more information about the token request, see Token.

Create a private key JWT

The PRIVATE_KEY_JWT property is a supported value on the application's tokenEndpointAuthMethod property. This client authentication method uses an external private key to sign a JWT, which is passed in as a property to authenticate the token request.

For JWT-based client authentication, the token supports the following required and optional claims.

Claim Type Required Description
iss String Required A string that specifies the issuer. This value must match the application ID (client ID) of the PingOne application.
sub String Required A string that specifies the identifier for the authenticated user. This value must match the application ID (client ID) of the PingOne application.
aud URI Required A string that lists the audience, the resources for which this token is intended. Valid options are: (1) the token endpoint (/as/token), (2) the issuer uri (/as), (3) the endpoint being called (for example, /as/introspect). The value must be the full URL, including the PingOne domain, or custom domain.
exp Timestamp Required A timestamp, measured in the number of seconds since January 1, 1970, UTC, indicating when this token will expire, as defined in JWT RFC7519. This JWT must not be expired. Tokens that expire more than one hour from now are rejected.
nbf Timestamp Optional A "not before" timestamp. If present, the JWT must be valid. JWTs are rejected if nbf is in the future.

Other properties of the JWT are:

  • The optional iat and jti claims from the JSON Web Token (JWT) spec are not validated. See RFC7523 JWT Format and Processing Requirements.

  • The JWT can include other claims in addition to those listed above.

  • The JWT must be signed. For PRIVATE_KEY_JWT signing, the platform supports the RS256, RS384, and RS512 symmetric keyed hashing algorithm.

  • The JWT must be valid.

Generate a keypair

  1. Use a keypair generator to create a keypair with the following configuration options. This example uses the RS256 signing algorithm (RS384, and RS512 are also supported).

    • Key size: 2048

    • Key use: signature

    • Algorithm: RS256

    • Key-ID: SHA-256

    • Show X.509: No

  2. Save the generated Public and Private Keypair and the Public Key.

    • Example public and private keypair

      {
      "p": "x1mRR-Y1_i8ZPTLe2sPmuif4hhIfaxSph8m_iACDEHvAfTh0RMV7SrExscRSUXzcWX_FbSIKE5tDm4c1qzImnmWz06z6SSQYUjl0iU6V439sebR662deH5kOF92Vbtj5OLk-mNdj-fm6CdwnWEp3vb36T9kOiKHGReluwJpG1I8",
      "kty": "RSA",
      "q": "tY0osG4YzkzTX_NCxN3QBFinw_hvJLX6zVXZ-PGHTOD0iFsdwCzmqa3o6_4-GtHUSiuoboTscx2ItbU824IDp41p99HLvSm0lZixszqlcG1JZSaQVj5_5rOBttTcovvAL5te4jq5Mi966WC3yT-V_ZLxE3jFNt5vNzW8ykxsAJ8",
      "d": "T_2qcj4Tb-wuMCvI3uOvBZza21PjzkCy5iTClT3QZ30Wlwm8A35x1b3MVHz7JGox3I_KvMClwQdrDMU2aibQaGzs_EunMH5Y1VhlKDg4RvuQBoyB9lpDT1TdrmDe7kHDPDERrB84gPQkrAm-RgJ0W_zPyJMR013pZjOwPKlxKYbsW1G02Jbg2Vl1zatNWBm1MFYQYEOYyaNQkt32WktNdgixYg0Qdt3Q160mbfNz5c9USLVqvCsye0J2t9DZPK7WzadQCC4S7ehdmQkGd87IfD4XyKuZND_nE8Nz5nbgOLNfuIwR6QH7ksOHT9ur1JVKkzEkX8P40_7LXdarwraiBQ",
      "e": "AQAB",
      "use": "sig",
      "kid": "q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us",
      "qi": "t06uC_ML8E01gKSeFPH7LNFxpumuIaYBc_Enr10dB-wqGpYfs6B5yqf5SjlXg1K89Z3QZFcU9AdJW0SYtr9T-A7b3csxeWUW98hOwfXentP8vcSv3dXJI753f64tAZqz5Mgd6jh0D8i1Fvg6d7Hqm_a5cfd-DO80QkW9c8u8rmk",
      "dp": "L95hFWvBQVUb8WcavltWNxNMCR2m77aZcuLOHCFLV5TvxuHcgXsOPQRJk4852RlrbA5TYP5Qfx7EYD9acs5rGZQAV27s9s01DeGAC0yUj3lUmfDtp0M-BcZh7PcnX-O4DJfm4RqvhiIiOyXjSL8w-5330l6jr8lw6-6-yn8BTR8",
      "alg": "RS256",
      "dq": "lFS9ftClEcCxHn7Y-ZGkyDhK8ZFD9YF9ZVCUY5GqksRk5hdTylSlLNL7L_0sbqsrQGJFHe8aZL8nmBZ4n3utUrL2dlSBmo69jVARN7ddvep8gdktKlmsFChrfZ6SmdMIZZ0Su9FwyDEEwjKUVifOezwYHWmZ78dypHASTFJ-F08",
      "n": "jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q"
      }
      
    • Example public key

      {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "kid": "q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us",
      "alg": "RS256",
      "n": "jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q"
      }
      

Generate a signed JWT

  1. Create a signed JWT with with a signing algorithm of RS256, RS384, or RS512 and header and payload information shown below.

    • Header

      {
       "alg": "RS256",
       "typ": "JWT"
      }
      
    • Payload

      {
       "iss": "{{appID}}",
       "sub": "{{appID}}",
       "exp": 1691085204,
       "aud": "https://auth.pingone.com/{{envID}}/as/token"
      }
      
  2. Record the token returned successfully.

Use the JWT in a token request

For applications that set the tokenEndpointAuthMethod to PRIVATE_KEY_JWT, the token request requires the following two properties:

  • client_assertion

    A JWT that contains a signed assertion with the application’s credentials. This is the JWT that you generated and signed with your private key.

  • client_assertion_type

    A string that specifies the client assertion type. The value of this property must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer.

For more information about the token request, see Token.

Create a private_key_jwt JWKS string

In the PingOne application configuration, when the tokenEndpointAuthMethod property is set to PRIVATE_KEY_JWT, the configuration requires either the jwks property (specifying a JWKS string) or the jwksUrlproperty (specifying the location on a web server that hosts the JWKS string).

When using the jwksUrl property, the application configuration JSON looks like this. Note that the jwksUrl must be https://:

{
  ...
  "tokenEndpointAuthMethod": "PRIVATE_KEY_JWT",
  "jwksUrl": "https://{{pathToJwksString}}",
  ...
}

The application configuration JSON for the JWKS string in the jwks property must be formatted as one line with double quotes escaped:

{
  ...
  "tokenEndpointAuthMethod": "PRIVATE_KEY_JWT",
  "jwks": "{"jwks": "{ \"keys\": [ { \"kty\": \"RSA\", \"e\": \"AQAB\", \"use\": \"sig\", \"kid\": \"q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us\", \"alg\": \"RS256\", \"n\": \"jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q\" } ]}",
  ...
}

The following information describes the steps for generating the JWKS for use with "tokenEndpointAuthMethod": "PRIVATE_KEY_JWT".

Create the JWKS string

You will use the generated keys you created for your private key JWT (see Create a private key JWT) to generate a JWKS string object that can be used as the value in your PingOne application’s jwks property.

  1. Copy the Public Key and wrap it like this:

    {
    "keys": [
      <Your public key>
     ]
    }
    

    Which looks like this:

    {
    "keys": [
       {
         "kty": "RSA",
         "e": "AQAB",
         "use": "sig",
         "kid": "q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us",
         "alg": "RS256",
         "n": "jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q"
       }
     ]
    }
    
  2. The string needs to be reduced to one line and the double quotes escaped.

    The JSON for the PingOne application POST (or PUT) to create the application looks like:

    {
      ...
      "tokenEndpointAuthMethod": "PRIVATE_KEY_JWT",
      "jwks": "{\r\n  \"keys\": [\r\n    {\r\n        \"kty\": \"RSA\",\r\n        \"e\": \"AQAB\",\r\n        \"use\": \"sig\",\r\n        \"kid\": \"q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us\",\r\n        \"alg\": \"RS256\",\r\n        \"n\": \"jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q\"\r\n    }\r\n  ]\r\n}",
      ...
    }
    

Configure the JWKS URL

To use the jwksUrl property in the PingOne application's configuration, the JWKS string must be hosted on a web server, accessible to the internet (using https://). For testing purposes, the following code sample shows a simple node server file (running on a local web server) that hosts the JWKS string.

const https = require("https");
const host = 'localhost';
const port = 3000;

const requestListener = function (req, res) {
    res.setHeader("Content-Type", "application/json");
    res.writeHead(200);    

    const jwksString = "{\r\n  \"keys\": [\r\n    {\r\n        \"kty\": \"RSA\",\r\n        \"e\": \"AQAB\",\r\n        \"use\": \"sig\",\r\n        \"kid\": \"q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us\",\r\n        \"alg\": \"RS256\",\r\n        \"n\": \"jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q\"\r\n    }\r\n  ]\r\n}";

    res.end(jwksString);
};

const server = https.createServer(requestListener);
server.listen(port, host, () => {
    console.log(`Server is running on https://${host}:${port}`);
});

With the JWKS string in a known location, the application configuration JSON looks like this:

{
  ...
  "tokenEndpointAuthMethod": "PRIVATE_KEY_JWT",
  "jwksUrl": "jwksUrl": "{{pathToJwksString}}",
  ...
}

External Authentication

The external authentication API provides endpoints for performing end user authentication with PingOne supported external identity providers. End users are redirected immediately to the authentication initialization endpoint at the external authentication service. After users authenticate at the provider, they are redirected back to the external authentication service's authentication callback endpoint, where the external authentication API validates the token or assertion returned from the external identity provider.

External authentication data model

Property Type Required? Mutable? Description
attributes Object N/A Read-only The mapped user attributes and their values from the external identity provider.
<attributename> Object N/A Read-only The name of the mapped user attribute from the external identity provider.
<attributename>.value String N/A Read-only The value for the mapped user attribute from the external identity provider.
<attributename>.update String N/A Read-only An enumeration that specifies the update behavior for this attribute based on identity provider configuration. Options are EMPTY_ONLY and ALWAYS.
externalId String N/A Read-only The identifier returned by the identity provider for the external user.
flow Object Required Immutable A reference to the PingOne flow associated with this external authentication.
flow.id String Required Mutable The flow UUID associated with this external authentication.
identityProvider Object Required Immutable A reference to the external identity provider that is used to authenticate the user.
identityProvider.id String Required Mutable The UUID of the external identity provider to which the user is redirected for sign-on.
status String N/A Read-only The status of the external authentication. Options are:
  • PROVIDER_RESPONSE_REQUIRED: Awaiting callback from provider with authentication results.
  • COMPLETED: External authentication request completed successfully.
  • FAILED: The identity provider returned an error.
error Object N/A Read-only When the status is FAILED, returns an error detail from the identity provider to the PingOne flow associated with this external authentication.
error.code String N/A Read-only The PingOne code for the error.
error.message String N/A Read-only The description of the error.

Audit reporting events

To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.

Service Event
external-authentications AUTHENTICATION.CREATED
external-authentications AUTHENTICATION.UPDATED

Response codes

Code Message
302 Found.
400 The request could not be completed.
401 You weren’t authenticated to perform this operation.
403 You do not have permissions or are not licensed to make this request.

Read External Authentication Initialization


Read External Authentication Callback


Read External Authentication Status

Flows

The flow endpoint is used to interact with the user in a sign-on workflow. Flow endpoint operations are used only to implement custom authentication UIs. OIDC/OAuth 2 and SAML requests initiate the flow and redirect the browser to the custom authentication UI (which is configured in the application through the application's loginPageUrl property).

Common sign-on actions

Login actions

The flow endpoint can initiate login actions that specify the operations required to authenticate with a username and password.

Multi-factor authentication actions

The flow endpoint can also initiate multi-factor authentication (MFA) actions that specify the operations required to complete authentication using a registered user device and a one-time password (OTP).

Identity first actions

The flow can initiate a discovery action used to identify the user by username and determine the applicable authentication methods for this user.

Progressive profiling actions

Progressive profiling actions prompt users to provide additional data at sign on. This action type does not authenticate users. It is used only to obtain additional profile data.

Agreement actions

Agreement actions enforce user consent to an agreement at sign on. This action type does not authenticate users. It is used only to obtain user consent to a terms of service agreement.

Identity provider actions

An action that bypasses the PingOne sign-on prompt and immediately redirects the user to an external identity provider's sign-on workflow to authenticate.

Use Cases

Flow status

In a sign-on workflow, the flow's status property value returned by the last action identifies the appropriate next action in the authentication process. For example, if an application uses the LOGIN sign-on policy, when a user initiates sign-on and starts the authentication flow, the response returned by the flow shows a status value that specifies the next required step to complete this flow successfully. For the LOGIN sign-on policy, the next action prompts the user to enter a username and password, as indicated by the USERNAME_PASSWORD_REQUIRED value in the status property.

"status" : "USERNAME_PASSWORD_REQUIRED"

The response data includes a link to the required action, which in this case is the usernamePassword.check:

{
  "_links" : {
    "self" : {
      "href" : "https://auth.pingone.com/{{envID}}/flows/{{flowID}}"
    },
    "session.reset" : {
      "href" : "https://auth.pingone.com/{{envID}}/flows/{{flowID}}"
    },
    "usernamePassword.check" : {
      "href" : "https://auth.pingone.com/{{envID}}/flows/{{flowID}}"
    }
  },


After the user submits a username and password, the flow calls the usernamePassword.check action to verify the username and password.

For more information about flow actions, see Flow API Actions.

Flow status values

An authentication flow can return one of the following status values in response to a sign-on action:

Status value Description
USERNAME_PASSWORD_REQUIRED This value specifies that a username and password is required. This status can initiate a usernamePassword.check action, a user.register action, a registration.external action, a password.forgot action, or an authenticate action to sign on using an external identity provider.
PASSWORD_REQUIRED This value specifies that a password is required. This status initiates a usernamePassword.check action.
SIGN_ON_REQUIRED This value specifies that a sign-on action is required. This status transitions to a user.lookup action and a registration.external action in a passwordless authentication flow.
RECOVERY_CODE_REQUIRED This value specifies that the user initiated a password.forgot action and a recovery code must be sent. This status calls the password.recover action.
VERIFICATION_REQUIRED This value specifies that the user's account must be verified. This status calls the user.verify action.
OTP_REQUIRED This value specifies that the user must complete a multi-factor authentication action. This status calls the otp.check action.
DEVICE_SELECTION_REQUIRED This value specifies that the user must complete a device selection multi-factor authentication action. This status calls the device.select action.
PASSWORD_EXPIRED This value specifies that a user's password has expired and must be updated. This status calls the password.reset action.
MUST_CHANGE_PASSWORD This value specifies that a temporary password must be changed or updated. This status calls the password.reset action.
ACCOUNT_LINKING_REQUIRED This value specifies that the external identity returned by the identity provider requires an account linking action to link the external account to an existing user. This status can initiate a usernamePassword.check to link to an existing user, a user.register action to create a link to a new user, a registration.external action, or a password.forgot to link to an existing user who has forgotten the password.
ACCOUNT_CONFIRMATION_REQUIRED This value specifies that the external identity information returned by the identity provider requires an account confirmation action to verify the account data. This status can initiate a user.confirm action to verify the account information.
EXTERNAL_AUTHENTICATION_REQUIRED This value specifies that account authentication is required through an external identity provider's authentication flow. The authenticate embedded resource link provides the location to redirect the browser to sign on with the specified identity provider.
PROFILE_DATA_REQUIRED This value specifies that user must submit the requested profile data in order to continue the authentication flow.
COMPLETED This value specifies that the entire flow is completed and initiates a browser redirect to the resumeUrl property to continue.
FAILED This value specifies that the entire flow has failed.
PUSH_CONFIRMATION_REQUIRED This value specifies that a push was sent to a native device to confirm the authentication. The client will have to poll this status using GET /{{envID}}/flows/{{flowID}} to check whether the native device answered the push.
PUSH_CONFIRMATION_TIMED_OUT This value specifies that a push was sent to a native device, but the native device didn't answer the push during the allowed timeframe.
ASSERTION_REQUIRED This value specifies that for a FIDO2 device type, an assertion generated by the browser from the provided webauthn public key credential request is required to continue the flow. The flow calls the assertion.check action.
AGREEMENT_CONSENT_REQUIRED This value specifies that users need to consent to an agreement. This status calls the user.consent action.
DAG_USER_CODE_REQUIRED This value specifies that an activation action is required to continue the flow. The flow calls the deviceAuthGrant.userCode.verify action.
DAG_CONSENT_REQUIRED This value specifies that users need to consent to a device authorization grant agreement. This status calls the deviceAuthGrant.consent action. After accepting consent, a record is stored in the user's OAuth Scope Consents.
COMPLETED_ACCEPTED This completed state is used for device authorization grants to transition to a completed state. Unlike the COMPLETED flow state, this state does not transition the flow to the resume URL.
COMPLETED_DECLINED This completed state is used for device authorization grants to transition to a completed state, and it generates a "device consent declined" audit event.

Flow status data model and embedded resources

The following sections show the parameters required by the flow status. In addition, the following links and embedded resources are returned in the flow response for the given flow status.

USERNAME_PASSWORD_REQUIRED

Property Type Required? Mutable? Description
username String Required Mutable A string that specifies the username or ID of the user to authenticate.
password String Required Mutable A string that specifies the password or ID of the user to authenticate.
Links Description
usernamePassword.check The link to initiate a sign-on action that allows users to login with a username and password. The request body requires the username and password attributes.
user.register The link to initiate a sign-on action to register a user. The request body requires the username, email, and password attributes needed to define a new user.
registration.external The link to redirect a sign-on action to register a user to an external identity provider's registration workflow.
password.forgot The link to initiate an action to recover a user’s forgotten password. The request body requires the username attribute to identify the user.
Embedded resources Description
socialProviders.authenticate The link to the external authentication resource to initiate authentication using an external identity provider's authentication flow. The response also returns the following information about the identity provider: id, name, and type. For more information, see Base identity providers data model.
passwordPolicy The embedded password policy resource expanded to show password policy attributes. For more information about password policy attributes, see Password policies data model.

SIGN_ON_REQUIRED

Property Type Required? Mutable? Description
username String Required Mutable A string that specifies the username or ID of the user to sign on.
Links Description
user.lookup The link for existing users to sign on using their username.
registration.external The link to redirect a sign-on action to register a user to an external identity provider's registration workflow.

PASSWORD_REQUIRED

Property Type Required? Mutable? Description
username String Required Mutable A string that specifies the username or ID of the user to authenticate. If provided, must match the user currently associated with the session.
password String Required Mutable A string that specifies the password or ID of the user to authenticate.
Links Description
usernamePassword.check The link to initiate a sign-on action that allows users to log in with a username and password. The request body requires the username and password attributes.
password.forgot The link to initiate an action to recover a user’s forgotten password. The request body requires the username attribute to identify the user.
Embedded resources Description
socialProviders.authenticate The link to the external authentication resource to initiate authentication using an external identity provider's authentication flow. The response also returns the following information about the identity provider: id, name, and type. For more information, see Base identity providers data model.

PASSWORD_EXPIRED

Property Type Required? Mutable? Description
currentPassword String Required Mutable A string that specifies the current password, which must be verified before the new password is set.
newPassword String Required Mutable A string that specifies the new password to set.
Links Description
password.reset The link to initiate a sign-on action that allows users to reset their password. The request body requires the currentPassword and newPassword attributes.
Embedded resources Description
passwordPolicy The embedded password policy resource expanded to show password policy attributes. For more information about password policy attributes, see Password policies data model.

MUST_CHANGE_PASSWORD

Property Type Required? Mutable? Description
currentPassword String Required Mutable A string that specifies the current password, which must be verified before the new password is set.
newPassword String Required Mutable A string that specifies the new password to set.
Links Description
password.reset The link to initiate a sign-on action that allows users to reset their password. The request body requires the currentPassword and newPassword attributes.
Embedded resources Description
passwordPolicy The embedded password policy resource expanded to show password policy attributes. For more information about password policy attributes, see Password policies data model.

RECOVERY_CODE_REQUIRED

Property Type Required? Mutable? Description
recoveryCode String Required Mutable A string that specifies the recovery code sent to the user to recover the user's password.
newPassword String Required Mutable A string that specifies the new password to set.
Links Description
password.recover The link to initiate an action to recover the account and set a new password. The request body requires the recoveryCode and newPassword attributes.
password.sendRecoveryCode The link to send the one-time password (OTP) to the user.
Embedded resources Description
passwordPolicy The embedded password policy resource expanded to show password policy attributes. For more information about password policy attributes, see Password policies data model.

VERIFICATION_CODE_REQUIRED

Property Type Required? Mutable? Description
verificationCode String Required Mutable A string that specifies the verification code to check.
Links Description
user.verify The link to initiate an action to verify the user account to continue the authentication flow.
user.sendVerificationCode The link to initiate an action to send the user a new account verification email.

DEVICE_SELECTION_REQUIRED

Property Type Required? Mutable? Description
device.id String Required Mutable A string that specifies the ID of the selected device.
Links Description
device.select The link to initiate an action to specify a device ID to use in the multi-factor authentication flow.
Embedded resources Description
devices The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, see Device properties.

OTP_REQUIRED

Property Type Required? Mutable? Description
selectedDevice.id String Required Mutable A string that specifies the ID of the currently selected device.
Links Description
device.select The link to initiate an action to specify a device ID to use in the multi-factor authentication flow.
otp.check The link to initiate an action to validate the OTP used in the multi-factor authentication flow.
Embedded resources Description
devices The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, see Device properties.

PUSH_CONFIRMATION_REQUIRED

Property Type Required? Mutable? Description
selectedDevice.id String Required Mutable A string that specifies the ID of the currently selected device.
Links Description
device.select The link to initiate an action to specify a device ID to use in the multi-factor authentication flow.
Embedded resources Description
devices The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, see Device properties.

PUSH_CONFIRMATION_TIMED_OUT

Property Type Required? Mutable? Description
selectedDevice.id String Required Mutable A string that specifies the ID of the currently selected device.
Links Description
device.select The link to initiate an action to specify a device ID to use in the multi-factor authentication flow.
Embedded resources Description
devices The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, see Device properties.

ACCOUNT_LINKING_REQUIRED

Links Description
user.register The link to initiate a sign-on action that initiates an action to register a user. The request body requires the username, email, and password attributes to define a new user.
registration.external The link to redirect a sign-on action to register a user to an external identity provider's registration workflow.
Embedded resources Description
matchedUsers An array of 0 or more users that match the external identity. The request returns the username, email, and lastSignedOnAt attributes needed to identify the user.
identityProviders The external identity provider used to authenticate. The request returns the name and type attributes needed to identify the identity provider used for authentication.

ACCOUNT_CONFIRMATION_REQUIRED

Links Description
user.confirm The link to initiate an action to verify the data returned by the external identity provider. The request body can include the returned attributes from the identity provider.
Embedded resources Description
attributes An array of attributes returned by the external identity provider.

EXTERNAL_AUTHENTICATION_REQUIRED

Property Type Required? Mutable? Description
name String Required Mutable A string that specifies the name of the identity provider.
type String Required Mutable A string that specifies the identity provider type.
Embedded resources Description
identityProvider.authenticate A string that specifies the URL for the external identity provider's sign-on screen to initiate authentication with the external identity provider.
identityProvider.loginButtonIcon A string that specifies the URL for the external identity provider's login button icon file.

PROFILE_DATA_REQUIRED

Property Type Required? Mutable? Description
displayName String Required Mutable A string that specifies the display name as defined in the user schema.
name String Required Mutable A string that specifies the attribute name/path as defined in the user schema (for example, email, address.postalCode).
required Boolean Required Mutable A boolean that specifies whether the user is required to provide a value for the attribute.
Links Description
user.update The link to update the specified user's profile with the user attribute values provided in the request.
Embedded resources Description
attributes An array of user attributes provided to update the user's profile.
attributes.name A string that specifies the attribute path, as defined in the user schema (for example, email, name.family, address.postalCode).
attributes.displayName A string that specifies the attribute's display name, as defined in the user schema. This property is optional.
attributes.required A boolean that specifies whether the user is required to provide a value for the attribute.
promptText A string that specifies text to display to the user when prompting for attribute values.

ASSERTION_REQUIRED

Response property Description
publicKeyCredentialRequestOptions A string that specifies the public key credential request options object generated for the selected device that should be used to call the navigator.credentials.get() on the browser to generate the assertion.
Property Type Required? Mutable? Description
assertion String Required Mutable A string that specifies the authenticator assertion response, which contains the signed challenge needed to complete the MFA action.
compatibility String Optional Mutable A string that specifies the browser compatibility to support webauthn. Options are FULL (compatible with FIDO2 biometrics and security key), SECURITY_KEY_ONLY (compatible with security key only), and NONE (browser is not compatible with the webauthn method).
origin String Required Mutable A string that specifies the server name where the fetch originates, providing the URI scheme and hostname (for example, https://apps.pingone.com).
Links Description
device.select The link to initiate an action to specify a device ID to use in the multi-factor authentication flow. For more information, see Select an MFA device.
assertion.check The link to initiate an action to validate the assertion used in the multi-factor authentication flow. For more information, see Check assertion.
Embedded resources Description
devices The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, see Devices model properties.

AGREEMENT_CONSENT_REQUIRED

Property Type Required? Mutable? Description
accept Boolean Required Mutable A boolean that specifies whether the user has consented to the agreement. This property is required for a user.consent action. The value is true if the user has consented to the agreement.
Links Description
user.consent The link to initiate an action in which the user accepts the agreement.

DAG_USER_CODE_REQUIRED

Parameters Description
userCode A string that specifies the user code value returned by the device authorization grant authorize request.
Links Description
deviceAuthGrant.userCode.verify The link to initiate an action to verify the end-user's user code.

DAG_CONSENT_REQUIRED

Parameters Description
accept A boolean that specifies whether the user has consented to the agreement. This property is required for a deviceAuthGrant.consent action. The value is true if the user has consented to the agreement.
Links Description
deviceAuthGrant.consent The link to initiate an action to complete the consent agreement. On accepting the agreement, the flow transitions to the COMPLETED_ACCEPTED flow state; otherwise, it transitions to COMPLETED_DECLINED.

Flows

The GET /{{envID}}/flows/{{flowID}} operation retrieves the flow specified by the flowID in the request URL. For more information about this flow action, see Get a flow.

Flow API actions

The flow endpoint operation, POST /{{envID}}/flows/{{flowID}}, supports several flow actions that are specified by the custom media type provided in the HTTP Content-Type request header. The following table lists the PingOne custom media types and their associated authentication flow actions:

Media type Flow action
application/vnd.pingidentity.session.reset+json Update or reset a flow
application/vnd.pingidentity.usernamePassword.check+json Sign on with a username and password
application/vnd.pingidentity.user.lookup+json Sign on with a username in a passwordless flow
application/vnd.pingidentity.password.forgot+json Forgot password
application/vnd.pingidentity.user.register+json Register a user
application/vnd.pingidentity.usernamePassword.check+json Check a user's password
application/vnd.pingidentity.password.reset+json Reset a user's password
application/vnd.pingidentity.password.recover+json Recover a user's password
application/vnd.pingidentity.password.sendRecoveryCode Send the user a recovery code
application/vnd.pingidentity.user.verify+json Verify a user
application/vnd.pingidentity.user.sendVerificationCode+json Send the user a verification email
application/vnd.pingidentity.device.select+json Select an MFA device
application/vnd.pingidentity.otp.check+json Validate the one-time password
application/vnd.pingidentity.user.update+json Submit profile data
application/vnd.pingidentity.user.confirm+json Confirm account information
application/vnd.pingidentity.assertion.check+json Check assertion
application/vnd.pingidentity.user.consent+json Agreement Accept Consent
application/vnd.pingidentity.kerberos.lookup+json Sign on using Kerberos
application/vnd.pingidentity.deviceAuthGrant.userCode.verify+json Confirm Device Activation Code
application/vnd.pingidentity.deviceAuthGrant.consent+json Accept Device Authorization Grant Consent
Flows common response data model

These common properties are returned with the flow response.

Property Type Required? Mutable? Description
aggregateFido2Devices Boolean N/A Read-only Indication of whether the available authentication method list should include only a single generic FIDO2 option rather than including an entry for each paired FIDO2 device.
application Object Immutable A reference to the application that initiated the flow.
application.id String Immutable A string that specifies the ID of the application that initiated the flow.
application.name String Immutable A string that specifies the name of the application that initiated the flow.
application.icon.id String Immutable A string that specifies the icon ID for the application that initiated the flow.
application.icon.href String Immutable A string that specifies the URL of the icon for the application that initiated the flow.
authenticator Array Read only An array that specifies the set of authentication methods that the user completed in this flow. The values returned by the flow must use the values defined in RFC 8176. The order of the methods returned by the flow might not reflect the order in which they were executed in the flow.
authorizeResponse.access_token String Read only A string that specifies the access token returned by the flow in a non-redirect or MFA only authentication flow (for an implicit authorization request).
authorizeResponse.id_token String Read only A string that specifies the ID token returned by the flow in a non-redirect or MFA only authentication flow (for an implicit authorization request).
authorizeResponse.code String Read only A string that specifies the authorization code returned by the flow in a non-redirect or MFA only authentication flow (for an authorization_code authorization request).
authorizeResponse.state String Immutable A string that specifies the authorization state (used to maintain state between the logout request and the callback to the redirect URI) returned by the flow in a non-redirect or MFA only authentication flow (for an authorization_code authorization request).
completedSignOnPolicy.id String Read only A string that specifies the ID of the completed sign-on policy resource after the flow is COMPLETED.
completedSignOnPolicy.name String Read only A string that specifies the name of the completed sign-on policy after the flow is COMPLETED.
createdAt Date Read only The time the resource was created.
expiresAt Date Read only The time this flow will expire due to inactivity timeout based on a sliding window.
id String Immutable A string that specifies the flow resource’s unique identifier.
identifier String Immutable A string that specifies a username value returned from the login_hint property.
resumeUrl String Immutable A string that specifies where the flow handler UI will redirect the browser to after the flow is COMPLETED or FAILED.
status String Immutable A string that specifies the status of the flow.
user.id String Immutable A string that specifies the ID of the session user. This value is used for authentication flows initiated with an existing session's unique ID.

These common links are returned with the flow response.

Links Description
self The link to the current flow resource.
session.reset The link to the session reset action. This link is present if the user has signed on previously on this device. It can be used to sign off the user and reset the flow.

These common embedded resources are returned with the flow response:

Embedded resources Description
devices List of objects containing the properties of each devices associated with the user.
devices[].otpStatus.status Whether or not the device can be used currently for OTP-based authentication. Value returned is ENABLED or DISABLED. Relevant only for devices where type is MOBILE.
devices[].otpStatus.reason If the status is DISABLED, contains the reason that the device cannot be used for OTP-based authentication, for example, that the application used a version of the MFA SDK that does not support OTP. Relevant only for devices where type is MOBILE.
devices[].pushStatus.status Whether or not the device can be used currently for push-based authentication. Value returned is ENABLED or DISABLED. Relevant only for devices where type is MOBILE.
devices[].pushStatus.reason If the status is DISABLED, contains the reason that the device cannot be used for push-based authentication, for example, that the push option was disabled for the application in the MFA policy. Relevant only for devices where type is MOBILE.
devices[].usableStatus.status Whether or not the device can be used currently for authentication. Value returned is ENABLED or DISABLED.
devices[].usableStatus.reason If the status is DISABLED, contains the reason that the device cannot be used for authentication, for example, that the defined daily notifications limit has already been reached.
user The link to the resource containing profile attributes of the actively signing-on or previously signed-on user.

Audit reporting events

To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.

Service Event
FlowDefinitions FLOW_DEFINITION.CREATED
FlowDefinitions FLOW_DEFINITION.UPDATED
FlowDefinitions FLOW_DEFINITION.DELETED
FlowExecutions FLOW_EXECUTION.CREATED
FlowExecutions FLOW_EXECUTION.UPDATED
FlowExecutions FLOW_EXECUTION.DELETED
FlowExecutions STEP_EXECUTION.CREATED
FlowExecutions STEP_EXECUTION.UPDATED
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You weren’t authenticated to perform this operation.
404 The requested resource was not found.

Check Assertion


Check One-Time Password (OTP)


Check Username/Password


Reset Flow


Reset Password


Select Device


Sign On with a Username


Sign On with Kerberos


Read Flow

Forgot Password

The forgot password endpoints provide the flow actions to recover a user's forgotten password. These flow actions allow the user to recover the account and set a new password.


Forgot Password


Send (Resend) Recovery Code


Recover Password

Registration and Verification

The registration and verification endpoints provide flow actions for the following authentication workflows:

  • Register new users.

  • Verify the newly registered user account.

  • Update user profiles.

  • Confirm user account information received from an external identity provider.

  • Prompt users to consent to (or reject) an agreement.


Register User


Send (Resend) Verification Code


User Profile Update


Confirm Account Information


Agreement Accept Consent


Verify User

Device Authorization Grant Flows

The device authorization grant endpoints provide the flow actions to verify a user's device user code and accept a consent agreement for the device. These flow actions address the flow states generated in a device code authentication flow.


Confirm Device Activation Code


Accept Device Authorization Grant Consent

OpenID Connect/OAuth 2

PingOne integrates with applications that use standards-compliant protocols by taking on the role of an OpenID Connect provider and OAuth 2 authorization server. In this capacity, PingOne provides the framework for connected applications to access protected HTTP resources. For more information about OpenID Connect and OAuth 2, see the OpenID Connect 1.0 spec and the OAuth 2.0 Authorization Framework RFC6749.

The PingOne authorization endpoint /{{envID}}/as/authorize is used to interact with the resource owner and obtain an authorization grant. For more information and additional examples, see Authorization and authentication by application type.

OpenID Connect/OAuth2 data model

Property Type Required? Mutable? Description
acr_values String Optional Mutable Either a single DaVinci policy (identified by the flow policy ID), or one or more PingOne sign-on policies by name (space-separated). The PingOne sign-on policies can be the predefined sign-on policies, Single_Factor and Multi_Factor, or any custom defined sign-on policy names. The PingOne sign-on policy names should be listed in order of preference, and they must be assigned to the application.
client_assertion String Optional Mutable A JWT that contains a signed assertion with the application’s credentials. This property is required if the application's tokenEndpointAuthMethod is set to either PRIVATE_KEY_JWT or CLIENT_SECRET_JWT.
client_assertion_type String Optional Mutable A string that specifies the client assertion type. The value of this property must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer. This property is required if the application's tokenEndpointAuthMethod is set to either PRIVATE_KEY_JWT or CLIENT_SECRET_JWT.
client_id String Required Immutable The application's UUID.
client_secret String Required Immutable The application's client secret.
code String Optional Immutable the authorization code returned by the authorization server. This property is required only if the grant_type is set to authorization_code.
code_challenge String Optional Immutable Computed from the code_verifier that is used in a Proof Key for Code Exchange (PKCE) authorization request. The length and character set requirements for the code_challenge string are documented in Section 4.1 of RFC7636. The computation for the code_challenge string is documented in Section 4.2 of RFC7636.
code_challenge_method String Optional Mutable Specifies the computation logic used to generate the code_challenge string. The token endpoint uses this method to verify the code_verifier for PKCE authorization requests. Options are: plain and S256.
code_verfier String Optional Immutable Used to create the code_challenge value passed to the authorization server in the request. The length an character set requirements for the code_verifier string is documented in Section 4.1 of RFC7636.
grant_type String Optional Mutable The grant type of the token request. Options are authorization_code, implicit, refresh_token, and client_credentials.
login_hint String Optional Mutable A login identifier to pre-fill the Username field of the sign-on screen. The string can be the UUID of an existing user in the environment, which results in the look-up of the user's username property, or it can be another string used to pre-fill the sign-on screen. The Username field of the sign-on screen does not pre-fill if (1) no string is provided as a hint, and (2) the OpenID Connect scope openid is not specified. In the flow response, if the login_hint value is a username, the value is returned in the flow response's identifier attribute. If the login_hint is a UUID, and the look-up finds a user, the username value is returned in the identifier attribute. If a user is not found, the UUID is returned in the flow response's identifier attribute.
login_hint_token Token Optional Immutable Provides a way for the client to identify and authenticate the end-user without needing to encode the entire authentication request in a signed JWT. Using a separate token instead of the login_hint parameter also means that this token can be signed by a client different from the authenticating client.
mobilePayload Parameter Optional Mutable Used by mobile applications leveraging PingOne MFA SDK. See Implement automatic pairing of native app as MFA authenticator app.
max_age String Optional Mutable The maximum amount of time allowed (in seconds) since the user last authenticated. If the max_age value is exceeded, the user must re-authenticate. If the max_age value is set to 0 (max_age=0), the user is always required to re-authenticate.
nonce String Optional Immutable Used to associate a client session with a token to mitigate replay attacks. The value is passed through unmodified from the authentication request to the token. This is an optional property for authorization requests that return a code.
prompt String Optional Mutable Specifies whether the user is prompted to login for re-authentication. The prompt parameter can be used as a way to check for existing authentication, verifying that the user is still present for the current session. For prompt=none, the user is never prompted to login to re-authenticate, which can result in an error if authentication is required. For prompt=login, if time since last login is greater than the max-age, then the current session is stashed away in the flow state and treated in the flow as if there was no previous existing session. When the flow completes, if the flow's user is the same as the user from the stashed away session, the stashed session is updated with the new flow data and persisted (preserving the existing session ID). If the flow's user is not the same as the user from the stashed session, the stashed session is deleted (logout) and the new session is persisted.
redirect_uri String Required Mutable The URL of the return entry point of the application.
refreshTokenRollingGracePeriodDuration Integer Optional Mutable The number of seconds that a refresh token may be reused after having been exchanged for a new set of tokens. This is useful in the case of network errors on the client. Valid values are between 0 and 86400 seconds. Null is treated the same as 0.
request Token Optional Immutable A JWT that enables OIDC/OAuth2 request parameters to be passed as a single, self-contained parameter. If the application's supportUnsignedRequestObject property value is set to false, the JWT must be signed (using the HS256 signing algorithm). Using a JWT enables integrity protection of parameters that are required for risk-based authentication or privacy and consent use cases. Specifically:
  • Passing in the user agent's original IP address when the PingOne platform is used behind a server side application that is functioning as an authentication gateway or PingFederate.
  • Passing in a purpose or usage description string that could be displayed to the user on the authentication UI prompt, SMS or voice message, push notification, or email message.
For more information, see Create a request property JWT.
response_mode String Optional Mutable The mechanism for returning authorization response parameters from the authorization endpoint. Options are query, fragment, form_post, and pi.flow. The pi.flow option is a Ping Identity custom response mode to specify that the redirect_uri parameter is not required and authorization response parameters are encoded as a JSON object wrapped in a flow response and returned directly to the client with a 200 status. For more information about the query, fragment, and form_post options, see the ResponseModes section of the OAuth 2.0 Multiple Response Type Encoding Practices specification. For non-redirect use case information, see Redirect and non-redirect authentication flows.
response_type String Required Mutable The code or token type returned by an authorization request. Options are token, id_token, and code.
scope String Optional Mutable Permissions that determine the resources that the application can access. This parameter is not required, but it is needed to specify accessible resources.
state String Optional Mutable Used to maintain state between the logout request and the callback to the endpoint specified by the post_logout_redirect_uri query parameter.
subject_token String Required Immutable The security token that represents the identity of the PingFederate cluster (or other client type) that requires access to PingOne services.
subject_token_type String Required Immutable The type of the security token provided in the subject_token property. Options are pingone_gateway_credential.
token String Required Immutable The token string. This is a required property for token introspection and token revocation.
Application access control conditions

You can configure OpenID Connect applications for access control by setting the accessControl property on the application. For more information about accessControl properties, see Application Operations. When accessControl properties are set for an application, the user must meet the requirements specified by these application properties to get a token. If the user attempts to authenticate and the grant_type is either authorization_code or implicit, then the application's accessControl conditions are evaluated to determine whether the user can be issued a token.

The token (or tokens) is minted if the user meets the application's access control conditions. If the conditions are not met, the token (or tokens) is not issued and an ACCESS_FAILED error is returned. If access is denied, a USER.ACCESS_DENIED event is published; otherwise, a USER.ACCESS_ALLOWED event is published.

For more information, see Control access to applications through roles and groups.

Audit reporting events

To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.

Service Event
applications SECRET.UPDATED
applications SECRET.READ
applications GRANT.CREATED
applications GRANT.UPDATED
applications GRANT.DELETED
resources RESOURCE.CREATED
resources RESOURCE.UPDATED
resources RESOURCE.DELETED
resources SCOPE.CREATED
resources SCOPE.UPDATED
resources SCOPE.DELETED
resources ATTRIBUTE.CREATED
resources ATTRIBUTE.UPDATED
resources ATTRIBUTE.DELETED
resources SECRET.UPDATED
resources SECRET.READ

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You weren’t authenticated to perform this operation.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Authorization

The authorize endpoints support the following actions:

  • The authorize endpoint /{{envID}}/as/authorize is used to interact with the end user and obtain an authorization grant. Note that PingOne supports both GET and POST operations for authorize requests. The supported parameters for an authorize request vary depending on the value of the response_type parameter (code, token, id_token or combinations of these three options).

  • For non-redirect flows, such as with native mobile apps in which the app renders the end user interface, response_mode property value is set to pi.flow. This setting allows the app to authenticate using the PingOne flows API without needing to handle HTTP redirections. The pi.flow value is also used with transaction approval use cases in which strong authentication is required for elevated security for a high-value transaction, or high-risk resource or service.

Use Cases


Authorize (authorization_code)


Authorize (implicit)


Authorize (hybrid)


Authorize (authorization_code)


Authorize (implicit)


Authorize (hybrid)


Authorize (Non-redirect and MFA Only Flows)


Authorize (Transaction Approval)

Pushed Authorization Request

Applications can use a pushed authorization request (PAR) to securely initiate authorization flows. A PAR allows applications to send their authorization requests directly to PingOne without going through the browser, which safeguards sensitive data from end-user devices.

With a PAR, an application can push an authorization request payload to PingOne with a direct back-channel request, which is a more secure method of sending sensitive data, such as personally identifiable information, than sending it with a browser on the front channel.

The POST /{{envID}}/as/par endpoint accepts the same request parameters as /{{envID}}/as/authorize, as well as any additional parameters needed for client authentication. It can accept signed and unsigned requests. Requests must be less than 1MB.

After PingOne validates the request and saves the payload, it returns the request_uri parameter as a reference to the payload. The response also indicates the lifetime of the request URI. The default lifetime is 60 seconds.

The application then uses the front channel to request an authorization code or token, sending the request_uri parameter to PingOne. PingOne uses the request URI to look up the request payload and continue the authorization flow. PingOne accepts a particular request URI only once.

For more information on the PAR specification, see RFC 9126.


Pushed Authorization Request (NONE)


Pushed Authorization Request (CLIENT_SECRET_POST)


Pushed Authorization Request (CLIENT_SECRET_BASIC)


Pushed Authorization Request (CLIENT_SECRET_JWT)


Pushed Authorization Request (PRIVATE_KEY_JWT)


Authorize (implicit) (request_uri)

Token

The token endpoints support the following actions:

  • The token endpoint /{{envID}}/as/token is used by the client to obtain an access token by presenting its authorization grant. Note that authentication requirements to this endpoint are configured by the application's tokenEndpointAuthMethod property. For information about the application's tokenEndpointAuthMethod property, see the "Applications OIDC settings data model" table in Application Operations.

  • The token introspection endpoint /{{envID}}/as/introspect returns the active state of an OAuth 2.0 token and the claims specified in RFC 7662 Section 2.2. The request requires the token parameter, which is the token string.

  • The token revocation endpoint {{envID}}/as/revoke revokes the token specified in the request. Note that this operation does not apply to the tokens issued for the PingOne API resource.

Use Cases


Token (authorization_code) (CLIENT_SECRET_BASIC)


Token (authorization_code) (CLIENT_SECRET_POST)


Token (client_credentials) (CLIENT_SECRET_POST)


Token (authorization_code) (CLIENT_SECRET_JWT)


Token (authorization_code) (PRIVATE_KEY_JWT)


Token (authorization_code) (NONE)


Token (refresh_token) (CLIENT_SECRET_BASIC)


Token (refresh_token) (CLIENT_SECRET_POST)


Token (refresh_token) (CLIENT_SECRET_JWT)


Token (refresh_token) (PRIVATE_KEY_JWT)


Token (refresh_token) (NONE)


Token Admin App (client_credentials)


Token Exchange (Gateway Credential)


Token Introspection (Access Token)


Token Introspection (ID Token)


Token Introspection (Refresh Token)


Token Introspection (Resource ID and Secret)


Token Revocation

Device Authorization Grant

The device authorization grant endpoints support the following actions for applications configured with the DEVICE_CODE grant type:

  • The device authorization endpoint /{{envID}}/as/device_authorization starts an action to return an activation code to the end user. The endpoint response returns a device code, a user code, and a verification URI. The supported parameters for the endpoint request are the client_id parameter and an optional scope parameter.

  • The start flow endpoints /{{envID}}/device/{{appIdentifier}} or /{{envID}}/device in which the appIdentifier variable represents one of either the application ID (clientId or applicationId) or a short secondary application identifier (devicePathId configured per app) that is used only with the /device endpoint.

  • The token endpoint /{{envID}}/as/token returns the tokens issued for the device.

Device authorization grant data model

Property Type Required? Mutable? Description
client_id String Required Immutable The application's UUID.
grant_type String Required Mutable The grant type of the token request. Options are urn:ietf:params:oauth:grant-type:device_code.
scope String Optional Mutable Permissions that determine the resources that the application can access. This parameter is not required, but it is needed to specify accessible resources.
device_code String Required Read only The device verification code. This is a required property for device auth grant flows.
user_code String Required Read only The end-user verification code. This is a required property for device auth grant flows.
verification_uri String Required Read only The end-user verification URI on the authorization server. This is a required property for device auth grant flows.
verification_uri_complete String Optional Read only The end-user verification URI on the authorization server that includes the user_code.
expires_in String Required Read only The lifetime, in seconds, of the device_code. This value is set on the application configuration.
interval String Optional Read only The minimum amount of time, in seconds, that the client should wait between polling requests to the token endpoint. If no value is provided, the default is 5 seconds. This value is set on the application configuration.

Authorize (device)


Token (device_code) (NONE)


Start device flow (with appIdentifier)


Start device flow (without appIdentifier)


Resume


Userinfo


Resume


Discovery OpenID Configuration


Userinfo


Signoff


Read JWKS

SAML 2.0

The SAML endpoints are used by SAML applications to initiate sign-on and signoff operations. The SAML service implements functions to initiate SAML 2.0 single sign-on and single logout authentication flows.

Use Cases

SAML 2.0 protocol

The SAML protocol allows clients to obtain a requestor’s authentication state. SAML 2.0 uses security tokens, which contain assertions about the requestor, to pass authentication and authorization information about the requestor between the identity provider and the resource provider.

SAML SSO authentication requests

A SAML SSO authentication request uses the following authentication flow:

  1. The client (browser) initiates a login action to access a protected resource.
  2. The identity provider issues an <AuthnRequest> message to be delivered by the user agent to the SAML service endpoint using either HTTP Redirect or HTTP POST.
  3. The SAML service validates the request and creates an authentication flow with the flow orchestration service.
  4. The SAML service indicates user interaction is required to perform the authentication flow.
  5. The browser is redirected to the PingOne hosted authentication UI or the per application configured URL of a custom UI, passing in the environmentId and flowSessionId query parameters. The authentication UI uses flow orchestration and action services endpoints to complete the authentication flow. The authentication API checks on every call to ensure that the session token cookie contains the current token for the session associated with the flow. On successful completion of the flow, a new session token is generated for the session and set in the cookie.
  6. The browser is redirected to the resume endpoint of the SAML service.
  7. The SAML service retrieves and deletes the authentication flow from the flow orchestration service.
  8. The SAML service generates the appropriate tokens and issues a <Response> message delivered by the user agent to the identity provider using HTTP POST.

The following is a sample SAML assertion generated for an authentication <AuthnRequest> request:

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:21:59">
    <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
  </samlp:AuthnRequest>


The following data model describes the supported attributes for a SAML <AuthnRequest> request. For more information see Security Assertion Markup Language (SAML) V2.0 Technical Overview.

Property Required? Description
id Required The value of the ID attribute in the request. The InResponseTo attribute in the corresponding response must match this value.
version Required The value should be set to 2.0.
IssueInstant Required The time (in UTC) that the request was issued.
destination Required A URI reference indicating the address to which this request has been sent. It is required if the <AuthnRequest> request, optional otherwise. If submitted, it should match the location at which the message was received.
consent Optional A string that specifies whether or not (and under what conditions) consent has been obtained from a principal in the sending of this request.
ForceAuthn Optional A boolean that when set to true specifies that the identity provider must authenticate the presenter directly rather than rely on a previous security context. If a value is not provided, the default value is false.
IsPassive Optional A boolean that when set to true specifies that the identity provider and the user agent itself must not visibly take control of the user interface from the requester and interact with the presenter in a noticeable fashion. If a value is not provided, the default value is false.
AssertionConsumerServiceIndex Optional This value specifies the location to which the <Response> message should be returned to the requester. It applies only to profiles in which the requester is different from the presenter. If omitted, then the identity provider must return the <Response> message to the default location associated with the requester for the profile of use.
AssertionConsumerServiceURL Optional This value specifies the location to which the <Response> message must be returned to the requester. This attribute is mutually exclusive with the AssertionConsumerServiceIndex attribute and is typically accompanied by the ProtocolBinding attribute.
ProtocolBinding Optional A URI reference that identifies a SAML protocol binding used when returning the <Response> message. This attribute is mutually exclusive with the AssertionConsumerServiceIndex attribute and is typically accompanied by the AssertionConsumerServiceURL attribute.
ProviderName Optional This value specifies the human-readable name of the requester. It is used only for logging purposes, if available and if needed.
<saml:Issuer> Required This value specifies the service provider (9)SP) Entity ID. It identifies the entity that generated the request message. This should be treated as the client_id.
<ds:Signature> Optional An XML Signature that authenticates the requester and provides message integrity.
<RequestedAuthnContext> Optional A value that specifies the requirements, if any, that the requester places on the authentication context that applies to the responding provider's authentication of the presenter.
<saml:Subject> Optional A value that specifies the requested subject that names the actual identity about which it wishes to receive an assertion.
<NameIDPolicy> Optional A value that specifies the constraints on the name identifier to be used to represent the requested subject.
<saml:Conditions> Optional A value that specifies the SAML conditions the requester expects to limit the validity and/or use of the resulting assertion (or assertions).
<Scoping> Optional A value that specifies a set of identity providers trusted by the requester to authenticate the presenter, as well as limitations and context related to proxying of the <AuthnRequest> message to subsequent identity providers by the responder.

The following is a sample SAML assertion response:

<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_2"
    InResponseTo="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:22:05"
    Destination="https://sp.example.com/SAML2/SSO/POST">
    <saml:Issuer>https://auth.pingone.com/{{envID}}</saml:Issuer>
    <samlp:Status>
      <samlp:StatusCode
        Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="identifier_4"
      Version="2.0"
      IssueInstant="2004-12-05T09:22:05">
      <saml:Issuer>https://auth.pingone.com/{{envID}}</saml:Issuer>
      <!-- a POSTed assertion MUST be signed -->
      <ds:Signature
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
      <saml:Subject>
        <saml:NameID
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
          3f7b3dcf-1674-4ecd-92c8-1544f346baf8
        </saml:NameID>
        <saml:SubjectConfirmation
          Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <saml:SubjectConfirmationData
            InResponseTo="identifier_1"
            Recipient="https://sp.example.com/SAML2/SSO/POST"
            NotOnOrAfter="2004-12-05T09:27:05"/>
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions
        NotBefore="2004-12-05T09:17:05"
        NotOnOrAfter="2004-12-05T09:27:05">
        <saml:AudienceRestriction>
          <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
        </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement
        AuthnInstant="2004-12-05T09:22:00"
        SessionIndex="identifier_3">
        <saml:AuthnContext>
          <saml:AuthnContextClassRef>
            urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
         </saml:AuthnContextClassRef>
        </saml:AuthnContext>
      </saml:AuthnStatement>
    </saml:Assertion>
  </samlp:Response>


IdP-Initiated SSO

IdP-initiated SSO allows users to authenticate through their identity provider, which then issues and signs SAML assertions to service providers. This allows users to access multiple applications and services with a single authentication.

IdP-Initiated SSO uses the following flow:

  1. A user signs on to their system with a username and password and is presented with an application catalog that displays icons representing the web-based applications and services they can access.
  2. The user clicks an icon to access one of those applications or services.
  3. The IdP creates and signs an SAML assertion that includes information about the user’s identity, along with any other attribute information that the IdP and SP agreed to share to authenticate users.
  4. The IdP either sends the assertion to the SP through a browser or sends a reference to the assertion that the SP can use to securely retrieve the assertion.
  5. The SP validates the signature to ensure that the SAML assertion really came from its trusted IdP and that none of the values in the assertion have been modified. It also extracts the identity, attribute, and authorization information it needs to determine whether access should be granted and which privileges the user will have.
  6. Users access the application or service.

IdP-Initiated SSO has the following benefits:

  • The user gains access to catalog of applications and services with a single authentication.
  • The authentication flow is more secure because user credentials are never transmitted between IdP and SP.
  • The authentication flow is simpler because it eliminates a redirect step from SP to IdP.

You can start the IdP-Initiated SSO authentication session using the Get Identity Provider Initiated SSO request.

SAML SLO logout requests

A SAML single logout (SLO) operation uses the following flow:

  1. The user initiates logout.
  2. The session participant initiates single logout by sending a <LogoutRequest> message to the identity provider that sent the corresponding <AuthnRequest> authentication assertion.
  3. The SAML service validates the request. It then calls the end session endpoint of the flow orchestration service and passes through the cookie header. The flow orchestration service deletes the session identified by the session cookie and includes a Set-Cookie in the response to immediately expire the session cookie.
  4. The identity provider uses the contents of the <LogoutRequest> message to determine the session(s) being terminated.
  5. The identity provider issues a <LogoutResponse> message to the original requesting session participant.

DaVinci flows with SAML applications

The following workflow outlines the interaction between PingOne applications and DaVinci flows and flow policies.

  1. PingOne applications support a configuration option to assign DaVinci flow policies to the application. For information about creating DaVinci flows and flow policies, see Getting Started with DaVinci. For information on designating a DaVinci flow as a PingOne flow, see Setting a trigger type on the flow.

  2. The SAML SSO service retrieves the application configuration data. Based on the configuration, the application can use either a PingOne sign-on policy or a DaVinci flow policy to determine the sign-on workflow. To assign DaVinci flow policies to applications, see Application Flow Policy Assignments.

  3. For DaVinci flow policy use cases, the DaVinci widget renders the sign-on flow page. For more information about DaVinci widgets, see Launching a flow with the widget in the PingOne admin documentation.

  4. The DaVinci widget manages the flow, and after the flow completes, the PingOne SSO Connector creates a session and passes control back to the protocol service.

  5. The SAML SSO service processes the response, performs attribute mapping using user attributes from the PingOne directory, creates a SAMLResponse, and sends it to the SAML application.

  6. The application continues its normal flow, calling the PingOne token endpoint to obtain the tokens.

SAML data model

Property Type Required? Mutable? Description
acsUrls URL Required Mutable The Assertion Consumer Service URLs. The first URL in the list is used as default. There must be at least one URL.
assertionDuration Integer Required Mutable The assertion validity duration in seconds.
assertionSigned Boolean Optional Mutable Whether the SAML assertion itself should be signed. The default value is true.
defaultTargetUrl String Optional Mutable A URL that sets the relay state if the identity provider does not include an applicationUrl query parameter in its /{{envID}}/saml20/idp/startsso request.
description String Optional Mutable A description of the resource.
enabled Boolean Optional Mutable Whether the application is enabled. The default is false if this value is not set.
icon.id String Optional Mutable The icon resource’s unique identifier.
icon.href String Optional Mutable The URL of the icon resource.
id String Required Immutable The resource’s unique identifier.
idpSigning.key.id String Optional Mutable The certificate to be used by the identity provider to sign assertions and responses. If this property is omitted, the default signing certificate for the environment is used.
loginPageUrl String Optional Mutable The URL of the authentication flow UI that this application uses to interact with the end-user through the authentication flow. If a URL is not specified, the default PingOne hosted UI is used.
name String Required Mutable The name of SAML attribute and should be unique within an environment. Note that samlAssertion.subject is a reserved case-insensitive name that indicates the mapping to be used for the subject in the assertion.
protocol String Required Mutable The protocol used by the application. This value determines the set of additional protocol specific properties, links, and embedded resources associated with the resource. Options are OPENID_CONNECT and SAML.
RelayState String Required Mutable The target application ID for SAML assertions used in IdP-initiated SSO.
responseSigned Boolean Optional Mutable Whether the SAML assertion response itself should be signed. The default value is false.
returnUrl String Optional Mutable The endpoint of the PingOne SSO Connector receiving the ppmResponsefrom the PingOne SAML SSO service. This is strictly validated based on configuration.
sloBinding String Optional Mutable The binding protocol to be used for the logout response. Options are HTTP_REDIRECT or HTTP_POST. The default is HTTP_POST. Existing configurations with no data default to HTTP_POST.
sloEndpoint URL Optional Mutable The logout endpoint URL. If a sloEndpoint logout endpoint URL is not defined, logout actions result in an error.
sloResponseEndpoint URL Optional Mutable The endpoint URL to submit the logout response. If a value is not provided, the sloEndpoint property value is used to submit SLO response.
spEntityId String Required Immutable The service provider entity ID used to lookup the application. This is a required property and is unique within the environment.
spVerification.cert.id String Optional Mutable The certificate ID used to verify the service provider signature.

Application access control conditions

You can configure SAML applications for access control by setting the accessControl properties on the application. For more information about accessControl properties, see Application Operations. When accessControl properties are set for an application, the user must meet the requirements specified by these application properties. If the user attempts to authenticate, then the application's accessControl conditions are evaluated before creating an assertion.

An assertion is created if the user meets the the application's access control conditions. If the conditions are not met, then an authorization failed error is returned with the top level code urn:oasis:names:tc:SAML:2.0:status:Responder and the second level code urn:oasis:names:tc:SAML:2.0:status:RequestDenied. If access is denied, a USER.ACCESS_DENIED event is published; otherwise, a USER.ACCESS_ALLOWED event is published.

For more information, see Control access to applications through roles and groups.

Audit reporting events

To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.

Service Event
applications ATTRIBUTE.CREATED
applications ATTRIBUTE.UPDATED
applications ATTRIBUTE.DELETED

Response codes

Code Message
200 Successful operation.
201 Successfully created.
400 The request could not be completed. .
401 You weren’t authenticated to perform this operation.
404 The requested resource was not found.

SAML SSO Using POST


SAML ACS Endpoint for Inbound SSO


SAML ACS Endpoint for Identity Provider Initiated Inbound SSO


SAML SLO Using POST


Read SAML Metadata


SAML SSO Using GET


Identity Provider Initiated SSO


Read SAML Service Provider Metadata


Service Provider Initiated Inbound SSO


SAML SLO Using GET


SAML resume

Management APIs

The PingOne Management API provides the interface to configure and manage your PingOne organization. The Management API includes the following entities.

Organizations

PingOne uses an organization-based model to define tenant accounts and their related entities. The organization is the top-level identifier. It defines your entire enterprise within the PingOne platform.

For more information, see Organizations.

Environments

An organization contains one or more environments. Environments define separate working domains within an organization. Environments are used to model regions within a large global enterprise such as NA (North America) or EU (European Union). They are also used as the defining entity to segregate enterprise operations by functionality, staging environments, or configurations.

In the management API sample requests shown in this document, the {{apiPath}} variable in the sample requests represents the regional domain for the PingOne server. See PingOne API domains for more information.

For more information, see Environments.

Environments contain many of the core resources on which all identity services are built. Environments encompass:

  • Populations

    In PingOne, a population defines a set of users, similar to an organizational unit (OU). In a given environment, you can use populations to simplify the management of users. For example, you can create a population for similar types of users and apply a password policy to that population. You must create at least one population before you can create users. An individual user cannot belong to more than one population simultaneously, but users can be moved to a different populations.

    For more information, see Populations.

  • Users

    Users are unique entities that interact with the applications and services within the environment to which the they are assigned. User resources in PingOne are the full representation of a user profile, including the user's relationships, roles, devices, and attributes. Users are associated with populations rather than defined within a population. The user's association with a population is established as a property on the user resource.

    For more information, see Users, User password management, User role assignments, and Enable user devices.

  • Applications and resources

    Applications in PingOne define the connection between the PingOne platform and the actual application (also thought of as the client configuration). Resources represent the connections to external services, enabling secure access to PingOne resources and other defined external resources.

    For more information, see Application Management, Application role assignments, Application sign-on policy assignments, Resources, Resource scopes, and Resource attributes.

  • Activities

    Activities are collections of user activity information such as login attempts, password reset attempts, and total active user counts. This audit data can be exported, reported on, or streamed out to customer security information and event management (SIEM) solutions.

    For more information, see User activities.

  • Branding and images

    Branding can be configured for elements of the PingOne interface. All end user interfaces are branded according to the theme defined in the associated branding resource. Image resources can be configured to upload custom branding image files to the content delivery network (CDN) and manage the lifecycle of those images.

    For more information, see Branding and Images.

  • Password policies

    These resources represent the password management actions and password policies that can be applied to users within an environment.

    For more information, see Passwords.

  • Sign-on policies

    These resources represent the sign-on workflow policies to establish an authentication flow during login, re-authentication, or registration actions that identify and verify users. The authentication workflows are part of the authentication API. The signOnPolicy resource is a proxy back to other APIs to perform authentication actions.

    For more information, see Sign-on policies and Sign-on policy actions.

  • Notifications templates

    These endpoints manage notification templates resources and notifications content.

    For more information, see Notifications templates and Notifications settings.

  • Certificates and keys

    The certificate management endpoints provide an implementation that supports FIPS 140-2 Level 1 compliant security algorithms to generate key pairs. They manage customer-provided certificates, customer-provided signing/encryption keys, Ping-generated certificates (PKI), and Ping-generated signing/encryption keys.

    For more information, see Certificate management.

  • Identity providers

    The identity provider endpoints manage external identity provider configurations to enable social login and inbound SAML login features in PingOne. An external identity provider configuration allows linked users to authenticate and gain access to PingOne resources using the login flow and credentials provided by the external identity provider.

    For more information, see Identity providers and Linked accounts.

Roles, entitlements, and permissions

Roles, permissions, and entitlements are defined at the root of the platform, and these entitlements apply to all PingOne management APIs, regardless of domain. Roles are assigned to users, and these user roles include a scope property to grant the user permissions corresponding to the role. For example, a role of Identity Admin contains permissions allowing the subject to read and edit user data. When this role is assigned to a user, it can be assigned with the scope property that identifies a population or an environment to which the permissions apply.

Self-service application permissions are described using scopes rather than roles. Scopes are more narrowly defined roles in that a scope cannot cross an environment boundary, and it is restricted to a specific task. For example, the p1:read:user scope grants permission to read the user resource's data only; it does not grant permission to read another user's data or perform create, update, or delete operations on user resources. Self-service applications issue access tokens that grant these narrowly defined permissions to end users.

For more information, see Roles, Resource scopes, and Access services through scopes and roles.

Licenses

The license resource identifies the organization that owns the license, the licensing package type, and the expiration date for the license.

For more information, see Licensing.

Identity accounts

Active identity counts use authentication and password-evaluation user events to determine whether an identity is active within a specified sampling period. Total identity counts provide the number of unique identities associated with a specified environment per day.

For more information, see Active identity counts and Total identities.

Application Management

Application resources define the connection between PingOne and the actual application (also known as a client connection). The application type you choose to create includes default settings that you're free to change. For example, you can configure the settings for a Single-Page application to match the settigs for a Web application. This is by design for maximum flexibility.

When you make a request to create a new application, you must specify the type property that specifies one of the following application types:

  • Web application

    A browser-based application with a server-side component, such as ASP, CGI, JSP/Java, Node.js, or Ruby on Rails applications.

  • Native application

    An application that is installed and run directly on the local operating system, like Java, Objective-C, Swift, or React applications. Native applications are typically intended for mobile devices. These native applications are optionally configured using the mobile property.

  • Single-Page application

    A browser-based application that runs on the front-end with no server-side component, such as Sencha Touch, AngularJS, and React applications. A single page application runs on the client side after it loads, so it cannot keep a client secret.

  • Non-interactive

    A web application that does not require user interaction through the web browser, like a command line interface, a service, or a daemon.

  • Worker

    An administrator application that can interact with platform APIs. Access to platform APIs is determined by the user's or application's role assignments. The role assignment for a Worker app is set by the assignActorRoles property.

  • Device authorization

    Creating an application of this type initiates an action that returns an activation code to the end user. This enables you to obtain authorization from the end user through (what is typically) a mobile device.

  • Platform applications

    PingOne creates platform applications (PingOne Admin Console, PingOne Application Portal, PingOne Self-Service - MyAccount, and PingFederate-SSO) when the environment is created. The PingFederate-SSO platform application is created only if the PingOne environment includes PingFederate, and unlike the other platform applications, PingFederate-SSO application information is not returned through a GET request.

These are the default grantTypes, response_type, and tokenEndpointAuthMethod attributes for the application types:

Application type Grant type Response type Token endpoint authentication method
Device Authorization DEVICE_CODE, REFRESH_TOKEN N/A NONE
Native AUTHORIZATION_CODE, IMPLICIT TOKEN, ID_TOKEN, CODE NONE
Single-page IMPLICIT TOKEN, ID_TOKEN NONE
Web AUTHORIZATION_CODE CODE CLIENT_SECRET_BASIC
Worker/Non-interactive CLIENT_CREDENTIALS TOKEN CLIENT_SECRET_BASIC

Use Cases

Managing applications

The base endpoint, /environment/{{envID}}/applications, provides endpoint operations to create, read, update, and delete OIDC and SAML application connections. There are POST request examples to show the required properties to create each type of application connection. For more information, see Application Operations.

The secret endpoint, /environments/{{envID}}/applications/{{appID}}/secret, provides endpoint operations to read and update the application's secret, if the requesting actor has a superset of the application's role assignments. For more information, see Application Secret.

Applications support the following additional configuration properties:

  • Application resource grants

    The application resource grants endpoint, /environments/{{envID}}/applications/{{appID}}/grants, provides endpoint operations to create, read, update, and delete the resource grant associated with the application connection. For more information, see Application Resource Grants.

  • Application sign-on policy assignments

    The application sign-on policy assignments endpoint, /environments/{{envID}}/applications/{{appID}}/signOnPolicyAssignments, provides endpoint operations to create, read, update, and delete the sign-on policies associated with the application connection. For more information, see Application Sign-On Policy Assignments.

  • Application role assignments

    The application role assignments endpoint, /environments/{{envID}}/applications/{{appID}}/roleAssignments, provides endpoint operations to create, read, update, and delete the role assignments associated with the application connection. For more information, see Application Role Assignments.

  • Application attribute mapping

    The application attribute mapping endpoint, /environments/{{envID}}/applications/{{appID}}/roleAssignments, lets you customize the content of an ID token or a SAML assertion by adding custom attributes and their values. For more information, see Application Attribute Mapping.

  • Application MFA push credentials

    Push credentials are required for sending push notifications to a native application. The endpoint, /environments/{{envID}}/applications/{{appID}}/pushCredentials, provides endpoint operations to create, read, update, and delete the push credentials associated with the application connection. This section provides examples for both APNS and FCM push credential types. For more information, see Application MFA Push Credentials.

Application Operations

The Applications service implements operations to create, read, update, and delete, applications resources.

Cross-origin resource sharing

PingOne supports cross-origin resource sharing (CORS), which gives applications running at different domains permission to access resources on PingOne servers. For example, an application at https://myapp.com that uses PingOne to authenticate users needs to request permission to access resources at https://auth.pingone.com before authentication operations are executed. In this case, a request is made to the resource owner (auth.pingone.com) from the requestor (myapp.com) using CORS headers to ask for access privileges. The response from auth.pingone.com returns the CORS Access-Control-Allow-Origin header with a value that confirms the requestor's access rights.

PingOne servers are configured to trust all origins when using access tokens. However, when requesting sensitive resources that use PingOne session cookies for authentication, only specified origins will be trusted. The following endpoints require session cookies for authentication, and only the origins specified in the application’s corsSettings property will be trusted when calling these endpoints:

/{envId}/as/authorize
/{envId}/as/resume
/{envId}/as/signoff
/{envId}/rp/authenticate
/{envId}/rp/callback/{callbackId}
/{envId}/saml20/idp/sso
/{envId}/saml20/idp/startsso
/{envId}/saml20/resume
/{envId}/saml20/idp/slo
/{envId}/wsf/sts/{appId}
/{envId}/wsf/mex/{appId}
/{envId}/wsf/prp/{appId}
/{envId}/wsf/prp/resume

When using session cookies for authentication, no origins will be trusted when calling these endpoints:

/{envId}/as/txs 
/{envId}/saml20/sp/sso
/{envId}/saml20/sp/acs
/{envId}/saml20/sp/jwtacs

Consequently, when defining an application's connection to PingOne, you generally do not need to add your application's domain to a list of trusted origins. Cross-origin requests that use HTTP methods to modify the resource, such as PUT, PATCH, POST, and DELETE, trigger a preflight request to ensure that the initial request can be sent. The browser initiates a preflight HTTP OPTIONS request to verify that the HTTP method used in the actual request is allowed. In these cases, the response from auth.pingone.com to the preflight request returns a response with the CORS Access-Control-Allow-Methods header to specify the allowed methods.

When making CORS requests, only these headers can be used:

  • Accept
  • Accept-Language
  • Content-Language
  • Content-Type
  • Range
  • Authorization
  • Content-Length
  • Cookie
  • Correlation-Id
  • Origin
  • Origin-Cookies
  • Referer or Referrer
  • X-Amz-Date
  • X-Amz-Security-Token
  • X-Api-Key
  • X-client-version
  • X-Content-Type-Options

When accessing CORS responses, you're restricted to reading only the Correlation-Id header (as well as the request body).

Attempting to submit or access headers that are not listed above may prevent you from making CORS requests or reading the responses.

Applications data models

The following applications properties tables show the base data model for properties that apply to all application protocols, and the specific properties for the OpenID Connect (OIDC), SAML, and WS-Federation application protocols.

Applications base data model
Property Type Required? Mutable? Description
accessControl.role.type String Optional Mutable The user role required to access the application. Options are ADMIN_USERS_ONLY. A user is an admin user if the user has one or more of the following roles: Organization Admin, Environment Admin, Identity Data Admin, or Client Application Developer.
accessControl.group.type String Optional Mutable The group type required to access the application. Options are ANY_GROUP (the actor must belong to at least one group listed in the accessControl.group.groups property) and ALL_GROUPS (the actor must belong to all groups listed in the accessControl.group.groups property).
accessControl.group.groups String[] Optional Mutable The group IDs for the groups the actor must belong to for access to the application.
createdAt Date N/A Read-only The time the resource was created.
description String Optional Mutable The description of the application.
enabled String Required Mutable The current enabled state of the application. Options are ENABLED or DISABLED.
environment.id String Required Read-only The PingOne environment associated with the application.
hiddenFromAppPortal Boolean Optional Mutable Whether the application is hidden in the application portal despite the configured group access policy.
homePageUrl String Optional Mutable The custom home page URL for the application.
icon Object Optional Mutable The HREF and the ID for the application icon.
id String Required Read-only The application UUID.
loginPageUrl String Optional Mutable The custom login page URL for the application. If you set the loginPageUrl property for applications in an environment that sets a custom domain, the URL should include the top-level domain and at least one additional domain level. Warning: To avoid issues with third-party cookies in some browsers, a custom domain must be used, giving your PingOne environment the same parent domain as your authentication application. For more information about custom domains, see Custom domains.
name String Required Mutable The name of the application.
protocol String Required Immutable The protocol used by the application. Options are OPENID_CONNECT, SAML, WS-FED, and EXTERNAL_LINK.
type String Required Mutable The application type. Options are WEB_APP, NATIVE_APP, SINGLE_PAGE_APP, SERVICE, CUSTOM_APP, WORKER, PING_ONE_SELF_SERVICE, PING_ONE_ADMIN_CONSOLE, PING_ONE_PORTAL, TEMPLATE_APP, and PORTAL_LINK_APP.
updatedAt Date N/A Read-only The time the resource was last updated.
Applications OIDC settings data model
Property Type Required? Mutable? Description
additionalRefreshTokenReplayProtectionEnabled Boolean Optional Mutable When set to true (the default), if you attempt to reuse the refresh token, the authorization server immediately revokes the reused refresh token, as well as all descendant tokens. Setting this to null equates to a false setting.
allowWildcardInRedirectUris Boolean Optional Mutable Whether wildcards are allowed in redirect URIs. For more information, see Wildcards in Redirect URIs.
assignActorRoles Boolean Optional Mutable Indicates whether the permissions service should assign to the application the roles of the actor creating the application (defaults to true). This property is set only on the POST request. The property is ignored when included in a PUT request. Best Practice: When creating a Worker app, the best practice is to set this value to false. This is for security purposes, to ensure you assign only the minimal set of permissions necessary for the Worker app.
corsSettings Object Optional Mutable Enables you to customize how the Authorization and Authentication APIs interact with CORS requests that reference the application. If omitted, the application allows CORS requests from any origin except for operations that expose sensitive information (such as, operations from /as/authorize and /as/token). We recommend you use corsSettings, rather than omitting this property.
corsSettings.behavior String Required Mutable Options are "ALLOW_NO_ORIGINS" and "ALLOW_SPECIFIC_ORIGINS". ALLOWS_NO_ORIGINS rejects all CORS requests. ALLOW_SPECIFIC_ORIGINS rejects all CORS requests except those listed in corsSettings.origins.
corsSettings.origins String[] Optional Mutable This must be specified when corsSettings.behavior is ALLOW_SPECIFIC_ORIGINS, and must be omitted or empty when corsSettings.behaviour is ALLOW_NO_ORIGINS. Limited to 20 values. The values are the origins from which CORS requests to the Authorization and Authentication APIs are allowed. Each value is an HTTP or HTTPS URL without a path. The host may be a domain name (including localhost), or an IPv4 address. Subdomains can be specified using the wildcard (*) to match any string.
devicePathId String Optional Mutable A string that specifies a unique identifier within an environment for a device authorization grant flow to provide a short identifier to the application. This property is ignored when the deviceCustomVerificationUri property is configured. The string can contain any letters, numbers, and some special characters (regex: a-zA-Z0-9_-). It can have a length of no more than 50 characters (min/max=1/50).
deviceCustomVerificationUri String Optional Mutable A string that specifies an optional custom verification URI that is returned for the /device_authorization endpoint.
deviceTimeout Integer Required Mutable An integer that specifies the length of time (in seconds) that the userCode and deviceCode returned by the /device_authorization endpoint are valid. This property is required only for applications in which the grantTypes property is set to device_code. The default value is 600 seconds. It can have a value of no more than 3600 seconds (min/max=1/3600).
devicePollingInterval Integer Required Mutable An integer that specifies the frequency (in seconds) for the client to poll the /as/token endpoint. This property is required only for applications in which the grantTypes property is set to device_code. The default value is 5 seconds. It can have a value of no more than 60 seconds (min/max=1/60).
grantTypes String[] Required Mutable The grant type for the authorization request. Options are authorization_code, implicit, refresh_token, device_code, and client_credentials.
initiateLoginUri String Optional Mutable The URI to use for third-parties to begin the sign-on process for the application. If specified, PingOne redirects users to this URI to initiate SSO to PingOne. The application is responsible for implementing the relevant OIDC flow when the initiate login URI is requested. This property is required if you want the application to appear in the PingOne Application Portal. See the OIDC specification section Initiating Login from a Third Party for more information.
jwks String Optional Mutable A JWKS string that validates the signature of signed JWTs for applications that use the PRIVATE_KEY_JWT option for the tokenEndpointAuthMethod. This property is required when tokenEndpointAuthMethod is PRIVATE_KEY_JWT and the jwksUrl property is empty. For more information, see Create a private_key_jwt JWKS string. This property is also required if the optional request property JWT on the authorize endpoint is signed using the RS256 (or RS384, RS512) signing algorithm and the jwksUrl property is empty. For more infornmation about signing the request property JWT, see Create a request property JWT.
jwksUrl String Optional Mutable A URL (supports https:// only) that provides access to a JWKS string that validates the signature of signed JWTs for applications that use the PRIVATE_KEY_JWT option for the tokenEndpointAuthMethod. This property is required when tokenEndpointAuthMethod is PRIVATE_KEY_JWT and the jwks property is empty. For more information, see Create a private_key_jwt JWKS string. This property is also required if the optional request property JWT on the authorize endpoint is signed using the RS256 (or RS384, RS512) signing algorithm and the jwks property is empty. For more infornmation about signing the request property JWT, see Create a request property JWT.
kerberos.key Object Optional Mutable A Relationship object containing the certificate issuer (root CA).
kerberos.key.id String Optional Immutable The unique identifier for the Kerberos key. Required if kerberos.key is specified.
mobile.bundleId String Optional Immutable The bundle associated with the application, for push notifications in native apps. The value of the bundleId property is unique per environment, and once defined, is immutable. Used only for applications for the Apple ecosystem.
mobile.huaweiAppId String Optional Immutable The unique identifier for the app on the device and in the Huawei Mobile Service AppGallery. The value of the mobile.huaweiAppId property is unique per environment, and once defined, is immutable. Used only for applications for the Huawei ecosystem.
mobile.huaweiPackageName String Optional Immutable The package name associated with the application, for push notifications in native apps. The value of the mobile.huaweiPackageName property is unique per environment, and once defined, is immutable. Used only for applications for the Huawei ecosystem.
mobile.packageName String Optional Immutable The package name associated with the application, for push notifications in native apps. The value of the mobile.packageName property is unique per environment, and once defined, is immutable. Used only for applications for the Google ecosystem.
mobile.integrityDetection.googlePlay Object Optional Mutable Object that contains the credentials required for using Google's Play Integrity API for integrity detection.
mobile.integrityDetection.googlePlay.verificationType String Optional Mutable The type of verification that should be used. The possible values are GOOGLE and INTERNAL. Using internal verification will not count against your Google API call quota. The value you select for verificationType determines what other parameters you must provide. When set to GOOGLE, you must provide serviceAccountCredentials. When set to INTERNAL, you must provide decryptionKey and verificationKey.
mobile.integrityDetection.googlePlay.serviceAccountCredentials String Optional Mutable Contents of the JSON file that represents your Service Account Credentials. This parameter must be provided if you have set mobile.integrityDetection.googlePlay.verificationType to GOOGLE.
mobile.integrityDetection.googlePlay.decryptionKey String Optional Mutable Play Integrity verdict decryption key from your Google Play Services account. This parameter must be provided if you have set mobile.integrityDetection.googlePlay.verificationType to INTERNAL.
mobile.integrityDetection.googlePlay.verificationKey String Optional Mutable Play Integrity verdict signature verification key from your Google Play Services account. This parameter must be provided if you have set mobile.integrityDetection.googlePlay.verificationType to INTERNAL.
mobile.integrityDetection.mode String Optional Mutable Indicates whether device integrity detection takes place on mobile devices, for the application's enrollment and authentication events. The possible values are ENABLED or DISABLED.
mobile.integrityDetection.excludedPlatforms Array Optional Mutable You can enable device integrity checking separately for Android and iOS by setting mobile.integrityDetection.mode to ENABLED and then using this property to specify an OS where you do not want to use device integrity checking. The possible values are GOOGLE and IOS. Note that this is implemented as an array even though currently you can only include a single value.
mobile.integrityDetection.cacheDuration.amount Integer Optional Mutable The duration between successful integrity detection calls. Every attestation request entails a certain time tradeoff. You can choose to cache successful integrity detection calls for a predefined duration, between a minimum of 1 minute and a maximum of 48 hours. If mobile.integrityDetection.mode is ENABLED, the cache duration must be set.
mobile.integrityDetection.cacheDuration.units String Optional Mutable The time units used for mobile.integrityDetection.cacheDuration.amount. The possible values are MINUTES or HOURS.
mobile.passcodeRefreshDuration.duration Integer Optional Mutable The amount of time a passcode should be displayed before being replaced with a new passcode. Must be between 30 and 60 (seconds).
mobile.passcodeRefreshDuration.timeUnit String Optional Mutable The type of time unit for mobile.passcodeRefreshDuration.duration. Currently, this must be SECONDS.
mobile.uriPrefix String Optional Mutable A URI prefix that enables direct triggering of the mobile application when scanning a QR code. The URI prefix can be set to a universal link with a valid value (which can be a URL address that starts with HTTP:// or HTTPS://, such as https://www.acme.com), or an app schema, which is just a string and requires no special validation.
parRequirement Enum Optional Mutable Whether pushed authorization requests (PAR) are required. Options are REQUIRED and OPTIONAL. The default value is OPTIONAL.
parTimeout Integer Optional Mutable PAR timeout in seconds. Must be between 1 and 600. The default value is 60.
pkceEnforcement String Optional Mutable Specifies how PKCE request parameters are handled on the authorize request. Options are: OPTIONAL: PKCE code_challenge is optional and any code challenge method is acceptable. REQUIRED: PKCE code_challenge is required and any code challenge method is acceptable. S256_REQUIRED: PKCE code_challenge is required and the code_challenge_method must be S256.
postLogoutRedirectUris String[] Optional Mutable The URLs that the browser can be redirected to after logout.
redirectUris String[] Optional Mutable The callback URI for the authentication response.
refreshTokenDuration Integer Optional Mutable The lifetime in seconds of the refresh token. If a value is not provided, the default value is 2592000, or 30 days. Valid values are between 60 and 2147483647. If the refreshTokenRollingDuration property is specified for the application, then this property must be less than or equal to the value of refreshTokenRollingDuration. After this property is set, the value cannot be nullified. This value is used to generate the value for the exp claim when minting a new refresh token.
refreshTokenRollingDuration Integer Optional Mutable The number of seconds a refresh token can be exchanged before re-authentication is required. If a value is not provided, the refresh token is valid forever. Valid values are between 60 and 2147483647. After this property is set, the value cannot be nullified. This value is used to generate the value for the exp claim when minting a new refresh token.
refreshTokenRollingGracePeriodDuration Integer Optional Mutable The number of seconds that a refresh token may be reused after having been exchanged for a new set of tokens. This is useful in the case of network errors on the client. Valid values are between 0 and 86400 seconds. Null is treated the same as 0.
requireSignedRequestObject Boolean Optional Mutable Indicates that the Java Web Token (JWT) for the request query parameter is required to be signed. If false or null (default), a signed request object is not required. Both supportUnsignedRequestObject and this property cannot be set to true.
responseTypes String[] Optional Mutable The code or token type returned by an authorization request. Options are TOKEN, ID_TOKEN, and CODE. For hybrid flows that specify CODE with TOKEN or ID_TOKEN, see Hybrid grant type.
signing Object Optional Mutable Configuration for the signing key. If absent, application tokens will be signed and verified by the PingOne default key at runtime. This property only applies to OIDC applications of type WEB_APP, NATIVE_APP, SINGLE_PAGE_APP, and CUSTOM_APP.
signing.keyRotationPolicy Object Required Mutable Contains the Key Rotation Policy (KRP) ID. This property is required if signing is set.
signing.keyRotationPolicy.id String Required Mutable Reference to a KRP ID from certificate management. This property is required if signing is set.
supportUnsignedRequestObject Boolean Optional Mutable Indicates whether the Java Web Token (JWT) for the request query parameter is allowed to be unsigned. If false or null (default), an unsigned request object is not allowed. Both requireSignedRequestObject and this property cannot be set to true.
tags String[] Optional Mutable An array that specifies the list of labels associated with the application. Options are PING_FED_CONNECTION_INTEGRATION. Only applicable for Create Application (OIDC Protocol - PingFederate Worker App).
targetLinkUri String Optional Mutable The URI for the application. If specified, PingOne will redirect application users to this URI after a user is authenticated. In the PingOne admin console, this becomes the value of the target_link_uri parameter used for the Initiate Single Sign-On URL field.
template Object Optional Mutable Valid only when the application type is TEMPLATE_APP. This identifies the application as integration in Integration Catalog. (by integration.id and version.id) and provides key-value map of parameters needed by the integration
template.configuration Object Required Mutable Contains a key/value map of the parameters required by the integration in Integration Catalog.
template.integration.id String Required Mutable The UUID of the integration in Integration Catalog.
template.version.id String Required Mutable The UUID of the integration version in Integration Catalog.
tokenEndpointAuthMethod String Optional Mutable The client authentication methods supported by the token endpoint. Options are NONE, CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, PRIVATE_KEY_JWT, and CLIENT_SECRET_JWT.
Applications OIDC settings data model for PING_ONE_SELF_SERVICE

For applications of type PING_ONE_SELF_SERVICE only. Ignored for all other application types.

Property Type Required? Mutable? Description
userForm Relationship Required Mutable Configures the form from the form builder service that is used by the self service app for user profile updates. The referenced form must have a category of SELF_SERVICE.
applyDefaultTheme Boolean Required Mutable If true, applies the default theme to the self service application.
enableDefaultThemeFooter Boolean Required Mutable If true, shows the default theme footer on the self service application. Applies only if applyDefaultTheme is also true.
Applications OIDC settings data model for PING_ONE_PORTAL

For applications of type PING_ONE_PORTAL only. Ignored for all other application types.

Property Type Required? Mutable? Description
applyDefaultTheme Boolean Required Mutable If true, applies the default theme to the app portal application.
Applications SAML settings data model
Property Type Required? Mutable? Description
acsUrls String[] Required Mutable The Assertion Consumer Service URLs. The first URL in the list is used as default (there must be at least one URL).
assertionDuration Integer Required Mutable The assertion validity duration in seconds.
assertionSigned Boolean Optional Mutable Indicates whether the SAML assertion itself should be signed. The default value is true.
corsSettings Object Optional Mutable Enables you to customize how the Authorization and Authentication APIs interact with CORS requests that reference the application. If omitted, the application allows CORS requests from any origin except for operations that expose sensitive information (such as, operations from /as/authorize and /as/token). We recommend you use corsSettings, rather than omitting this property.
corsSettings.behavior String Required Mutable Options are "ALLOW_NO_ORIGINS" and "ALLOW_SPECIFIC_ORIGINS". ALLOWS_NO_ORIGINS rejects all CORS requests. ALLOW_SPECIFIC_ORIGINS rejects all CORS requests except those listed in corsSettings.origins.
corsSettings.origins String[] Optional Mutable This must be specified when corsSettings.behavior is ALLOW_SPECIFIC_ORIGINS, and must be omitted or empty when corsSettings.behaviour is ALLOW_NO_ORIGINS. Limited to 20 values. The values are the origins from which CORS requests to the Authorization and Authentication APIs are allowed. Each value is an HTTP or HTTPS URL without a path. The host may be a domain name (including localhost), or an IPv4 address. Subdomains can be specified using the wildcard (*) to match any string.
defaultTargetUrl String Optional Mutable This is used as the RelayState parameter by the IdP to deep link into the application after authentication. This value can be overridden by the applicationUrl query parameter for GET Identity Provider Initiated SSO. Although both of these parameters are generally URLs, because they are used as deep links, this is not enforced. If neither defaultTargetUrl nor applicationUrl is specified during a SAML authentication flow, no RelayState value is supplied to the application. The defaultTargetUrl (or the applicationUrl) value is passed to the SAML application’s ACS URL as a separate RelayState key value (not within the SAMLResponse key value).
enableRequestedAuthnContext Boolean Optional Mutable Indicates whether requestedAuthnContext is taken into account in policy decision-making.
idpSigning.algorithm String Optional Mutable The algorithm used by the IdP signing key. Algorithms supported: SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA256withECDSA, SHA384withECDSA, and SHA512withECDSA.
idpSigning.key.id String Optional Mutable The certificate to be used by the identity provider to sign assertions and responses. If this property is omitted, the default signing certificate for the environment is used.
nameIdFormat String Optional Mutable The format of the Subject NameID attribute in the SAML assertion. Options are
  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified: The Subject's NameID format is not specified. Use this format if you are not sure which format to use.
  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress: The Subject's NameID format is in the form of an email address.
  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent: The Subject's NameID format is an opaque unique identifier for a user that retains the same value over time.
  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient: The Subject's NameID format is a randomly generated identifier. A different value is used for each SSO for a given user.
responseSigned Boolean Optional Mutable Indicates whether the SAML assertion response itself should be signed. The default value is False.
sloBinding String Optional Mutable The binding protocol to be used for the logout response. Options are HTTP_REDIRECT or HTTP_POST. The default is HTTP_POST; existing configurations with no data default to HTTP_POST. This is an optional property.
sloEndpoint String Optional Mutable The logout endpoint URL. This is an optional property. However, if a sloEndpoint logout endpoint URL is not defined, logout actions result in an error.
sloResponseEndpoint String Optional Mutable The endpoint URL to submit the logout response. If a value is not provided, the sloEndpoint property value is used to submit SLO response.
sloWindow Integer Optional Mutable Defines how long PingOne can exchange logout messages with the application, specifically a LogoutRequest from the application, since the initial request. PingOne can also send a LogoutRequest to the application when a single logout is initiated by the user from other session participants, such as an application or identity provider. This setting is per application. The SLO logout is separate from the user session logout that revokes all tokens.
spEncryption Object Optional Mutable Enables PingOne to encrypt SAML assertions to be sent to the application. Assertions are not encrypted by default.
spEncryption.algorithm String Required Mutable The algorithm for encrypting the assertions (AES_128, AES_256, or TRIPLEDES).
spEncryption.certificate Object Required Mutable Contains the ID of the encryption public certificate that has been uploaded to PingOne.
spEncryption.certificate.id String Required Mutable The unique identifier of the encryption public certificate that has been uploaded to PingOne.
spEntityId String Required Immutable The service provider entity ID used to lookup the application. This must be unique within the environment.
spVerification.authnRequestSigned Boolean Optional Mutable Whether the Authn Request signing should be enforced. Default is false.
spVerification.certificates[].id String[] Optional Mutable An array that specifies the certificate IDs used to verify the service provider signature.
template Object Optional Mutable Valid only when the application type is TEMPLATE_APP. This identifies the application as integration in Integration Catalog.
template.configuration Object Required Mutable Contains a key/value map of the parameters required by the integration in Integration Catalog.
template.integration.id String Required Mutable The UUID of the integration in Integration Catalog.
template.version.id String Required Mutable The UUID of the integration version in Integration Catalog.
Applications SAML metadata settings data model
Property Type Required? Mutable? Description
acsBindings String Optional Mutable The assertion consumer service binding protocol. Options are: HTTP_REDIRECT or HTTP_POST
acsUrls String[] Optional Mutable The assertion consumer service URLs.
authnRequestsSigned Boolean Optional Mutable Indicates whether the SAML authentication request is signed.
encryptionCertificate.pkcs7Der Byte[] Optional Mutable The PKCS7 encryption certificate in DER format.
sloBinding String Optional Mutable The SAML single logout binding protocol used for logout response. Options are: HTTP_REDIRECT or HTTP_POST.
sloEndpoint String Required Mutable The SAML single logout endpoint URL.
signingCertificates[].pkcs7Der Byte[] Optional Mutable The PKCS7 signing certificates in DER format.
Applications WS-Federation settings data model
Property Type Required? Mutable? Description
audienceRestriction String Optional Mutable The service provider ID. Defaults to urn:federation:MicrosoftOnline.
corsSettings Object Optional Mutable Enables you to customize how the Authorization and Authentication APIs interact with CORS requests that reference the application. If omitted, the application allows CORS requests from any origin except for operations that expose sensitive information (such as, operations from /as/authorize and /as/token). We recommend you use corsSettings, rather than omitting this property.
corsSettings.behavior String Required Mutable Options are "ALLOW_NO_ORIGINS" and "ALLOW_SPECIFIC_ORIGINS". ALLOWS_NO_ORIGINS rejects all CORS requests. ALLOW_SPECIFIC_ORIGINS rejects all CORS requests except those listed in corsSettings.origins.
corsSettings.origins String[] Optional Mutable This must be specified when corsSettings.behavior is ALLOW_SPECIFIC_ORIGINS, and must be omitted or empty when corsSettings.behaviour is ALLOW_NO_ORIGINS. Limited to 20 values. The values are the origins from which CORS requests to the Authorization and Authentication APIs are allowed. Each value is an HTTP or HTTPS URL without a path. The host may be a domain name (including localhost), or an IPv4 address. Subdomains can be specified using the wildcard (*) to match any string.
domainName String Required Mutable The federated domain name (for example, the Azure custom domain).
idpSigning Object Required Mutable Contains the information about the signing of requests by the identity provider (IdP).
idpSigning.algorithm String Required Mutable The signature algorithm to be used for signing. Algorithms supported: SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA256withECDSA, SHA384withECDSA, and SHA512withECDSA.
idpSigning.key String Required Mutable The key pair to be used by the IdP to sign requests. If this isn't specified, the default signing certificate for the environment is used.
idpSigning.key.id String Required Mutable The ID of the key specified for idpSigning.key.
kerberos Object Optional Mutable Contains the Kerberos authentication settings. Set this to null to disable Kerberos authentication.
kerberos.gateways Object[] Optional Mutable Contains the gateway properties.
kerberos.gateways.id String Required Mutable The UUID of the LDAP gateway.
kerberos.gateways.type String Required Mutable The gateway type. This must be "LDAP".
kerberos.gateways.userType.id String Required Mutable The UUID of a user type in the list of userTypes for the LDAP gateway.
replyUrl String Required Mutable The URL that the replying party (such as, Office365) uses to accept submissions of RequestSecurityTokenResponse messages that are a result of SSO requests.
sloEndpoint String Optional Mutable The single logout endpoint URL.
subjectNameIdentifierFormat String Optional Mutable The format to use for the SubjectNameIdentifier element. This value must be one of the following:
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Audit reporting events

To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.

Service Event
applications APPLICATION.CREATED
applications APPLICATION.UPDATED
applications APPLICATION.DELETED

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request, or your license is exceeded.
404 The requested resource was not found.
500 An unexpected error occurred.

Create Application (OIDC Protocol - Web App)


Create Application (OIDC Protocol - Native App)


Create Application (OIDC Protocol - Single Page App)


Create Application (OIDC Protocol - Service App)


Create Application (OIDC Protocol - Worker App)


Create Application (OIDC Protocol - Worker Interactive App)


Create Application (OIDC Protocol - PingFederate Worker App)


Create Application (OIDC Device Authorization Grant)


Create Application (OIDC Mobile App)


Create Application (SAML Protocol)


Create Application (WS-Federation Protocol)


Read All Applications


Read One Application


Update Application (OIDC)


Update Application (SAML)


Update Application (WS-Federation)


Delete Application

Application Attribute Mapping

ID token and SAML assertion customization

The application attributes service lets you customize the content of an ID token or a SAML assertion by adding custom attributes and their values. Custom attributes have a cumulative length constraint of 16 Kb. See Custom attributes in Schemas for more information.

In the Authorization request header field of all samples, the accessToken value is your full base64url-encoded JSON web token generated by the authentication service.

OpenID Connect application attribute mappings

For OpenID Connect (OIDC) applications, the user claim defined by the custom attribute mapping is returned in the ID token, regardless of the scopes specified in the authorization request. For example, suppose you want to include a user's accountId in ID tokens associated with the specified OIDC application, a custom application attribute resource can be created to map the user's account ID to the accountId PingOne user attribute. The request looks like this:

curl -X "POST" "https://api.pingone.com/v1/environments/{{envID}}/applications/{{appID}}/attributes" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer {{accessToken}}' \
-d '{
	"name": "userAccountID",
	"value": "${user.accountId}",
	"required": true
}'

SAML application attribute mappings

For SAML applications, the user claim defined by the custom attribute mapping is returned in the SAML assertion.

For example, suppose you want to include an externalId in assertions associated with the specified SAML application, a custom application attribute resource can be created to map the SAML externalId attribute to the user's external ID attribute. The request looks like this:

curl -X "POST" "https://api.pingone.com/v1/environments/{{envID}}/applications/{{appID}}/attributes" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer {{accessToken}}' \
-d '{
	"name": "externalId",
	"value": "${user.externalId}",
	"required": true
}'

Advanced attribute mapping

You can use PingOne's expression language for advanced attribute mapping. The supported expression language is an augmentation of SpEL. SpEL is a powerful expression language used for querying and manipulating an object graph at runtime.

For example, with advanced attribute mapping capabilities, you can write an expression that concatenates two or more user attributes in the value property:

curl -X "POST" "https://api.pingone.com/v1/environments/{{envID}}/applications/{{appID}}/attributes" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer {{accessToken}}' \
-d '{
	"name": "fullName",
	"value": "${user.name.given + ', ' + user.name.family}",
	"required": true
}'

In this request, the fullName mapped attribute includes the user's first name and last name in the response.

Applications attribute mapping data model
Property Type Required? Mutable? Description
application.id String Required Read-only The application associated with the application mapping resource.
createdAt Date N/A Read-only The time the resource was created.
environment.id String Required Read-only The environment associated with the application mapping resource.
id UUID Required Read-only The application mapping ID.
mappingType String Optional Mutable The mapping type of the attribute. Options are CORE, SCOPE, and CUSTOM. The CORE and SCOPE mapping types are for reserved attributes managed by the API and cannot be removed. Attribute values for these mapping types can be updated. The CUSTOM mapping type is for user-defined attributes. Attributes of this type can be updated and deleted.
name String Required Immutable The name of attribute. Must be unique within an application. The property is set on create only and cannot be changed after creation. For SAML applications, the samlAssertion.subject name is a reserved case-insensitive name which indicates the mapping to be used for the subject in an assertion. For OpenID Connect applications, the following names are reserved and cannot be used:
  • acr
  • amr
  • at_hash
  • aud
  • auth_time
  • azp
  • client_id
  • exp
  • iat
  • iss
  • jti
  • nbf
  • nonce
  • org
  • scope
  • sid
  • sub
nameFormat String Optional Mutable A URI reference representing the classification of the attribute. Helps the service provider interpret the attribute format.
required Boolean Required Mutable Whether a mapping value is required for this attribute. If true, a value must be set and a non-empty value must be available in the SAML assertion or ID token.
updatedAt Date N/A Read-only The time the resource was updated.
value String Required Mutable The string constants or expression for mapping the attribute path against a specific source. The expression format is: ${<source>.<attribute_path>}. The only supported source is user (for example, ${user.id}).
idToken Boolean Optional Mutable Whether the attribute mapping should be available in the ID Token. This property is applicable only when the application's protocol property is OPENID_CONNECT. If omitted, the default is true. Note that the idToken and userInfo properties cannot both be set to false. At least one of these properties must have a value of true.
userInfo Boolean Optional Mutable Whether the attribute mapping should be available through the /as/userinfo endpoint. This property is applicable only when the application's protocol property is OPENID_CONNECT. If omitted, the default is true. Note that the idToken and userInfo properties cannot both be set to false. At least one of these properties must have a value of true.
oidcScopes List Optional Mutable OIDC resource scope IDs that this attribute mapping is available for exclusively. This setting overrides any global OIDC resource scopes that contain an attribute mapping with the same name. The list can contain only scope IDs that have been granted for the application through the /grants endpoint. A null value is accepted for backwards compatibility. However, an empty set is invalid, and one scope ID is expected. If null, the response includes this mapping in the openid scope.
OIDC application core mapping attributes
Property Type Required? Mutable? Description
sub String Required Mutable A string that specifies the core OIDC application mapping attribute. The default user attribute value is ${user.id} and the required property value must be set to true.
SAML application core mapping attributes
Property Type Required? Mutable? Description
saml_subject String Required Mutable A string that specifies the core SAML mapping attribute. The default user attribute value is ${user.id} and the required property value must be set to true.
Audit reporting events

To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.

Service Event
applications ATTRIBUTE.CREATED
applications ATTRIBUTE.UPDATED
applications ATTRIBUTE.DELETED
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.
500 An unexpected error occurred.

Create Application Attribute Mapping


Read All Application Attribute Mappings


Read One Application Attribute Mapping


Update Application Attribute Mapping


Delete Application Attribute Mapping

Application Flow Policy Assignments

Flow policy assignment endpoints manage the flow policies associated with the specified application. An application can have zero or more flow policies assigned to it that determine how users are authenticated. The number of flow policies assigned to an application also controls how the authentication flow progresses.

No flow policy assignments

Applications that have no flow policy assignments use the environment resource's default sign-on policy to authenticate users (or a designated sign-on policy assignment).

One flow policy assignment

Applications that have one flow policy assignment always use that flow policy to authenticate users.

Two or more flow policy assignments

If an application has two or more assigned flow policies, the authentication flow uses the flow policy with the highest priority (priority 1) first. If authentication is successful, the flow is complete. If authentication fails, the flow initiates the flow policy with the next highest priority. The flow continues until one of the assigned flow policies completes successfully or all policies have been tried and failed.

OIDC applications can request a lower-priority policy by using the acr_values OIDC parameter with the desired PingOne authentication name or DaVinci flow policy ID. See OpenID Connect/OAuth2 data model.

SAML applications can request a lower-priority policy by sending a SAML 2.0 authentication request with the RequestedAuthnContext parameter, where the value indicates the desired PingOne authentication name or DaVinci flow policy ID. Note that the enableRequestAuthnContext must be set to true for the SAML application. See SAML settings data model.

Flow policies and the PingOne application portal

If the PingOne application portal is not configured with any flow policies, it will use the default PingOne policy.

You can apply policies other than the default to the PingOne application portal by appending the policy query parameter to your Application Portal Home Page URL. For example, the Home Page URL https://apps.pingone.com/<envID>/myapps/ would become https://apps.pingone.com/<envID>/myapps/?policy=<value>, where <value> is the name of a configured PingOne policy, or the ID of a configured DaVinci flow policy. If the policy name or ID doesn't match any configured policy, then PingOne returns an error.

Application flow policy assignments data model

Property Type Required? Mutable? Description
application.id String Required Read only A string that specifies the application resource ID associated with the flow policy assignment.
environment.id String Required Read only A string that specifies the environment associated with the application.
flowPolicy.id String Required Mutable A string that specifies the flow policy resource ID associated with the flow policy assignment.
id String Required Read only A string that specifies the flow policy assignment resource's unique identifier.
priority Integer Required Mutable The order in which the policy referenced by this assignment is evaluated during an authentication flow relative to other policies. An assignment with a lower priority will be evaluated first.

Audit reporting events

To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.

Service Event
applications FLOW_POLICY_ASSIGNMENT.CREATED
applications FLOW_POLICY_ASSIGNMENT.UPDATED
applications FLOW_POLICY_ASSIGNMENT.DELETED

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.
500 An unexpected error occurred.

Create an Application Flow Policy Assignment


Read All Application Flow Policy Assignments


Read One Application Flow Policy Assignment


Update an Application Flow Policy Assignment


Delete an Application Flow Policy Assignment

Application MFA Push Credentials

Push credentials are required for the purpose of sending push notifications to a native application. Push credentials must be defined for the application.

The push credentials endpoint implements functions to create, read, update and delete the push credentials associated with native application resources.

There are three types of push credentials:

  • APNS (Apple)
  • FCM_HTTP_V1 (Google)
  • HMS (Huawei)

The FCM type, used previously for Google Play-based applications, has been deprecated. Use FCM_HTTP_V1 instead.

MFA push credentials data model
Property Type Required? Mutable? Description
type String Required Immutable Specifies the push credential type.
Valid values:
  • APNS (for Apple)
  • FCM_HTTP_V1 (for Google)
  • HMS (for Huawei)
  • FCM (deprecated, used previously for Google)
clientId String Required Immutable Used only if type is set to HMS. OAuth 2.0 Client ID from the Huawei Developers API console.
clientSecret String Required Immutable Used only if type is set to HMS. The client secret associated with the OAuth 2.0 Client ID.
googleServiceAccountCredentials String Required Immutable Used when type is set to FCM_HTTP_V1. The value should be the contents of the JSON file that represents your Service Account Credentials.
key String Required Immutable Used when type is set to APNS. The value should be the key ID. Before the deprecation of the FCM type, this was also used for the server key.
teamId String Required Immutable Used only if type is set to APNS. Used to identify teams.
token String Required Immutable Used only if type is set to APNS. Used as the authentication token signing key to securely connect to APNS. This is a p8 file with a private key format.
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.
500 Unexpected server error.

Create MFA Push Credential (APNS)


Create MFA Push Credential (FCM_HTTP_V1)


Create MFA Push Credential (HMS)


Read All MFA Push Credentials


Read One MFA Push Credential


Update MFA Push Credential


Delete MFA Push Credential

Application Resource Grants

Resources are the protected endpoints that applications request access to using OAuth 2 authorization services. A resource access grant specifies the identifier of the resource associated with the specified application.

Applications resource grant data model
Property Type Required? Mutable? Description
application.id String N/A Read-only The application resource ID associated with the resource grant.
createdAt Date N/A Read-only The time the resource was created.
id String N/A Read-only The application resource grant ID.
resource.id String N/A Read-only The ID of the protected resource associated with this grant.
scopes.id String[] Required Mutable The IDs of the scopes associated with this grant.
updatedAt Date N/A Read only The time the resource was last updated.
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.
500 An unexpected error occurred.

Create Grant


Read All Grants for an Application


Read One Grant for an Application


Update Grant


Delete Grant

Application Role Assignments

The role assignments endpoint implements functions to create, read, and delete the role assignments associated with applications resources. For more information about roles and the permissions associated with each role, see Roles.

Role assignments are defined by the role itself, and at a more granular level by the scope attribute associated with the role assignment. The role assignment scope identifies the type of platform resource that defines the scope, and the id of the specific resource to which the scope applies. The following sample shows the scope attribute, which includes the resource type and id attributes. In this case, the scope is restricted to the environment resource identified by its id.

{
  "scope": {
   "id": "d928aa51-c194-4333-9cf5-0fd0c9b7d62f",
   "type": "ENVIRONMENT"
   }
}   

Role assignment scopes can be:

  • Organization

  • Environment

  • Population

  • Application

Applications role assignments data model
Property Type Required? Mutable? Description
application.id String Required Read only The application resource ID associated with the role assignment.
environment.id String Required Read only The environment associated with the application role assignment.
id String Required Read only The application role assignment ID.
readOnly Boolean Optional Mutable Indicates whether this role assignment can be deleted by the current actor.
role.id String Required Mutable The role ID.
scope.id String Required Mutable The role assignment scope ID. When this is an application ID, because an application ID is guarenteed to be globally unique (across all environments), the application ID here eliminates the need to also specify the application environment ID.
scope.type String Required Mutable The type of resource defining the scope of the Role assignment. Options are ORGANIZATION, ENVIRONMENT, and POPULATION, APPLICATION.
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
404 The requested resource was not found.

Create Application Role Assignments


Read Application Role Assignments


Read One Application Role Assignment


Delete Application Role Assignment

Application Secret

The client secret endpoint is available to users or worker applications only if they have a superset of the application's role assignments.

Access to the application's client secret is restricted based on the accessing user's or application's role assignments. For example, if a client has the Environment Admin role, an actor with an Identity Admin role cannot see the client secret. This restriction addresses privilege escalation issues by preventing the Identity Admin user from doing things with the client that the Identity Admin role assignment does not allow. You need the Client Application Developer role to perform operations on application resources.

Best practices
  • Do not store an application secret in applications that are publicly available.

  • For security purposes, regenerate application secrets regularly.

  • If you suspect an application secret has been compromised, generate a new application secret immediately.

Applications secret data model
Property Type Required? Mutable? Description
environment.id String Read-only The environment associated with the application.
previous Object Optional Read only An object that specifies the previous secret, when it expires, and when it was last used.
previous.secret String N/A Read only A string that specifies the previous application secret. This property is returned in the response if the previous secret is not expired.
previous.expiresAt Timestamp Optional Read only A timestamp that specifies how long this secret is saved (and can be used) before it expires. Supported time range is 1 minute to 30 days.
previous.lastUsed Timestamp Optional Read only A timestamp that specifies when the previous secret was last used.
secret String Required Read-only The application secret ID used to authenticate to the authorization server. The secret has a minimum length of 64 characters per SHA-512 requirements when using the HS512 algorithm to sign ID tokens using the secret as the key.
Response codes
Code Message
200 Successful operation.
201 Successfully created.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.
500 An unexpected error occurred.

Update Application Secret


Read Application Secret


Delete Previous Application Secret

Application Sign-On Policy Assignments

Sign-on policy assignment endpoints manage the sign-on policies associated with the specified application. An application can have zero or more sign-on policies assigned to it that determine how users are authenticated. The number of sign-on policies assigned to an application also controls how the authentication flow progresses.

No sign-on policy assignments

Applications that have no sign-on policy assignments use the environment resource's default sign-on policy to authenticate users. Every environment has one designated sign-on policy as its default policy. If the environment's default sign-on policy changes, then the application's sign-on policy changes to use the updated default policy.

One sign-on policy assignment

Applications that have one sign-on policy assignment always use that sign-on policy to authenticate users. For example, if the application has the Single_Factor sign-on policy assigned, the application will always use this basic authentication method that prompts users to enter a username and password to authenticate the account.

Two or more sign-on policy assignments

If an application has two or more assigned sign-on policies, the authentication flow uses the sign-on policy with the highest priority (priority 1) first. If authentication is successful, the sign-on flow is complete. If authentication fails, the flow initiates the sign-on policy with the next highest priority. If authentication fails again, the sign-on flow initiates the next sign-on policy. The sign-on flow continues until one of the assigned sign-on policies completes successfully or all policies have been tried and failed.

Sign-on policy priority when acr_values is set

For applications with the protocol property set to OPENID_CONNECT, the acr_values property (set on the authorize request) identifies the exact list of sign-on policies that can execute at sign on. At sign-on, only the sign-on policies listed in the acr_values property are evaluated, and they are evaluated based on the order of the policies listed in this property. In addition, if there are numerous sign-on policies assigned to an application, setting the acr_values property limits the number of sign-on policies evaluated to only those listed in this property.

For example, if the authorize request includes acr_values=Multi_Factor Single_Factor, the authentication flow executes the Multi_Factor policy first. If the multi-factor sign-on flow completes all conditions for the policy, the flow completes and the user is issued a token. If the multi-factor policy fails, the Single_Factor policy executes. If that policy completes all conditions, the flow completes and the user is issued a token. If the single-factor policy is the last policy in the acr_values list, and it fails, then the sign-on flow fails. No other sign-on policies are tried, even if the application has additional sign-on policy assignments.

Applications sign-on policy assignments data model
Property Type Required? Mutable? Description
application.id String Required Read-only The application resource ID associated with the sign-on policy assignment.
environment.id String Required Read-only The environment associated with the application sign-on policy assignment.
id String Required Read-only The sign-on policy assignment resource’s unique identifier.
priority Integer Required Mutable The order in which the policy referenced by this assignment is evaluated during an authentication flow relative to other policies. An assignment with a lower priority will be evaluated first.
signOnPolicy.id String Required Mutable The sign-on policy resource's unique identifier associated with this sign-on policy assignment.

Audit reporting events

To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.

Service Event
applications SIGN_ON_POLICY_ASSIGNMENT.CREATED
applications SIGN_ON_POLICY_ASSIGNMENT.UPDATED
applications SIGN_ON_POLICY_ASSIGNMENT.DELETED
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.
500 An unexpected error occurred.

Create SOP Assignment


Read All SOP Assignments


Read One SOP Assignment


Update SOP Assignment


Delete SOP Assignment

Integration Catalog

Use the endpoints in the Integration Catalog to discover and retrieve integration metadata, SAML metadata, and download integration kits as a compressed file.

Integration data model

Property Type Required? Mutable? Description
categories String[] Optional Mutable The list of categories used to classify the integration. Valid strings include alphanumeric characters, underscore, hyphen, and space.
createdAt Date Required Immutable Creation date of the integration.
description String Optional Mutable The description of the integration in HTML to be used for the integration listing. You can use class and style attributes for inline styling. There's a 4000 character limit for the description.
id String Required Immutable The platform-generated ID of this integration.
logo String Optional Mutable A logo to use for the integration. If specified, the associated properties are required.
logo.href String Required Mutable The href to the absolute URL of the image.
logo.id String Required Mutable The image ID generated by the Image service.
marketingLandingPageUrl String Optional Mutable Absolute URL link to the marketing landing page.
name String Required Mutable Name of the integration.
pingProductNames String[] Required Mutable The Ping product associated with the integration. Can include: PINGID, PINGONE_ENTERPRISE, PINGONE, PINGACCESS, PINGFEDERATE, PINGDIRECTORY, PINGDATAGOVERNANCE, orPINGINTELLIGENCE_FOR_APIS, PINGONE_ADVANCED_SERVICES
publisher String Required Mutable Name of the publisher.
tags String[] Optional Mutable Tags to apply to the integration metadata. Can include: SSO, AUTHENTICATION, MFA, INTELLIGENCE, GOVERNANCE, IDAAS, ACCESS, DIRECTORY, or PROVISIONING.
thirdParty Object Optional Mutable Metadata that defines the third party related to this integration.
thirdParty.companyName String Required Mutable Name of the third party company for the listing.
thirdParty.products String[] Optional Mutable Names of the third party products for the integration.

Integration version data model

Each integration can have versions. Valid integration version numbers match the regular expression (^\d+.\d+(.\d+)?$). So, 1.0.2 and 2.06 are valid versions. Examples of invalid versions include v.1.2 and 1.2.3.4.

Property Type Required? Mutable? Description
configuration Object Optional Mutable The configuration of the integration version. If specified, configuration.schema and configuration.properties is required.
configuration.schema Object Required Mutable Contains a JSON schema defining the integration version.
configuration.properties Object Required Mutable Contains the property names and assigned values for the integration version.
description String Optional Mutable Unicode characters. The description of this integration metadata version.
id String Required Immutable The platform-generated ID of this integration metadata version.
integration Object Required Read only The parent integration of the integration version.
integration.id String Required Immutable The platform-generated ID of the parent integration.
name String Required Mutable A unique name for the integration metadata version.
number String Required Mutable A unique number for the integration version.
type String Optional Mutable The type of integration for this version. Currently, the only valid values are PRODUCT_INTEGRATION_KIT and SAML.

Integration Kit data model (extends Integration Version)

Integration version metadata with a type of PRODUCT_INTEGRATION_KIT will include this data.

Property Type Required? Mutable? Description
documentationUrl String Optional Mutable Absolute URL to the documentation.
endOfLifeOn Date Optional Mutable EOL support date in the form yyyy-mm-dd.
integratedWith Object Optional Mutable Ping product integration details.
integratedWith.name String Required Mutable Name of the compatible Ping product with which this version integrates. Can include: PINGID, PINGONE_ENTERPRISE, PINGONE, PINGACCESS, PINGFEDERATE, PINGDIRECTORY, or PINGDATAGOVERNANCE
integratedWith.minVersion String Optional Mutable Earliest version of the integrated Ping product.
integratedWith.maxVersion String Optional Mutable Latest version of the integrated Ping product.
number String Required Mutable Unique number for the integration version.
releasedOn Date Required Mutable Release date in the form yyyy-mm-dd.

SAML data model (extends Integration Version)

Integration version metadata with a type of SAML will include the following data.

Property Type Required? Mutable? Description
assertionConsumerService String Required Mutable The URL to which PingOne sends SAML responses. Parameterize the URL using ${_paremter_}. For example, https://${subdomain}.slack.com. The maximum length is 2000 characters.
assertionEncrypted Boolean Optional Mutable The state of assertion encryption. True if encrypted.
defaultTarget String Optional Mutable After an IdP-initiated SSO, this URL is passed in the RelayState value in the SAML response. Informs the IdP where to send its response. Parameterize the URL using ${_paremter_}. For example, https://${subdomain}.slack.com.
entityId String Optional Mutable Unique ID for the application.
nameIdFormat String Optional Mutable This can be one of the following:
  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
protocolVersion String Required Mutable The SAML protocol version supported: 2.0, 1.1, or 1.0.
slo Object Optional Mutable The Single Logout information.
slo.requestEndpoint String Optional Mutable The endpoint where SLO requests are sent.
slo.responseEndpoint String Optional Mutable The endpoint where SLO responses are sent.
slo.binding String Optional Mutable The SLO binding. Must be either HTTP_POST or HTTP_REDIRECT
thirdParty Object Optional Mutable Third-party IdP information.
thirdParty.metadata Object Optional Mutable The third-party IdP metadata.
thirdParty.metadata.href String Optional Mutable URL of IdP's SAML metadata XML.
thirdParty.instructions.href String Optional Mutable URL of IdP's setup instructions.

Attribute data model

Only available for SAML integration metadata. The attribute data is used to store any attributes that are predefined by providers.

Property Type Required? Mutable? Description
id String Required Mutable Auto-generated ID of this attribute.
integration Object Required Read only The parent integration of the integration version.
integration.id String Required Immutable The platform-generated ID of the parent integration.
name String Optional Mutable Attribute name the application expects. Unique within the integration version and in the form urn:oasis:names:tc:SAML:2.0:attrname-format:uri.
required Boolean Optional Mutable Whether or not the attribute is required. If true, the value property must be set with a non-empty value. Default is false.
schema String Required Mutable A JSON schema describing the current attribute mapping.
version Object Required Read only The relationship to the parent integration version.
version.id String Required Immutable The platform-generated ID of the parent integration version.

Use Cases


Read All Integration Metadata


Read All Integration Versions Metadata


Read All Attributes of an Integration Version (SAML only)


Read One Integration Metadata


Read One Integration Version Metadata


Read One Attribute of an Integration Version (SAML only)