
PingOne Advanced Identity Cloud Access Request Connector

The PingOne Advanced Identity Cloud Access Request connector lets you manage users and create access requests in PingOne Advanced Identity Cloud in your PingOne DaVinci flow.

You can use the PingOne Advanced Identity Cloud Access Request connector to:

  • Manage users

  • Create access requests

  • Make custom API calls

Setup

Resources

For information and setup help, see the following:

Requirements

To use the connector, you’ll need:

  • A PingOne Advanced Identity Cloud environment

  • An Access Request license for Identity Governance

Setting up PingOne Advanced Identity Cloud

Setting up a service account

The service account acts like an administrator account and is required for all user CRUD capabilities as well as for System Requests using the Make a Custom API Call capability.

To set up a service account:

  1. Sign on to the Advanced Identity Cloud admin portal.

  2. Select Account, then Tenant Settings.

  3. Under Service Accounts, select New Service Account.

  4. Give the new service account a name and select fr:idm:* All Identity Management APIs.

  5. Click Save.

  6. Note the ID. You will use it for the Service Account ID in the connector configuration.

  7. Click Download Key to save the key as a .jwk file. You will use it for the Service Account Key in the connector configuration.

Setting up an end user account

The end user account acts on behalf of any single user and is required for user-centric capabilities, such as Get Request, Get Requestable Items, and Create Request, as well as for End User Requests made with the Make a Custom API Call capability. This setup is not required for using the connector’s user CRUD capabilities or for making a custom API call as a System Request.

The Frodo command-line interface (CLI) is a Ping Identity-developed utility that allows for advanced management of Advanced Identity Cloud. The following steps create credentials that are unique to your DaVinci environment; a given DaVinci environment can have only one set of credentials for Advanced Identity Cloud. If you have multiple environments, such as for staging and production, repeat these steps so each DaVinci environment has its own end user credentials in your Advanced Identity Cloud tenant.

To set up an end user account:

  1. Install Frodo CLI 2.0.0-36 or later.

    1. In your CLI, enter the following command:

      % brew tap rockcarver/frodo-cli

    2. Install the latest pre-release by entering the following command:

      % brew install frodo-cli-next

  2. Link the Frodo CLI to your Identity Cloud environment. In your CLI, enter the following command, adding your Advanced Identity Cloud email and password credentials:

    % frodo conn save https://openam-frodo-dev.forgeblocks.com/am <email> '<password>'

  3. Use the Frodo CLI to create a client ID for the end user and the OIDC issuer.

    1. For regular environments, enter the following command, adding your client ID, domain, DaVinci environment ID, and Identity Cloud tenant ID parameters:

      % frodo admin generate-rfc7523-authz-grant-artefacts --client-id <client ID> --scope "openid fr:am:* fr:idm:* fr:iga:*" --iss https://<domain>/<DaVinci environment ID>/davinci <Identity Cloud tenant ID>

      See the following example of the command with the appropriate parameters:

      % frodo admin generate-rfc7523-authz-grant-artefacts --client-id myclientid --scope "openid fr:am:* fr:idm:* fr:iga:*" --iss https://auth.pingone.eu/b5063c3e-d9c8-42c6-99bf-9e19a96a617b/davinci open-am-mycompany

    2. For a custom domain environment, enter the following command, adding your client ID, domain, and Identity Cloud tenant ID parameters:

      % frodo admin generate-rfc7523-authz-grant-artefacts --client-id <client ID> --scope "openid fr:am:* fr:idm:* fr:iga:*" --iss https://<domain>/davinci <Identity Cloud tenant ID>

      See the following example of the command with the appropriate parameters:

      % frodo admin generate-rfc7523-authz-grant-artefacts --client-id myclientid --scope "openid fr:am:* fr:idm:* fr:iga:*" --iss https://mydomain.com/davinci open-am-mydomain

  4. Copy the End User Client ID and End User Client Private Key from that end user account to your PingOne Advanced Identity Cloud Access Request connector configuration.

Configuring the PingOne Advanced Identity Cloud Access Request connector

Add the connector in DaVinci as shown in Adding a connector, then configure it as follows.

Connector configuration

Identity Cloud Base URL

The API URL to target.

Realm

The PingOne Advanced Identity Cloud realm.

Service Account ID

The account ID from your PingOne Advanced Identity Cloud service account. Paste the ID that you noted when you set up the service account.

Service Account Private Key

The private key from your PingOne Advanced Identity Cloud service account. Paste the complete contents of the .jwk file that you downloaded when you set up the service account.

End User Client ID

The client ID from the end user account.

End User Client Private Key

The client private key from the end user account.

Using the connector in a flow

Manage users in Identity Cloud

The connector has several capabilities that allow you to manage users:

  • Find Users

  • Get User Information

  • Create User

  • Update User

  • Delete User

No special configuration is needed. Add the capability and populate its properties according to the help text.

Creating access requests

You can use the PingOne Advanced Identity Cloud Access Request connector to allow a user to create an access request. If you know the information about the access request you want to create, such as the IDs for the user and entitlements, you can use the Create Request capability directly. If you need to get that information at runtime, you can use the Get User Information or Get List of Requestable Items capabilities first and use the results in the Create Request capability.

To create an access request:

  1. Add a node in the flow with the capability to capture a user identifier, such as email or username.

  2. Add the PingOne Advanced Identity Cloud Access Request connector with Get Request in a subsequent node in the flow. Configure its Identity Management Attribute and Identifier fields with the identifier captured earlier.

  3. Add another node with the Get Requestable Items capability and configure its Identity Management Attribute and Identifier fields with the identifier captured earlier.

  4. Add another node with the Create Request capability and configure based on the help text.

    You can get User IDs, Application IDs, Entitlement IDs and Role IDs using the Get Requestable Items capability and include them as variables in the Create Request capability configuration fields. The following screenshot shows the valid JSON structure for all of the ID fields as well as the format for a variable:

    A screenshot showing two examples of how to populate the User IDs field, with either JSON or a variable.

    The above examples show a single ID. Separate multiple IDs with a comma, for example: ["1234", "2345", "3456"].

Creating a custom API call

If you want to do something that isn’t supported by one of the provided capabilities, you can use the Make a Custom API Call capability to define your own action.

This capability uses the credentials from your connector to make an API call with the HTTP method, headers, query parameters, and body you specify. You can use the Request Type list to change between System Requests and End User Requests.

System Requests are used for general administration of Advanced Identity Cloud, such as user management.

End User Requests are used for user-centric tasks with Identity Governance, such as managing access requests and access reviews.

Capabilities

Find Users

Search for users based on identifier or filter.

Custom Filter toggleSwitch

When enabled, you can search for users based on a custom filter instead of an identifier.

Filter textField

The Common REST filter query to use, such as "givenName eq 'John' and sn eq 'Doe'". For help, see the IDM documentation > REST API Reference > Common REST > Query.
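The Filter field takes a Common REST query string; when a flow builds that string from values captured at runtime, the values should only ever land inside a quoted literal. The following is an added example, not connector or Ping Identity code, of a small builder that does this; the attribute allow-list is constructed for illustration, and it assumes that backslash escapes are honoured inside single-quoted Common REST string literals.

```python
import re

# Constructed allow-list of attributes a flow may filter on; restrict it to
# what your flow actually needs.
ALLOWED_ATTRIBUTES = {"userName", "givenName", "sn", "mail"}
# Common REST comparison operators the builder will accept.
ALLOWED_OPERATORS = {"eq", "co", "sw", "gt", "ge", "lt", "le"}
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(/[A-Za-z][A-Za-z0-9_]*)*$")


def quote_value(value: str) -> str:
    """Return value as a single-quoted Common REST string literal.

    Assumption: backslash escapes are honoured inside single quotes, so a
    quote or backslash in runtime input cannot close the literal early.
    """
    if not isinstance(value, str):
        raise TypeError("filter values must be strings")
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"'{escaped}'"


def build_filter(conditions, join="and"):
    """Build "attr op value" clauses joined by and/or.

    conditions: iterable of (attribute, operator, value) tuples. Attribute
    and operator come from fixed allow-lists, so runtime input never becomes
    part of the filter grammar; it is only ever a quoted value.
    """
    if join not in {"and", "or"}:
        raise ValueError("join must be 'and' or 'or'")
    clauses = []
    for attr, op, value in conditions:
        if attr not in ALLOWED_ATTRIBUTES or not _ATTR_RE.match(attr):
            raise ValueError(f"attribute not allowed: {attr!r}")
        if op not in ALLOWED_OPERATORS:
            raise ValueError(f"operator not allowed: {op!r}")
        clauses.append(f"{attr} {op} {quote_value(value)}")
    if not clauses:
        raise ValueError("at least one condition is required")
    return f" {join} ".join(clauses)


if __name__ == "__main__":
    # Matches the example filter given for the Filter field.
    print(build_filter([("givenName", "eq", "John"), ("sn", "eq", "Doe")]))
    # A quote in runtime input stays inside the literal.
    print(build_filter([("mail", "eq", "o'neil@example.com")]))
```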

Identity Management Attributes textFieldArrayView

Select the attribute(s) that contain the user identifier provided in the identifier field. Used to identify the user.

Identifier textField

The unique identifier, such as "jsmith@example.com". This is checked against the selected Identity Management Attribute(s).

Get User Information

Get information about a user.

Identity Management Attribute dropDown

Select the attribute that contains the user identifier provided in the identifier field. Used to identify the user.

  • User ID (Default)

  • Username

  • Email

Identifier textField

The unique identifier, such as "jsmith@example.com". This is checked against the selected Identity Management Attribute(s).

Create User

Create a new user account.

Username textField required

The username assigned to the new user.

First Name textField required

The first name of the new user.

Last Name textField required

The last name of the new user.

Email Address textField required

The email address of the new user.

Password textField required

The password for the new user.

User Attributes variableInputList

Add user attributes and their values.

Update User

Update information about a user.

Identity Management Attribute dropDown

Select the attribute that contains the user identifier provided in the identifier field. Used to identify the user.

  • User ID (Default)

  • Username

  • Email

Identifier textField

The unique identifier, such as "jsmith@example.com". This is checked against the selected Identity Management Attribute(s).

User Attributes variableInputList

Add user attributes and their values.

Delete User

Delete a user account.

Identity Management Attribute dropDown

Select the attribute that contains the user identifier provided in the identifier field. Used to identify the user.

  • User ID (Default)

  • Username

  • Email

Identifier textField

The unique identifier, such as "jsmith@example.com". This is checked against the selected Identity Management Attribute(s).

Get Requestable Items

Get a list of requestable items.

Identity Management Attribute dropDown

Select the attribute that contains the user identifier provided in the identifier field. Used to identify the user.

  • User ID (Default)

  • Username

  • Email

Identifier textField

The unique identifier, such as "jsmith@example.com". This is checked against the selected Identity Management Attribute(s).

Create Request

Start an access request by providing a list of requested items.

Identity Management Attribute dropDown

Select the attribute that contains the user identifier provided in the identifier field. Used to identify the user.

  • User ID (Default)

  • Username

  • Email

Identifier textField

The unique identifier, such as "jsmith@example.com". This is checked against the selected Identity Management Attribute(s).

User IDs textField

Array of user IDs in JSON array format, such as ["1d0e…ca94b","debd…2bcf","11e4…cd95"].

Application IDs textField

Array of application IDs in JSON array format, such as ["1d0e…ca94b","debd…2bcf","11e4…cd95"].

Entitlement IDs textField

Array of entitlement IDs in JSON array format, such as ["1d0e…ca94b","debd…2bcf","11e4…cd95"].

Role IDs textField

Array of role IDs in JSON array format, such as ["1d0e…ca94b","debd…2bcf","11e4…cd95"].

Priority dropDown required

Select a priority level for the request. Your organization can consider the priority level when reviewing the request.

  • Low (Default)

  • Medium

  • High

Request Action dropDown required

Select an action for the request.

  • Add (Default)

  • Remove

Expiry Date dateTimePicker required

The date that the request should expire. Use this when the resource is required before a certain date and the request won’t be relevant after that date.

Justification textField required

Comment on the reason for requesting access to the selected resources.

Get Request

Get information about an existing request.

Identity Management Attribute dropDown

Select the attribute that contains the user identifier provided in the identifier field. Used to identify the user.

  • User ID (Default)

  • Username

  • Email

Identifier textField

The unique identifier, such as "jsmith@example.com". This is checked against the selected Identity Management Attribute(s).

Request ID textField required

The unique ID of the request, such as "bcac0387-e5ea-4c22-981c-df0ea340f1ee".

Make Custom API Call

Define and use your own API call to Identity Cloud.

Request Type dropDown required

The type of request.

  • System Request (Default)

  • End User Request

Identity Management Attribute dropDown

Select the attribute that contains the user identifier provided in the identifier field. Used to identify the user.

  • User ID (Default)

  • Username

  • Email

Identifier textField

The unique identifier, such as "jsmith@example.com". This is checked against the selected Identity Management Attribute(s).

Endpoint textField required

The Identity Cloud API endpoint.

HTTP Method dropDown required

The HTTP method of the API call.

  • GET

  • POST

  • PUT

  • DELETE

  • PATCH

Query Parameters keyValueList

Define additional query parameters for the request.

Additional Headers keyValueList

Additional headers for the request.

Body codeEditor

The body of the API call.