Application resources define the connection between PingOne and the actual application (also known as a client connection). The applications service implements functions to create, read, update, delete, and search for application resources.

Applications data model

Property Description
accessControl.role.type A string that specifies the user role required to access the application. Options are ADMIN_USERS_ONLY. A user is an admin user if the user has one or more of the following roles: Organization Admin, Environment Admin, Identity Data Admin, or Client Application Developer.
accessControl.group.type A string that specifies the group type required to access the application. Options are ANY_GROUP (the actor must belong to at least one group listed in the accessControl.group.groups property) and ALL_GROUPS (the actor must belong to all groups listed in the accessControl.group.groups property).
accessControl.group.groups A set that specifies the group IDs for the groups the actor must belong to for access to the application.
assignActorRoles A boolean that specifies whether the permissions service should assign default roles to the application. This property is set only on the POST request. The property is ignored when included in a PUT request.
createdAt The time the resource was created.
description A string that specifies the description of the application.
enabled A string that specifies the current enabled state of the application. Options are ENABLED or DISABLED.
environment A string that specifies the environment associated with the application.
icon The HREF and the ID for the application icon.
id A string that specifies the application ID.
loginPageUrl A string that specifies the custom login page URL for the application. If you set the loginPageUrl property for applications in an environment that sets a custom domain, the URL should include the top-level domain and at least one additional domain level. Warning: To avoid issues with third-party cookies in some browsers, a custom domain must be used, giving your PingOne environment the same parent domain as your authentication application. For more information about custom domains, see Custom domains.
name A string that specifies the name of the application. This is a required property.
protocol A string that specifies the protocol for the Application. Options are OPENID_CONNECT and SAML.
tags An array that specifies the list of labels associated with the application. Options are PING_FED_CONNECTION_INTEGRATION.
type A string that specifies the type associated with the application. This is a required property. Options are WEB_APP, NATIVE_APP, SINGLE_PAGE_APP, and WORKER.
updatedAt The time the resource was last updated.
bundleId A string that specifies the bundle associated with the application, for push notifications in native apps. The value of the bundleId property is unique per environment, and once defined, is immutable.
packageName A string that specifies the package name associated with the application, for push notifications in native apps. The value of the packageName property is unique per environment, and once defined, is immutable.
supportUnsignedRequestObject A boolean that specifies whether the JWT passed in the request query parameter (the request object) is allowed to be unsigned. If false or null (default), an unsigned request object is not allowed.

The following table shows the relationships between the application type attribute and the default grantTypes, response_type, and tokenEndpointAuthMethod attributes.

Application type        Grant type                    Response type            Token endpoint authentication method
Worker/Non-interactive  CLIENT_CREDENTIALS            TOKEN                    CLIENT_SECRET_BASIC
Native                  AUTHORIZATION_CODE, IMPLICIT  TOKEN, ID_TOKEN, CODE    NONE
Web                     AUTHORIZATION_CODE            CODE                     CLIENT_SECRET_BASIC
Single-page             IMPLICIT                      TOKEN, ID_TOKEN          NONE

Applications OIDC settings data model

Property Description
grantTypes A string that specifies the grant type for the authorization request. This is a required property. Options are authorization_code, implicit, refresh_token, and client_credentials.
homePageUrl A string that specifies the custom home page URL for the application.
pkceEnforcement A string that specifies how PKCE request parameters are handled on the authorize request. Options are: OPTIONAL (the PKCE code_challenge is optional and any code challenge method is acceptable); REQUIRED (the PKCE code_challenge is required and any code challenge method is acceptable); S256_REQUIRED (the PKCE code_challenge is required and the code_challenge_method must be S256).
postLogoutRedirectUris A string that specifies the URLs that the browser can be redirected to after logout.
redirectUris A string that specifies the callback URI for the authentication response.
refreshTokenDuration An integer that specifies the lifetime in seconds of the refresh token. If a value is not provided, the default value is 2592000, or 30 days. Valid values are between 60 and 2147483647. If the refreshTokenRollingDuration property is specified for the application, then this property must be less than or equal to the value of refreshTokenRollingDuration. After this property is set, the value cannot be nullified. This value is used to generate the value for the exp claim when minting a new refresh token.
refreshTokenRollingDuration An integer that specifies the number of seconds a refresh token can be exchanged before re-authentication is required. If a value is not provided, the refresh token is valid forever. Valid values are between 60 and 2147483647. After this property is set, the value cannot be nullified. This value is used to generate the value for the exp claim when minting a new refresh token.
responseTypes A string that specifies the code or token type returned by an authorization request. Options are TOKEN, ID_TOKEN, and CODE. Note that CODE cannot be used in an authorization request with TOKEN or ID_TOKEN because PingOne does not currently support OIDC hybrid flows.
tokenEndpointAuthMethod A string that specifies the client authentication methods supported by the token endpoint. This is a required property. Options are NONE, CLIENT_SECRET_BASIC, and CLIENT_SECRET_POST.
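As an added example (not PingOne's own code), the following Python resolves the per-type defaults from the application type table above and checks an OIDC settings payload against the constraints stated in this data model: required properties, the option lists, the hybrid-flow restriction on responseTypes, and the bounds and ordering of refreshTokenDuration and refreshTokenRollingDuration. The S256 warning for public clients is a hardening check added here, not a documented PingOne rule.

```python
"""Check a PingOne application OIDC settings payload against the rules stated
in the Applications OIDC settings data model. Added example, not PingOne code."""
from __future__ import annotations

# Default grant type, response type and token endpoint auth method for each
# application type, as listed in the type-to-defaults table.
TYPE_DEFAULTS: dict[str, dict] = {
    "WORKER": {"grantTypes": ["CLIENT_CREDENTIALS"], "responseTypes": ["TOKEN"],
               "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC"},
    "NATIVE_APP": {"grantTypes": ["AUTHORIZATION_CODE", "IMPLICIT"],
                   "responseTypes": ["TOKEN", "ID_TOKEN", "CODE"],
                   "tokenEndpointAuthMethod": "NONE"},
    "WEB_APP": {"grantTypes": ["AUTHORIZATION_CODE"], "responseTypes": ["CODE"],
                "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC"},
    "SINGLE_PAGE_APP": {"grantTypes": ["IMPLICIT"], "responseTypes": ["TOKEN", "ID_TOKEN"],
                        "tokenEndpointAuthMethod": "NONE"},
}
PKCE_OPTIONS = {"OPTIONAL", "REQUIRED", "S256_REQUIRED"}
AUTH_METHODS = {"NONE", "CLIENT_SECRET_BASIC", "CLIENT_SECRET_POST"}
RESPONSE_TYPES = {"TOKEN", "ID_TOKEN", "CODE"}
DURATION_MIN, DURATION_MAX = 60, 2147483647
DEFAULT_REFRESH_TOKEN_DURATION = 2592000  # 30 days, applied when the property is absent


def default_oidc_settings(app_type: str) -> dict:
    """Return a fresh copy of the documented defaults for an application type."""
    if app_type not in TYPE_DEFAULTS:
        raise ValueError(f"unknown application type: {app_type}")
    return {k: list(v) if isinstance(v, list) else v for k, v in TYPE_DEFAULTS[app_type].items()}


def validate_oidc_settings(settings: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings): errors violate rules from the data model,
    warnings come from a hardening check added in this example."""
    errors: list[str] = []
    warnings: list[str] = []

    # grantTypes is required; the model lists them in lower case and the type
    # table in upper case, so compare case-insensitively.
    grant_types = {g.upper() for g in settings.get("grantTypes") or []}
    if not grant_types:
        errors.append("grantTypes is required")

    auth_method = settings.get("tokenEndpointAuthMethod")
    if auth_method not in AUTH_METHODS:
        errors.append(f"tokenEndpointAuthMethod is required; options are {sorted(AUTH_METHODS)}")

    response_types = set(settings.get("responseTypes") or [])
    unknown = response_types - RESPONSE_TYPES
    if unknown:
        errors.append(f"unknown responseTypes: {sorted(unknown)}")
    # Hybrid flows are not supported, so CODE cannot appear with TOKEN or ID_TOKEN.
    if "CODE" in response_types and response_types & {"TOKEN", "ID_TOKEN"}:
        errors.append("responseTypes: CODE cannot be combined with TOKEN or ID_TOKEN")

    pkce = settings.get("pkceEnforcement")
    if pkce is not None and pkce not in PKCE_OPTIONS:
        errors.append(f"pkceEnforcement must be one of {sorted(PKCE_OPTIONS)}")

    # Refresh token lifetimes: both bounded, and refreshTokenDuration may not
    # exceed refreshTokenRollingDuration when the rolling window is set.
    duration = settings.get("refreshTokenDuration", DEFAULT_REFRESH_TOKEN_DURATION)
    rolling = settings.get("refreshTokenRollingDuration")
    for name, value in (("refreshTokenDuration", duration), ("refreshTokenRollingDuration", rolling)):
        if value is not None and not DURATION_MIN <= value <= DURATION_MAX:
            errors.append(f"{name} must be between {DURATION_MIN} and {DURATION_MAX}")
    if rolling is not None and duration is not None and duration > rolling:
        errors.append("refreshTokenDuration must be <= refreshTokenRollingDuration")

    # Hardening check added here (not a documented PingOne rule): a public client
    # (tokenEndpointAuthMethod NONE) using the authorization code grant should
    # require S256 PKCE so an intercepted code cannot be redeemed without the verifier.
    if auth_method == "NONE" and "AUTHORIZATION_CODE" in grant_types and pkce != "S256_REQUIRED":
        warnings.append("public client with AUTHORIZATION_CODE should set pkceEnforcement to S256_REQUIRED")
    return errors, warnings
```

Run the validator over the settings object before sending a POST or PUT; errors correspond to requests PingOne will reject or to configurations the model says cannot be expressed, while warnings point at weaker but valid configurations.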

Applications SAML settings data model

Property Description
acsUrls A string that specifies the Assertion Consumer Service URLs. The first URL in the list is used as default (there must be at least one URL). This is a required property.
assertionDuration An integer that specifies the assertion validity duration in seconds. This is a required property.
assertionSigned A boolean that specifies whether the SAML assertion itself should be signed. The default value is true.
idpSigning.key.id A string that specifies the certificate to be used by the identity provider to sign assertions and responses. If this property is omitted, the default signing certificate for the environment is used.
required A boolean that indicates whether the attribute must be included in the SAML assertion response. If true and the attribute has no value when the assertion is built, the SSO flow fails.
responseSigned A boolean that specifies whether the SAML assertion response itself should be signed. The default value is false.
sloBinding A string that specifies the binding protocol to be used for the logout response. Options are HTTP_REDIRECT or HTTP_POST. The default is HTTP_POST; existing configurations with no data default to HTTP_POST. This is an optional property.
sloEndpoint A string that specifies the logout endpoint URL. This is an optional property. However, if a sloEndpoint logout endpoint URL is not defined, logout actions result in an error.
sloResponseEndpoint A string that specifies the endpoint URL to submit the logout response. If a value is not provided, the sloEndpoint property value is used to submit SLO response.
spEntityId A string that specifies the service provider entity ID used to look up the application. This is a required property and is unique within the environment.
spVerification.certificates[].id An array that specifies the certificate IDs used to verify the service provider signature.
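As an added example (not PingOne's own code), the following Python resolves the effective SAML settings from a partial payload by applying the defaults and fallbacks this data model states (assertionSigned true, responseSigned false, sloBinding HTTP_POST, sloResponseEndpoint falling back to sloEndpoint, idpSigning.key.id falling back to the environment default) and reports the required-property violations and the runtime hazards the model describes. The environment default key ID is a placeholder, and the "nothing is signed" warning is a hardening check added here rather than a PingOne rule.

```python
"""Resolve the effective SAML settings of a PingOne application from a partial
settings payload, applying the defaults and fallbacks stated in the Applications
SAML settings data model. Added example, not PingOne code."""
from __future__ import annotations

SLO_BINDINGS = {"HTTP_REDIRECT", "HTTP_POST"}
# Placeholder for the environment's default signing certificate ID (assumed name;
# the real value comes from the environment, not from this payload).
ENVIRONMENT_DEFAULT_SIGNING_KEY_ID = "<environment-default-signing-key-id>"


def resolve_saml_settings(settings: dict) -> tuple[dict, list[str], list[str]]:
    """Return (effective_settings, errors, warnings).

    Errors are violations of required-property rules from the data model;
    warnings flag configurations the model says will fail at runtime or that
    weaken assertion integrity (the signing check is added in this example)."""
    errors: list[str] = []
    warnings: list[str] = []
    eff = dict(settings)

    # acsUrls: required, at least one entry, and the first entry is the default ACS.
    acs_urls = list(settings.get("acsUrls") or [])
    if not acs_urls:
        errors.append("acsUrls is required and must contain at least one URL")
    else:
        eff["defaultAcsUrl"] = acs_urls[0]

    if not isinstance(settings.get("assertionDuration"), int):
        errors.append("assertionDuration (seconds) is required")
    if not settings.get("spEntityId"):
        errors.append("spEntityId is required")

    # Signing defaults: the assertion is signed by default, the response is not.
    eff.setdefault("assertionSigned", True)
    eff.setdefault("responseSigned", False)
    if not eff["assertionSigned"] and not eff["responseSigned"]:
        warnings.append("neither assertion nor response is signed; the SP cannot verify "
                        "assertion integrity (hardening check added here)")

    # idpSigning.key.id falls back to the environment's default signing certificate.
    key_id = ((settings.get("idpSigning") or {}).get("key") or {}).get("id")
    eff["idpSigning"] = {"key": {"id": key_id or ENVIRONMENT_DEFAULT_SIGNING_KEY_ID}}

    # Single logout: binding defaults to HTTP_POST (also for empty values); the
    # response endpoint falls back to sloEndpoint; a missing sloEndpoint makes
    # logout actions fail.
    if not eff.get("sloBinding"):
        eff["sloBinding"] = "HTTP_POST"
    if eff["sloBinding"] not in SLO_BINDINGS:
        errors.append(f"sloBinding must be one of {sorted(SLO_BINDINGS)}")
    slo_endpoint = settings.get("sloEndpoint")
    if slo_endpoint:
        eff.setdefault("sloResponseEndpoint", slo_endpoint)
    else:
        warnings.append("sloEndpoint is not set; logout actions will result in an error")

    # Without SP verification certificates, a signed AuthnRequest cannot be checked.
    certs = (settings.get("spVerification") or {}).get("certificates") or []
    if not certs:
        warnings.append("spVerification.certificates is empty; SP request signatures cannot be verified")
    return eff, errors, warnings
```

The resolved dict is what the application will actually behave like after PingOne applies its defaults, which is the view a reviewer wants when auditing a SAML connection rather than the sparse payload that was submitted.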

Applications SAML metadata settings data model

Property Description
acsBindings A string that specifies the assertion consumer service binding protocol. Options are: HTTP_REDIRECT or HTTP_POST.
acsUrls A string that specifies the assertion consumer service URLs.
authnRequestsSigned A boolean that specifies whether the SAML authentication request is signed.
encryptionCertificate.pkcs7Der A byte array that specifies the PKCS7 encryption certificate in DER format.
sloBinding A string that specifies the SAML single logout binding protocol used for logout response. Options are: HTTP_REDIRECT or HTTP_POST.
sloEndpoint A string that specifies the SAML single logout endpoint URL. This property is required.
signingCertificates[].pkcs7Der A byte array that specifies the PKCS7 signing certificates in DER format.
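The metadata settings above are normally populated from the service provider's SAML metadata document. As an added example (not PingOne's own code), the following Python parses an SP EntityDescriptor into a dict keyed like this data model, ordering the ACS endpoints so the default one comes first and mapping the SAML binding URIs to the two values PingOne accepts. The metadata document is constructed for illustration, and its certificate values are three-byte placeholders rather than real certificates; the X509Certificate elements in metadata carry raw X.509 DER, so the bytes stored under the pkcs7Der keys here are not yet PKCS#7-wrapped.

```python
"""Parse SAML service provider metadata (an EntityDescriptor document) into the
fields of the Applications SAML metadata settings data model. Added example,
not PingOne code; the sample metadata below is constructed for illustration."""
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Map SAML binding URIs to the two binding values PingOne accepts.
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP_POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP_REDIRECT",
}

# Constructed sample; "AQID" and "BAUG" stand in for real base64 DER certificates.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>AQID</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>BAUG</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/saml/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _binding(element) -> str:
    uri = element.get("Binding")
    if uri not in BINDINGS:
        raise ValueError(f"unsupported binding: {uri}")
    return BINDINGS[uri]


def _certificates(sp, use: str) -> list[bytes]:
    """Decode X509Certificate elements for a key use; a KeyDescriptor without a
    'use' attribute applies to both signing and encryption."""
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, use):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((cert.text or "").split())))
    return certs


def parse_sp_metadata(xml_text: str) -> dict:
    """Return a dict keyed like the metadata settings data model."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("metadata root must be an EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")

    # Order ACS endpoints so the one marked isDefault (else the lowest index)
    # comes first, matching the rule that the first acsUrls entry is the default.
    acs = sorted(sp.findall("md:AssertionConsumerService", NS),
                 key=lambda e: (e.get("isDefault") != "true", int(e.get("index", "0"))))
    if not acs:
        raise ValueError("metadata has no AssertionConsumerService")
    slo = sp.find("md:SingleLogoutService", NS)
    if slo is None:
        raise ValueError("sloEndpoint is required but metadata has no SingleLogoutService")

    encryption = _certificates(sp, "encryption")
    # The metadata carries raw X.509 DER; the API field is named pkcs7Der, so a
    # caller submitting these bytes must wrap them in PKCS#7 first (not done here).
    return {
        "spEntityId": root.get("entityID"),
        "acsBindings": _binding(acs[0]),
        "acsUrls": [e.get("Location") for e in acs],
        "authnRequestsSigned": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "encryptionCertificate": {"pkcs7Der": encryption[0]} if encryption else None,
        "sloBinding": _binding(slo),
        "sloEndpoint": slo.get("Location"),
        "signingCertificates": [{"pkcs7Der": c} for c in _certificates(sp, "signing")],
    }
```

Metadata received from a service provider is untrusted input: when the document does not come from a source you control, parse it with defusedxml in place of xml.etree, and treat a metadata file that lacks a SingleLogoutService as a configuration error, since the sloEndpoint property is required.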

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request, or your license is exceeded.
404 The requested resource was not found.
500 An unexpected error occurred.