PingOne Platform API Reference
PingOne is a cloud-based framework for secure identity access management. The PingOne API gives developers the tools to integrate enterprise and third-party applications with the PingOne platform.
This document describes a number of PingOne services, including the Management API services, the Authentication API services, and the Multi-factor Authentication services. There is also material in this document that refers to the integrations between the PingOne platform and other Ping products that facilitate extended functionality beyond PingOne.
New to PingOne?
If you're new to PingOne, the following topic links will help you learn more and start working with the PingOne API.
-
Getting started with the PingOne APIs
This collection of topics helps you create your first application connection using the PingOne admin console application and get a JSON Web Token for the application you created. With your admin access token, you can make calls to the Pingone resource server.
-
Download the PingOne Postman collections
This topic includes downloads for the PingOne Platform API Postman master collection as well as targeted collections the PingOne MFA APIs, and the PingOne Protect APIs.
-
The PingOne use cases provide workflows for common PingOne configurations and sign-on flows. Each use case includes a Postman collection linked to a Run in Postman button, enabling you to load (and run) the use case collections into your Postman workspace.
-
PingOne authorization and authentication APIs
These topics provide a deeper dive into PingOne platform authorization and authentication concepts and workflows. It includes detailed information about access tokens, ID tokens, user scopes, platform roles, and sign-on flows.
-
You'll find here the documentation for the PingOne mobile SDKs. Currently, this includes the PingOne MFA SDKs, the PingOne Neo SDKs, and the PingOne Protect SDKs.
Changelog
The following changes have been made to the PingOne APIs or the associated SDKs.
Release Date | Description |
---|---|
Aug 29, 2024 | When retrieving verified data with Read All User Verified Data, you can use the attempt query parameter to limit the number of retries returned and thus reduce the size of the response. |
Aug 19, 2024 | PingOne Protect now has a risk predictor called Traffic Anomaly intended to detect traffic anomalies in terms of variables such as users, devices, and sessions. The Traffic Anomaly predictor will eventually include a variety of rules, some of which you can select to enable or disable. Currently, the predictor detects situations where there are a large number of risk evaluations requested for a single user within a short period of time, and optionally can also detect situations where the number of users per device during a given period is suspicious. When a risk level of High is calculated for a Traffic Anomaly predictor, the recommendedAction field in the risk evaluation response has the value DENY , indicating that you should probably deny access. To create a Traffic Anomaly predictor, set the type parameter to the new value TRAFFIC_ANOMALY. If you want to also check the number of users per device, use the objects described in the traffic anomaly risk predictor data model. For details, see Risk Predictors and Risk evaluations. |
Aug 5, 2024 | When creating composite predictors, you can now include conditions that check what PingOne user groups the user belongs to. For details, see the Composite Risk Predictors section in Risk Predictors and the relevant example. |
Aug 5, 2024 | The Bot Detection predictor now has an option that you can enable to expand the range of bot activity that PingOne Protect can detect. For details, see the new field includeRepeatedEventsWithoutSdk under Risk Predictors. |
Jul 22, 2024 | For MFA, there is now an option to use dynamic linking to attach a unique identifier to the registration of a FIDO device. For details, see MFA devices. |
Jul 15, 2024 | MFA is now enforced for environment administrators during registration. You can read and update admin sign-on settings using the new Administrator Security endpoints. For details, see Administrator Security. |
Jul 3, 2024 | The Suspicious Device predictor now includes an option to specify that any risk policies that include the predictor will require that the Signals SDK payload be provided as a signed JWT whose signature will be verified before proceeding with risk evaluation. For details, see Risk Predictors. |
Jun 27, 2024 | We've added the new role "Application Owner", enabling you to restrict administrator access to specific applications. Use this role to assign application developers permissions only to the applications they manage. For details, see Roles. |
Jun 18, 2024 | When creating risk evaluations, you can now provide additional detail about the context of the flow by providing a value for flow.subtype in addition to flow.type . For details, see Risk evaluations. |
Jun 17, 2024 | A new endpoint, riskFeedback , has been added to allow you to provide feedback on the accuracy of specific risk evaluations that were carried out. Each such call can include feedback for up to 100 risk evaluations, and for each you can specify a feedback category and a reason for including the evaluation in that category, For details, see Providing feedback for risk evaluations. |
Jun 4, 2024 | For MFA, there is now an option to use dynamic linking to attach a unique identifier to a FIDO transaction. For details, see Create a request property JWT and Device authentications data model. |
Jun 3, 2024 | When creating or updating MFA policies, you can now include a field called promptForNicknameOnPairing to allow users to provide nicknames for devices during pairing. For details, see Device Authentication Policies. |
May 28, 2024 | The Forms service now supports a social login button as a field type option. For details, see Forms. |
May 6, 2024 | The platform now supports the AU (Australia/Asia Pacific) region. The platform continues to support the AP (Asia Pacific) region. However, if your environments use the AP region designation (api.pingone.asia domain) for Asia-Pacific countries, be aware that this region does not support the migration of PingID customers (or the PingID product) to the PingOne platform. To get PingID platform support for your Asia-Pacific environments, use the AU region designation (api.pingone.com.au domain) when creating your new environments. For details, see Working with PingOne APIs. |
Apr 24, 2024 | The Resources service now provides a property to add application permissions to access tokens. For details, see Resources. |
Apr 8, 2024 | Simplify changing your PingOne regional domain with an environment variable, tld , in the public PingOne environment template that represents the top level domain (TLD) for your PingOne domain, such as com or eu . All the {{...Path}} variables, such as {{apiPath}} and {{authPath}} , reference {{tld}} . To change your region's top level domain, merely change the value of {{tld}} . See PingOne API domains for more information. |
Apr 4, 2024 | With Managed Credential Issuance, client applications can issue and update credentials using Create Credential Type (managed) rather than an Issuance Rule. |
Apr 3, 2024 | You can submit a redirect URL and redirect message, used and seen by users when submitting verification documents, in the body of Create Verify Transaction. |
Apr 3, 2024 | You can issue and update user credentials via a Create a User Credential or Update a User Credential call rather than an Issuance Rule. |
Apr 3, 2024 | When you create a trusted email domain, PingOne now prepares an additional text record that reflects the association of the domain with the specific PingOne environment. If you add this new record to your DNS, any "sender" email address belonging to the domain is set to active status as soon as you create it, with no need for a verification email. For details, see Trusted Email Domains. |
Apr 2, 2024 | FIDO policies now include an option called aggregateDevices that you can use to specify that the displayed list of available authentication methods should include only a single generic entry for FIDO2 devices, even if the user has multiple paired FIDO2 devices. For details, see FIDO Policies. With the introduction of this feature, responses to requests that use the deviceAuthentications and flows endpoints may now include a field called aggregateFido2Devices , indicating whether the available authentication method list should include only a single generic FIDO2 option. |
Mar 12, 2024 | We've added the new LDAP Gateway attribute userTypes.updateUserOnSuccessfulAuthentication . When enabled, on user sign on, user attributes are updated based on responses from the LDAP server. For details, see Gateway LDAP data model. |
Mar 4, 2024 | The external IdP service now supports PKCE. A new pkceMethod property has been added to the base IdP data model. For details, see Identity Provider Management. |
Mar 4, 2024 | PingOne Protect now has a new risk predictor called Email Reputation to detect the use of disposable email addresses during registration. The value of the type parameter for this predictor is EMAIL_REPUTATION. For details, see Risk Predictors. For risk evaluations based on policies that include an email reputation predictor, the response may include a value of TEMP_EMAIL_MITIGATION for the result.recommendedAction field. For details, see Risk evaluations. |
Mar 4, 2024 | For risk evaluations that use a risk policy with the New Device predictor, the response now includes the field details.device.lastSeen , which represents the date and time that the device was last seen. If an externally-maintained device ID was provided in the risk evaluation request, the response will include externalLastSeen for the date and time that the device was last seen. For details, see Risk evaluations. |
Feb 28, 2024 | For situations where a user did not receive the one-time passcode (OTP) that was sent for pairing a device, you can now use the devices endpoint to resend the OTP. For details, see Resend Pairing Code. |
Feb 21, 2024 | The platform now supports the device_code device authorization grant type on an application configuration, and it also provides endpoints to initiate and manage a device authorization flow. For details, see Device Authorization Grant. |
Feb 20, 2024 | A new field, fidoUserVerification , was added to the information that can be included in MFA device reports generated with the dataExplorations endpoint. For details, see Reporting. |
Feb 14, 2024 | PingOne now supports the CLIENT_SECRET_JWT and PRIVATE_KEY_JWT token endpoint authentication methods for OIDC applications. For details, see the jwks and jwksUrl properties in Application Operations, the client_assertion and client_assertion_type properties in OpenID Connect/OAuth 2, Token (authorization_code) (CLIENT_SECRET_JWT), Token (authorization_code) (PRIVATE_KEY_JWT), and Configure CLIENT_SECRET_JWT as the Token Auth Method. |
Feb 12, 2024 | PingOne Protect now has a new risk predictor to prevent Adversary-in-the-Middle (AitM) attacks. To create an AitM predictor, set the type parameter to the new value ADVERSARY_IN_THE_MIDDLE and use the whiteList parameter to specify the legitimate domains that your users will access for your restricted resources. For details, see Risk Predictors. |
Feb 5, 2024 | PingOne Verify no longer reads or uses verifyStatus on the user. The PingOne Neo Verify Verify Status endpoint, /environments/{{envID}}/users/{{userID}}/verifyStatus and its two operations, Read User Verification Status and Update User Verification Status at the same URL, are deprecated. The endpoint and requests will be removed February 2025. |
Jan 19, 2024 | We've added the icon property to the Environments service, enabling you to assign an icon to a PingOne environment. See the Environments data model for details. |
Jan 16, 2024 | The platform's client secret configuration now supports optional parameters to designate the replaced secret as a "previous" secret that remains valid for a specified period, up to 30 days. For details, see Update Application Secret and Create Resource Client Secret. |
Jan 11, 2024 | The platform supports the PingOne Authorize application resources and roles services, which provide endpoints to define custom resources, roles, and permissions to protect external application resources. For details, see PingOne Authorize Application Resources and Roles. |
Jan 8, 2024 | The platform supports reduced self-service scopes when the mfa authentication method is not included as an amr claim value in the token. For details, see PingOne self-management scopes. |
Jan 7, 2024 | Changes have been made to the steps required to retrieve MFA device reports generated as files. This is reflected in the responses to the relevant requests. For details, see Reporting. Note that the .zip file containing the report is now password-protected and cannot be opened without the password that is returned. |
Jan 4, 2024 | A field called device.externalId has been added to the Event data model for risk evaluations. You can use this field to send an externally-maintained device ID to the risk evaluation. If you provide such an ID, that is the device ID that will be used rather than the device ID provided by the Signals SDK. For details, see Risk evaluations. |
Jan 3, 2024 | We've added a corsSettings object to support applications using cross-origin resource sharing (CORS). See Cross-origin resource sharing, and the corsSettings properties in the Applications data models for OIDC, SAML, and WS-Federation. |
Dec 15, 2023 | You can now set and get the default identity provider (IdP) for a population. See Update Population Default IdP and Read One Population Default IdP for details. |
Dec 8, 2023 | PingOne Platform API collections in the PingOne public workspace now use Postman Collection-Level Authorization of type bearer . All requests that use bearer token authorization are now set to Inherit authorization from parent . |
Dec 4, 2023 | The PingOne Neo Verify User Data endpoint, /environments/{{envID}}/users/{{userID}}/verifyTransactions/{{transactionID}}/userData and its only operation, Read User Verification Data at the same URL, are deprecated. The endpoint and request will be removed December 2024. |
Dec 4, 2023 | The New Device Paired notification template now has an optional variable called report.fraud . If you include this variable, the notification will include a link for reporting fraudulent pairing attempts. For details, see Notifications Templates. |
Nov 16, 2023 | We've added documentation for the supported password encoding schemes. See Password encoding for more information. |
Oct 24, 2023 | You can now assign admin roles to user groups. See Group Role Assignments. |
Oct 12, 2023 | PingOne now supports outbound mutual TLS (mTLS) authentication with webhooks. You can upload a key with a usageType of OUTBOUND_MTLS and pass the ID to the tlsClientAuthKeyPair.id property when creating or updating a webhook. For more information, see Subscriptions (webhooks). |
Oct 4, 2023 | Added the displayName , sourceId , and sourceType parameters to allow querying of external user groups. See Groups. |
Sep 19, 2023 | When creating composite predictors, it is now possible to create additional sets of conditions to form an if / else if structure. To facilitate this, the composition object has been replaced with an array called compositions . To ensure backward compatibility, requests that contain the single composition object are still supported. For details, see Risk Predictors. |
Sep 18, 2023 | When providing the flow type as input for a risk evaluation, you can now use other types in addition to AUTHENTICATION . The new flow types supported are: REGISTRATION , ACCESS , AUTHORIZATION , and TRANSACTION . See Risk Evaluations. |
Sep 18, 2023 | In the MFA Settings for an environment, you can now specify whether MFA should be enabled by default for a user when their account is created. For details, see users.mfaEnabled in MFA settings. |
Sep 14, 2023 | If you create a pairing key that is shared by multiple applications, but define different pairing key lifetimes for the different applications, all the applications using the pairing key now use the most strict setting that you specified for key lifetime (shortest time). |
Sep 7, 2023 | We've added a Correlation-Id setting in the header of Phone Delivery Settings requests to the custom provider enabling you to track notifications sent by the custom provider using the Correlation-Id value. See Phone Delivery Settings. |
Sep 5, 2023 | We've added information regarding how to handle client secret updates for external identity providers. See Update Identity Provider. |
Sep 5, 2023 | You can now specify Elliptical Curve Digital Signature Algorithm (ECDSA) signing certificate algorithms for your SAML identity providers and applications. See Create Identity Provider (SAML) and SAML Application Settings Data Model. |
Aug 10, 2023 | You can now use the RequestedAuthnContext parameter to specify lower-priority application flow policies for SAML applications. See Application Flow Policy Assignments. |
Jul 31, 2023 | Added a new endpoint to PingOne Authorize to manage API service deployment. See API Service Deployment. |
Jul 26, 2023 | We've added the new roles DaVinci Admin and DaVinci Read-Only Admin . Currently, you cannot assign these roles to a Worker app. For details, see Roles. |
Jul 5, 2023 | A new field called newDeviceNotification has been added for MFA policies to allow you to specify that users should receive an SMS or email notification when a new device is added to their account. For details, see Device Authentication Policies. |
Jul 5, 2023 | New fields were added to the information that can be included in MFA device reports generated with the dataExplorations endpoint: deviceIntegrityStateCompromised , deviceIntegrityStateReason , deviceIntegrityStateTimestamp , deviceIntegrityStateAdvice , extension , fidoBackupEligibility , fidoBackupState , lastDeviceTrxTime . For details, see Reporting. |
Jun 30, 2023 | Two new risk predictors - Bot Detection and Suspicious Device - have been added. For details, see Risk Predictors and Risk Evaluations. |
Jun 30, 2023 | For including data from the Signals SDK in risk evaluations, the data in now sent using the sdk.signals.data property rather than sending the data in the header of the request. For details, see Risk Evaluations. |
Jun 20, 2023 | In MFA policies, you can now disable pairing for specific authentication methods. You can use this option if you want to phase out an existing authentication method but want to allow users to continue using the method for authentication for existing devices. See pairingDisabled in Device Authentication Policies. |
Jun 19, 2023 | To provide support for passkeys, Fido policies have been expanded significantly. For details, see FIDO Policies. Note that FIDO policy requests now use the endpoint environments/{{envID}}/fido2Policies and not environments/{{envID}}/fidoPolicies . In the framework of these changes, support was added for a new MFA device type called FIDO2. For details, see MFA Devices. |
Jun 15, 2023 | Requests that use the flows endpoint and the deviceAuthentications endpoint now include additional device status information in the response: usableStatus , pushStatus , and otpStatus . For details, see Flows and MFA Device Authentications. |
Jun 12, 2023 | PingOne MFA has moved to Firebase Cloud Messaging for sending push messages. This impacts the credentials you must enter when enabling push notifications for Google Play-based mobile applications. For details, see Application MFA Push Credentials. |
Jun 1, 2023 | We've fixed an issue with the Try a Request feature in the documentation. We've re-enabled this feature for all endpoints except the authorization endpoints (identified by the {{authPath}} variable). The Try a Request feature has always been blocked for these endpoints, due to a CORS constraint. |
May 18, 2023 | You can now choose to include the IP address of an actor and the user-agent HTTP header of an event in the source section of a subsciption audit event. See Create Subscriptions. |
May 8, 2023 | It is now possible to have one-time passwords delivered via voice to phone numbers that include extensions. For details on enabling support for phone numbers with extensions, see MFA Settings. |
Apr 28, 2023 | PingOne now supports a Language Translations service, which provides operations to view the custom string translations for a specified language and to update localized strings for specified user interface elements. For details, see Language Translations. |
Apr 25, 2023 | DaVinci no longer ignores the pi.flow OAuth property. For details about pi.flow , see the OpenID Connect/OAuth2 data model. |
Apr 23, 2023 | When creating notification policies, you can now use the quotas array to limit the use of email messages for pairing and authentication. For details, see Notification Policies. |
Apr 19, 2023 | For integrity checking on Android devices, PingOne MFA now uses Google's Play Integrity API. This requires you to provide additional information from your Google service account if you want to create or update an application that uses integrity checking. For the details of the new mandatory fields, see the Applications OIDC settings data model table in Application Operations and the Create Application (OIDC Protocol - Native App) sample. |
Apr 14, 2023 | PingOne now supports the Forms service, which provides tools for administrators to create custom forms presented to users during the authentication workflow. For details, see Forms and Forms Recaptcha. |
Apr 3, 2023 | When creating notification policies, you can now use the countryLimit object to limit the countries where you can use SMS and voice notifications. For details, see Notification Policies. |
Mar 27, 2023 | PingOne now supports the SCIM 2.0 identity management standard for provisioning users into PingOne Directory. Currently we support the /Users endpoint with basic SCIM to PingOne Directory attribute mapping. For details, see SCIM. |
Mar 27, 2023 | When creating or updating New Device risk predictors, you can now use the activationAt parameter to specify a date on which the learning process for the predictor should be restarted. This can be used in conjunction with the fallback setting (default.result.level ) to force strong authentication when moving the predictor to production. For details, see Risk Predictors. |
Mar 26, 2023 | In addition to combining existing predictors, you can now include the following risk factors in your composite predictors: country, state, IP range, IP domain organization, ISP, target resource (application). For details, see Risk Predictors. |
Mar 16, 2023 | We've added new Sessions endpoints to Reset the Authentication Session by Session ID or Reset the Authentication Session by Session Token. |
Mar 13, 2023 | When defining the settings for mobile applications in an MFA policy, you can now use the new pairingKeyLifetime object to specify how long an issued pairing key can be used until it expires. For details, see Device Authentication Policies. |
Mar 13, 2023 | You can now define the number of consecutive push notifications that can be ignored or rejected by a user within a defined period before push notifications are blocked for an application. Use this setting to prevent attacks based on repeated push notifications that may lead users to eventually accept the authentication request. For details, see the documentation for the pushLimit object in Device Authentication Policies. |
Feb 01, 2023 | The platform now supports properties for enumerated values and regular expression validation in the schema data model. For details, see Schemas. |
Jan 10, 2023 | You can now configure Android applications to use Huawei Mobile Services. For details, see Application Operations and Application MFA Push Credentials. |
Jan 10, 2023 | You can now use the dataExplorations endpoint to generate reports of MFA devices. For details, see Reporting. |
Jan 10, 2023 | For notification templates of type "Push", it is now possible to specify a push category to control the type of banner that is displayed to the user. For details, see Notification Templates. |
Jan 3, 2023 | You can now use the riskPredictors endpoint to create New Device predictors, which allow your risk policy to take into account the risk associated with users trying to access applications from unknown devices or devices that have not been used in the recent past. For details, see Risk Predictors. |
Jan 3, 2023 | In MFA policies, it is now possible to specify how much time users have to respond to a push notification before it expires. This period can be defined separately for each mobile application included in the MFA policy. For details, see Device Authentication Policies. |
Jan 3, 2023 | The default method to use for MFA is now set at the MFA policy level rather than at the environment level. For details, see Device Authentication Policies. |
Jan 3, 2023 | It is now possible to block a user's MFA device, and to unblock a device that is currently blocked. For details, see MFA Devices. |
Dec 15, 2022 | It is now possible to use the API to unlock a device that was locked-out due to too many failed MFA attempts, even if the defined waiting period has not yet elapsed. For details, see MFA Devices. |
Dec 15, 2022 | It is now possible to use the gateways endpoint to create a RADIUS gateway. For details, see Gateway Management. |
Dec 8, 2022 | We've added properties to support applications using WS-Federation. See the Applications base data model and the Applications WS-Federation settings data model for more information. |
Dec 2, 2022 | We've added an email verification endpoint to verify a user's email through a verification code. See User Email Verification. |
Nov 22, 2022 | You can now use the hiddenFromAppPortal property to hide an application in the application portal, overriding your configured group membership access policy. See Applications base data model. |
Oct 26, 2022 | You can now use the nameFormat property to define the naming format for attributes other than Subject . See Applications attribute mapping data model. |
Oct 26, 2022 | We've added the initiateLoginUri and targetLinkUri properties to the Applications OIDC data model. |
Oct 25, 2022 | The Token Introspection Endpoint now supports authentication with a Resource ID and Secret. See POST Token Introspection (Resource ID and Secret) and Resource Secret. |
Oct 21, 2022 | You can now allow a wildcard character in the Redirect URI for OIDC applications. See Applications OIDC settings data model. |
Oct 19, 2022 | PingOne Risk now includes an SDK that allows you to obtain additional risk-related data and pass the data to the risk evaluation, resulting in improved detection. The riskEvaluations endpoint can now take the data provided by the SDK in a header called X-SDK-DATA-PAYLOAD . For details, see the documentation for creating risk evaluations. |
Sep 28, 2022 | To simplify automated testing of your applications, you can now create dedicated testing devices. When you use the API to send authentication requests to such a device, the OTP is not sent to the actual device, but instead is returned as part of the body of the response. See MFA Devices. |
Sep 15, 2022 | We've added support for the WS-Federation protocol to the Application Management service. This supports Microsoft's Office365 and Azure integration with PingOne. See Create Application (WS-Federation Protocol) for more information. |
Aug 31, 2022 | When using the mfaSettings endpoint to update MFA settings, you can now use pairing.pairingKeyFormat to specify the type of pairing keys that should be used - 12-digit numeric keys or 16-character alphanumeric keys. Existing environments will continue to use the 12-digit numeric keys unless changed. New environments will use the 16-character keys by default. |
Aug 31, 2022 | It is now possible to create composite predictors - for situations where you are interested in combining a number of risk predictors into a single predictor. See Risk Predictors. |
Aug 26, 2022 | The platform now supports adding custom claims to an OpenID Connect scope. See Resource Scopes. |
Aug 18, 2022 | We've added a default property to the Populations endpoint, enabling you to assign a default population to an environment. See Populations. |
Aug 14, 2022 | When creating or editing an MFA policy, you can now use the field mobile.applications[].integrityDetection to specify how registration and authentication attempts should be handled if a response is not received for device integrity: continue with the flow or block the user. For details, see Device Authentication Policies. |
Aug 14, 2022 | When defining a mobile application, you can now use mobile.integrityDetection.excludedPlatforms in conjuction with mobile.integrityDetection.mode to enable device integrity checking only for Android or only for iOS. For details, see Application Operations. |
Aug 2, 2022 | You can now use Kerberos to sign-on users. See Gateway LDAP data model in Gateway Management and the Sign On with Kerberos request. |
Aug 2, 2022 | You can now force a reset of the password identified by the user ID and environment ID without the administrator supplying a password. See Force Change Password request. |
Aug 2, 2022 | It is now possible to use the API to create and manage FIDO policies, which can then be included in device authentication policies. For details, see FIDO Policies and Device Authentication Policies. |
Aug 1, 2022 | It is now possible to use the riskPolicySets endpoint with conditions of type AGGREGATED_SCORES to create score-based policies. See Risk Policies. |
Jul 18, 2022 | For sign-on policies in PingOne, MFA steps are added now by referencing an existing MFA policy rather than having to define the specific authentication methods that are allowed for the policy. For details, see Sign-On Policy Actions. |
Jul 14, 2022 | The platform now includes PingFederate admin roles, allowing admins to SSO from PingOne into PingFederate with the appropriate permissions for their role. See Roles. |
Jul 10, 2022 | For organizations that prefer to maintain their own user device information, it is now possible to initiate authentication while providing the information necessary for contacting the user. See the documentation for the selectedDevice object in MFA Device Authentications. |
Jul 7, 2022 | It is now possible to create passwordless authentication flows that require only FIDO2 authentication with no need for the user to provide their username. To use this feature, use the rp.id property in the request body for deviceAuthentications . For details, see MFA Device Authentications. |
Jun 6, 2022 | You can now define notification policies to limit the use of SMS and voice messages for pairing and authentication. For details, see Notification Policies. |
Apr 28, 2022 | The platform now includes the PingOne Authorize API access management service, which provides tools to externalize the management and evaluation of access control policies for HTTP-based APIs. See PingOneAuthorize API Access Management. |
Apr 25, 2022 | MFA Native SDK v1.7.0 now supports authentication code flows for Android and iOS operating systems. See Authentication code flow. SDK v1.7.0 also supports elliptic-curve cryptography (ECC) for signing and verifying mobile requests. This feature uses iOS secure enclave capabilities. |
Apr 25, 2022 | The platform now includes endpoints that initiate an authentication code flow. See MFA Authentication Code. The platform includes a new uriPrefix property on the application's mobile object that specifies a valid app/universal link or app schema to enable direct triggering of the mobile application when scanning a QR code. See Application Operations. |
Mar 11, 2022 | The platform now requires a minimum password length of 8 - 32 characters. For more information, see Password Policies. |
Mar 07, 2022 | The platform now supports a hybrid flow authorization request, in which some tokens are returned from the authorization endpoint, and others are returned from the token endpoint. For more information, see GET Authorize (hybrid) and POST Authorize (hybrid). |
Feb 09, 2022 | The platform now supports a policy.id property for MFA devices that specifies the device authentication policy ID associated with the device resource. For more information, see MFA Devices and MFA Pairing Keys. |
Feb 04, 2022 | The platform now supports a PingFederate-SSO platform application, which is created automatically if the PingOne environment includes PingFederate. For more information, see Application Management. |
Jan 13, 2022 | Custom risk predictors cannot be referenced as an attribute in a placeholder details list (${details.<attribute>}). See Custom risk predictor conditions in Risk Predictors for more information. |
Dec 27, 2021 | The platform now supports configuring the whiteList property on a per risk predictor basis. For information about risk predictors that support the whiteList property, see Risk Predictors. |
Dec 27, 2021 | The platform now supports the User Location Anomaly risk predictor. See Risk Predictors. |
Dec 23, 2021 | For authorization requests that return an invalid request object error, the error message now includes additional details about the INVALID_VALUE . For example, the old detail message stated this: "The request parameter contains an invalid Request Object" . The new detail message provides specific information about the validation error: "The request parameter contains an invalid Request Object: The token signature is invalid." . |
Dec 17, 2021 | The Integration Catalog has been updated to easily retrieve application integration information and assets. |
Dec 17, 2021 | The image service API now returns a regionalized URL for any new images uploaded. For example, if you are in the EU and use pingone.eu , then uploaded images will now be in this format "https://uploads.pingone.eu/environments/..." instead of "https://uploads.pingone.com/environments/..." . This regionalization is also applicable to uploaded images in the .asia and .ca regions. Old image URLs will still work as expected. For more information, see Images. |
Dec 16, 2021 | The platform now supports configuration of policies for MFA enrollment and authentication transactions in PingOne Flows. The apiPath/environments/envID/deviceAuthenticationPolicy endpoint is deprecated, but still supported. No immediate code change are required, but it's recommended to change to the new apiPath/environments/envID/deviceAuthenticationPolicies endpoint.See Device authentication policies that now supports the following operations: |
Dec 15, 2021 | The platform now includes endpoints that initiate and complete an MFA action without requiring a call to the PingOne authorize service. For more information, see MFA Device Authentications. |
Dec 15, 2021 | The platform now supports the ability to configure short codes and toll-free origination numbers to send SMS and voice notifications to recipients in multiple countries. See the supportedCountries property in the Custom provider phone number properties table. |
Dec 12, 2021 | The platform now supports configuration of untrusted sender email addresses at the email notification template content level, when using a custom email sender. See Content properties. |
Dec 08, 2021 | The platform now provides easier integration with custom providers' remote gateways, including support for dispatching voice notifications. This implementation uses the GET and POST operations and customizable body and headers.Basic and bearer authentication methods are supported. See Phone delivery settings. |
Dec 07, 2021 | The platform now includes decision endpoints that allow efficient evaluation of policies developed in the PingOneAuthorize Policy Editor Service. For more information, see PingOneAuthorize Policy Decision Service. |
Nov 08, 2021 | The platform now supports a JSON array PATCH action to update targeted elements on a user object. For more information, see Update User (Patch JSON Array). |
Oct 25, 2021 | The notifications settings property, notificationsSettings.defaultLanguage , has been removed from the platform. When required, notifications use the environment's default language, which is set using the /environments/{{envID}}/languages endpoint. For information about notification content and language selection, see Runtime logic for content selection. For information about an environment's default language, see Language Management. |
Oct 04, 2021 | Ping Identity has added a Canada regional data center, that will provide enhanced performance and response on services for Canadian customers accounts hosted on this data center. Canada data center domains:
|
Sep 30, 2021 | The platform now supports the Identity Data Read Only Admin role. See Roles. |
Sep 30, 2021 | The platform now supports custom risk predictors. See Risk Predictors. |
Sep 2, 2021 | The platform now supports connecting to external LDAP directories to validate user credentials. See Gateway Management. |
Aug 31, 2021 | The platform now supports configuration of your own provider for dispatching SMS notifications. See Phone delivery settings. The phoneDeliverySettings.provider field now supports the new CUSTOM_PROVIDER valid value.The new POST Create Phone Delivery Settings and PUT Update Phone Delivery Settings operations use the new custom provider phone delivery settings properties:
Note: This implementation uses the POST operation and non-customizable body and headers. It requires customers to create a gateway that receives these requests in their simple, static format, and translates those requests into their custom provider’s supported SMS format. |
Aug 12, 2021 | From MFA Native SDK v1.6.0, the platform supports mobile device integrity checks.
|
Jul 29, 2021 | The following properties have been added to the risk evaluations details data model: state , city , previousSuccessfulTransaction.state , previousSuccessfulTransaction.city . See Risk evaluations. |
Jul 26, 2021 | The platform now supports the Credentials Issuance service, enabling you to create custom verifiable credentials for users. See Credentials Issuance. |
Jul 14, 2021 | The platform now supports configuration of your MFA authentication methods according to your security policies, including passcode refresh time (mobile applications), passcode retry attempts, passcode lifetime duration, and device block duration times. See Device authentication policies. |
Jun 30, 2021 | The platform now supports dispatching SMS and voice notifications via your organization's own Syniverse account in place of Ping Identity's account or your own Twilio account. The phoneDeliverySettings.provider field now supports the new CUSTOM_SYNIVERSE valid value.The fallback option uses the smsProvidersFallbackChain property. For more information see Phone delivery settings. To configure an SMS and voice provider fallback chain see Notifications settings. |
Jun 30, 2021 | The platform now supports pairing a phone number as an MFA method using a voice call OTP, and subsequent voice call OTP authentication notifications to paired phone numbers. The following new operations were added:Existing services have been extended to include voice OTP:
|
May 06, 2021 | The platform now supports just-in-time provisioning of new users who authenticate with a registered authoritative external identity provider. See Identity Provider Management and Users. |
May 05, 2021 | The platform now provides the number of OTP attempts remaining in the error message detail as part of the Check One-Time Passcode action and Activate MFA User Device action. |
Apr 13, 2021 | The platform now provides a Risk Advanced Predictors endpoint to include advanced predictor criteria for risk policies. For more information, see PingOne Risk, Risk Advanced Predictors, and Risk Policies. |
Apr 08, 2021 | If you attempt to create or update a custom content for an existing combination of template, locale , deliveryMethod and variant , you now get an INVALID_DATA /UNIQUENESS_VIOLATION error. |
Mar 24, 2021 | The platform now provides a sign-on policy action that bypasses the PingOne sign-on screen and immediately redirects the user to an external identity provider's sign-on workflow to authenticate. For more information, see Sign-On Policy Actions and External Authentication. |
Mar 19, 2021 | The platform now provides a user account management endpoint to unlock a user account. For more information, see User Accounts, Users, Sign-On Policy Actions, MFA Settings, and Flows. |
Feb 23, 2021 | The platform now supports the ability to prompt end users with your own legal text during registration and sign on. The platform records a user's active consent to the document before proceeding with the flow. For more information, see Agreement Management, User Agreement Consents, Sign-On Policy Actions, and Flows. |
Feb 23, 2021 | The platform now supports text and language customization for all end user interfaces and notifications. In this initial release, it supports the new Agreements (terms of service) feature. For more information, see Language Management. |
Feb 03, 2021 | The platform now supports groups for users. For more information, see Groups. |
Feb 03, 2021 | The platform now includes optional accessControl properties on applications that, when set, specify the conditions that must be met by an authenticating actor to access the application. For more information, see Control access to applications through roles and groups. |
Feb 02, 2021 | The platform now supports multiple custom contents for each template + deliveryMethod + locale combination with the variant property. For more information, see Notifications templates. |
Feb 02, 2021 | The platform now supports a custom notification with the creation of an email or SMS MFA device. For more information, see Custom device pairing notification with device creation. |
Feb 1, 2021 | The platform now includes the PingOne Verify APIs, and the PingOne Verify native SDKs. |
Jan 19, 2021 | The platform now includes endpoints to read and update MFA settings. For more information, see MFA Settings. |
Jan 19, 2021 | The platform includes support for FIDO2 bound biometrics devices and FIDO2 or U2F security key devices. For more information, see FIDO2 Devices. |
Jan 11, 2021 | The platform now supports device ordering to create a default active device. For more information, see Device order. |
Jan 08, 2021 | The platform now supports external registration, which provides a sign-on action to register a user using an external identity provider's registration workflow. For more information, see Flows and Sign-On Policy Actions. |
Dec 30, 2020 | The platform now supports a maximum allowed devices setting for paired devices and a device nickname property used during authentication. For more information, see Maximum allowed devices and Device properties. |
Dec 14, 2020 | The platform now supports risk policy sets and risk evaluations. For more information, see PingOne Risk. |
Dec 14, 2020 | The platform now supports using the token endpoint so that the client can make a token exchange request to the PingOne authorization server. For more information, see Token Exchange (Gateway Credential). |
Dec 09, 2020 | The application protocol data model property no longer supports the NONE option. For more information, see Application Operations. |
Dec 03, 2020 | Notifications content variables are now case insensitive. For more information, see Notifications Templates. |
Oct 15, 2020 | The platform now supports an alerting service that delivers high-level email warnings about resource states. For more information, see Alerting. |
Oct 13, 2020 | The platform now supports a Time-based One-time Password (TOTP) authenticator application device type. For more information, see Create MFA User Device (TOTP) and Sign-on Policy Actions. |
Sep 29, 2020 | The platform now supports the PingOne MFA product. For more information, see Getting Started with PingOne MFA. |
Sep 22, 2020 | The platform now supports the ability to select and customize the branding themes that you can apply to your sign-on screens. For more information, see Branding. |
Sep 21, 2020 | The platform now supports self-management access control scopes that allow organizations to specify which user profile attributes are accessible to end users. For more information, see Access services through scopes and roles and Resource scopes. |
Sep 14, 2020 | The platform now includes endpoints to manage Yahoo, Microsoft, GitHub, and PayPal external identity provider configurations. For more information, see Identity providers. |
Jul 21, 2020 | The platform now supports the ability to configure a trusted email domain for each environment. A trusted email domain with its associated email addresses enable PingOne to send emails on your organization’s behalf. For more information see Trusted email domains and Trusted email addresses. |
Jul 07, 2020 | The platform now supports configuration of sign-on policies to determine whether MFA is required for authentication requests detected as originating from an anonymous network such as an unknown VPN, proxy or anonymity communication tool such as Tor. It is possible to exclude specific IP addresses using a whitelist. See the anonymousNetwork condition in the Condition Variables table in the Sign-on Policy Actions page. |
Jun 25, 2020 | The platform now includes endpoints to manage Apple external identity provider configurations. For more information, see Identity providers. |
Jun 24, 2020 | The platform now includes endpoints to manage Amazon external identity provider configurations. For more information, see Identity providers. |
Jun 24, 2020 | The platform now includes endpoints to manage Twitter external identity provider configurations. For more information, see Identity providers. |
Jun 16, 2020 | The platform now supports despatching SMS notifications via your organization's own Twilio account in place of Ping Identity's account. This also allows for the option of falling back to Ping's account in the event of notification failure, using the new smsProvidersFallbackChain property. For more information see Phone delivery settings. See Notifications settings to configure an SMS provider fallback chain. |
Jun 16, 2020 | The platform now supports transaction approval when strong authentication is required for elevated security for a high value transaction, or high risk resource or service. This includes use of the new request property in the following OIDC operations: GET Authorize (authorization_code), POST Authorize (authorization_code), GET Authorize (implicit) and POST Authorize (implicit). Transaction approval also permits use of the new allowDynamicVariables property in Notifications templates. |
Jun 16, 2020 | From Native SDK v1.3.0, the platform supports extra verification on device authorization. For more information see the extraVerification property in Sign-on policy actions. |
May 05, 2020 | The platform now provides an interface for third-party auditing tools to subscribe to and consume PingOne audit activity events. For more information, see Subscriptions (webhooks). |
Apr 30, 2020 | The platform now supports a token revocation endpoint. For more information, see Token revocation. |
Apr 15, 2020 | The platform now supports an identity-provider initiated SAML authentication single sign-on flow. For more information, see SAML 2.0. |
Apr 15, 2020 | The sign-on policy service now includes an IDENTIFIER_FIRST sign-on policy action. For more information, see Sign-on policy actions. |
Apr 03, 2020 | The sign-on policy service now includes a PROGRESSIVE_PROFILING sign-on policy action. For more information, see Sign-on policy actions. |
Apr 03, 2020 | The licenses and capabilities services now include properties that designate whether the license allows the creation of custom domains. For more information, see Licensing and Capabilities. |
Apr 03, 2020 | The flow service has changed so that a session token cookie is set only after the identity of the user has been partially established. For more information, see Identity providers. |
Apr 03, 2020 | The platform now includes endpoints to manage OpenID Connect external identity provider configurations. For more information, see Identity providers. |
Mar 31, 2020 | The platform now supports configuration of sign-on policies to determine whether MFA is required for authentication requests detected as having high-risk IP reputation and geovelocity anomalies. See the geovelocity and IP reputation Condition variables on the Sign-on policy actions page. |
Mar 31, 2020 | From Native SDK v1.2.0, the platform includes the ability to get logs from authenticating user native devices for investigation and support. See Devices API operations on the Devices page. |
Mar 31, 2020 | From Native SDK v1.2.0, the platform includes the ability to send logs from authenticating user native devices to the PingOne server, for investigation and support. |
Mar 31, 2020 | From Native SDK v1.2.0, the platform supports automatic device authentication. See PingOne Native SDK flows. |
Mar 13, 2020 | The platform now includes an identity propagation API that provides for configurable and audit-capable propagation of identities and their attributes between identity stores owned or managed by a customer. For more information, see Identity propagation. |
Mar 11, 2020 | The platform now includes an identity provider discovery login flow that initiates actions to identify the user and determine the applicable authentication methods for this user. For more information, see Identifier first action and Get a flow. |
Mar 11, 2020 | The platform now includes a progressive profiling authentication flow that prompts users to provide additional data at sign on. For more information, see Progressive profiling action and Submit profile data. |
Feb 19, 2020 | The set password action now includes an optional bypassPolicy property that specifies whether the user's password policy should be ignored. For more information, see Set password. |
Feb 10, 2020 | The platform now includes an endpoint to view and license capabilities. For more information, see Capabilities. |
Jan 13, 2020 | The platform now includes an endpoint to view and update the name property value for a license. For more information, see Licensing. |
Dec 17, 2019 | The platform now supports a token introspection endpoint. For more information, see Token introspection. |
Dec 10, 2019 | The platform now supports password policy customization. For more information, see Password policies. |
Dec 10, 2019 | The platform now supports configuration of a Proof Key for Code Exchange (PKCE) authorization workflow. For more information, see OpenID Connect/OAuth 2 and Configure a PKCE authorization workflow. |
Dec 10, 2019 | The platform now supports custom domains. For more information, see Custom domains. |
Dec 10, 2019 | The platform now includes endpoints to manage LinkedIn external identity provider configurations. For more information, see Identity providers. |
Dec 10, 2019 | The platform now includes endpoints to customize ID tokens for a OIDC applications. For more information, see Attribute mapping. |
Dec 09, 2019 | The Native SDK supports automatic enrollment through OIDC authentication. |
Oct 10, 2019 | The Native SDK sample app for Android now has notification banners. |
Oct 10, 2019 | The Native SDK Android component dependencies have been updated: the Nimbus library has been replaced by Jose4J. See Pingone Native SDK > Android > Set up a native app using the PingOne SDK sample code > Add the PingOne SDK component into your existing project. |
Oct 10, 2019 | The iOS Native SDK API now requires Swift 5.1. See Pingone Native SDK > iOS > Set up a native app using the PingOne SDK sample code > Xcode integration for software prerequisites. |
Oct 10, 2019 | Logs appeared in the Android developer console. This has been resolved so that they no longer appear. (P14CMFA-3242) |
Oct 03, 2019 | The platform now includes endpoints to view authentication statistics on a per application basis. For more information, see Authentications per application. |
Aug 30, 2019 | The platform now includes endpoints to manage Google external identity provider configurations. For more information, see Identity providers. |
Aug 30, 2019 | The platform now supports access token customization. For more information, see Access token customization. |
Aug 19, 2019 | The platform now includes a basic password policy to allow for maximum customer flexibility. For more information, see Password policies. |
Aug 14, 2019 | Sign-on policy action condition attributes now require camelCase syntax for attribute names (for example, ipRange , secondsSince ). For more information, see Sign-on policy actions. |
Jul 31, 2019 | The platform now supports the refresh_token grant type. For more information, see Access tokens and ID tokens and Obtain an access token. |
Jul 31, 2019 | The platform now supports a native SDK that allows developers to send push notifications to custom native applications for multi-factor authentication (MFA). For more information, see Pairing keys, Android PingOne Native SDK API, and iOS PingOne Native SDK API. |
Jul 31, 2019 | The following template IDs (see Notifications templates) have changed:
GET /environments/{{envID}}/templates endpoint will return the new template IDs, instead of the old ones. The deprecated offline_pairing and offline_authentication template IDs are still supported for backward compatibility, but will be unsupported at a future date. |
Jul 02, 2019 | The platform now includes endpoints to manage external identity provider configurations that enable social login and inbound SAML login features in PingOne. It also includes endpoints to manage a user’s links to external identity provider accounts. For more information, see Identity providers and Linked accounts. |
Jun 25, 2019 | The platform now includes endpoints to get information about the licenses associated with an organization. For more information, see Licensing. |
Jun 25, 2019 | The platform now includes endpoints to get information about active identity counts and total identity counts. For more information, see Active identity counts and Total identities. |
Jun 13, 2019 | The file import feature is temporarily disabled. It will be enabled in a future release. |
Apr 15, 2019 | The platform now supports a passwordless authentication flow. For more information, see Sign-on with a username and Configure a passwordless sign-on policy. |
Apr 01, 2019 | PATCH requests that modify custom JSON user attributes are replaced completely. For more information, see Users: Partial update. |
Apr 01, 2019 | Sign on policy actions now support a policy condition language that allows both logical and data rules to construct a policy condition statement. For more information, see Sign-on policy action conditions. |
Mar 25, 2019 | Platform scopes, such as p1:read:env:user , p1:create:env:device , and p1:update:env:population , have been removed. In order to access platform APIs, you must create a new WORKER application type. For more information, see Access through scopes and roles. |
Mar 25, 2019 | Scopes with “self” in the name have been renamed. Example: p1:reset:self:userPassword is now p1:reset:userPassword . For more information, see Access through scopes and roles. |
Mar 01, 2019 | The SAML attribute mappings data model now includes a mappingType attribute to identify CORE , SCOPE and CUSTOM mapping types. For more information, see Attribute mapping. |
Feb 18, 2019 | The following templates are available for use with notifications templates: verification_code_template , recovery_code_template , offline_authentication , and offline_pairing . For more information, see Notifications templates and Notifications settings. |
Jan 28, 2019 | The flow service no longer uses the /step/{{stepID}} sub-resource, and it no longer shows multiple statuses and nested embedded resources. The status property in the flow response contains all information about the flow's current state. For more information, see Flows. |
Jan 22, 2019 | Audit reporting supports a POST operation to retrieve audit events without exposing sensitive or personal filtering information in a GET request URL. The required SCIM filtering expression is specified in the POST request body. For more information, see Get audit activities using POST. |
Jan 21, 2019 | The data model for SAML application settings requires a leading dollar sign ($) when specifying the expression in the value attribute. For example, "value": "${user.username}" . For more information, see SAML application attribute mappings. |
Jan 11, 2019 | The GET /environments/{{envID}}/activities endpoint no longer supports the in (includes) SCIM operator. For more information, see Audit activities and events. |
More information
For more information about PingOne product updates, see Release Notes.
Working with PingOne APIs
If you want to start building your own workflows with PingOne APIs, the Workflow Library provides step-by-step workflows with linked Postman collections to help you start using the PingOne APIs in your Postman environment.
PingOne API domains
The PingOne API includes the following regional domains.
-
api.pingone.com
,api.pingone.ca
,api.pingone.eu
,api.pingone.asia
, andapi.pingone.com.au
These are the primary domains for calling PingOne Management API resource server, with
api.pingone.com
used for environments in the North America region (excluding Canada),api.pingone.ca
for environments in the Canada region,api.pingone.eu
for environments in the European Union region,api.pingone.asia
for environments in the Asia-Pacific region, andapi.pingone.com.au
for environments in the Australia region.The
{{apiPath}}
variable in the sample requests represents the regional domain for the PingOne server. This variable stands forhttps://api.pingone.com/v1
for environments in the North America region (excluding Canada),https://api.pingone.ca/v1
for environments in the Canada region,https://api.pingone.eu/v1
for environments in the European Union region,https://api.pingone.asia/v1
for environments in the Asia-Pacific region, andhttps://api.pingone.com.au/v1
for environments in the Australia region. Note that the trailing/v1
is required. -
auth.pingone.com
,auth.pingone.ca
,auth.pingone.eu
,auth.pingone.asia
, andauth.pingone.com.au
This is the authorization and authentication server domain called to request the access token required to authenticate PingOne API requests, with
auth.pingone.com
used for environments in the North America region (excluding Canada),auth.pingone.ca
for the Canada region,auth.pingone.eu
for the European Union region,auth.pingone.asia
for the Asia-Pacific region, andauth.pingone.com.au
for the Australia region.The
{{authPath}}
variable in the sample requests represents the regional domain for the PingOne authentication server. This variable stands forhttps://auth.pingone.com
for the North America region (excluding Canada),https://auth.pingone.ca
for the Canada region,https://auth.pingone.eu
for the European Union region,https://auth.pingone.asia
for the Asia-Pacific region, andhttps://auth.pingone.com.au
for the Australia region. Note that nothing trails the domain in the{{authPath}}
variable. -
orchestrate-api.pingone.com
,orchestrate-api.pingone.ca
,orchestrate-api.pingone.eu
,orchestrate-api.pingone.asia
, andorchestrate-api.pingone.com.au
These are the primary domains for calling the PingOne DaVinci Management API resource server, with
orchestrate-api.pingone.com
used for environments in the North America region (excluding Canada),orchestrate-api.pingone.ca
for environments in the Canada region,orchestrate-api.pingone.eu
for environments in the European Union region,orchestrate-api.pingone.asia
for environments in the Asia-Pacific region, andorchestrate-api.pingone.com.au
for environments in the Australia region.The
{{orchestratePath}}
variable in the DaVinci requests documentation represents the regional domain for the PingOne server. This variable stands forhttps://orchestrate-api.pingone.com/v1
for environments in the North America region (excluding Canada),https://orchestrate-api.pingone.eu/v1
for environments in the European Union region,https://orchestrate-api.pingone.ca/v1
for environments in the Canada region,https://orchestrate-api.pingone.asia/v1
for environments in the Asia-Pacific region, andhttps://orchestrate-api.pingone.com.au/v1
for environments in the Australia region. Note that the trailing/v1
is required. -
scim-api.pingone.com
,scim-api.pingone.ca
,scim-api.pingone.eu
,scim-api.pingone.asia
, andscim-api.pingone.com.au
These are the primary domains for calling the PingOne System for Cross-domain Identity Management (SCIM) API resource server, with
scim-api.pingone.com
used for environments in the North America region (excluding Canada),scim-api.pingone.ca
for environments in the Canada region,scim-api.pingone.eu
for environments in the European Union region,scim-api.pingone.asia
for environments in the Asia-Pacific region, andscim-api.pingone.com.au
for environments in the Australia region.The
{{scimPath}}
variable in the SCIM requests documentation represents the regional domain for the PingOne SCIM server. This variable stands forhttps://scim-api.pingone.com
for environments in the North America region (excluding Canada),https://scim-api.pingone.eu
for environments in the European Union region,https://scim-api.pingone.ca
for environments in the Canada region,https://scim-api.pingone.asia
for environments in the Asia-Pacific region, andhttps://scim-api.pingone.com.au
for environments in the Australia region.
PingOne API region codes
For the relevant endpoint properties (as shown in the data models for the endpoint), the regions supported by the PingOne API are referenced using these region codes:
Region code | Description |
---|---|
NA | North America |
CA | Canada |
EU | Europe |
AP | Asia-Pacific |
The Try A Request feature
Except for the authentication and authorization requests, our documentation for the PingOne APIs includes an interactive Try A Request feature. Try A Request enables you to configure and send a PingOne API request and get a response from within the documentation. This is a quick way to interactively test a PingOne API request without needing to use either Postman or the command line.
Calling the PingOne APIs from the command line
Each PingOne API request in the documentation includes an example request and response. By default, the example request is displayed using cURL. However, a number of coding languages are available in the associated drop-down list. If you want to run a request from the command line, you can select the coding language and copy the displayed request. You'll need to replace any variables in the request with the appropriate values before running the request.
Using Postman collection-level authorization
Most APIs require authorization to ensure that client requests access data securely. Postman can pass along whatever authorization details necessary for the method demanded by the endpoint. You can manually include authorization data in the header, body, or as parameters to a request. However, the easiest way is to use the Authorization tab in Postman. Select an authorization Type on that tab and Postman offers a dialog to gather the information required by that Type. When you run a request, Postman uses the information from the Authorization tab to automatically add the necessary authorization header, body, or parameters to the request. Postman offers the Authorization tab on requests, folders, and collections.
In PingOne collections, the authorization method is defined at the collection level. Only those requests that require a specific authorization method have authorization defined on the request (roughly 10% of PingOne requests). This allows you to easily change the authorization used for most requests. See Postman Collection-Level Authorization for more information.
Related topics
Forward compatibility guidance for PingOne client developers
This section provides guidance on what PingOne API client developers should do to maintain forward compatibility of their client applications as PingOne APIs evolve. PingOne is a continuously developing platform, and developers must be aware of non-breaking changes to the APIs and how to prepare for these inevitable changes. PingOne will rarely, if ever, introduce a breaking change; however, when that happens, there will be notifications or deprecation messages to inform developers. For non-breaking changes, client developers must ensure that their apps will function as expected after the following API changes occur.
Non-breaking API changes
Client applications should be resilient to additions of new optional properties in request and response payloads. The following list of enhancements occur regularly to the Pingone platform API.
Related resource links
The addition of new related resource links added to responses should not cause application breaks in your client environments.
{
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6"
},
"organization": {
"href": "https://api.pingone.com/v1/organizations/bed432e6-676a-4ebe-b5a5-6b3b54e46bda"
},
"license": {
"href": "https://api.pingone.com/v1/organizations/bed432e6-676a-4ebe-b5a5-6b3b54e46bda/licenses/3f06970a-3235-46cb-b46f-cf6dfee2bb84"
},
Almost all PingOne API responses include a _links
section that lists related resources as HAL (Hypertext Application Language) links, and these lists change as the platform adds new resources (and new relationships). For common endpoints such as /environments
or /users
, the list of HAL links changes often.
New optional properties
The addition of new (optional) properties added to request and response payloads should not cause application breaks in your client environments.
PingOne API endpoints, even those that have been part of the platform since its inception, can receive additional optional data model properties as the platform matures. Client application developers must configure their client environments to accommodate new optional properties in requests and support new returned properties in endpoint responses.
New content-types or content-language formats
The addition of new content-types or content-language formats of the same resource should not cause application breaks in your client environments.
The platform API includes endpoints that support multiple content types. Client application developers must configure their application environments to accept supported media types for the endpoint. For example, the following request shows a new action on the /{{envID}}/flows/{{flowID}}
endpoint that supports a device authorization grant. Your client environment should support the new content type, application/vnd.pingidentity.deviceAuthGrant.userCode.verify+json
.
curl --location --request POST '{{authPath}}/{{envID}}/flows/{{flowID}}' \
--header 'Content-Type: application/vnd.pingidentity.deviceAuthGrant.userCode.verify+json' \
--data-raw '{
"userCode": "{{userCode}}"
}'
New HTTP methods
The addition of new supported HTTP methods added to a resource should not cause application breaks in your client environments.
Client application developers must configure their application environments to accommodate new HTTP methods added to a platform service. For example, adding a new PATCH operation to an endpoint should be supported in your client environments.
Third-party libraries
Some third-party libraries deployed in your client environment can cause failures as a result of the non-breaking API changes listed above. In such cases, configuration of the library objects can resolve the issue.
For example, if your application environment uses the Jackson library to serialize or map Java objects to JSON, it is recommended that you update the object mapper setting responsible for deserializing API responses to prevent deserialization errors when new properties are added to the API response. The recommended setting is: new ObjectMapper().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
. (Jackson's default setting is true
.)
As a backup, you can also annotate Jackson library objects with the @JsonIgnoreProperties(ignoreUnknown = true)
property to prevent deserialization errors. Conservative developers may choose to employ both strategies.
Protocol for breaking changes
Ping Identity will only support the current release of the platform APIs.
APIs and resources that are made generally available to all customers for Ping Identity’s multi-tenant hosted service products are designed to evolve in a non-breaking fashion rather than rely on versioning to change. In the case of a breaking change that requires an API or a resource to be versioned, the following describes the Ping Identity version support lifecycle:
-
The current version of the API or resource will be supported;
-
Once a new version of the API or resource is released, the previous version will also be supported for one (1) year; and
-
After this one (1) year period, previous versions of the API or resource will no longer be supported.
Integrations
For information about integrating PingOne services with other Ping Identity products, see the following integration guides:
-
To integrate the PingOne platform with PingFederate, see Federating PingOne and PingFederate.
-
To integrate PingOne MFA with PingFederate, see Overview of the PingOne MFA Integration Kit.
-
To integrate PingOne Risk with PingFederate, see Overview of the PingOne Risk Integration Kit.
Integration Catalog API
The PingOne integration catalog API enables developers to discover and retrieve integration metadata and download integration kits as a compressed file. For more information, see Integration Catalog. For use cases, see Download an integration binary in PingOne for Developers.
Related topics
Accounting for Latency
API clients can experience latency when creating resources across services in the PingOne platform multi-region architecture, where the newly created resource has not propagated through the system to allow for the successful completion of a follow-up request. For example, if you create a resource with one internal service, it is possible that other internal services might not be aware of that new resource in time for your code's next step. An immediate call to the second resource can fail. Given this potential for latency, all applications should be written to retry the request.
The primary areas that experience latency are:
-
Applications and Secrets
Latency occurs when you create an application and then try immediately to retrieve the system-generated secret.
-
Applications and Scopes
Latency occurs when you create an application and then try immediately to retrieve its resource access grants.
-
SAML configuration and attributes
Latency occurs when you create a SAML configuration and then try immediately to retrieve its attribute mappings.
-
Environments, role assignments, and applications
Latency occurs when you create an environment and then try immediately to retrieve its role assignments or add an application to the new environment.
-
Populations and role assignments
Latency occurs when you create a population and then try immediately to retrieve its role assignments.
Authorization and Authentication APIs
The PingOne Authentication API provides services to query the authorization server, run authentication workflows, and receive access tokens from the authorization server. An authentication workflow can include local authentication actions (login), multi-factor authentication actions, and other external actions. The Authentication API includes the flow orchestration and action services needed to configure an authentication workflow.
The authorization service allows a resource owner (you) to share protected resources with a client (an application) without giving the application your password (or access to all your stuff). Instead, the resource owner interacts with an *authorization server (PingOne) that verifies your credentials and issues an access token to the client. The client uses the token to access only the protected resources stored on a resource server (your stuff) that you've granted, as specified by the scopes (permissions) defined in the token.
The flow service provides the authentication actions to complete the checks needed to confirm that it's you. For example, if the authentication flow requires a username/password check (a login action) and a one-time passcode check (an MFA action), then both actions must be completed successfully before the authorization server can issue an access token.
A typical flow starts with a request to the PingOne authorization server. The authorization server returns a flow ID that initiates the authentication flow. After the flow service completes, the session is passed back to the authorization service to generate the access token. The diagram below shows the steps.
In the authorization and authentication API sample requests shown in this document, the {{authPath}}
variable in the sample requests represents the regional domain for the PingOne authorization and authentication services. See PingOne API domains for more information.
The PingOne Authentication API includes the following entities.
Authorization server
The PingOne authorization server (as
) service configures the authorization grants that are used to authenticate users and provide access to resources. This service includes the following entities:
-
authorize
Queries PingOne (or an external resource owner) to get an authorization grant.
-
resume
Continues the processing of an authorization request after the completion of an authentication flow.
-
userinfo
Returns claims about the authenticated user resource.
-
token
Obtains an access token by presenting its authorization grant.
-
jwks
The JSON Web Key (jwks) is a JSON representation of the cryptographic key.
-
.well-known/openid-configuration
The discovery endpoint, used in multi-tenant configurations to support multiple issuers per host.
-
signoff
The end session endpoint called by the flow orchestration service to initiate the logout flow.
For more information, see OpenID Connect/OAuth 2 and Application authorization and authentication.
Flows
The PingOne flow orchestration service configures the steps required to authenticate the application or user that initiated the authentication request. The service is responsible for initiating the authentication session and making calls to specific actions required by the authentication workflow.
For more information, see Flows and PingOne flow states.
OAuth 2 and OpenID Connect
OpenID Connect is an authentication protocol that PingOne connected applications can use to authenticate users and get user data through claims. PingOne can also act as an OAuth 2 authorization server to authorize clients to access protected resources using access tokens. For example, PingOne uses OAuth 2 to protect access to PingOne management APIs.
The OAuth 2 framework defines several methods by which a client can obtain authorization to access protected resources using an access token. The access token represents authorization granted to the client for a set of scopes. Scopes are string identifiers understood by both the authorization server and the resource server to represent the specific boundaries of access. The client can use the access token as a credential for accessing data on a resource server.
For more information about access tokens, see Access tokens.
SAML 2.0
The SAML service provides support for the SAML protocol to authorize clients and allow clients to obtain a requestor’s authentication state. The SAML service implements functions to initiate SAML 2.0 single sign-on and single logout authentication flows.
For more information, see SAML 2.0.
Related topics
Configuration options
The following topics provide information about the platform's advanced configuration options in authorize
and token
requests.
-
Redirect and non-redirect authentication flows
Describes the authorize request's
response_mode
options, which include thequery
,fragment
, andform_post
options for redirecting back to the client. It also describes how to use the PingOnepi.flow
custom response option for non-redirect flows, returning response parameters encoded as a JSON object directly to the client. -
Describes the claims required by the login hint token, and how to sign the JWT using an application's client secret as the signing key.
-
Describes the claims required by the request property token, and how to sign the JWT using either the application's client secret or a private key as the signing key.
-
Describes the claims required by a JWT used to authenticate the PingOne
/token
request, and how to sign the JWT using an application's client secret as the signing key. -
Describes the claims required by a JWT used to authenticate the PingOne
/token
request, and how to sign the JWT using a private key as the signing key. -
Create a private_key_jwt JWKS string
Describes how to configure a JWKS string (or JWKS URL) to add to an application configuration to enable the use of a private key JWT as the authentication method for a PingOne
/token
request.
Redirect and non-redirect authentication flows
The response_mode
authorization service property provides the mechanism for returning authorization response parameters from the authorization endpoint. In PingOne, the response_mode
property's options are query
, fragment
, form_post
, and pi.flow
. The query
, fragment
, form_post
options are defined in the OAuth 2.0 Multiple Response Type Encoding Practices specification.
When redirecting back to the client using the redirect_uri
property:
-
query
The response parameters are encoded in the query string added to the
redirect_uri
. -
fragment
The response parameters are encoded in the fragment added to the
redirect_uri
. -
form_post
The response returns a
form_post
encoded response, and after user approval, returns a result in an HTTP POST to the client.
The pi.flow
option is a Ping Identity custom response mode to specify that the redirect_uri
parameter is not required and authorization response parameters are encoded as a JSON object wrapped in a flow response and returned directly to the client with a 200 status. For example, with native mobile apps and SPAs that want to render the end-user interface, setting the response_mode
property to pi.flow
allows the app to authenticate using the flows API without needing to handle HTTP redirections. When authentication is complete, the app receives the auth code, access token, or ID token in a JSON response instead of a redirect.
Use cases for pi.flow
The following outlines several use cases for a non-redirect flow using the pi.flow
option for the response_mode
property. For application integration use cases (including PingFederate), a login_hint_token
is also specified in the authorize request to specify the application ID and the associated user ID.
The login_hint_token
must be a signed JWT in which the iss
claim is the ID of an enabled application and the aud
claim is the platform issuer URL. For example:
{
"iss": "{{integratedAppID}}",
"sub": "{{userID}}",
"aud": "https://auth.pingone.com/{{envID}}/as",
"iat": 1300819380,
"exp": 1300819391
}
The JWT must be signed using the HS256, HS384, or HS512 algorithm and the application's client secret as the key.
Integrations with PingFederate
The PingFederate PingOne MFA adapter uses the response_mode
property with the pi.flow
option. For detailed information about integrating PingFederate and PingOne MFA, see PingOne MFA Integration Kit.
Non-redirect flow for mobile clients
A non-redirect flow for mobile clients implements custom flow interfaces with PingOne platform flow APIs but with native application interface components. PingOne can be used for complete authentication or MFA only by providing a login_hint_token
with the already authenticated user context on the authorization request.
The following sample shows an authorize request for the non-redirect flow:
{{authPath}}/{{envID}}/as/authorize?response_type=token id_token&response_mode=pi.flow&scope=openid profile email&state={{string}}&login_hint_token={{loginHintJwt}}&client_id={{clientID}}
Transaction approval flows
PingOne supports transaction approval when strong authentication is required for elevated security for a high-value transaction, or high-risk resource or service. The authorize request includes the response_mode
and request
parameters. The request
property value is a JWT that enables OIDC/OAuth2 request parameters to be passed as a single, self-contained parameter.
The following sample shows an authorize request for a transaction approval flow:
{{authPath}}/{{envID}}/as/authorize?response_type=token id_token&response_mode=pi.flow&scope=openid&state={{string}}&request={{requestString}}&client_id={{clientID}}
PingOne support for response_mode options
The following table shows the current support for response_mode
options for specific response_type
values in the authorize request.
response_mode | response_type | Supported option |
---|---|---|
omitted | code |
query |
omitted | id_token |
fragment |
omitted | token |
fragment |
omitted | id_token token |
fragment |
omitted | code id_token |
fragment |
omitted | code token |
fragment |
omitted | code id_token token |
fragment |
query |
code |
query |
query |
id_token |
error |
query |
token |
error |
query |
id_token token |
error |
query |
code id_token |
error |
query |
code token |
error |
query |
code id_token token |
error |
fragment |
code |
fragment |
fragment |
id_token |
fragment |
fragment |
token |
fragment |
fragment |
id_token token |
fragment |
fragment |
code id_token |
fragment |
fragment |
code token |
fragment |
fragment |
code id_token token |
fragment |
form_post |
code |
form_post |
form_post |
id_token |
form_post |
form_post |
token |
form_post |
form_post |
id_token token |
form_post |
form_post |
code id_token |
form_post |
form_post |
code token |
form_post |
form_post |
code id_token token |
form_post |
pi.flow |
pi.flow |
Create a login_hint_token JWT
A login_hint_token
is a JWT that provides a way for the client to identify and authenticate the end-user without needing to encode the entire authentication request in a signed JWT. The following information describes the OIDC parameters and the steps for generating and signing the token.
Prerequisites
-
Install a JWT token generator such as jwtgen globally using
npm install -g jwtgen
. This action requires npm. -
Retrieve the environment
id
property value associated with your worker application and user. -
Retrieve the
clientId
andclientSecret
property values for the worker application. -
Retrieve the user ID
id
orusername
property value for whom this token will be associated.
Generate a signed token
The header parameters cty
and enc
must not be included in the login_hint_token
JWT header. PingOne does not support nested signing or encryption operations here.
The command to generate the login_hint_token
JWT takes the following parameters:
Parameter | Description |
---|---|
-a |
Specifies the JWT signing algorithm. Options are HS256 , HS384 , and HS512 . |
-s |
Specifies the signing key, which is the application's clientSecret property value. |
-e |
Specifies the expiration date, expressed as the number of seconds from the time of creation. The typical value is 3600 seconds. |
--claims |
Specifies the claims required by the token:
|
- Run the
jwtgen
command.
jwtgen -a "HS256" -s "YOUR_CLIENT_SECRET" -e 3600 --claims '{
"iss":"YOUR_CLIENT_ID",
"sub":"YOUR_USER_ID_OR_USERNAME",
"iat":1300819380,
"exp":1300819391,
"aud":"https://auth.pingone.com/YOUR_ENVIRONMENT_ID/as"
}'
- Record the token returned successfully by the command to use as the value of the
login_hint_token
property in the authorize request.
Create a request property JWT
A request
property JWT enables OIDC/OAuth2 request parameters to be passed as a single, self-contained parameter. Using a JWT enables integrity protection of parameters that are required for risk-based authentication or privacy and consent use cases.
You can create a request JWT using the following signing algorithms:
-
HS256, HS384, HS512
Use this signing algorithm when an application's client secret is the signing key.
-
RS256, RS384, RS512
Use this signing algorithm when an external private key is used as the signing key.
For example, the request
JWT for a transaction approval action takes the following parameters:
Parameter | Description |
---|---|
Signing algorithm | Specifies the JWT signing algorithm. Options are HS256 , HS384 , HS512 and RS256 , RS384 , RS512 . |
Signing key | Specifies the signing key, which is the application's clientSecret property value or an external private key. |
--claims |
Specifies the claims required by the token:
|
Request property JWT signed using the client secret
This sample shows the information required in a transaction approval JWT in which the JWT is signed using the PingOne client secret with HS256 encryption:
"jwtHeader": {
"alg": "HS256",
"typ": "JWT"
},
"jwtBody":
{
"aud": "https://auth.pingone.com/{{envID}}/as",
"iss": "{{appID}}",
"pi.template": {
"name": "transaction",
"variant": "{{variantName}}",
"variables": {
"sum": "1,000,000",
"currency": "USD",
"recipient": "Charlie Parker"
}
},
"pi.clientContext": {
"alert.color": "red"
}
}
This sample demonstrates the use of the pi.webAuthn.challenge
parameter for using dynamic linking to attach a unique identifier to a FIDO transaction:
"jwtHeader": {
"alg": "HS256",
"typ": "JWT"
},
"jwtBody":
{
"aud": "https://auth.pingone.com/{{envID}}/as",
"iss": "{{appID}}",
"pi.webAuthn": {
"challenge": "1cd774777136450c97e83267a52cecccb5f52d1adbc0f46c42e164edadb47fb3"
}
}
The following information describes the OIDC parameters and the steps for generating and signing the token.
Prerequisites
-
Install a JWT token generator.
-
Retrieve the environment
id
property value associated with your application and user. -
Retrieve the
clientId
andclientSecret
property values for the application. -
Retrieve the name of the transaction notification template that you want to use.
Generate a signed token
-
Run JWT token generator, providing the information above.
-
Record the token returned successfully by the command to use as the value of the
request
property in the authorize request.
Request property JWT signed using a private key and JWKS string
This sample shows the information required in a transaction approval JWT in which the JWT is signed using an external private key with RS256 encryption:
"jwtHeader": {
"alg": "RS256",
"typ": "JWT"
},
"jwtBody":
{
"aud": "https://auth.pingone.com/{{envID}}/as",
"iss": "{{appID}}",
"pi.template": {
"name": "transaction",
"variant": "{{variantName}}",
"variables": {
"sum": "1,000,000",
"currency": "USD",
"recipient": "Charlie Parker"
}
},
"pi.clientContext": {
"alert.color": "red"
}
}
Generate a keypair
-
Use a keypair generator to create a keypair with the following configuration options.
-
Key size: 2048
-
Key use: signature
-
Algorithm: RS256
-
Key-ID: SHA-256
-
Show X.509: No
-
-
Save the generated Public and Private Keypair and the Public Key.
-
Example public and private keypair
{ "p": "x1mRR-Y1_i8ZPTLe2sPmuif4hhIfaxSph8m_iACDEHvAfTh0RMV7SrExscRSUXzcWX_FbSIKE5tDm4c1qzImnmWz06z6SSQYUjl0iU6V439sebR662deH5kOF92Vbtj5OLk-mNdj-fm6CdwnWEp3vb36T9kOiKHGReluwJpG1I8", "kty": "RSA", "q": "tY0osG4YzkzTX_NCxN3QBFinw_hvJLX6zVXZ-PGHTOD0iFsdwCzmqa3o6_4-GtHUSiuoboTscx2ItbU824IDp41p99HLvSm0lZixszqlcG1JZSaQVj5_5rOBttTcovvAL5te4jq5Mi966WC3yT-V_ZLxE3jFNt5vNzW8ykxsAJ8", "d": "T_2qcj4Tb-wuMCvI3uOvBZza21PjzkCy5iTClT3QZ30Wlwm8A35x1b3MVHz7JGox3I_KvMClwQdrDMU2aibQaGzs_EunMH5Y1VhlKDg4RvuQBoyB9lpDT1TdrmDe7kHDPDERrB84gPQkrAm-RgJ0W_zPyJMR013pZjOwPKlxKYbsW1G02Jbg2Vl1zatNWBm1MFYQYEOYyaNQkt32WktNdgixYg0Qdt3Q160mbfNz5c9USLVqvCsye0J2t9DZPK7WzadQCC4S7ehdmQkGd87IfD4XyKuZND_nE8Nz5nbgOLNfuIwR6QH7ksOHT9ur1JVKkzEkX8P40_7LXdarwraiBQ", "e": "AQAB", "use": "sig", "kid": "q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us", "qi": "t06uC_ML8E01gKSeFPH7LNFxpumuIaYBc_Enr10dB-wqGpYfs6B5yqf5SjlXg1K89Z3QZFcU9AdJW0SYtr9T-A7b3csxeWUW98hOwfXentP8vcSv3dXJI753f64tAZqz5Mgd6jh0D8i1Fvg6d7Hqm_a5cfd-DO80QkW9c8u8rmk", "dp": "L95hFWvBQVUb8WcavltWNxNMCR2m77aZcuLOHCFLV5TvxuHcgXsOPQRJk4852RlrbA5TYP5Qfx7EYD9acs5rGZQAV27s9s01DeGAC0yUj3lUmfDtp0M-BcZh7PcnX-O4DJfm4RqvhiIiOyXjSL8w-5330l6jr8lw6-6-yn8BTR8", "alg": "RS256", "dq": "lFS9ftClEcCxHn7Y-ZGkyDhK8ZFD9YF9ZVCUY5GqksRk5hdTylSlLNL7L_0sbqsrQGJFHe8aZL8nmBZ4n3utUrL2dlSBmo69jVARN7ddvep8gdktKlmsFChrfZ6SmdMIZZ0Su9FwyDEEwjKUVifOezwYHWmZ78dypHASTFJ-F08", "n": "jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q" }
-
Example public key
{ "kty": "RSA", "e": "AQAB", "use": "sig", "kid": "q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us", "alg": "RS256", "n": "jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q" }
-
Generate a signed JWT
-
Create a signed JWT with
Algorithm RS256
and header and payload information shown below.-
Header
{ "alg": "RS256", "typ": "JWT" }
-
Payload (for the transaction approval example)
{ "aud": "https://auth.pingone.com/{{envID}}/as", "iss": "{{appID}}", "pi.template": { "name": "transaction", "variant": "{{variantName}}", "variables": { "sum": "1,000,000", "currency": "USD", "recipient": "Charlie Parker" } }
-
-
Record the token returned successfully.
- Record the token returned successfully by the command to use as the value of the
request
property in the authorize request.
Create the JWKS string
You will use the generated keys to create a JWKS string object that can be used as the value in your PingOne application’s jwks
property.
-
Copy the Public Key and wrap it like this:
{ "keys": [ <Your public key> ] }
Which looks like this:
{ "keys": [ { "kty": "RSA", "e": "AQAB", "use": "sig", "kid": "q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us", "alg": "RS256", "n": "jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q" } ] }
-
The string needs to be reduced to one line and the double quotes escaped.
The JSON for the PingOne application POST (or PUT) to create the application looks like:
{ ... "tokenEndpointAuthMethod": "PRIVATE_KEY_JWT", "jwks": "{ \"keys\": [ { \"kty\": \"RSA\", \"e\": \"AQAB\", \"use\": \"sig\", \"kid\": \"q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us\", \"alg\": \"RS256\", \"n\": \"jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q\" } ]}", ... }
Configure the JWKS URL
To use the jwksUrl
property in the PingOne application's configuration, the JWKS string must be hosted on a web server, accessible to the internet (using https://
). For testing purposes, the following code sample shows a simple node server file (running on a local web server) that hosts the JWKS string.
const https = require("https");
const host = 'localhost';
const port = 3000;
const requestListener = function (req, res) {
res.setHeader("Content-Type", "application/json");
res.writeHead(200);
const jwksString = "{\r\n \"keys\": [\r\n {\r\n \"kty\": \"RSA\",\r\n \"e\": \"AQAB\",\r\n \"use\": \"sig\",\r\n \"kid\": \"q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us\",\r\n \"alg\": \"RS256\",\r\n \"n\": \"jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q\"\r\n }\r\n ]\r\n}";
res.end(jwksString);
};
const server = https.createServer(requestListener);
server.listen(port, host, () => {
console.log(`Server is running on https://${host}:${port}`);
});
With the JWKS string in a known location, the application configuration JSON looks like this:
{
...
"tokenEndpointAuthMethod": "PRIVATE_KEY_JWT",
"jwksUrl": "https://{{pathToJwksString}}",
...
}
Create a client secret JWT
The CLIENT_SECRET_JWT
property is a supported value on the application's tokenEndpointAuthMethod
property. This client authentication method uses the application's client secret to sign a JWT, which is passed in as a property to authenticate the token request.
For JWT-based client authentication, the token supports the following required and optional claims.
Claim | Type | Required | Description |
---|---|---|---|
iss |
String | Required | A string that specifies the issuer. This value must match the application ID (client ID) of the PingOne application. |
sub |
String | Required | A string that specifies the identifier for the authenticated user. This value must match the application ID (client ID) of the PingOne application. |
aud |
URI | Required | A string that lists the audience, the resources for which this token is intended. Valid options are: (1) the token endpoint (/as/token ), (2) the issuer uri (/as ), (3) the endpoint being called (for example, /as/introspect ). The value must be the full URL, including the PingOne domain, or custom domain. |
exp |
Timestamp | Required | A timestamp, measured in the number of seconds since January 1, 1970, UTC, indicating when this token will expire, as defined in JWT RFC7519. This JWT must not be expired. Tokens that expire more than one hour from now are rejected. |
nbf |
Timestamp | Optional | A "not before" timestamp. If present, the JWT must be valid. JWTs are rejected if nbf is in the future. |
Other properties of the JWT are:
-
The optional
iat
andjti
claims from the JSON Web Token (JWT) spec are not validated. See RFC7523 JWT Format and Processing Requirements. -
The JWT can include other claims in addition to those listed above.
-
The JWT must be signed. For
CLIENT_SECRET_JWT
signing, the platform supports only the HS256, HS384, and HS512 symmetric keyed hashing algorithm. -
The JWT must be valid.
Prerequisites and workflow
The following information describes the OIDC parameters and the steps for generating and signing the JWT.
-
Retrieve the environment
id
property value associated with your application. -
Retrieve the
clientId
andclientSecret
property values for the application. -
Install a JWT generator.
-
Generate the signed JWT using the JWT generator. To create the
client_secret_jwt
JWT, the token generator will require values for the following parameters:
Parameter | Description |
---|---|
Signing algorithm | The JWT signing algorithm. Options for the client_secret_jwt JWT are HS256 , HS384 , and HS512 . |
Signing key | The signing key for the client_secret_jwt JWT, which is the application's clientSecret property value. |
Expiration | The expiration date, expressed as the number of seconds from the time of creation. The typical value is 3600 seconds. |
Claims | The claims required by the token. Required claims are iss , sub , aud , and exp . |
- Record the JWT returned successfully by the JWT generator.
Use the JWT in a token request
For applications that set the tokenEndpointAuthMethod
to CLIENT_SECRET_JWT
, the token request requires the following two properties:
-
client_assertion
A JWT that contains a signed assertion with the application’s credentials. This is the JWT that you generated and signed with your application's client secret.
-
client_assertion_type
A string that specifies the client assertion type. The value of this property must be set to
urn:ietf:params:oauth:client-assertion-type:jwt-bearer
.
For more information about the token request, see Token.
Create a private key JWT
The PRIVATE_KEY_JWT
property is a supported value on the application's tokenEndpointAuthMethod
property. This client authentication method uses an external private key to sign a JWT, which is passed in as a property to authenticate the token request.
For JWT-based client authentication, the token supports the following required and optional claims.
Claim | Type | Required | Description |
---|---|---|---|
iss |
String | Required | A string that specifies the issuer. This value must match the application ID (client ID) of the PingOne application. |
sub |
String | Required | A string that specifies the identifier for the authenticated user. This value must match the application ID (client ID) of the PingOne application. |
aud |
URI | Required | A string that lists the audience, the resources for which this token is intended. Valid options are: (1) the token endpoint (/as/token ), (2) the issuer uri (/as ), (3) the endpoint being called (for example, /as/introspect ). The value must be the full URL, including the PingOne domain, or custom domain. |
exp |
Timestamp | Required | A timestamp, measured in the number of seconds since January 1, 1970, UTC, indicating when this token will expire, as defined in JWT RFC7519. This JWT must not be expired. Tokens that expire more than one hour from now are rejected. |
nbf |
Timestamp | Optional | A "not before" timestamp. If present, the JWT must be valid. JWTs are rejected if nbf is in the future. |
Other properties of the JWT are:
-
The optional
iat
andjti
claims from the JSON Web Token (JWT) spec are not validated. See RFC7523 JWT Format and Processing Requirements. -
The JWT can include other claims in addition to those listed above.
-
The JWT must be signed. For
PRIVATE_KEY_JWT
signing, the platform supports the RS256, RS384, and RS512 symmetric keyed hashing algorithm. -
The JWT must be valid.
Generate a keypair
-
Use a keypair generator to create a keypair with the following configuration options. This example uses the
RS256
signing algorithm (RS384
, andRS512
are also supported).-
Key size: 2048
-
Key use: signature
-
Algorithm: RS256
-
Key-ID: SHA-256
-
Show X.509: No
-
-
Save the generated Public and Private Keypair and the Public Key.
-
Example public and private keypair
{ "p": "x1mRR-Y1_i8ZPTLe2sPmuif4hhIfaxSph8m_iACDEHvAfTh0RMV7SrExscRSUXzcWX_FbSIKE5tDm4c1qzImnmWz06z6SSQYUjl0iU6V439sebR662deH5kOF92Vbtj5OLk-mNdj-fm6CdwnWEp3vb36T9kOiKHGReluwJpG1I8", "kty": "RSA", "q": "tY0osG4YzkzTX_NCxN3QBFinw_hvJLX6zVXZ-PGHTOD0iFsdwCzmqa3o6_4-GtHUSiuoboTscx2ItbU824IDp41p99HLvSm0lZixszqlcG1JZSaQVj5_5rOBttTcovvAL5te4jq5Mi966WC3yT-V_ZLxE3jFNt5vNzW8ykxsAJ8", "d": "T_2qcj4Tb-wuMCvI3uOvBZza21PjzkCy5iTClT3QZ30Wlwm8A35x1b3MVHz7JGox3I_KvMClwQdrDMU2aibQaGzs_EunMH5Y1VhlKDg4RvuQBoyB9lpDT1TdrmDe7kHDPDERrB84gPQkrAm-RgJ0W_zPyJMR013pZjOwPKlxKYbsW1G02Jbg2Vl1zatNWBm1MFYQYEOYyaNQkt32WktNdgixYg0Qdt3Q160mbfNz5c9USLVqvCsye0J2t9DZPK7WzadQCC4S7ehdmQkGd87IfD4XyKuZND_nE8Nz5nbgOLNfuIwR6QH7ksOHT9ur1JVKkzEkX8P40_7LXdarwraiBQ", "e": "AQAB", "use": "sig", "kid": "q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us", "qi": "t06uC_ML8E01gKSeFPH7LNFxpumuIaYBc_Enr10dB-wqGpYfs6B5yqf5SjlXg1K89Z3QZFcU9AdJW0SYtr9T-A7b3csxeWUW98hOwfXentP8vcSv3dXJI753f64tAZqz5Mgd6jh0D8i1Fvg6d7Hqm_a5cfd-DO80QkW9c8u8rmk", "dp": "L95hFWvBQVUb8WcavltWNxNMCR2m77aZcuLOHCFLV5TvxuHcgXsOPQRJk4852RlrbA5TYP5Qfx7EYD9acs5rGZQAV27s9s01DeGAC0yUj3lUmfDtp0M-BcZh7PcnX-O4DJfm4RqvhiIiOyXjSL8w-5330l6jr8lw6-6-yn8BTR8", "alg": "RS256", "dq": "lFS9ftClEcCxHn7Y-ZGkyDhK8ZFD9YF9ZVCUY5GqksRk5hdTylSlLNL7L_0sbqsrQGJFHe8aZL8nmBZ4n3utUrL2dlSBmo69jVARN7ddvep8gdktKlmsFChrfZ6SmdMIZZ0Su9FwyDEEwjKUVifOezwYHWmZ78dypHASTFJ-F08", "n": "jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q" }
-
Example public key
{ "kty": "RSA", "e": "AQAB", "use": "sig", "kid": "q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us", "alg": "RS256", "n": "jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q" }
-
Generate a signed JWT
-
Create a signed JWT with with a signing algorithm of
RS256
,RS384
, orRS512
and header and payload information shown below.-
Header
{ "alg": "RS256", "typ": "JWT" }
-
Payload
{ "iss": "{{appID}}", "sub": "{{appID}}", "exp": 1691085204, "aud": "https://auth.pingone.com/{{envID}}/as/token" }
-
-
Record the token returned successfully.
Use the JWT in a token request
For applications that set the tokenEndpointAuthMethod
to PRIVATE_KEY_JWT
, the token request requires the following two properties:
-
client_assertion
A JWT that contains a signed assertion with the application’s credentials. This is the JWT that you generated and signed with your private key.
-
client_assertion_type
A string that specifies the client assertion type. The value of this property must be set to
urn:ietf:params:oauth:client-assertion-type:jwt-bearer
.
For more information about the token request, see Token.
Create a private_key_jwt JWKS string
In the PingOne application configuration, when the tokenEndpointAuthMethod
property is set to PRIVATE_KEY_JWT
, the configuration requires either the jwks
property (specifying a JWKS string) or the jwksUrl
property (specifying the location on a web server that hosts the JWKS string).
When using the jwksUrl
property, the application configuration JSON looks like this. Note that the jwksUrl
must be https://
:
{
...
"tokenEndpointAuthMethod": "PRIVATE_KEY_JWT",
"jwksUrl": "https://{{pathToJwksString}}",
...
}
The application configuration JSON for the JWKS string in the jwks
property must be formatted as one line with double quotes escaped:
{
...
"tokenEndpointAuthMethod": "PRIVATE_KEY_JWT",
"jwks": "{"jwks": "{ \"keys\": [ { \"kty\": \"RSA\", \"e\": \"AQAB\", \"use\": \"sig\", \"kid\": \"q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us\", \"alg\": \"RS256\", \"n\": \"jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q\" } ]}",
...
}
The following information describes the steps for generating the JWKS for use with "tokenEndpointAuthMethod": "PRIVATE_KEY_JWT"
.
Create the JWKS string
You will use the generated keys you created for your private key JWT (see Create a private key JWT) to generate a JWKS string object that can be used as the value in your PingOne application’s jwks
property.
-
Copy the Public Key and wrap it like this:
{ "keys": [ <Your public key> ] }
Which looks like this:
{ "keys": [ { "kty": "RSA", "e": "AQAB", "use": "sig", "kid": "q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us", "alg": "RS256", "n": "jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q" } ] }
-
The string needs to be reduced to one line and the double quotes escaped.
The JSON for the PingOne application POST (or PUT) to create the application looks like:
{ ... "tokenEndpointAuthMethod": "PRIVATE_KEY_JWT", "jwks": "{\r\n \"keys\": [\r\n {\r\n \"kty\": \"RSA\",\r\n \"e\": \"AQAB\",\r\n \"use\": \"sig\",\r\n \"kid\": \"q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us\",\r\n \"alg\": \"RS256\",\r\n \"n\": \"jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q\"\r\n }\r\n ]\r\n}", ... }
Configure the JWKS URL
To use the jwksUrl
property in the PingOne application's configuration, the JWKS string must be hosted on a web server, accessible to the internet (using https://
). For testing purposes, the following code sample shows a simple node server file (running on a local web server) that hosts the JWKS string.
const https = require("https");
const host = 'localhost';
const port = 3000;
const requestListener = function (req, res) {
res.setHeader("Content-Type", "application/json");
res.writeHead(200);
const jwksString = "{\r\n \"keys\": [\r\n {\r\n \"kty\": \"RSA\",\r\n \"e\": \"AQAB\",\r\n \"use\": \"sig\",\r\n \"kid\": \"q3sWApYjHZQLmWMUdAIqZiVWSshDdau5eI4K_Bm65Us\",\r\n \"alg\": \"RS256\",\r\n \"n\": \"jWA_vDxg41NrYJdIiv3BcljMy7V15bMyOyK5aJov6FgUTE2Xm_B9SqJu55qmS3CxVhvYWSpRIZvhrgap19CE_VnrAc5pzwj2oSEmDRXXFSGmMjHAmfTXU66nDZVmhbtDIBkPU-h55RDZf6zIn3SPOrmWJYj0G5X2fMJfbUOpuROjH1aMqqGOxcT-dX-LA0dd94LrH4J-g1HFeGZqw-uyQO8l1g6fbQYVaNvnHtw9V7U7I684Ks-3sZcU-YhexNhiN53izIglhdVva9pjSTUk4BnmYtSlfyF6HzUYkvg3H1S0Y6LqzW8lOIw8SF-L6jQqkT2DPDwDbxzNoaNx8lIE0Q\"\r\n }\r\n ]\r\n}";
res.end(jwksString);
};
const server = https.createServer(requestListener);
server.listen(port, host, () => {
console.log(`Server is running on https://${host}:${port}`);
});
With the JWKS string in a known location, the application configuration JSON looks like this:
{
...
"tokenEndpointAuthMethod": "PRIVATE_KEY_JWT",
"jwksUrl": "jwksUrl": "{{pathToJwksString}}",
...
}
External Authentication
The external authentication API provides endpoints for performing end user authentication with PingOne supported external identity providers. End users are redirected immediately to the authentication initialization endpoint at the external authentication service. After users authenticate at the provider, they are redirected back to the external authentication service's authentication callback endpoint, where the external authentication API validates the token or assertion returned from the external identity provider.
External authentication data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
attributes |
Object | N/A | Read-only | The mapped user attributes and their values from the external identity provider. |
<attributename> |
Object | N/A | Read-only | The name of the mapped user attribute from the external identity provider. |
<attributename>.value |
String | N/A | Read-only | The value for the mapped user attribute from the external identity provider. |
<attributename>.update |
String | N/A | Read-only | An enumeration that specifies the update behavior for this attribute based on identity provider configuration. Options are EMPTY_ONLY and ALWAYS . |
externalId |
String | N/A | Read-only | The identifier returned by the identity provider for the external user. |
flow |
Object | Required | Immutable | A reference to the PingOne flow associated with this external authentication. |
flow.id |
String | Required | Mutable | The flow UUID associated with this external authentication. |
identityProvider |
Object | Required | Immutable | A reference to the external identity provider that is used to authenticate the user. |
identityProvider.id |
String | Required | Mutable | The UUID of the external identity provider to which the user is redirected for sign-on. |
status |
String | N/A | Read-only | The status of the external authentication. Options are:
|
error |
Object | N/A | Read-only | When the status is FAILED , returns an error detail from the identity provider to the PingOne flow associated with this external authentication. |
error.code |
String | N/A | Read-only | The PingOne code for the error. |
error.message |
String | N/A | Read-only | The description of the error. |
Audit reporting events
To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.
Service | Event |
---|---|
external-authentications | AUTHENTICATION.CREATED |
external-authentications | AUTHENTICATION.UPDATED |
Response codes
Code | Message |
---|---|
302 | Found. |
400 | The request could not be completed. |
401 | You weren’t authenticated to perform this operation. |
403 | You do not have permissions or are not licensed to make this request. |
Read External Authentication Initialization
Read External Authentication Callback
Read External Authentication Status
Flows
The flow endpoint is used to interact with the user in a sign-on workflow. Flow endpoint operations are used only to implement custom authentication UIs. OIDC/OAuth 2 and SAML requests initiate the flow and redirect the browser to the custom authentication UI (which is configured in the application through the application's loginPageUrl
property).
Common sign-on actions
Login actions
The flow endpoint can initiate login actions that specify the operations required to authenticate with a username and password.
Multi-factor authentication actions
The flow endpoint can also initiate multi-factor authentication (MFA) actions that specify the operations required to complete authentication using a registered user device and a one-time password (OTP).
Identity first actions
The flow can initiate a discovery action used to identify the user by username
and determine the applicable authentication methods for this user.
Progressive profiling actions
Progressive profiling actions prompt users to provide additional data at sign on. This action type does not authenticate users. It is used only to obtain additional profile data.
Agreement actions
Agreement actions enforce user consent to an agreement at sign on. This action type does not authenticate users. It is used only to obtain user consent to a terms of service agreement.
Identity provider actions
An action that bypasses the PingOne sign-on prompt and immediately redirects the user to an external identity provider's sign-on workflow to authenticate.
Use Cases
- Use LOGIN and MFA Actions to Authenticate Users
- Add a user through a registration flow
- Configure a PKCE authorization workflow
- Configure a Progressive Profiling Sign-On Action
- Use LOGIN and AGREEMENT Actions to Authenticate Users
- Configure an MFA Only Flow Using a Login Hint Token
- Use Two MFA Actions to Authenticate Users
Flow status
In a sign-on workflow, the flow's status
property value returned by the last action identifies the appropriate next action in the authentication process. For example, if an application uses the LOGIN
sign-on policy, when a user initiates sign-on and starts the authentication flow, the response returned by the flow shows a status
value that specifies the next required step to complete this flow successfully. For the LOGIN
sign-on policy, the next action prompts the user to enter a username and password, as indicated by the USERNAME_PASSWORD_REQUIRED
value in the status
property.
"status" : "USERNAME_PASSWORD_REQUIRED"
The response data includes a link to the required action, which in this case is the usernamePassword.check
:
{
"_links" : {
"self" : {
"href" : "https://auth.pingone.com/{{envID}}/flows/{{flowID}}"
},
"session.reset" : {
"href" : "https://auth.pingone.com/{{envID}}/flows/{{flowID}}"
},
"usernamePassword.check" : {
"href" : "https://auth.pingone.com/{{envID}}/flows/{{flowID}}"
}
},
After the user submits a username and password, the flow calls the usernamePassword.check
action to verify the username and password.
For more information about flow actions, see Flow API Actions.
Flow status values
An authentication flow can return one of the following status
values in response to a sign-on action:
Status value | Description |
---|---|
USERNAME_PASSWORD_REQUIRED |
This value specifies that a username and password is required. This status can initiate a usernamePassword.check action, a user.register action, a registration.external action, a password.forgot action, or an authenticate action to sign on using an external identity provider. |
PASSWORD_REQUIRED |
This value specifies that a password is required. This status initiates a usernamePassword.check action. |
SIGN_ON_REQUIRED |
This value specifies that a sign-on action is required. This status transitions to a user.lookup action and a registration.external action in a passwordless authentication flow. |
RECOVERY_CODE_REQUIRED |
This value specifies that the user initiated a password.forgot action and a recovery code must be sent. This status calls the password.recover action. |
VERIFICATION_REQUIRED |
This value specifies that the user's account must be verified. This status calls the user.verify action. |
OTP_REQUIRED |
This value specifies that the user must complete a multi-factor authentication action. This status calls the otp.check action. |
DEVICE_SELECTION_REQUIRED |
This value specifies that the user must complete a device selection multi-factor authentication action. This status calls the device.select action. |
PASSWORD_EXPIRED |
This value specifies that a user's password has expired and must be updated. This status calls the password.reset action. |
MUST_CHANGE_PASSWORD |
This value specifies that a temporary password must be changed or updated. This status calls the password.reset action. |
ACCOUNT_LINKING_REQUIRED |
This value specifies that the external identity returned by the identity provider requires an account linking action to link the external account to an existing user. This status can initiate a usernamePassword.check to link to an existing user, a user.register action to create a link to a new user, a registration.external action, or a password.forgot to link to an existing user who has forgotten the password. |
ACCOUNT_CONFIRMATION_REQUIRED |
This value specifies that the external identity information returned by the identity provider requires an account confirmation action to verify the account data. This status can initiate a user.confirm action to verify the account information. |
EXTERNAL_AUTHENTICATION_REQUIRED |
This value specifies that account authentication is required through an external identity provider's authentication flow. The authenticate embedded resource link provides the location to redirect the browser to sign on with the specified identity provider. |
PROFILE_DATA_REQUIRED |
This value specifies that user must submit the requested profile data in order to continue the authentication flow. |
COMPLETED |
This value specifies that the entire flow is completed and initiates a browser redirect to the resumeUrl property to continue. |
FAILED |
This value specifies that the entire flow has failed. |
PUSH_CONFIRMATION_REQUIRED |
This value specifies that a push was sent to a native device to confirm the authentication. The client will have to poll this status using GET /{{envID}}/flows/{{flowID}} to check whether the native device answered the push. |
PUSH_CONFIRMATION_TIMED_OUT |
This value specifies that a push was sent to a native device, but the native device didn't answer the push during the allowed timeframe. |
ASSERTION_REQUIRED |
This value specifies that for a FIDO2 device type, an assertion generated by the browser from the provided webauthn public key credential request is required to continue the flow. The flow calls the assertion.check action. |
AGREEMENT_CONSENT_REQUIRED |
This value specifies that users need to consent to an agreement. This status calls the user.consent action. |
DAG_USER_CODE_REQUIRED |
This value specifies that an activation action is required to continue the flow. The flow calls the deviceAuthGrant.userCode.verify action. |
DAG_CONSENT_REQUIRED |
This value specifies that users need to consent to a device authorization grant agreement. This status calls the deviceAuthGrant.consent action. After accepting consent, a record is stored in the user's OAuth Scope Consents. |
COMPLETED_ACCEPTED |
This completed state is used for device authorization grants to transition to a completed state. Unlike the COMPLETED flow state, this state does not transition the flow to the resume URL. |
COMPLETED_DECLINED |
This completed state is used for device authorization grants to transition to a completed state, and it generates a "device consent declined" audit event. |
Flow status data model and embedded resources
The following sections show the parameters required by the flow status. In addition, the following links and embedded resources are returned in the flow response for the given flow status.
USERNAME_PASSWORD_REQUIRED
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
username |
String | Required | Mutable | A string that specifies the username or ID of the user to authenticate. |
password |
String | Required | Mutable | A string that specifies the password or ID of the user to authenticate. |
Links | Description |
---|---|
usernamePassword.check |
The link to initiate a sign-on action that allows users to login with a username and password. The request body requires the username and password attributes. |
user.register |
The link to initiate a sign-on action to register a user. The request body requires the username , email , and password attributes needed to define a new user. |
registration.external |
The link to redirect a sign-on action to register a user to an external identity provider's registration workflow. |
password.forgot |
The link to initiate an action to recover a user’s forgotten password. The request body requires the username attribute to identify the user. |
Embedded resources | Description |
---|---|
socialProviders.authenticate |
The link to the external authentication resource to initiate authentication using an external identity provider's authentication flow. The response also returns the following information about the identity provider: id , name , and type . For more information, see Base identity providers data model. |
passwordPolicy |
The embedded password policy resource expanded to show password policy attributes. For more information about password policy attributes, see Password policies data model. |
SIGN_ON_REQUIRED
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
username |
String | Required | Mutable | A string that specifies the username or ID of the user to sign on. |
Links | Description |
---|---|
user.lookup |
The link for existing users to sign on using their username . |
registration.external |
The link to redirect a sign-on action to register a user to an external identity provider's registration workflow. |
PASSWORD_REQUIRED
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
username |
String | Required | Mutable | A string that specifies the username or ID of the user to authenticate. If provided, must match the user currently associated with the session. |
password |
String | Required | Mutable | A string that specifies the password or ID of the user to authenticate. |
Links | Description |
---|---|
usernamePassword.check |
The link to initiate a sign-on action that allows users to log in with a username and password. The request body requires the username and password attributes. |
password.forgot |
The link to initiate an action to recover a user’s forgotten password. The request body requires the username attribute to identify the user. |
Embedded resources | Description |
---|---|
socialProviders.authenticate |
The link to the external authentication resource to initiate authentication using an external identity provider's authentication flow. The response also returns the following information about the identity provider: id , name , and type . For more information, see Base identity providers data model. |
PASSWORD_EXPIRED
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
currentPassword |
String | Required | Mutable | A string that specifies the current password, which must be verified before the new password is set. |
newPassword |
String | Required | Mutable | A string that specifies the new password to set. |
Links | Description |
---|---|
password.reset |
The link to initiate a sign-on action that allows users to reset their password. The request body requires the currentPassword and newPassword attributes. |
Embedded resources | Description |
---|---|
passwordPolicy |
The embedded password policy resource expanded to show password policy attributes. For more information about password policy attributes, see Password policies data model. |
MUST_CHANGE_PASSWORD
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
currentPassword |
String | Required | Mutable | A string that specifies the current password, which must be verified before the new password is set. |
newPassword |
String | Required | Mutable | A string that specifies the new password to set. |
Links | Description |
---|---|
password.reset |
The link to initiate a sign-on action that allows users to reset their password. The request body requires the currentPassword and newPassword attributes. |
Embedded resources | Description |
---|---|
passwordPolicy |
The embedded password policy resource expanded to show password policy attributes. For more information about password policy attributes, see Password policies data model. |
RECOVERY_CODE_REQUIRED
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
recoveryCode |
String | Required | Mutable | A string that specifies the recovery code sent to the user to recover the user's password. |
newPassword |
String | Required | Mutable | A string that specifies the new password to set. |
Links | Description |
---|---|
password.recover |
The link to initiate an action to recover the account and set a new password. The request body requires the recoveryCode and newPassword attributes. |
password.sendRecoveryCode |
The link to send the one-time password (OTP) to the user. |
Embedded resources | Description |
---|---|
passwordPolicy |
The embedded password policy resource expanded to show password policy attributes. For more information about password policy attributes, see Password policies data model. |
VERIFICATION_CODE_REQUIRED
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
verificationCode |
String | Required | Mutable | A string that specifies the verification code to check. |
Links | Description |
---|---|
user.verify |
The link to initiate an action to verify the user account to continue the authentication flow. |
user.sendVerificationCode |
The link to initiate an action to send the user a new account verification email. |
DEVICE_SELECTION_REQUIRED
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
device.id |
String | Required | Mutable | A string that specifies the ID of the selected device. |
Links | Description |
---|---|
device.select |
The link to initiate an action to specify a device ID to use in the multi-factor authentication flow. |
Embedded resources | Description |
---|---|
devices |
The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, see Device properties. |
OTP_REQUIRED
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
selectedDevice.id |
String | Required | Mutable | A string that specifies the ID of the currently selected device. |
Links | Description |
---|---|
device.select |
The link to initiate an action to specify a device ID to use in the multi-factor authentication flow. |
otp.check |
The link to initiate an action to validate the OTP used in the multi-factor authentication flow. |
Embedded resources | Description |
---|---|
devices |
The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, see Device properties. |
PUSH_CONFIRMATION_REQUIRED
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
selectedDevice.id |
String | Required | Mutable | A string that specifies the ID of the currently selected device. |
Links | Description |
---|---|
device.select |
The link to initiate an action to specify a device ID to use in the multi-factor authentication flow. |
Embedded resources | Description |
---|---|
devices |
The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, see Device properties. |
PUSH_CONFIRMATION_TIMED_OUT
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
selectedDevice.id |
String | Required | Mutable | A string that specifies the ID of the currently selected device. |
Links | Description |
---|---|
device.select |
The link to initiate an action to specify a device ID to use in the multi-factor authentication flow. |
Embedded resources | Description |
---|---|
devices |
The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, see Device properties. |
ACCOUNT_LINKING_REQUIRED
Links | Description |
---|---|
user.register |
The link to initiate a sign-on action that initiates an action to register a user. The request body requires the username , email , and password attributes to define a new user. |
registration.external |
The link to redirect a sign-on action to register a user to an external identity provider's registration workflow. |
Embedded resources | Description |
---|---|
matchedUsers |
An array of 0 or more users that match the external identity. The request returns the username , email , and lastSignedOnAt attributes needed to identify the user. |
identityProviders |
The external identity provider used to authenticate. The request returns the name and type attributes needed to identify the identity provider used for authentication. |
ACCOUNT_CONFIRMATION_REQUIRED
Links | Description |
---|---|
user.confirm |
The link to initiate an action to verify the data returned by the external identity provider. The request body can include the returned attributes from the identity provider. |
Embedded resources | Description |
---|---|
attributes |
An array of attributes returned by the external identity provider. |
EXTERNAL_AUTHENTICATION_REQUIRED
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
name |
String | Required | Mutable | A string that specifies the name of the identity provider. |
type |
String | Required | Mutable | A string that specifies the identity provider type. |
Embedded resources | Description |
---|---|
identityProvider.authenticate |
A string that specifies the URL for the external identity provider's sign-on screen to initiate authentication with the external identity provider. |
identityProvider.loginButtonIcon |
A string that specifies the URL for the external identity provider's login button icon file. |
PROFILE_DATA_REQUIRED
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
displayName |
String | Required | Mutable | A string that specifies the display name as defined in the user schema. |
name |
String | Required | Mutable | A string that specifies the attribute name/path as defined in the user schema (for example, email , address.postalCode ). |
required |
Boolean | Required | Mutable | A boolean that specifies whether the user is required to provide a value for the attribute. |
Links | Description |
---|---|
user.update |
The link to update the specified user's profile with the user attribute values provided in the request. |
Embedded resources | Description |
---|---|
attributes |
An array of user attributes provided to update the user's profile. |
attributes.name |
A string that specifies the attribute path, as defined in the user schema (for example, email , name.family , address.postalCode ). |
attributes.displayName |
A string that specifies the attribute's display name, as defined in the user schema. This property is optional. |
attributes.required |
A boolean that specifies whether the user is required to provide a value for the attribute. |
promptText |
A string that specifies text to display to the user when prompting for attribute values. |
ASSERTION_REQUIRED
Response property | Description |
---|---|
publicKeyCredentialRequestOptions |
A string that specifies the public key credential request options object generated for the selected device that should be used to call the navigator.credentials.get() on the browser to generate the assertion. |
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
assertion |
String | Required | Mutable | A string that specifies the authenticator assertion response, which contains the signed challenge needed to complete the MFA action. |
compatibility |
String | Optional | Mutable | A string that specifies the browser compatibility to support webauthn. Options are FULL (compatible with FIDO2 biometrics and security key), SECURITY_KEY_ONLY (compatible with security key only), and NONE (browser is not compatible with the webauthn method). |
origin |
String | Required | Mutable | A string that specifies the server name where the fetch originates, providing the URI scheme and hostname (for example, https://apps.pingone.com). |
Links | Description |
---|---|
device.select |
The link to initiate an action to specify a device ID to use in the multi-factor authentication flow. For more information, see Select an MFA device. |
assertion.check |
The link to initiate an action to validate the assertion used in the multi-factor authentication flow. For more information, see Check assertion. |
Embedded resources | Description |
---|---|
devices |
The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, see Devices model properties. |
AGREEMENT_CONSENT_REQUIRED
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
accept |
Boolean | Required | Mutable | A boolean that specifies whether the user has consented to the agreement. This property is required for a user.consent action. The value is true if the user has consented to the agreement. |
Links | Description |
---|---|
user.consent |
The link to initiate an action in which the user accepts the agreement. |
DAG_USER_CODE_REQUIRED
Parameters | Description |
---|---|
userCode |
A string that specifies the user code value returned by the device authorization grant authorize request. |
Links | Description |
---|---|
deviceAuthGrant.userCode.verify |
The link to initiate an action to verify the end-user's user code. |
DAG_CONSENT_REQUIRED
Parameters | Description |
---|---|
accept |
A boolean that specifies whether the user has consented to the agreement. This property is required for a deviceAuthGrant.consent action. The value is true if the user has consented to the agreement. |
Links | Description |
---|---|
deviceAuthGrant.consent |
The link to initiate an action to complete the consent agreement. On accepting the agreement, the flow transitions to the COMPLETED_ACCEPTED flow state; otherwise, it transitions to COMPLETED_DECLINED . |
Related topics
Flows
The GET /{{envID}}/flows/{{flowID}}
operation retrieves the flow specified by the flowID
in the request URL. For more information about this flow action, see Get a flow.
Flow API actions
The flow endpoint operation, POST /{{envID}}/flows/{{flowID}}
, supports several flow actions that are specified by the custom media type provided in the HTTP Content-Type
request header. The following table lists the PingOne custom media types and their associated authentication flow actions:
Media type | Flow action |
---|---|
application/vnd.pingidentity.session.reset+json |
Update or reset a flow |
application/vnd.pingidentity.usernamePassword.check+json |
Sign on with a username and password |
application/vnd.pingidentity.user.lookup+json |
Sign on with a username in a passwordless flow |
application/vnd.pingidentity.password.forgot+json |
Forgot password |
application/vnd.pingidentity.user.register+json |
Register a user |
application/vnd.pingidentity.usernamePassword.check+json |
Check a user's password |
application/vnd.pingidentity.password.reset+json |
Reset a user's password |
application/vnd.pingidentity.password.recover+json |
Recover a user's password |
application/vnd.pingidentity.password.sendRecoveryCode |
Send the user a recovery code |
application/vnd.pingidentity.user.verify+json |
Verify a user |
application/vnd.pingidentity.user.sendVerificationCode+json |
Send the user a verification email |
application/vnd.pingidentity.device.select+json |
Select an MFA device |
application/vnd.pingidentity.otp.check+json |
Validate the one-time password |
application/vnd.pingidentity.user.update+json |
Submit profile data |
application/vnd.pingidentity.user.confirm+json |
Confirm account information |
application/vnd.pingidentity.assertion.check+json |
Check assertion |
application/vnd.pingidentity.user.consent+json |
Agreement Accept Consent |
application/vnd.pingidentity.kerberos.lookup+json |
Sign on using Kerberos |
application/vnd.pingidentity.deviceAuthGrant.userCode.verify+json |
Confirm Device Activation Code |
application/vnd.pingidentity.deviceAuthGrant.consent+json |
Accept Device Authorization Grant Consent |
Flows common response data model
These common properties are returned with the flow response.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
aggregateFido2Devices |
Boolean | N/A | Read-only | Indication of whether the available authentication method list should include only a single generic FIDO2 option rather than including an entry for each paired FIDO2 device. |
application |
Object | Immutable | A reference to the application that initiated the flow. | |
application.id |
String | Immutable | A string that specifies the ID of the application that initiated the flow. | |
application.name |
String | Immutable | A string that specifies the name of the application that initiated the flow. | |
application.icon.id |
String | Immutable | A string that specifies the icon ID for the application that initiated the flow. | |
application.icon.href |
String | Immutable | A string that specifies the URL of the icon for the application that initiated the flow. | |
authenticator |
Array | Read only | An array that specifies the set of authentication methods that the user completed in this flow. The values returned by the flow must use the values defined in RFC 8176. The order of the methods returned by the flow might not reflect the order in which they were executed in the flow. | |
authorizeResponse.access_token |
String | Read only | A string that specifies the access token returned by the flow in a non-redirect or MFA only authentication flow (for an implicit authorization request). |
|
authorizeResponse.id_token |
String | Read only | A string that specifies the ID token returned by the flow in a non-redirect or MFA only authentication flow (for an implicit authorization request). |
|
authorizeResponse.code |
String | Read only | A string that specifies the authorization code returned by the flow in a non-redirect or MFA only authentication flow (for an authorization_code authorization request). |
|
authorizeResponse.state |
String | Immutable | A string that specifies the authorization state (used to maintain state between the logout request and the callback to the redirect URI) returned by the flow in a non-redirect or MFA only authentication flow (for an authorization_code authorization request). |
|
completedSignOnPolicy.id |
String | Read only | A string that specifies the ID of the completed sign-on policy resource after the flow is COMPLETED . |
|
completedSignOnPolicy.name |
String | Read only | A string that specifies the name of the completed sign-on policy after the flow is COMPLETED . |
|
createdAt |
Date | Read only | The time the resource was created. | |
expiresAt |
Date | Read only | The time this flow will expire due to inactivity timeout based on a sliding window. | |
id |
String | Immutable | A string that specifies the flow resource’s unique identifier. | |
identifier |
String | Immutable | A string that specifies a username value returned from the login_hint property. |
|
resumeUrl |
String | Immutable | A string that specifies where the flow handler UI will redirect the browser to after the flow is COMPLETED or FAILED . |
|
status |
String | Immutable | A string that specifies the status of the flow. | |
user.id |
String | Immutable | A string that specifies the ID of the session user. This value is used for authentication flows initiated with an existing session's unique ID. |
These common links are returned with the flow response.
Links | Description |
---|---|
self |
The link to the current flow resource. |
session.reset |
The link to the session reset action. This link is present if the user has signed on previously on this device. It can be used to sign off the user and reset the flow. |
These common embedded resources are returned with the flow response:
Embedded resources | Description |
---|---|
devices |
List of objects containing the properties of each devices associated with the user. |
devices[].otpStatus.status |
Whether or not the device can be used currently for OTP-based authentication. Value returned is ENABLED or DISABLED. Relevant only for devices where type is MOBILE. |
devices[].otpStatus.reason |
If the status is DISABLED, contains the reason that the device cannot be used for OTP-based authentication, for example, that the application used a version of the MFA SDK that does not support OTP. Relevant only for devices where type is MOBILE. |
devices[].pushStatus.status |
Whether or not the device can be used currently for push-based authentication. Value returned is ENABLED or DISABLED. Relevant only for devices where type is MOBILE. |
devices[].pushStatus.reason |
If the status is DISABLED, contains the reason that the device cannot be used for push-based authentication, for example, that the push option was disabled for the application in the MFA policy. Relevant only for devices where type is MOBILE. |
devices[].usableStatus.status |
Whether or not the device can be used currently for authentication. Value returned is ENABLED or DISABLED. |
devices[].usableStatus.reason |
If the status is DISABLED, contains the reason that the device cannot be used for authentication, for example, that the defined daily notifications limit has already been reached. |
user |
The link to the resource containing profile attributes of the actively signing-on or previously signed-on user. |
Audit reporting events
To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.
Service | Event |
---|---|
FlowDefinitions | FLOW_DEFINITION.CREATED |
FlowDefinitions | FLOW_DEFINITION.UPDATED |
FlowDefinitions | FLOW_DEFINITION.DELETED |
FlowExecutions | FLOW_EXECUTION.CREATED |
FlowExecutions | FLOW_EXECUTION.UPDATED |
FlowExecutions | FLOW_EXECUTION.DELETED |
FlowExecutions | STEP_EXECUTION.CREATED |
FlowExecutions | STEP_EXECUTION.UPDATED |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You weren’t authenticated to perform this operation. |
404 | The requested resource was not found. |
Related topics
Check Assertion
Check One-Time Password (OTP)
Check Username/Password
Reset Flow
Reset Password
Select Device
Sign On with a Username
Sign On with Kerberos
Read Flow
Forgot Password
The forgot password endpoints provide the flow actions to recover a user's forgotten password. These flow actions allow the user to recover the account and set a new password.
Forgot Password
Send (Resend) Recovery Code
Recover Password
Registration and Verification
The registration and verification endpoints provide flow actions for the following authentication workflows:
-
Register new users.
-
Verify the newly registered user account.
-
Update user profiles.
-
Confirm user account information received from an external identity provider.
-
Prompt users to consent to (or reject) an agreement.
Related topics
Register User
Send (Resend) Verification Code
User Profile Update
Confirm Account Information
Agreement Accept Consent
Verify User
Device Authorization Grant Flows
The device authorization grant endpoints provide the flow actions to verify a user's device user code and accept a consent agreement for the device. These flow actions address the flow states generated in a device code authentication flow.
Confirm Device Activation Code
Accept Device Authorization Grant Consent
OpenID Connect/OAuth 2
PingOne integrates with applications that use standards-compliant protocols by taking on the role of an OpenID Connect provider and OAuth 2 authorization server. In this capacity, PingOne provides the framework for connected applications to access protected HTTP resources. For more information about OpenID Connect and OAuth 2, see the OpenID Connect 1.0 spec and the OAuth 2.0 Authorization Framework RFC6749.
The PingOne authorization endpoint /{{envID}}/as/authorize
is used to interact with the resource owner and obtain an authorization grant. For more information and additional examples, see Authorization and authentication by application type.
OpenID Connect/OAuth2 data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
acr_values |
String | Optional | Mutable | Either a single DaVinci policy (identified by the flow policy ID), or one or more PingOne sign-on policies by name (space-separated). The PingOne sign-on policies can be the predefined sign-on policies, Single_Factor and Multi_Factor , or any custom defined sign-on policy names. The PingOne sign-on policy names should be listed in order of preference, and they must be assigned to the application. |
client_assertion |
String | Optional | Mutable | A JWT that contains a signed assertion with the application’s credentials. This property is required if the application's tokenEndpointAuthMethod is set to either PRIVATE_KEY_JWT or CLIENT_SECRET_JWT . |
client_assertion_type |
String | Optional | Mutable | A string that specifies the client assertion type. The value of this property must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer . This property is required if the application's tokenEndpointAuthMethod is set to either PRIVATE_KEY_JWT or CLIENT_SECRET_JWT . |
client_id |
String | Required | Immutable | The application's UUID. |
client_secret |
String | Required | Immutable | The application's client secret. |
code |
String | Optional | Immutable | the authorization code returned by the authorization server. This property is required only if the grant_type is set to authorization_code . |
code_challenge |
String | Optional | Immutable | Computed from the code_verifier that is used in a Proof Key for Code Exchange (PKCE) authorization request. The length and character set requirements for the code_challenge string are documented in Section 4.1 of RFC7636. The computation for the code_challenge string is documented in Section 4.2 of RFC7636. |
code_challenge_method |
String | Optional | Mutable | Specifies the computation logic used to generate the code_challenge string. The token endpoint uses this method to verify the code_verifier for PKCE authorization requests. Options are: plain and S256 . |
code_verfier |
String | Optional | Immutable | Used to create the code_challenge value passed to the authorization server in the request. The length an character set requirements for the code_verifier string is documented in Section 4.1 of RFC7636. |
grant_type |
String | Optional | Mutable | The grant type of the token request. Options are authorization_code , implicit , refresh_token , and client_credentials . |
login_hint |
String | Optional | Mutable | A login identifier to pre-fill the Username field of the sign-on screen. The string can be the UUID of an existing user in the environment, which results in the look-up of the user's username property, or it can be another string used to pre-fill the sign-on screen. The Username field of the sign-on screen does not pre-fill if (1) no string is provided as a hint, and (2) the OpenID Connect scope openid is not specified. In the flow response, if the login_hint value is a username , the value is returned in the flow response's identifier attribute. If the login_hint is a UUID, and the look-up finds a user, the username value is returned in the identifier attribute. If a user is not found, the UUID is returned in the flow response's identifier attribute. |
login_hint_token |
Token | Optional | Immutable | Provides a way for the client to identify and authenticate the end-user without needing to encode the entire authentication request in a signed JWT. Using a separate token instead of the login_hint parameter also means that this token can be signed by a client different from the authenticating client. |
mobilePayload |
Parameter | Optional | Mutable | Used by mobile applications leveraging PingOne MFA SDK. See Implement automatic pairing of native app as MFA authenticator app. |
max_age |
String | Optional | Mutable | The maximum amount of time allowed (in seconds) since the user last authenticated. If the max_age value is exceeded, the user must re-authenticate. If the max_age value is set to 0 (max_age=0 ), the user is always required to re-authenticate. |
nonce |
String | Optional | Immutable | Used to associate a client session with a token to mitigate replay attacks. The value is passed through unmodified from the authentication request to the token. This is an optional property for authorization requests that return a code. |
prompt |
String | Optional | Mutable | Specifies whether the user is prompted to login for re-authentication. The prompt parameter can be used as a way to check for existing authentication, verifying that the user is still present for the current session. For prompt=none , the user is never prompted to login to re-authenticate, which can result in an error if authentication is required. For prompt=login , if time since last login is greater than the max-age , then the current session is stashed away in the flow state and treated in the flow as if there was no previous existing session. When the flow completes, if the flow's user is the same as the user from the stashed away session, the stashed session is updated with the new flow data and persisted (preserving the existing session ID). If the flow's user is not the same as the user from the stashed session, the stashed session is deleted (logout) and the new session is persisted. |
redirect_uri |
String | Required | Mutable | The URL of the return entry point of the application. |
refreshTokenRollingGracePeriodDuration |
Integer | Optional | Mutable | The number of seconds that a refresh token may be reused after having been exchanged for a new set of tokens. This is useful in the case of network errors on the client. Valid values are between 0 and 86400 seconds. Null is treated the same as 0. |
request |
Token | Optional | Immutable | A JWT that enables OIDC/OAuth2 request parameters to be passed as a single, self-contained parameter. If the application's supportUnsignedRequestObject property value is set to false , the JWT must be signed (using the HS256 signing algorithm). Using a JWT enables integrity protection of parameters that are required for risk-based authentication or privacy and consent use cases. Specifically:
|
response_mode |
String | Optional | Mutable | The mechanism for returning authorization response parameters from the authorization endpoint. Options are query , fragment , form_post , and pi.flow . The pi.flow option is a Ping Identity custom response mode to specify that the redirect_uri parameter is not required and authorization response parameters are encoded as a JSON object wrapped in a flow response and returned directly to the client with a 200 status. For more information about the query , fragment , and form_post options, see the ResponseModes section of the OAuth 2.0 Multiple Response Type Encoding Practices specification. For non-redirect use case information, see Redirect and non-redirect authentication flows. |
response_type |
String | Required | Mutable | The code or token type returned by an authorization request. Options are token , id_token , and code . |
scope |
String | Optional | Mutable | Permissions that determine the resources that the application can access. This parameter is not required, but it is needed to specify accessible resources. |
state |
String | Optional | Mutable | Used to maintain state between the logout request and the callback to the endpoint specified by the post_logout_redirect_uri query parameter. |
subject_token |
String | Required | Immutable | The security token that represents the identity of the PingFederate cluster (or other client type) that requires access to PingOne services. |
subject_token_type |
String | Required | Immutable | The type of the security token provided in the subject_token property. Options are pingone_gateway_credential . |
token |
String | Required | Immutable | The token string. This is a required property for token introspection and token revocation. |
Application access control conditions
You can configure OpenID Connect applications for access control by setting the accessControl
property on the application. For more information about accessControl
properties, see Application Operations. When accessControl
properties are set for an application, the user must meet the requirements specified by these application properties to get a token. If the user attempts to authenticate and the grant_type
is either authorization_code
or implicit
, then the application's accessControl
conditions are evaluated to determine whether the user can be issued a token.
The token (or tokens) is minted if the user meets the application's access control conditions. If the conditions are not met, the token (or tokens) is not issued and an ACCESS_FAILED
error is returned. If access is denied, a USER.ACCESS_DENIED
event is published; otherwise, a USER.ACCESS_ALLOWED
event is published.
For more information, see Control access to applications through roles and groups.
Audit reporting events
To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.
Service | Event |
---|---|
applications | SECRET.UPDATED |
applications | SECRET.READ |
applications | GRANT.CREATED |
applications | GRANT.UPDATED |
applications | GRANT.DELETED |
resources | RESOURCE.CREATED |
resources | RESOURCE.UPDATED |
resources | RESOURCE.DELETED |
resources | SCOPE.CREATED |
resources | SCOPE.UPDATED |
resources | SCOPE.DELETED |
resources | ATTRIBUTE.CREATED |
resources | ATTRIBUTE.UPDATED |
resources | ATTRIBUTE.DELETED |
resources | SECRET.UPDATED |
resources | SECRET.READ |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You weren’t authenticated to perform this operation. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
Related topics
Authorization
The authorize endpoints support the following actions:
-
The authorize endpoint
/{{envID}}/as/authorize
is used to interact with the end user and obtain an authorization grant. Note that PingOne supports bothGET
andPOST
operations for authorize requests. The supported parameters for an authorize request vary depending on the value of theresponse_type
parameter (code
,token
,id_token
or combinations of these three options). -
For non-redirect flows, such as with native mobile apps in which the app renders the end user interface,
response_mode
property value is set topi.flow
. This setting allows the app to authenticate using the PingOne flows API without needing to handle HTTP redirections. Thepi.flow
value is also used with transaction approval use cases in which strong authentication is required for elevated security for a high-value transaction, or high-risk resource or service.
Use Cases
- Configure a PKCE authorization workflow
- Create an MFA Transaction Approval using SMS
- Use LOGIN and MFA Actions to Authenticate Users
- Configure a Progressive Profiling Sign-On Action
- Use LOGIN and AGREEMENT Actions to Authenticate Users
- Configure an MFA Only Flow Using a Login Hint Token
Related topics
Authorize (authorization_code)
Authorize (implicit)
Authorize (hybrid)
Authorize (authorization_code)
Authorize (implicit)
Authorize (hybrid)
Authorize (Non-redirect and MFA Only Flows)
Authorize (Transaction Approval)
Pushed Authorization Request
Applications can use a pushed authorization request (PAR) to securely initiate authorization flows. A PAR allows applications to send their authorization requests directly to PingOne without going through the browser, which safeguards sensitive data from end-user devices.
With a PAR, an application can push an authorization request payload to PingOne with a direct back-channel request, which is a more secure method of sending sensitive data, such as personally identifiable information, than sending it with a browser on the front channel.
The POST /{{envID}}/as/par
endpoint accepts the same request parameters as /{{envID}}/as/authorize
, as well as any additional parameters needed for client authentication. It can accept signed and unsigned requests. Requests must be less than 1MB.
After PingOne validates the request and saves the payload, it returns the request_uri
parameter as a reference to the payload. The response also indicates the lifetime of the request URI. The default lifetime is 60 seconds.
The application then uses the front channel to request an authorization code or token, sending the request_uri
parameter to PingOne. PingOne uses the request URI to look up the request payload and continue the authorization flow. PingOne accepts a particular request URI only once.
For more information on the PAR specification, see RFC 9126.
Pushed Authorization Request (NONE)
Pushed Authorization Request (CLIENT_SECRET_POST)
Pushed Authorization Request (CLIENT_SECRET_BASIC)
Pushed Authorization Request (CLIENT_SECRET_JWT)
Pushed Authorization Request (PRIVATE_KEY_JWT)
Authorize (implicit) (request_uri)
Token
The token endpoints support the following actions:
-
The token endpoint
/{{envID}}/as/token
is used by the client to obtain an access token by presenting its authorization grant. Note that authentication requirements to this endpoint are configured by the application'stokenEndpointAuthMethod
property. For information about the application'stokenEndpointAuthMethod
property, see the "Applications OIDC settings data model" table in Application Operations. -
The token introspection endpoint
/{{envID}}/as/introspect
returns the active state of an OAuth 2.0 token and the claims specified in RFC 7662 Section 2.2. The request requires the token parameter, which is the token string. -
The token revocation endpoint
{{envID}}/as/revoke
revokes the token specified in the request. Note that this operation does not apply to the tokens issued for the PingOne API resource.
Use Cases
- Get a token for custom resource access
- Add a custom claim to an access token
- Use LOGIN and MFA Actions to Authenticate Users
Related topics
Token (authorization_code) (CLIENT_SECRET_BASIC)
Token (authorization_code) (CLIENT_SECRET_POST)
Token (client_credentials) (CLIENT_SECRET_POST)
Token (authorization_code) (CLIENT_SECRET_JWT)
Token (authorization_code) (PRIVATE_KEY_JWT)
Token (authorization_code) (NONE)
Token (refresh_token) (CLIENT_SECRET_BASIC)
Token (refresh_token) (CLIENT_SECRET_POST)
Token (refresh_token) (CLIENT_SECRET_JWT)
Token (refresh_token) (PRIVATE_KEY_JWT)
Token (refresh_token) (NONE)
Token Admin App (client_credentials)
Token Exchange (Gateway Credential)
Token Introspection (Access Token)
Token Introspection (ID Token)
Token Introspection (Refresh Token)
Token Introspection (Resource ID and Secret)
Token Revocation
Device Authorization Grant
The device authorization grant endpoints support the following actions for applications configured with the DEVICE_CODE
grant type:
-
The device authorization endpoint
/{{envID}}/as/device_authorization
starts an action to return an activation code to the end user. The endpoint response returns a device code, a user code, and a verification URI. The supported parameters for the endpoint request are theclient_id
parameter and an optionalscope
parameter. -
The start flow endpoints
/{{envID}}/device/{{appIdentifier}}
or/{{envID}}/device
in which theappIdentifier
variable represents one of either the application ID (clientId
orapplicationId
) or a short secondary application identifier (devicePathId
configured per app) that is used only with the/device
endpoint. -
The token endpoint
/{{envID}}/as/token
returns the tokens issued for the device.
Device authorization grant data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
client_id |
String | Required | Immutable | The application's UUID. |
grant_type |
String | Required | Mutable | The grant type of the token request. Options are urn:ietf:params:oauth:grant-type:device_code . |
scope |
String | Optional | Mutable | Permissions that determine the resources that the application can access. This parameter is not required, but it is needed to specify accessible resources. |
device_code |
String | Required | Read only | The device verification code. This is a required property for device auth grant flows. |
user_code |
String | Required | Read only | The end-user verification code. This is a required property for device auth grant flows. |
verification_uri |
String | Required | Read only | The end-user verification URI on the authorization server. This is a required property for device auth grant flows. |
verification_uri_complete |
String | Optional | Read only | The end-user verification URI on the authorization server that includes the user_code . |
expires_in |
String | Required | Read only | The lifetime, in seconds, of the device_code . This value is set on the application configuration. |
interval |
String | Optional | Read only | The minimum amount of time, in seconds, that the client should wait between polling requests to the token endpoint. If no value is provided, the default is 5 seconds. This value is set on the application configuration. |
Related topics
Authorize (device)
Token (device_code) (NONE)
Start device flow (with appIdentifier)
Start device flow (without appIdentifier)
Resume
Userinfo
Resume
Discovery OpenID Configuration
Userinfo
Signoff
Read JWKS
SAML 2.0
The SAML endpoints are used by SAML applications to initiate sign-on and signoff operations. The SAML service implements functions to initiate SAML 2.0 single sign-on and single logout authentication flows.
Use Cases
SAML 2.0 protocol
The SAML protocol allows clients to obtain a requestor’s authentication state. SAML 2.0 uses security tokens, which contain assertions about the requestor, to pass authentication and authorization information about the requestor between the identity provider and the resource provider.
SAML SSO authentication requests
A SAML SSO authentication request uses the following authentication flow:
- The client (browser) initiates a login action to access a protected resource.
- The identity provider issues an
<AuthnRequest>
message to be delivered by the user agent to the SAML service endpoint using eitherHTTP Redirect
orHTTP POST
. - The SAML service validates the request and creates an authentication flow with the flow orchestration service.
- The SAML service indicates user interaction is required to perform the authentication flow.
- The browser is redirected to the PingOne hosted authentication UI or the per application configured URL of a custom UI, passing in the
environmentId
andflowSessionId
query parameters. The authentication UI uses flow orchestration and action services endpoints to complete the authentication flow. The authentication API checks on every call to ensure that the session token cookie contains the current token for the session associated with the flow. On successful completion of the flow, a new session token is generated for the session and set in the cookie. - The browser is redirected to the
resume
endpoint of the SAML service. - The SAML service retrieves and deletes the authentication flow from the flow orchestration service.
- The SAML service generates the appropriate tokens and issues a
<Response>
message delivered by the user agent to the identity provider usingHTTP POST
.
The following is a sample SAML assertion generated for an authentication <AuthnRequest>
request:
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="identifier_1"
Version="2.0"
IssueInstant="2004-12-05T09:21:59">
<saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
</samlp:AuthnRequest>
Request model
The following data model describes the supported attributes for a SAML <AuthnRequest>
request. For more information see Security Assertion Markup Language (SAML) V2.0 Technical Overview.
Property | Required? | Description |
---|---|---|
id |
Required | The value of the ID attribute in the request. The InResponseTo attribute in the corresponding response must match this value. |
version |
Required | The value should be set to 2.0 . |
IssueInstant |
Required | The time (in UTC) that the request was issued. |
destination |
Required | A URI reference indicating the address to which this request has been sent. It is required if the <AuthnRequest> request, optional otherwise. If submitted, it should match the location at which the message was received. |
consent |
Optional | A string that specifies whether or not (and under what conditions) consent has been obtained from a principal in the sending of this request. |
ForceAuthn |
Optional | A boolean that when set to true specifies that the identity provider must authenticate the presenter directly rather than rely on a previous security context. If a value is not provided, the default value is false . |
IsPassive |
Optional | A boolean that when set to true specifies that the identity provider and the user agent itself must not visibly take control of the user interface from the requester and interact with the presenter in a noticeable fashion. If a value is not provided, the default value is false . |
AssertionConsumerServiceIndex |
Optional | This value specifies the location to which the <Response> message should be returned to the requester. It applies only to profiles in which the requester is different from the presenter. If omitted, then the identity provider must return the <Response> message to the default location associated with the requester for the profile of use. |
AssertionConsumerServiceURL |
Optional | This value specifies the location to which the <Response> message must be returned to the requester. This attribute is mutually exclusive with the AssertionConsumerServiceIndex attribute and is typically accompanied by the ProtocolBinding attribute. |
ProtocolBinding |
Optional | A URI reference that identifies a SAML protocol binding used when returning the <Response> message. This attribute is mutually exclusive with the AssertionConsumerServiceIndex attribute and is typically accompanied by the AssertionConsumerServiceURL attribute. |
ProviderName |
Optional | This value specifies the human-readable name of the requester. It is used only for logging purposes, if available and if needed. |
<saml:Issuer> |
Required | This value specifies the service provider (9)SP) Entity ID. It identifies the entity that generated the request message. This should be treated as the client_id . |
<ds:Signature> |
Optional | An XML Signature that authenticates the requester and provides message integrity. |
<RequestedAuthnContext> |
Optional | A value that specifies the requirements, if any, that the requester places on the authentication context that applies to the responding provider's authentication of the presenter. |
<saml:Subject> |
Optional | A value that specifies the requested subject that names the actual identity about which it wishes to receive an assertion. |
<NameIDPolicy> |
Optional | A value that specifies the constraints on the name identifier to be used to represent the requested subject. |
<saml:Conditions> |
Optional | A value that specifies the SAML conditions the requester expects to limit the validity and/or use of the resulting assertion (or assertions). |
<Scoping> |
Optional | A value that specifies a set of identity providers trusted by the requester to authenticate the presenter, as well as limitations and context related to proxying of the <AuthnRequest> message to subsequent identity providers by the responder. |
The following is a sample SAML assertion response:
<samlp:Response
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="identifier_2"
InResponseTo="identifier_1"
Version="2.0"
IssueInstant="2004-12-05T09:22:05"
Destination="https://sp.example.com/SAML2/SSO/POST">
<saml:Issuer>https://auth.pingone.com/{{envID}}</saml:Issuer>
<samlp:Status>
<samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="identifier_4"
Version="2.0"
IssueInstant="2004-12-05T09:22:05">
<saml:Issuer>https://auth.pingone.com/{{envID}}</saml:Issuer>
<!-- a POSTed assertion MUST be signed -->
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
<saml:Subject>
<saml:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
3f7b3dcf-1674-4ecd-92c8-1544f346baf8
</saml:NameID>
<saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData
InResponseTo="identifier_1"
Recipient="https://sp.example.com/SAML2/SSO/POST"
NotOnOrAfter="2004-12-05T09:27:05"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions
NotBefore="2004-12-05T09:17:05"
NotOnOrAfter="2004-12-05T09:27:05">
<saml:AudienceRestriction>
<saml:Audience>https://sp.example.com/SAML2</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement
AuthnInstant="2004-12-05T09:22:00"
SessionIndex="identifier_3">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
IdP-Initiated SSO
IdP-initiated SSO allows users to authenticate through their identity provider, which then issues and signs SAML assertions to service providers. This allows users to access multiple applications and services with a single authentication.
IdP-Initiated SSO uses the following flow:
- A user signs on to their system with a username and password and is presented with an application catalog that displays icons representing the web-based applications and services they can access.
- The user clicks an icon to access one of those applications or services.
- The IdP creates and signs an SAML assertion that includes information about the user’s identity, along with any other attribute information that the IdP and SP agreed to share to authenticate users.
- The IdP either sends the assertion to the SP through a browser or sends a reference to the assertion that the SP can use to securely retrieve the assertion.
- The SP validates the signature to ensure that the SAML assertion really came from its trusted IdP and that none of the values in the assertion have been modified. It also extracts the identity, attribute, and authorization information it needs to determine whether access should be granted and which privileges the user will have.
- Users access the application or service.
IdP-Initiated SSO has the following benefits:
- The user gains access to catalog of applications and services with a single authentication.
- The authentication flow is more secure because user credentials are never transmitted between IdP and SP.
- The authentication flow is simpler because it eliminates a redirect step from SP to IdP.
You can start the IdP-Initiated SSO authentication session using the Get Identity Provider Initiated SSO request.
SAML SLO logout requests
A SAML single logout (SLO) operation uses the following flow:
- The user initiates logout.
- The session participant initiates single logout by sending a
<LogoutRequest>
message to the identity provider that sent the corresponding<AuthnRequest>
authentication assertion. - The SAML service validates the request. It then calls the end session endpoint of the flow orchestration service and passes through the cookie header. The flow orchestration service deletes the session identified by the session cookie and includes a
Set-Cookie
in the response to immediately expire the session cookie. - The identity provider uses the contents of the
<LogoutRequest>
message to determine the session(s) being terminated. - The identity provider issues a
<LogoutResponse>
message to the original requesting session participant.
DaVinci flows with SAML applications
The following workflow outlines the interaction between PingOne applications and DaVinci flows and flow policies.
-
PingOne applications support a configuration option to assign DaVinci flow policies to the application. For information about creating DaVinci flows and flow policies, see Getting Started with DaVinci. For information on designating a DaVinci flow as a PingOne flow, see Setting a trigger type on the flow.
-
The SAML SSO service retrieves the application configuration data. Based on the configuration, the application can use either a PingOne sign-on policy or a DaVinci flow policy to determine the sign-on workflow. To assign DaVinci flow policies to applications, see Application Flow Policy Assignments.
-
For DaVinci flow policy use cases, the DaVinci widget renders the sign-on flow page. For more information about DaVinci widgets, see Launching a flow with the widget in the PingOne admin documentation.
-
The DaVinci widget manages the flow, and after the flow completes, the PingOne SSO Connector creates a session and passes control back to the protocol service.
-
The SAML SSO service processes the response, performs attribute mapping using user attributes from the PingOne directory, creates a SAMLResponse, and sends it to the SAML application.
-
The application continues its normal flow, calling the PingOne token endpoint to obtain the tokens.
SAML data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
acsUrls |
URL | Required | Mutable | The Assertion Consumer Service URLs. The first URL in the list is used as default. There must be at least one URL. |
assertionDuration |
Integer | Required | Mutable | The assertion validity duration in seconds. |
assertionSigned |
Boolean | Optional | Mutable | Whether the SAML assertion itself should be signed. The default value is true . |
defaultTargetUrl |
String | Optional | Mutable | A URL that sets the relay state if the identity provider does not include an applicationUrl query parameter in its /{{envID}}/saml20/idp/startsso request. |
description |
String | Optional | Mutable | A description of the resource. |
enabled |
Boolean | Optional | Mutable | Whether the application is enabled. The default is false if this value is not set. |
icon.id |
String | Optional | Mutable | The icon resource’s unique identifier. |
icon.href |
String | Optional | Mutable | The URL of the icon resource. |
id |
String | Required | Immutable | The resource’s unique identifier. |
idpSigning.key.id |
String | Optional | Mutable | The certificate to be used by the identity provider to sign assertions and responses. If this property is omitted, the default signing certificate for the environment is used. |
loginPageUrl |
String | Optional | Mutable | The URL of the authentication flow UI that this application uses to interact with the end-user through the authentication flow. If a URL is not specified, the default PingOne hosted UI is used. |
name |
String | Required | Mutable | The name of SAML attribute and should be unique within an environment. Note that samlAssertion.subject is a reserved case-insensitive name that indicates the mapping to be used for the subject in the assertion. |
protocol |
String | Required | Mutable | The protocol used by the application. This value determines the set of additional protocol specific properties, links, and embedded resources associated with the resource. Options are OPENID_CONNECT and SAML . |
RelayState |
String | Required | Mutable | The target application ID for SAML assertions used in IdP-initiated SSO. |
responseSigned |
Boolean | Optional | Mutable | Whether the SAML assertion response itself should be signed. The default value is false . |
returnUrl |
String | Optional | Mutable | The endpoint of the PingOne SSO Connector receiving the ppmResponse from the PingOne SAML SSO service. This is strictly validated based on configuration. |
sloBinding |
String | Optional | Mutable | The binding protocol to be used for the logout response. Options are HTTP_REDIRECT or HTTP_POST . The default is HTTP_POST . Existing configurations with no data default to HTTP_POST . |
sloEndpoint |
URL | Optional | Mutable | The logout endpoint URL. If a sloEndpoint logout endpoint URL is not defined, logout actions result in an error. |
sloResponseEndpoint |
URL | Optional | Mutable | The endpoint URL to submit the logout response. If a value is not provided, the sloEndpoint property value is used to submit SLO response. |
spEntityId |
String | Required | Immutable | The service provider entity ID used to lookup the application. This is a required property and is unique within the environment. |
spVerification.cert.id |
String | Optional | Mutable | The certificate ID used to verify the service provider signature. |
Application access control conditions
You can configure SAML applications for access control by setting the accessControl
properties on the application. For more information about accessControl
properties, see Application Operations. When accessControl
properties are set for an application, the user must meet the requirements specified by these application properties. If the user attempts to authenticate, then the application's accessControl
conditions are evaluated before creating an assertion.
An assertion is created if the user meets the the application's access control conditions. If the conditions are not met, then an authorization failed error is returned with the top level code urn:oasis:names:tc:SAML:2.0:status:Responder
and the second level code urn:oasis:names:tc:SAML:2.0:status:RequestDenied
. If access is denied, a USER.ACCESS_DENIED
event is published; otherwise, a USER.ACCESS_ALLOWED
event is published.
For more information, see Control access to applications through roles and groups.
Audit reporting events
To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.
Service | Event |
---|---|
applications | ATTRIBUTE.CREATED |
applications | ATTRIBUTE.UPDATED |
applications | ATTRIBUTE.DELETED |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
400 | The request could not be completed. |
401 | You weren’t authenticated to perform this operation. |
404 | The requested resource was not found. |
SAML SSO Using POST
SAML ACS Endpoint for Inbound SSO
SAML ACS Endpoint for Identity Provider Initiated Inbound SSO
SAML SLO Using POST
Read SAML Metadata
SAML SSO Using GET
Identity Provider Initiated SSO
Read SAML Service Provider Metadata
Service Provider Initiated Inbound SSO
SAML SLO Using GET
SAML resume
Management APIs
The PingOne Management API provides the interface to configure and manage your PingOne organization. The Management API includes the following entities.
Organizations
PingOne uses an organization-based model to define tenant accounts and their related entities. The organization is the top-level identifier. It defines your entire enterprise within the PingOne platform.
For more information, see Organizations.
Environments
An organization contains one or more environments. Environments define separate working domains within an organization. Environments are used to model regions within a large global enterprise such as NA (North America) or EU (European Union). They are also used as the defining entity to segregate enterprise operations by functionality, staging environments, or configurations.
In the management API sample requests shown in this document, the {{apiPath}}
variable in the sample requests represents the regional domain for the PingOne server. See PingOne API domains for more information.
For more information, see Environments.
Environments contain many of the core resources on which all identity services are built. Environments encompass:
-
Populations
In PingOne, a population defines a set of users, similar to an organizational unit (OU). In a given environment, you can use populations to simplify the management of users. For example, you can create a population for similar types of users and apply a password policy to that population. You must create at least one population before you can create users. An individual user cannot belong to more than one population simultaneously, but users can be moved to a different populations.
For more information, see Populations.
-
Users
Users are unique entities that interact with the applications and services within the environment to which the they are assigned. User resources in PingOne are the full representation of a user profile, including the user's relationships, roles, devices, and attributes. Users are associated with populations rather than defined within a population. The user's association with a population is established as a property on the user resource.
For more information, see Users, User password management, User role assignments, and Enable user devices.
-
Applications and resources
Applications in PingOne define the connection between the PingOne platform and the actual application (also thought of as the client configuration). Resources represent the connections to external services, enabling secure access to PingOne resources and other defined external resources.
For more information, see Application Management, Application role assignments, Application sign-on policy assignments, Resources, Resource scopes, and Resource attributes.
-
Activities
Activities are collections of user activity information such as login attempts, password reset attempts, and total active user counts. This audit data can be exported, reported on, or streamed out to customer security information and event management (SIEM) solutions.
For more information, see User activities.
-
Branding and images
Branding can be configured for elements of the PingOne interface. All end user interfaces are branded according to the theme defined in the associated branding resource. Image resources can be configured to upload custom branding image files to the content delivery network (CDN) and manage the lifecycle of those images.
-
Password policies
These resources represent the password management actions and password policies that can be applied to users within an environment.
For more information, see Passwords.
-
Sign-on policies
These resources represent the sign-on workflow policies to establish an authentication flow during login, re-authentication, or registration actions that identify and verify users. The authentication workflows are part of the authentication API. The
signOnPolicy
resource is a proxy back to other APIs to perform authentication actions.For more information, see Sign-on policies and Sign-on policy actions.
-
Notifications templates
These endpoints manage notification templates resources and notifications content.
For more information, see Notifications templates and Notifications settings.
-
Certificates and keys
The certificate management endpoints provide an implementation that supports FIPS 140-2 Level 1 compliant security algorithms to generate key pairs. They manage customer-provided certificates, customer-provided signing/encryption keys, Ping-generated certificates (PKI), and Ping-generated signing/encryption keys.
For more information, see Certificate management.
-
Identity providers
The identity provider endpoints manage external identity provider configurations to enable social login and inbound SAML login features in PingOne. An external identity provider configuration allows linked users to authenticate and gain access to PingOne resources using the login flow and credentials provided by the external identity provider.
For more information, see Identity providers and Linked accounts.
Roles, entitlements, and permissions
Roles, permissions, and entitlements are defined at the root of the platform, and these entitlements apply to all PingOne management APIs, regardless of domain. Roles are assigned to users, and these user roles include a scope
property to grant the user permissions corresponding to the role. For example, a role of Identity Admin contains permissions allowing the subject to read and edit user data. When this role is assigned to a user, it can be assigned with the scope property that identifies a population or an environment to which the permissions apply.
Self-service application permissions are described using scopes rather than roles. Scopes are more narrowly defined roles in that a scope cannot cross an environment boundary, and it is restricted to a specific task. For example, the p1:read:user
scope grants permission to read the user resource's data only; it does not grant permission to read another user's data or perform create, update, or delete operations on user resources. Self-service applications issue access tokens that grant these narrowly defined permissions to end users.
For more information, see Roles, Resource scopes, and Access services through scopes and roles.
Licenses
The license resource identifies the organization that owns the license, the licensing package type, and the expiration date for the license.
For more information, see Licensing.
Identity accounts
Active identity counts use authentication and password-evaluation user events to determine whether an identity is active within a specified sampling period. Total identity counts provide the number of unique identities associated with a specified environment per day.
For more information, see Active identity counts and Total identities.
Application Management
Application resources define the connection between PingOne and the actual application (also known as a client connection). The application type you choose to create includes default settings that you're free to change. For example, you can configure the settings for a Single-Page application to match the settigs for a Web application. This is by design for maximum flexibility.
When you make a request to create a new application, you must specify the type
property that specifies one of the following application types:
-
Web application
A browser-based application with a server-side component, such as ASP, CGI, JSP/Java, Node.js, or Ruby on Rails applications.
-
Native application
An application that is installed and run directly on the local operating system, like Java, Objective-C, Swift, or React applications. Native applications are typically intended for mobile devices. These native applications are optionally configured using the
mobile
property. -
Single-Page application
A browser-based application that runs on the front-end with no server-side component, such as Sencha Touch, AngularJS, and React applications. A single page application runs on the client side after it loads, so it cannot keep a client secret.
-
Non-interactive
A web application that does not require user interaction through the web browser, like a command line interface, a service, or a daemon.
-
Worker
An administrator application that can interact with platform APIs. Access to platform APIs is determined by the user's or application's role assignments. The role assignment for a Worker app is set by the
assignActorRoles
property. -
Device authorization
Creating an application of this type initiates an action that returns an activation code to the end user. This enables you to obtain authorization from the end user through (what is typically) a mobile device.
-
Platform applications
PingOne creates platform applications (PingOne Admin Console, PingOne Application Portal, PingOne Self-Service - MyAccount, and PingFederate-SSO) when the environment is created. The PingFederate-SSO platform application is created only if the PingOne environment includes PingFederate, and unlike the other platform applications, PingFederate-SSO application information is not returned through a GET request.
These are the default grantTypes
, response_type
, and tokenEndpointAuthMethod
attributes for the application types:
Application type | Grant type | Response type | Token endpoint authentication method |
---|---|---|---|
Device Authorization | DEVICE_CODE, REFRESH_TOKEN | N/A | NONE |
Native | AUTHORIZATION_CODE, IMPLICIT | TOKEN, ID_TOKEN, CODE | NONE |
Single-page | IMPLICIT | TOKEN, ID_TOKEN | NONE |
Web | AUTHORIZATION_CODE | CODE | CLIENT_SECRET_BASIC |
Worker/Non-interactive | CLIENT_CREDENTIALS | TOKEN | CLIENT_SECRET_BASIC |
Use Cases
Managing applications
The base endpoint, /environment/{{envID}}/applications
, provides endpoint operations to create, read, update, and delete OIDC and SAML application connections. There are POST
request examples to show the required properties to create each type of application connection. For more information, see Application Operations.
The secret endpoint, /environments/{{envID}}/applications/{{appID}}/secret
, provides endpoint operations to read and update the application's secret, if the requesting actor has a superset of the application's role assignments. For more information, see Application Secret.
Applications support the following additional configuration properties:
-
Application resource grants
The application resource grants endpoint,
/environments/{{envID}}/applications/{{appID}}/grants
, provides endpoint operations to create, read, update, and delete the resource grant associated with the application connection. For more information, see Application Resource Grants. -
Application sign-on policy assignments
The application sign-on policy assignments endpoint,
/environments/{{envID}}/applications/{{appID}}/signOnPolicyAssignments
, provides endpoint operations to create, read, update, and delete the sign-on policies associated with the application connection. For more information, see Application Sign-On Policy Assignments. -
Application role assignments
The application role assignments endpoint,
/environments/{{envID}}/applications/{{appID}}/roleAssignments
, provides endpoint operations to create, read, update, and delete the role assignments associated with the application connection. For more information, see Application Role Assignments. -
Application attribute mapping
The application attribute mapping endpoint,
/environments/{{envID}}/applications/{{appID}}/roleAssignments
, lets you customize the content of an ID token or a SAML assertion by adding custom attributes and their values. For more information, see Application Attribute Mapping. -
Application MFA push credentials
Push credentials are required for sending push notifications to a native application. The endpoint,
/environments/{{envID}}/applications/{{appID}}/pushCredentials
, provides endpoint operations to create, read, update, and delete the push credentials associated with the application connection. This section provides examples for bothAPNS
andFCM
push credential types. For more information, see Application MFA Push Credentials.
Related topics
Application Operations
The Applications service implements operations to create, read, update, and delete, applications resources.
Cross-origin resource sharing
PingOne supports cross-origin resource sharing (CORS), which gives applications running at different domains permission to access resources on PingOne servers. For example, an application at https://myapp.com that uses PingOne to authenticate users needs to request permission to access resources at https://auth.pingone.com before authentication operations are executed. In this case, a request is made to the resource owner (auth.pingone.com) from the requestor (myapp.com) using CORS headers to ask for access privileges. The response from auth.pingone.com returns the CORS Access-Control-Allow-Origin
header with a value that confirms the requestor's access rights.
PingOne servers are configured to trust all origins when using access tokens. However, when requesting sensitive resources that use PingOne session cookies for authentication, only specified origins will be trusted. The following endpoints require session cookies for authentication, and only the origins specified in the application’s corsSettings
property will be trusted when calling these endpoints:
/{envId}/as/authorize
/{envId}/as/resume
/{envId}/as/signoff
/{envId}/rp/authenticate
/{envId}/rp/callback/{callbackId}
/{envId}/saml20/idp/sso
/{envId}/saml20/idp/startsso
/{envId}/saml20/resume
/{envId}/saml20/idp/slo
/{envId}/wsf/sts/{appId}
/{envId}/wsf/mex/{appId}
/{envId}/wsf/prp/{appId}
/{envId}/wsf/prp/resume
When using session cookies for authentication, no origins will be trusted when calling these endpoints:
/{envId}/as/txs
/{envId}/saml20/sp/sso
/{envId}/saml20/sp/acs
/{envId}/saml20/sp/jwtacs
Consequently, when defining an application's connection to PingOne, you generally do not need to add your application's domain to a list of trusted origins. Cross-origin requests that use HTTP methods to modify the resource, such as PUT
, PATCH
, POST
, and DELETE
, trigger a preflight request to ensure that the initial request can be sent. The browser initiates a preflight HTTP OPTIONS
request to verify that the HTTP method used in the actual request is allowed. In these cases, the response from auth.pingone.com to the preflight request returns a response with the CORS Access-Control-Allow-Methods
header to specify the allowed methods.
When making CORS requests, only these headers can be used:
Accept
Accept-Language
Content-Language
Content-Type
Range
Authorization
Content-Length
Cookie
Correlation-Id
Origin
Origin-Cookies
Referer
orReferrer
X-Amz-Date
X-Amz-Security-Token
X-Api-Key
X-client-version
X-Content-Type-Options
When accessing CORS responses, you're restricted to reading only the Correlation-Id
header (as well as the request body).
Attempting to submit or access headers that are not listed above may prevent you from making CORS requests or reading the responses.
Applications data models
The following applications properties tables show the base data model for properties that apply to all application protocols, and the specific properties for the OpenID Connect (OIDC), SAML, and WS-Federation application protocols.
Applications base data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
accessControl.role.type |
String | Optional | Mutable | The user role required to access the application. Options are ADMIN_USERS_ONLY . A user is an admin user if the user has one or more of the following roles: Organization Admin, Environment Admin, Identity Data Admin, or Client Application Developer. |
accessControl.group.type |
String | Optional | Mutable | The group type required to access the application. Options are ANY_GROUP (the actor must belong to at least one group listed in the accessControl.group.groups property) and ALL_GROUPS (the actor must belong to all groups listed in the accessControl.group.groups property). |
accessControl.group.groups |
String[] | Optional | Mutable | The group IDs for the groups the actor must belong to for access to the application. |
createdAt |
Date | N/A | Read-only | The time the resource was created. |
description |
String | Optional | Mutable | The description of the application. |
enabled |
String | Required | Mutable | The current enabled state of the application. Options are ENABLED or DISABLED . |
environment.id |
String | Required | Read-only | The PingOne environment associated with the application. |
hiddenFromAppPortal |
Boolean | Optional | Mutable | Whether the application is hidden in the application portal despite the configured group access policy. |
homePageUrl |
String | Optional | Mutable | The custom home page URL for the application. |
icon |
Object | Optional | Mutable | The HREF and the ID for the application icon. |
id |
String | Required | Read-only | The application UUID. |
loginPageUrl |
String | Optional | Mutable | The custom login page URL for the application. If you set the loginPageUrl property for applications in an environment that sets a custom domain, the URL should include the top-level domain and at least one additional domain level. Warning: To avoid issues with third-party cookies in some browsers, a custom domain must be used, giving your PingOne environment the same parent domain as your authentication application. For more information about custom domains, see Custom domains. |
name |
String | Required | Mutable | The name of the application. |
protocol |
String | Required | Immutable | The protocol used by the application. Options are OPENID_CONNECT , SAML , WS-FED , and EXTERNAL_LINK . |
type |
String | Required | Mutable | The application type. Options are WEB_APP , NATIVE_APP , SINGLE_PAGE_APP , SERVICE , CUSTOM_APP , WORKER , PING_ONE_SELF_SERVICE , PING_ONE_ADMIN_CONSOLE , PING_ONE_PORTAL , TEMPLATE_APP , and PORTAL_LINK_APP . |
updatedAt |
Date | N/A | Read-only | The time the resource was last updated. |
Applications OIDC settings data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
additionalRefreshTokenReplayProtectionEnabled |
Boolean | Optional | Mutable | When set to true (the default), if you attempt to reuse the refresh token, the authorization server immediately revokes the reused refresh token, as well as all descendant tokens. Setting this to null equates to a false setting. |
allowWildcardInRedirectUris |
Boolean | Optional | Mutable | Whether wildcards are allowed in redirect URIs. For more information, see Wildcards in Redirect URIs. |
assignActorRoles |
Boolean | Optional | Mutable | Indicates whether the permissions service should assign to the application the roles of the actor creating the application (defaults to true). This property is set only on the POST request. The property is ignored when included in a PUT request. Best Practice: When creating a Worker app, the best practice is to set this value to false. This is for security purposes, to ensure you assign only the minimal set of permissions necessary for the Worker app. |
corsSettings |
Object | Optional | Mutable | Enables you to customize how the Authorization and Authentication APIs interact with CORS requests that reference the application. If omitted, the application allows CORS requests from any origin except for operations that expose sensitive information (such as, operations from /as/authorize and /as/token ). We recommend you use corsSettings , rather than omitting this property. |
corsSettings.behavior |
String | Required | Mutable | Options are "ALLOW_NO_ORIGINS" and "ALLOW_SPECIFIC_ORIGINS". ALLOWS_NO_ORIGINS rejects all CORS requests. ALLOW_SPECIFIC_ORIGINS rejects all CORS requests except those listed in corsSettings.origins . |
corsSettings.origins |
String[] | Optional | Mutable | This must be specified when corsSettings.behavior is ALLOW_SPECIFIC_ORIGINS, and must be omitted or empty when corsSettings.behaviour is ALLOW_NO_ORIGINS. Limited to 20 values. The values are the origins from which CORS requests to the Authorization and Authentication APIs are allowed. Each value is an HTTP or HTTPS URL without a path. The host may be a domain name (including localhost), or an IPv4 address. Subdomains can be specified using the wildcard (*) to match any string. |
devicePathId |
String | Optional | Mutable | A string that specifies a unique identifier within an environment for a device authorization grant flow to provide a short identifier to the application. This property is ignored when the deviceCustomVerificationUri property is configured. The string can contain any letters, numbers, and some special characters (regex: a-zA-Z0-9_- ). It can have a length of no more than 50 characters (min/max=1/50 ). |
deviceCustomVerificationUri |
String | Optional | Mutable | A string that specifies an optional custom verification URI that is returned for the /device_authorization endpoint. |
deviceTimeout |
Integer | Required | Mutable | An integer that specifies the length of time (in seconds) that the userCode and deviceCode returned by the /device_authorization endpoint are valid. This property is required only for applications in which the grantTypes property is set to device_code . The default value is 600 seconds. It can have a value of no more than 3600 seconds (min/max=1/3600 ). |
devicePollingInterval |
Integer | Required | Mutable | An integer that specifies the frequency (in seconds) for the client to poll the /as/token endpoint. This property is required only for applications in which the grantTypes property is set to device_code . The default value is 5 seconds. It can have a value of no more than 60 seconds (min/max=1/60 ). |
grantTypes |
String[] | Required | Mutable | The grant type for the authorization request. Options are authorization_code , implicit , refresh_token , device_code , and client_credentials . |
initiateLoginUri |
String | Optional | Mutable | The URI to use for third-parties to begin the sign-on process for the application. If specified, PingOne redirects users to this URI to initiate SSO to PingOne. The application is responsible for implementing the relevant OIDC flow when the initiate login URI is requested. This property is required if you want the application to appear in the PingOne Application Portal. See the OIDC specification section Initiating Login from a Third Party for more information. |
jwks |
String | Optional | Mutable | A JWKS string that validates the signature of signed JWTs for applications that use the PRIVATE_KEY_JWT option for the tokenEndpointAuthMethod . This property is required when tokenEndpointAuthMethod is PRIVATE_KEY_JWT and the jwksUrl property is empty. For more information, see Create a private_key_jwt JWKS string. This property is also required if the optional request property JWT on the authorize endpoint is signed using the RS256 (or RS384, RS512) signing algorithm and the jwksUrl property is empty. For more infornmation about signing the request property JWT, see Create a request property JWT. |
jwksUrl |
String | Optional | Mutable | A URL (supports https:// only) that provides access to a JWKS string that validates the signature of signed JWTs for applications that use the PRIVATE_KEY_JWT option for the tokenEndpointAuthMethod . This property is required when tokenEndpointAuthMethod is PRIVATE_KEY_JWT and the jwks property is empty. For more information, see Create a private_key_jwt JWKS string. This property is also required if the optional request property JWT on the authorize endpoint is signed using the RS256 (or RS384, RS512) signing algorithm and the jwks property is empty. For more infornmation about signing the request property JWT, see Create a request property JWT. |
kerberos.key |
Object | Optional | Mutable | A Relationship object containing the certificate issuer (root CA). |
kerberos.key.id |
String | Optional | Immutable | The unique identifier for the Kerberos key. Required if kerberos.key is specified. |
mobile.bundleId |
String | Optional | Immutable | The bundle associated with the application, for push notifications in native apps. The value of the bundleId property is unique per environment, and once defined, is immutable. Used only for applications for the Apple ecosystem. |
mobile.huaweiAppId |
String | Optional | Immutable | The unique identifier for the app on the device and in the Huawei Mobile Service AppGallery. The value of the mobile.huaweiAppId property is unique per environment, and once defined, is immutable. Used only for applications for the Huawei ecosystem. |
mobile.huaweiPackageName |
String | Optional | Immutable | The package name associated with the application, for push notifications in native apps. The value of the mobile.huaweiPackageName property is unique per environment, and once defined, is immutable. Used only for applications for the Huawei ecosystem. |
mobile.packageName |
String | Optional | Immutable | The package name associated with the application, for push notifications in native apps. The value of the mobile.packageName property is unique per environment, and once defined, is immutable. Used only for applications for the Google ecosystem. |
mobile.integrityDetection.googlePlay |
Object | Optional | Mutable | Object that contains the credentials required for using Google's Play Integrity API for integrity detection. |
mobile.integrityDetection.googlePlay.verificationType |
String | Optional | Mutable | The type of verification that should be used. The possible values are GOOGLE and INTERNAL. Using internal verification will not count against your Google API call quota. The value you select for verificationType determines what other parameters you must provide. When set to GOOGLE, you must provide serviceAccountCredentials . When set to INTERNAL, you must provide decryptionKey and verificationKey . |
mobile.integrityDetection.googlePlay.serviceAccountCredentials |
String | Optional | Mutable | Contents of the JSON file that represents your Service Account Credentials. This parameter must be provided if you have set mobile.integrityDetection.googlePlay.verificationType to GOOGLE. |
mobile.integrityDetection.googlePlay.decryptionKey |
String | Optional | Mutable | Play Integrity verdict decryption key from your Google Play Services account. This parameter must be provided if you have set mobile.integrityDetection.googlePlay.verificationType to INTERNAL. |
mobile.integrityDetection.googlePlay.verificationKey |
String | Optional | Mutable | Play Integrity verdict signature verification key from your Google Play Services account. This parameter must be provided if you have set mobile.integrityDetection.googlePlay.verificationType to INTERNAL. |
mobile.integrityDetection.mode |
String | Optional | Mutable | Indicates whether device integrity detection takes place on mobile devices, for the application's enrollment and authentication events. The possible values are ENABLED or DISABLED . |
mobile.integrityDetection.excludedPlatforms |
Array | Optional | Mutable | You can enable device integrity checking separately for Android and iOS by setting mobile.integrityDetection.mode to ENABLED and then using this property to specify an OS where you do not want to use device integrity checking. The possible values are GOOGLE and IOS . Note that this is implemented as an array even though currently you can only include a single value. |
mobile.integrityDetection.cacheDuration.amount |
Integer | Optional | Mutable | The duration between successful integrity detection calls. Every attestation request entails a certain time tradeoff. You can choose to cache successful integrity detection calls for a predefined duration, between a minimum of 1 minute and a maximum of 48 hours. If mobile.integrityDetection.mode is ENABLED, the cache duration must be set. |
mobile.integrityDetection.cacheDuration.units |
String | Optional | Mutable | The time units used for mobile.integrityDetection.cacheDuration.amount . The possible values are MINUTES or HOURS . |
mobile.passcodeRefreshDuration.duration |
Integer | Optional | Mutable | The amount of time a passcode should be displayed before being replaced with a new passcode. Must be between 30 and 60 (seconds). |
mobile.passcodeRefreshDuration.timeUnit |
String | Optional | Mutable | The type of time unit for mobile.passcodeRefreshDuration.duration . Currently, this must be SECONDS. |
mobile.uriPrefix |
String | Optional | Mutable | A URI prefix that enables direct triggering of the mobile application when scanning a QR code. The URI prefix can be set to a universal link with a valid value (which can be a URL address that starts with HTTP:// or HTTPS:// , such as https://www.acme.com ), or an app schema, which is just a string and requires no special validation. |
parRequirement |
Enum | Optional | Mutable | Whether pushed authorization requests (PAR) are required. Options are REQUIRED and OPTIONAL . The default value is OPTIONAL . |
parTimeout |
Integer | Optional | Mutable | PAR timeout in seconds. Must be between 1 and 600 . The default value is 60 . |
pkceEnforcement |
String | Optional | Mutable | Specifies how PKCE request parameters are handled on the authorize request. Options are: OPTIONAL : PKCE code_challenge is optional and any code challenge method is acceptable. REQUIRED : PKCE code_challenge is required and any code challenge method is acceptable. S256_REQUIRED : PKCE code_challenge is required and the code_challenge_method must be S256 . |
postLogoutRedirectUris |
String[] | Optional | Mutable | The URLs that the browser can be redirected to after logout. |
redirectUris |
String[] | Optional | Mutable | The callback URI for the authentication response. |
refreshTokenDuration |
Integer | Optional | Mutable | The lifetime in seconds of the refresh token. If a value is not provided, the default value is 2592000, or 30 days. Valid values are between 60 and 2147483647 . If the refreshTokenRollingDuration property is specified for the application, then this property must be less than or equal to the value of refreshTokenRollingDuration . After this property is set, the value cannot be nullified. This value is used to generate the value for the exp claim when minting a new refresh token. |
refreshTokenRollingDuration |
Integer | Optional | Mutable | The number of seconds a refresh token can be exchanged before re-authentication is required. If a value is not provided, the refresh token is valid forever. Valid values are between 60 and 2147483647 . After this property is set, the value cannot be nullified. This value is used to generate the value for the exp claim when minting a new refresh token. |
refreshTokenRollingGracePeriodDuration |
Integer | Optional | Mutable | The number of seconds that a refresh token may be reused after having been exchanged for a new set of tokens. This is useful in the case of network errors on the client. Valid values are between 0 and 86400 seconds. Null is treated the same as 0. |
requireSignedRequestObject |
Boolean | Optional | Mutable | Indicates that the Java Web Token (JWT) for the request query parameter is required to be signed. If false or null (default), a signed request object is not required. Both supportUnsignedRequestObject and this property cannot be set to true. |
responseTypes |
String[] | Optional | Mutable | The code or token type returned by an authorization request. Options are TOKEN , ID_TOKEN , and CODE . For hybrid flows that specify CODE with TOKEN or ID_TOKEN , see Hybrid grant type. |
signing |
Object | Optional | Mutable | Configuration for the signing key. If absent, application tokens will be signed and verified by the PingOne default key at runtime. This property only applies to OIDC applications of type WEB_APP , NATIVE_APP , SINGLE_PAGE_APP , and CUSTOM_APP . |
signing.keyRotationPolicy |
Object | Required | Mutable | Contains the Key Rotation Policy (KRP) ID. This property is required if signing is set. |
signing.keyRotationPolicy.id |
String | Required | Mutable | Reference to a KRP ID from certificate management. This property is required if signing is set. |
supportUnsignedRequestObject |
Boolean | Optional | Mutable | Indicates whether the Java Web Token (JWT) for the request query parameter is allowed to be unsigned. If false or null (default), an unsigned request object is not allowed. Both requireSignedRequestObject and this property cannot be set to true. |
tags |
String[] | Optional | Mutable | An array that specifies the list of labels associated with the application. Options are PING_FED_CONNECTION_INTEGRATION . Only applicable for Create Application (OIDC Protocol - PingFederate Worker App). |
targetLinkUri |
String | Optional | Mutable | The URI for the application. If specified, PingOne will redirect application users to this URI after a user is authenticated. In the PingOne admin console, this becomes the value of the target_link_uri parameter used for the Initiate Single Sign-On URL field. |
template |
Object | Optional | Mutable | Valid only when the application type is TEMPLATE_APP . This identifies the application as integration in Integration Catalog. (by integration.id and version.id) and provides key-value map of parameters needed by the integration |
template.configuration |
Object | Required | Mutable | Contains a key/value map of the parameters required by the integration in Integration Catalog. |
template.integration.id |
String | Required | Mutable | The UUID of the integration in Integration Catalog. |
template.version.id |
String | Required | Mutable | The UUID of the integration version in Integration Catalog. |
tokenEndpointAuthMethod |
String | Optional | Mutable | The client authentication methods supported by the token endpoint. Options are NONE , CLIENT_SECRET_BASIC , CLIENT_SECRET_POST , PRIVATE_KEY_JWT , and CLIENT_SECRET_JWT . |
Applications OIDC settings data model for PING_ONE_SELF_SERVICE
For applications of type
PING_ONE_SELF_SERVICE only. Ignored for all other application types.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
userForm |
Relationship | Required | Mutable | Configures the form from the form builder service that is used by the self service app for user profile updates. The referenced form must have a category of SELF_SERVICE. |
applyDefaultTheme |
Boolean | Required | Mutable | If true , applies the default theme to the self service application. |
enableDefaultThemeFooter |
Boolean | Required | Mutable | If true , shows the default theme footer on the self service application. Applies only if applyDefaultTheme is also true . |
Applications OIDC settings data model for PING_ONE_PORTAL
For applications of type
PING_ONE_PORTAL only. Ignored for all other application types.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
applyDefaultTheme |
Boolean | Required | Mutable | If true , applies the default theme to the app portal application. |
Applications SAML settings data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
acsUrls |
String[] | Required | Mutable | The Assertion Consumer Service URLs. The first URL in the list is used as default (there must be at least one URL). |
assertionDuration |
Integer | Required | Mutable | The assertion validity duration in seconds. |
assertionSigned |
Boolean | Optional | Mutable | Indicates whether the SAML assertion itself should be signed. The default value is true . |
corsSettings |
Object | Optional | Mutable | Enables you to customize how the Authorization and Authentication APIs interact with CORS requests that reference the application. If omitted, the application allows CORS requests from any origin except for operations that expose sensitive information (such as, operations from /as/authorize and /as/token ). We recommend you use corsSettings , rather than omitting this property. |
corsSettings.behavior |
String | Required | Mutable | Options are "ALLOW_NO_ORIGINS" and "ALLOW_SPECIFIC_ORIGINS". ALLOWS_NO_ORIGINS rejects all CORS requests. ALLOW_SPECIFIC_ORIGINS rejects all CORS requests except those listed in corsSettings.origins . |
corsSettings.origins |
String[] | Optional | Mutable | This must be specified when corsSettings.behavior is ALLOW_SPECIFIC_ORIGINS, and must be omitted or empty when corsSettings.behaviour is ALLOW_NO_ORIGINS. Limited to 20 values. The values are the origins from which CORS requests to the Authorization and Authentication APIs are allowed. Each value is an HTTP or HTTPS URL without a path. The host may be a domain name (including localhost), or an IPv4 address. Subdomains can be specified using the wildcard (*) to match any string. |
defaultTargetUrl |
String | Optional | Mutable | This is used as the RelayState parameter by the IdP to deep link into the application after authentication. This value can be overridden by the applicationUrl query parameter for GET Identity Provider Initiated SSO. Although both of these parameters are generally URLs, because they are used as deep links, this is not enforced. If neither defaultTargetUrl nor applicationUrl is specified during a SAML authentication flow, no RelayState value is supplied to the application. The defaultTargetUrl (or the applicationUrl ) value is passed to the SAML application’s ACS URL as a separate RelayState key value (not within the SAMLResponse key value). |
enableRequestedAuthnContext |
Boolean | Optional | Mutable | Indicates whether requestedAuthnContext is taken into account in policy decision-making. |
idpSigning.algorithm |
String | Optional | Mutable | The algorithm used by the IdP signing key. Algorithms supported: SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA256withECDSA, SHA384withECDSA, and SHA512withECDSA. |
idpSigning.key.id |
String | Optional | Mutable | The certificate to be used by the identity provider to sign assertions and responses. If this property is omitted, the default signing certificate for the environment is used. |
nameIdFormat |
String | Optional | Mutable | The format of the Subject NameID attribute in the SAML assertion. Options are
|
responseSigned |
Boolean | Optional | Mutable | Indicates whether the SAML assertion response itself should be signed. The default value is False . |
sloBinding |
String | Optional | Mutable | The binding protocol to be used for the logout response. Options are HTTP_REDIRECT or HTTP_POST . The default is HTTP_POST ; existing configurations with no data default to HTTP_POST . This is an optional property. |
sloEndpoint |
String | Optional | Mutable | The logout endpoint URL. This is an optional property. However, if a sloEndpoint logout endpoint URL is not defined, logout actions result in an error. |
sloResponseEndpoint |
String | Optional | Mutable | The endpoint URL to submit the logout response. If a value is not provided, the sloEndpoint property value is used to submit SLO response. |
sloWindow |
Integer | Optional | Mutable | Defines how long PingOne can exchange logout messages with the application, specifically a LogoutRequest from the application, since the initial request. PingOne can also send a LogoutRequest to the application when a single logout is initiated by the user from other session participants, such as an application or identity provider. This setting is per application. The SLO logout is separate from the user session logout that revokes all tokens. |
spEncryption |
Object | Optional | Mutable | Enables PingOne to encrypt SAML assertions to be sent to the application. Assertions are not encrypted by default. |
spEncryption.algorithm |
String | Required | Mutable | The algorithm for encrypting the assertions (AES_128, AES_256, or TRIPLEDES). |
spEncryption.certificate |
Object | Required | Mutable | Contains the ID of the encryption public certificate that has been uploaded to PingOne. |
spEncryption.certificate.id |
String | Required | Mutable | The unique identifier of the encryption public certificate that has been uploaded to PingOne. |
spEntityId |
String | Required | Immutable | The service provider entity ID used to lookup the application. This must be unique within the environment. |
spVerification.authnRequestSigned |
Boolean | Optional | Mutable | Whether the Authn Request signing should be enforced. Default is false . |
spVerification.certificates[].id |
String[] | Optional | Mutable | An array that specifies the certificate IDs used to verify the service provider signature. |
template |
Object | Optional | Mutable | Valid only when the application type is TEMPLATE_APP . This identifies the application as integration in Integration Catalog. |
template.configuration |
Object | Required | Mutable | Contains a key/value map of the parameters required by the integration in Integration Catalog. |
template.integration.id |
String | Required | Mutable | The UUID of the integration in Integration Catalog. |
template.version.id |
String | Required | Mutable | The UUID of the integration version in Integration Catalog. |
Applications SAML metadata settings data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
acsBindings |
String | Optional | Mutable | The assertion consumer service binding protocol. Options are: HTTP_REDIRECT or HTTP_POST |
acsUrls |
String[] | Optional | Mutable | The assertion consumer service URLs. |
authnRequestsSigned |
Boolean | Optional | Mutable | Indicates whether the SAML authentication request is signed. |
encryptionCertificate.pkcs7Der |
Byte[] | Optional | Mutable | The PKCS7 encryption certificate in DER format. |
sloBinding |
String | Optional | Mutable | The SAML single logout binding protocol used for logout response. Options are: HTTP_REDIRECT or HTTP_POST . |
sloEndpoint |
String | Required | Mutable | The SAML single logout endpoint URL. |
signingCertificates[].pkcs7Der |
Byte[] | Optional | Mutable | The PKCS7 signing certificates in DER format. |
Applications WS-Federation settings data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
audienceRestriction |
String | Optional | Mutable | The service provider ID. Defaults to urn:federation:MicrosoftOnline . |
corsSettings |
Object | Optional | Mutable | Enables you to customize how the Authorization and Authentication APIs interact with CORS requests that reference the application. If omitted, the application allows CORS requests from any origin except for operations that expose sensitive information (such as, operations from /as/authorize and /as/token ). We recommend you use corsSettings , rather than omitting this property. |
corsSettings.behavior |
String | Required | Mutable | Options are "ALLOW_NO_ORIGINS" and "ALLOW_SPECIFIC_ORIGINS". ALLOWS_NO_ORIGINS rejects all CORS requests. ALLOW_SPECIFIC_ORIGINS rejects all CORS requests except those listed in corsSettings.origins . |
corsSettings.origins |
String[] | Optional | Mutable | This must be specified when corsSettings.behavior is ALLOW_SPECIFIC_ORIGINS, and must be omitted or empty when corsSettings.behaviour is ALLOW_NO_ORIGINS. Limited to 20 values. The values are the origins from which CORS requests to the Authorization and Authentication APIs are allowed. Each value is an HTTP or HTTPS URL without a path. The host may be a domain name (including localhost), or an IPv4 address. Subdomains can be specified using the wildcard (*) to match any string. |
domainName |
String | Required | Mutable | The federated domain name (for example, the Azure custom domain). |
idpSigning |
Object | Required | Mutable | Contains the information about the signing of requests by the identity provider (IdP). |
idpSigning.algorithm |
String | Required | Mutable | The signature algorithm to be used for signing. Algorithms supported: SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA256withECDSA, SHA384withECDSA, and SHA512withECDSA. |
idpSigning.key |
String | Required | Mutable | The key pair to be used by the IdP to sign requests. If this isn't specified, the default signing certificate for the environment is used. |
idpSigning.key.id |
String | Required | Mutable | The ID of the key specified for idpSigning.key . |
kerberos |
Object | Optional | Mutable | Contains the Kerberos authentication settings. Set this to null to disable Kerberos authentication. |
kerberos.gateways |
Object[] | Optional | Mutable | Contains the gateway properties. |
kerberos.gateways.id |
String | Required | Mutable | The UUID of the LDAP gateway. |
kerberos.gateways.type |
String | Required | Mutable | The gateway type. This must be "LDAP". |
kerberos.gateways.userType.id |
String | Required | Mutable | The UUID of a user type in the list of userTypes for the LDAP gateway. |
replyUrl |
String | Required | Mutable | The URL that the replying party (such as, Office365) uses to accept submissions of RequestSecurityTokenResponse messages that are a result of SSO requests. |
sloEndpoint |
String | Optional | Mutable | The single logout endpoint URL. |
subjectNameIdentifierFormat |
String | Optional | Mutable | The format to use for the SubjectNameIdentifier element. This value must be one of the following: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
Audit reporting events
To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.
Service | Event |
---|---|
applications | APPLICATION.CREATED |
applications | APPLICATION.UPDATED |
applications | APPLICATION.DELETED |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request, or your license is exceeded. |
404 | The requested resource was not found. |
500 | An unexpected error occurred. |
Related topics
Create Application (OIDC Protocol - Web App)
Create Application (OIDC Protocol - Native App)
Create Application (OIDC Protocol - Single Page App)
Create Application (OIDC Protocol - Service App)
Create Application (OIDC Protocol - Worker App)
Create Application (OIDC Protocol - Worker Interactive App)
Create Application (OIDC Protocol - PingFederate Worker App)
Create Application (OIDC Device Authorization Grant)
Create Application (OIDC Mobile App)
Create Application (SAML Protocol)
Create Application (WS-Federation Protocol)
Read All Applications
Read One Application
Update Application (OIDC)
Update Application (SAML)
Update Application (WS-Federation)
Delete Application
Application Attribute Mapping
ID token and SAML assertion customization
The application attributes service lets you customize the content of an ID token or a SAML assertion by adding custom attributes and their values. Custom attributes have a cumulative length constraint of 16 Kb. See Custom attributes in Schemas for more information.
In the Authorization request header field of all samples, the accessToken
value is your full base64url-encoded JSON web token generated by the authentication service.
OpenID Connect application attribute mappings
For OpenID Connect (OIDC) applications, the user claim defined by the custom attribute mapping is returned in the ID token, regardless of the scopes specified in the authorization request. For example, suppose you want to include a user's accountId
in ID tokens associated with the specified OIDC application, a custom application attribute resource can be created to map the user's account ID to the accountId
PingOne user attribute. The request looks like this:
curl -X "POST" "https://api.pingone.com/v1/environments/{{envID}}/applications/{{appID}}/attributes" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer {{accessToken}}' \
-d '{
"name": "userAccountID",
"value": "${user.accountId}",
"required": true
}'
SAML application attribute mappings
For SAML applications, the user claim defined by the custom attribute mapping is returned in the SAML assertion.
For example, suppose you want to include an externalId
in assertions associated with the specified SAML application, a custom application attribute resource can be created to map the SAML externalId
attribute to the user's external ID attribute. The request looks like this:
curl -X "POST" "https://api.pingone.com/v1/environments/{{envID}}/applications/{{appID}}/attributes" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer {{accessToken}}' \
-d '{
"name": "externalId",
"value": "${user.externalId}",
"required": true
}'
Advanced attribute mapping
You can use PingOne's expression language for advanced attribute mapping. The supported expression language is an augmentation of SpEL. SpEL is a powerful expression language used for querying and manipulating an object graph at runtime.
For example, with advanced attribute mapping capabilities, you can write an expression that concatenates two or more user attributes in the value
property:
curl -X "POST" "https://api.pingone.com/v1/environments/{{envID}}/applications/{{appID}}/attributes" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer {{accessToken}}' \
-d '{
"name": "fullName",
"value": "${user.name.given + ', ' + user.name.family}",
"required": true
}'
In this request, the fullName
mapped attribute includes the user's first name and last name in the response.
Applications attribute mapping data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
application.id |
String | Required | Read-only | The application associated with the application mapping resource. |
createdAt |
Date | N/A | Read-only | The time the resource was created. |
environment.id |
String | Required | Read-only | The environment associated with the application mapping resource. |
id |
UUID | Required | Read-only | The application mapping ID. |
mappingType |
String | Optional | Mutable | The mapping type of the attribute. Options are CORE , SCOPE , and CUSTOM . The CORE and SCOPE mapping types are for reserved attributes managed by the API and cannot be removed. Attribute values for these mapping types can be updated. The CUSTOM mapping type is for user-defined attributes. Attributes of this type can be updated and deleted. |
name |
String | Required | Immutable | The name of attribute. Must be unique within an application. The property is set on create only and cannot be changed after creation. For SAML applications, the samlAssertion.subject name is a reserved case-insensitive name which indicates the mapping to be used for the subject in an assertion. For OpenID Connect applications, the following names are reserved and cannot be used:
|
nameFormat |
String | Optional | Mutable | A URI reference representing the classification of the attribute. Helps the service provider interpret the attribute format. |
required |
Boolean | Required | Mutable | Whether a mapping value is required for this attribute. If true, a value must be set and a non-empty value must be available in the SAML assertion or ID token. |
updatedAt |
Date | N/A | Read-only | The time the resource was updated. |
value |
String | Required | Mutable | The string constants or expression for mapping the attribute path against a specific source. The expression format is: ${<source>.<attribute_path>} . The only supported source is user (for example, ${user.id} ). |
idToken |
Boolean | Optional | Mutable | Whether the attribute mapping should be available in the ID Token. This property is applicable only when the application's protocol property is OPENID_CONNECT . If omitted, the default is true . Note that the idToken and userInfo properties cannot both be set to false . At least one of these properties must have a value of true . |
userInfo |
Boolean | Optional | Mutable | Whether the attribute mapping should be available through the /as/userinfo endpoint. This property is applicable only when the application's protocol property is OPENID_CONNECT . If omitted, the default is true . Note that the idToken and userInfo properties cannot both be set to false . At least one of these properties must have a value of true . |
oidcScopes |
List | Optional | Mutable | OIDC resource scope IDs that this attribute mapping is available for exclusively. This setting overrides any global OIDC resource scopes that contain an attribute mapping with the same name. The list can contain only scope IDs that have been granted for the application through the /grants endpoint. A null value is accepted for backwards compatibility. However, an empty set is invalid, and one scope ID is expected. If null, the response includes this mapping in the openid scope. |
OIDC application core mapping attributes
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
sub |
String | Required | Mutable | A string that specifies the core OIDC application mapping attribute. The default user attribute value is ${user.id} and the required property value must be set to true . |
SAML application core mapping attributes
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
saml_subject |
String | Required | Mutable | A string that specifies the core SAML mapping attribute. The default user attribute value is ${user.id} and the required property value must be set to true . |
Audit reporting events
To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.
Service | Event |
---|---|
applications | ATTRIBUTE.CREATED |
applications | ATTRIBUTE.UPDATED |
applications | ATTRIBUTE.DELETED |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
500 | An unexpected error occurred. |
Create Application Attribute Mapping
Read All Application Attribute Mappings
Read One Application Attribute Mapping
Update Application Attribute Mapping
Delete Application Attribute Mapping
Application Flow Policy Assignments
Flow policy assignment endpoints manage the flow policies associated with the specified application. An application can have zero or more flow policies assigned to it that determine how users are authenticated. The number of flow policies assigned to an application also controls how the authentication flow progresses.
No flow policy assignments
Applications that have no flow policy assignments use the environment resource's default sign-on policy to authenticate users (or a designated sign-on policy assignment).
One flow policy assignment
Applications that have one flow policy assignment always use that flow policy to authenticate users.
Two or more flow policy assignments
If an application has two or more assigned flow policies, the authentication flow uses the flow policy with the highest priority (priority 1) first. If authentication is successful, the flow is complete. If authentication fails, the flow initiates the flow policy with the next highest priority. The flow continues until one of the assigned flow policies completes successfully or all policies have been tried and failed.
OIDC applications can request a lower-priority policy by using the acr_values
OIDC parameter with the desired PingOne authentication name or DaVinci flow policy ID. See OpenID Connect/OAuth2 data model.
SAML applications can request a lower-priority policy by sending a SAML 2.0 authentication request with the RequestedAuthnContext
parameter, where the value indicates the desired PingOne authentication name or DaVinci flow policy ID. Note that the enableRequestAuthnContext
must be set to true
for the SAML application. See SAML settings data model.
Flow policies and the PingOne application portal
If the PingOne application portal is not configured with any flow policies, it will use the default PingOne policy.
You can apply policies other than the default to the PingOne application portal by appending the policy
query parameter to your Application Portal Home Page URL. For example, the Home Page URL https://apps.pingone.com/<envID>/myapps/
would become https://apps.pingone.com/<envID>/myapps/?policy=<value>
, where <value>
is the name of a configured PingOne policy, or the ID of a configured DaVinci flow policy. If the policy name or ID doesn't match any configured policy, then PingOne returns an error.
Application flow policy assignments data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
application.id |
String | Required | Read only | A string that specifies the application resource ID associated with the flow policy assignment. |
environment.id |
String | Required | Read only | A string that specifies the environment associated with the application. |
flowPolicy.id |
String | Required | Mutable | A string that specifies the flow policy resource ID associated with the flow policy assignment. |
id |
String | Required | Read only | A string that specifies the flow policy assignment resource's unique identifier. |
priority |
Integer | Required | Mutable | The order in which the policy referenced by this assignment is evaluated during an authentication flow relative to other policies. An assignment with a lower priority will be evaluated first. |
Audit reporting events
To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.
Service | Event |
---|---|
applications | FLOW_POLICY_ASSIGNMENT.CREATED |
applications | FLOW_POLICY_ASSIGNMENT.UPDATED |
applications | FLOW_POLICY_ASSIGNMENT.DELETED |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
500 | An unexpected error occurred. |
Related topics
Create an Application Flow Policy Assignment
Read All Application Flow Policy Assignments
Read One Application Flow Policy Assignment
Update an Application Flow Policy Assignment
Delete an Application Flow Policy Assignment
Application MFA Push Credentials
Push credentials are required for the purpose of sending push notifications to a native application. Push credentials must be defined for the application.
The push credentials endpoint implements functions to create, read, update and delete the push credentials associated with native application resources.
There are three types of push credentials:
APNS
(Apple)FCM_HTTP_V1
(Google)HMS
(Huawei)
The FCM
type, used previously for Google Play-based applications, has been deprecated. Use FCM_HTTP_V1
instead.
MFA push credentials data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
type | String | Required | Immutable | Specifies the push credential type. Valid values:
|
clientId | String | Required | Immutable | Used only if type is set to HMS . OAuth 2.0 Client ID from the Huawei Developers API console. |
clientSecret | String | Required | Immutable | Used only if type is set to HMS . The client secret associated with the OAuth 2.0 Client ID. |
googleServiceAccountCredentials | String | Required | Immutable | Used when type is set to FCM_HTTP_V1 . The value should be the contents of the JSON file that represents your Service Account Credentials. |
key | String | Required | Immutable | Used when type is set to APNS . The value should be the key ID. Before the deprecation of the FCM type, this was also used for the server key. |
teamId | String | Required | Immutable | Used only if type is set to APNS . Used to identify teams. |
token | String | Required | Immutable | Used only if type is set to APNS . Used as the authentication token signing key to securely connect to APNS. This is a p8 file with a private key format. |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
500 | Unexpected server error. |
Related topics
Create MFA Push Credential (APNS)
Create MFA Push Credential (FCM_HTTP_V1)
Create MFA Push Credential (HMS)
Read All MFA Push Credentials
Read One MFA Push Credential
Update MFA Push Credential
Delete MFA Push Credential
Application Resource Grants
Resources are the protected endpoints that applications request access to using OAuth 2 authorization services. A resource access grant specifies the identifier of the resource associated with the specified application.
Applications resource grant data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
application.id |
String | N/A | Read-only | The application resource ID associated with the resource grant. |
createdAt |
Date | N/A | Read-only | The time the resource was created. |
id |
String | N/A | Read-only | The application resource grant ID. |
resource.id |
String | N/A | Read-only | The ID of the protected resource associated with this grant. |
scopes.id |
String[] | Required | Mutable | The IDs of the scopes associated with this grant. |
updatedAt |
Date | N/A | Read only | The time the resource was last updated. |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
500 | An unexpected error occurred. |
Related topics
Create Grant
Read All Grants for an Application
Read One Grant for an Application
Update Grant
Delete Grant
Application Role Assignments
The role assignments endpoint implements functions to create, read, and delete the role assignments associated with applications resources. For more information about roles and the permissions associated with each role, see Roles.
Role assignments are defined by the role itself, and at a more granular level by the scope
attribute associated with the role assignment. The role assignment scope identifies the type of platform resource that defines the scope, and the id
of the specific resource to which the scope applies. The following sample shows the scope
attribute, which includes the resource type
and id
attributes. In this case, the scope is restricted to the environment resource identified by its id
.
{
"scope": {
"id": "d928aa51-c194-4333-9cf5-0fd0c9b7d62f",
"type": "ENVIRONMENT"
}
}
Role assignment scopes can be:
-
Organization
-
Environment
-
Population
-
Application
Applications role assignments data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
application.id |
String | Required | Read only | The application resource ID associated with the role assignment. |
environment.id |
String | Required | Read only | The environment associated with the application role assignment. |
id |
String | Required | Read only | The application role assignment ID. |
readOnly |
Boolean | Optional | Mutable | Indicates whether this role assignment can be deleted by the current actor. |
role.id |
String | Required | Mutable | The role ID. |
scope.id |
String | Required | Mutable | The role assignment scope ID. When this is an application ID, because an application ID is guarenteed to be globally unique (across all environments), the application ID here eliminates the need to also specify the application environment ID. |
scope.type |
String | Required | Mutable | The type of resource defining the scope of the Role assignment. Options are ORGANIZATION , ENVIRONMENT , and POPULATION , APPLICATION . |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
404 | The requested resource was not found. |
Related topics
Create Application Role Assignments
Read Application Role Assignments
Read One Application Role Assignment
Delete Application Role Assignment
Application Secret
The client secret endpoint is available to users or worker applications only if they have a superset of the application's role assignments.
Access to the application's client secret is restricted based on the accessing user's or application's role assignments. For example, if a client has the Environment Admin role, an actor with an Identity Admin role cannot see the client secret. This restriction addresses privilege escalation issues by preventing the Identity Admin user from doing things with the client that the Identity Admin role assignment does not allow. You need the Client Application Developer role to perform operations on application resources.
Best practices
-
Do not store an application secret in applications that are publicly available.
-
For security purposes, regenerate application secrets regularly.
-
If you suspect an application secret has been compromised, generate a new application secret immediately.
Applications secret data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
environment.id |
String | Read-only | The environment associated with the application. | |
previous |
Object | Optional | Read only | An object that specifies the previous secret, when it expires, and when it was last used. |
previous.secret |
String | N/A | Read only | A string that specifies the previous application secret. This property is returned in the response if the previous secret is not expired. |
previous.expiresAt |
Timestamp | Optional | Read only | A timestamp that specifies how long this secret is saved (and can be used) before it expires. Supported time range is 1 minute to 30 days. |
previous.lastUsed |
Timestamp | Optional | Read only | A timestamp that specifies when the previous secret was last used. |
secret |
String | Required | Read-only | The application secret ID used to authenticate to the authorization server. The secret has a minimum length of 64 characters per SHA-512 requirements when using the HS512 algorithm to sign ID tokens using the secret as the key. |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
500 | An unexpected error occurred. |
Related topics
Update Application Secret
Read Application Secret
Delete Previous Application Secret
Application Sign-On Policy Assignments
Sign-on policy assignment endpoints manage the sign-on policies associated with the specified application. An application can have zero or more sign-on policies assigned to it that determine how users are authenticated. The number of sign-on policies assigned to an application also controls how the authentication flow progresses.
No sign-on policy assignments
Applications that have no sign-on policy assignments use the environment resource's default sign-on policy to authenticate users. Every environment has one designated sign-on policy as its default policy. If the environment's default sign-on policy changes, then the application's sign-on policy changes to use the updated default policy.
One sign-on policy assignment
Applications that have one sign-on policy assignment always use that sign-on policy to authenticate users. For example, if the application has the Single_Factor
sign-on policy assigned, the application will always use this basic authentication method that prompts users to enter a username and password to authenticate the account.
Two or more sign-on policy assignments
If an application has two or more assigned sign-on policies, the authentication flow uses the sign-on policy with the highest priority (priority 1) first. If authentication is successful, the sign-on flow is complete. If authentication fails, the flow initiates the sign-on policy with the next highest priority. If authentication fails again, the sign-on flow initiates the next sign-on policy. The sign-on flow continues until one of the assigned sign-on policies completes successfully or all policies have been tried and failed.
Sign-on policy priority when acr_values
is set
For applications with the protocol
property set to OPENID_CONNECT
, the acr_values
property (set on the authorize request) identifies the exact list of sign-on policies that can execute at sign on. At sign-on, only the sign-on policies listed in the acr_values
property are evaluated, and they are evaluated based on the order of the policies listed in this property. In addition, if there are numerous sign-on policies assigned to an application, setting the acr_values
property limits the number of sign-on policies evaluated to only those listed in this property.
For example, if the authorize request includes acr_values=Multi_Factor Single_Factor
, the authentication flow executes the Multi_Factor
policy first. If the multi-factor sign-on flow completes all conditions for the policy, the flow completes and the user is issued a token. If the multi-factor policy fails, the Single_Factor
policy executes. If that policy completes all conditions, the flow completes and the user is issued a token. If the single-factor policy is the last policy in the acr_values
list, and it fails, then the sign-on flow fails. No other sign-on policies are tried, even if the application has additional sign-on policy assignments.
Applications sign-on policy assignments data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
application.id |
String | Required | Read-only | The application resource ID associated with the sign-on policy assignment. |
environment.id |
String | Required | Read-only | The environment associated with the application sign-on policy assignment. |
id |
String | Required | Read-only | The sign-on policy assignment resource’s unique identifier. |
priority |
Integer | Required | Mutable | The order in which the policy referenced by this assignment is evaluated during an authentication flow relative to other policies. An assignment with a lower priority will be evaluated first. |
signOnPolicy.id |
String | Required | Mutable | The sign-on policy resource's unique identifier associated with this sign-on policy assignment. |
Audit reporting events
To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.
Service | Event |
---|---|
applications |
SIGN_ON_POLICY_ASSIGNMENT.CREATED |
applications |
SIGN_ON_POLICY_ASSIGNMENT.UPDATED |
applications |
SIGN_ON_POLICY_ASSIGNMENT.DELETED |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
500 | An unexpected error occurred. |
Related topics
Create SOP Assignment
Read All SOP Assignments
Read One SOP Assignment
Update SOP Assignment
Delete SOP Assignment
Integration Catalog
Use the endpoints in the Integration Catalog to discover and retrieve integration metadata, SAML metadata, and download integration kits as a compressed file.
Integration data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
categories |
String[] | Optional | Mutable | The list of categories used to classify the integration. Valid strings include alphanumeric characters, underscore, hyphen, and space. |
createdAt |
Date | Required | Immutable | Creation date of the integration. |
description |
String | Optional | Mutable | The description of the integration in HTML to be used for the integration listing. You can use class and style attributes for inline styling. There's a 4000 character limit for the description. |
id |
String | Required | Immutable | The platform-generated ID of this integration. |
logo |
String | Optional | Mutable | A logo to use for the integration. If specified, the associated properties are required. |
logo.href |
String | Required | Mutable | The href to the absolute URL of the image. |
logo.id |
String | Required | Mutable | The image ID generated by the Image service. |
marketingLandingPageUrl |
String | Optional | Mutable | Absolute URL link to the marketing landing page. |
name |
String | Required | Mutable | Name of the integration. |
pingProductNames |
String[] | Required | Mutable | The Ping product associated with the integration. Can include: PINGID , PINGONE_ENTERPRISE , PINGONE , PINGACCESS , PINGFEDERATE , PINGDIRECTORY , PINGDATAGOVERNANCE , orPINGINTELLIGENCE_FOR_APIS , PINGONE_ADVANCED_SERVICES |
publisher |
String | Required | Mutable | Name of the publisher. |
tags |
String[] | Optional | Mutable | Tags to apply to the integration metadata. Can include: SSO , AUTHENTICATION , MFA , INTELLIGENCE , GOVERNANCE , IDAAS , ACCESS , DIRECTORY , or PROVISIONING . |
thirdParty |
Object | Optional | Mutable | Metadata that defines the third party related to this integration. |
thirdParty.companyName |
String | Required | Mutable | Name of the third party company for the listing. |
thirdParty.products |
String[] | Optional | Mutable | Names of the third party products for the integration. |
Integration version data model
Each integration can have versions. Valid integration version numbers match the regular expression (^\d+.\d+(.\d+)?$). So, 1.0.2
and 2.06
are valid versions. Examples of invalid versions include v.1.2
and 1.2.3.4
.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
configuration |
Object | Optional | Mutable | The configuration of the integration version. If specified, configuration.schema and configuration.properties is required. |
configuration.schema |
Object | Required | Mutable | Contains a JSON schema defining the integration version. |
configuration.properties |
Object | Required | Mutable | Contains the property names and assigned values for the integration version. |
description |
String | Optional | Mutable | Unicode characters. The description of this integration metadata version. |
id |
String | Required | Immutable | The platform-generated ID of this integration metadata version. |
integration |
Object | Required | Read only | The parent integration of the integration version. |
integration.id |
String | Required | Immutable | The platform-generated ID of the parent integration. |
name |
String | Required | Mutable | A unique name for the integration metadata version. |
number |
String | Required | Mutable | A unique number for the integration version. |
type |
String | Optional | Mutable | The type of integration for this version. Currently, the only valid values are PRODUCT_INTEGRATION_KIT and SAML . |
Integration Kit data model (extends Integration Version)
Integration version metadata with a type of PRODUCT_INTEGRATION_KIT
will include this data.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
documentationUrl |
String | Optional | Mutable | Absolute URL to the documentation. |
endOfLifeOn |
Date | Optional | Mutable | EOL support date in the form yyyy-mm-dd . |
integratedWith |
Object | Optional | Mutable | Ping product integration details. |
integratedWith.name |
String | Required | Mutable | Name of the compatible Ping product with which this version integrates. Can include: PINGID , PINGONE_ENTERPRISE , PINGONE , PINGACCESS , PINGFEDERATE , PINGDIRECTORY , or PINGDATAGOVERNANCE |
integratedWith.minVersion |
String | Optional | Mutable | Earliest version of the integrated Ping product. |
integratedWith.maxVersion |
String | Optional | Mutable | Latest version of the integrated Ping product. |
number |
String | Required | Mutable | Unique number for the integration version. |
releasedOn |
Date | Required | Mutable | Release date in the form yyyy-mm-dd . |
SAML data model (extends Integration Version)
Integration version metadata with a type of SAML
will include the following data.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
assertionConsumerService |
String | Required | Mutable | The URL to which PingOne sends SAML responses. Parameterize the URL using ${_paremter_} . For example, https://${subdomain}.slack.com. The maximum length is 2000 characters. |
assertionEncrypted |
Boolean | Optional | Mutable | The state of assertion encryption. True if encrypted. |
defaultTarget |
String | Optional | Mutable | After an IdP-initiated SSO, this URL is passed in the RelayState value in the SAML response. Informs the IdP where to send its response. Parameterize the URL using ${_paremter_} . For example, https://${subdomain}.slack.com. |
entityId |
String | Optional | Mutable | Unique ID for the application. |
nameIdFormat |
String | Optional | Mutable | This can be one of the following:
|
protocolVersion |
String | Required | Mutable | The SAML protocol version supported: 2.0 , 1.1 , or 1.0 . |
slo |
Object | Optional | Mutable | The Single Logout information. |
slo.requestEndpoint |
String | Optional | Mutable | The endpoint where SLO requests are sent. |
slo.responseEndpoint |
String | Optional | Mutable | The endpoint where SLO responses are sent. |
slo.binding |
String | Optional | Mutable | The SLO binding. Must be either HTTP_POST or HTTP_REDIRECT |
thirdParty |
Object | Optional | Mutable | Third-party IdP information. |
thirdParty.metadata |
Object | Optional | Mutable | The third-party IdP metadata. |
thirdParty.metadata.href |
String | Optional | Mutable | URL of IdP's SAML metadata XML. |
thirdParty.instructions.href |
String | Optional | Mutable | URL of IdP's setup instructions. |
Attribute data model
Only available for SAML integration metadata. The attribute data is used to store any attributes that are predefined by providers.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
id |
String | Required | Mutable | Auto-generated ID of this attribute. |
integration |
Object | Required | Read only | The parent integration of the integration version. |
integration.id |
String | Required | Immutable | The platform-generated ID of the parent integration. |
name |
String | Optional | Mutable | Attribute name the application expects. Unique within the integration version and in the form urn:oasis:names:tc:SAML:2.0:attrname-format:uri . |
required |
Boolean | Optional | Mutable | Whether or not the attribute is required. If true, the value property must be set with a non-empty value. Default is false. |
schema |
String | Required | Mutable | A JSON schema describing the current attribute mapping. |
version |
Object | Required | Read only | The relationship to the parent integration version. |
version.id |
String | Required | Immutable | The platform-generated ID of the parent integration version. |