PingOne Advanced Identity Cloud Access Request Connector
The PingOne Advanced Identity Cloud Access Request connector lets you manage users and create access requests in PingOne Advanced Identity Cloud in your PingOne DaVinci flow.
You can use the PingOne Advanced Identity Cloud Access Request connector to:
- Manage users
- Create access requests
- Make custom API calls
Setup
Setting up PingOne Advanced Identity Cloud
Setting up a service account
The service account acts like an administrator account and is required for all user CRUD capabilities as well as for System Requests using the Make a Custom API Call capability.
To set up a service account:
- Sign on to the Advanced Identity Cloud admin portal.
- Select Account, then Tenant Settings.
- Under Service Accounts, select New Service Account.
- Give the new service account a name and select fr:idm:* All Identity Management APIs.
- Click Save.
- Note the ID. You will use it for the Service Account ID in the connector configuration.
- Click Download Key to save the key as a .jwk file. You will use it for the Service Account Key in the connector configuration.
Setting up an end user account
The end user account acts on behalf of any single user and is required for user-centric capabilities, such as Get Request, Get Requestable Items, and Create Request, as well as for End User Requests made with the Make a Custom API Call capability. This setup is not required for the connector's user CRUD capabilities or for System Requests made with the Make a Custom API Call capability.
The Frodo command-line interface (CLI) is a Ping Identity-developed utility that allows for advanced management of Advanced Identity Cloud. The following steps create credentials that are unique to your DaVinci environment and you can only have one set of credentials for Advanced Identity Cloud for a given DaVinci environment. If you have multiple environments, such as for staging and production, repeat these steps so each DaVinci environment has its own end user credentials in your Advanced Identity Cloud tenant.
To set up an end user account:
- Install Frodo CLI 2.0.0-36 or later.
  - In your CLI, enter the following command:
    % brew tap rockcarver/frodo-cli
  - Install the latest pre-release by entering the following command:
    % brew install frodo-cli-next
- Link the Frodo CLI to your Identity Cloud environment. In your CLI, enter the following command, adding your Advanced Identity Cloud email and password credentials:
  % frodo conn save https://openam-frodo-dev.forgeblocks.com/am <email> '<password>'
- Use the Frodo CLI to create a client ID for the end user and the OIDC issuer.
  - For regular environments, enter the following command, adding your client ID, domain, DaVinci environment ID, and Identity Cloud tenant ID parameters:
    % frodo admin generate-rfc7523-authz-grant-artefacts --client-id <client ID> --scope "openid fr:am:* fr:idm:* fr:iga:*" --iss https://<domain>/<DaVinci environment ID>/davinci <Identity Cloud tenant ID>
    See the following example of the command with the appropriate parameters:
    % frodo admin generate-rfc7523-authz-grant-artefacts --client-id myclientid --scope "openid fr:am:* fr:idm:* fr:iga:*" --iss https://auth.pingone.eu/b5063c3e-d9c8-42c6-99bf-9e19a96a617b/davinci open-am-mycompany
  - For a custom domain environment, enter the following command, adding your client ID, domain, and Identity Cloud tenant ID parameters:
    % frodo admin generate-rfc7523-authz-grant-artefacts --client-id <client ID> --scope "openid fr:am:* fr:idm:* fr:iga:*" --iss https://<domain>/davinci <Identity Cloud tenant ID>
    See the following example of the command with the appropriate parameters:
    % frodo admin generate-rfc7523-authz-grant-artefacts --client-id myclientid --scope "openid fr:am:* fr:idm:* fr:iga:*" --iss https://mydomain.com/davinci open-am-mydomain
- Copy the End User Client ID and End User Client Private Key from that end user account to your PingOne Advanced Identity Cloud Access Request connector configuration.
Configuring the PingOne Advanced Identity Cloud Access Request connector
Add the connector in DaVinci as shown in Adding a connector, then configure it as follows.
Connector configuration
Service Account ID
The account ID from your PingOne Advanced Identity Cloud service account. Paste the ID that you noted when you set up the service account.
Using the connector in a flow
Manage users in Identity Cloud
The connector has several capabilities that allow you to manage users:
- Find Users
- Get User Information
- Create User
- Update User
- Delete User
No special configuration is needed. Add the capability and populate its properties according to the help text.
Creating access requests
You can use the PingOne Advanced Identity Cloud Access Request connector to allow a user to create an access request. If you know the information about the access request you want to create, such as the IDs for the user and entitlements, you can use the Create Request capability directly. If you need to get that information at runtime, you can use the Get User Information or Get List of Requestable Items capabilities first and use the results in the Create Request capability.
To create an access request:
- Add a node in the flow with the capability to capture a user identifier, such as email or username.
- Add the PingOne Advanced Identity Cloud Access Request connector with the Get Request capability in a subsequent node in the flow. Configure it with the Identity Management Attribute and the specific Identifier captured earlier in the flow.
- Add another node with the Get Requestable Items capability and configure it with the Identity Management Attribute and the specific Identifier captured earlier in the flow.
- Add another node with the Create Request capability and configure it based on the help text.
You can get User IDs, Application IDs, Entitlement IDs and Role IDs using the Get Requestable Items capability and include them as variables in the Create Request capability configuration fields. The following screenshot shows the valid JSON structure for all of the ID fields as well as the format for a variable:
The above examples show a single ID. Separate multiple IDs with a comma, for example: ["1234", "2345", "3456"].
Creating a custom API call
If you want to do something that isn’t supported by one of the provided capabilities, you can use the Make a Custom API Call capability to define your own action.
This capability uses the credentials from your connector to make an API call with the HTTP method, headers, query parameters, and body you specify. You can use the Request Type list to change between System Requests and End User Requests.
System Requests are used for general administration of Advanced Identity Cloud, such as user management. End User Requests are used for user-centric tasks with Identity Governance, such as managing access requests and access reviews.