PingOne Advanced Identity Cloud Access Request Connector

The PingOne Advanced Identity Cloud Access Request connector lets you manage users and create access requests in PingOne Advanced Identity Cloud in your PingOne DaVinci flow.

You can use the PingOne Advanced Identity Cloud Access Request connector to:

Manage users
Create access requests
Make custom API calls

Setup

Resources

For information and setup help, see the following:

Identity Cloud documentation:
- About Identity Governance
- Identity Governance REST API
DaVinci documentation:

Requirements

To use the connector, you’ll need:

A PingOne Advanced Identity Cloud environment
An Access Request license for Identity Governance

Setting up PingOne Advanced Identity Cloud

Setting up a service account

The service account acts like an administrator account and is required for all user CRUD capabilities as well as for System Requests using the Make a Custom API Call capability.

To set up a service account:

Sign on to the Advanced Identity Cloud admin portal.
Select Account, then Tenant Settings.
Under Service Accounts, select New Service Account.
Give the new service account a name and select fr:idm:* All Identity Management APIs.
Click Save.
Note the ID. You will use it for the Service Account ID in the connector configuration.
Click Download Key to save the key as a .jwk file. You will use it for the Service Account Key in the connector configuration.

Setting up an end user account

The end user account acts on behalf of any single user and is required for user-centric capabilities, such as Get Request, Get Requestable Items, and Create Request, as well as for the End User Requests using the Make a Custom API Call. This setup is not required for using the connector’s user CRUD capabilities or making a custom API call.

The Frodo command-line interface (CLI) is a Ping Identity-developed utility that allows for advanced management of Advanced Identity Cloud. The following steps create credentials that are unique to your DaVinci environment and you can only have one set of credentials for Advanced Identity Cloud for a given DaVinci environment. If you have multiple environments, such as for staging and production, repeat these steps so each DaVinci environment has its own end user credentials in your Advanced Identity Cloud tenant.

To set up an end user account:

Install Frodo CLI 2.0.0-36 or later.
1. In your CLI, enter the following command:
  % brew tap rockcarver/frodo-cli
2. Install the latest pre-release by entering the following command:
  % brew install frodo-cli-next
Link the Frodo CLI to your Identity Cloud environment. In your CLI, enter the following command, adding your Advanced Identity Cloud email and password credentials:
```
% frodo conn save https://openam-frodo-dev.forgeblocks.com/am  <email> '<password>'
```

Use the Frodo CLI to create a client ID for the end user and the OIDC issuer.

For regular environments, enter the following command, adding your client ID, domain, DaVinci environment ID, and Identity Cloud tenant ID parameters:

% frodo admin generate-rfc7523-authz-grant-artefacts --client-id <client ID> --scope "openid fr:am:* fr:idm:* fr:iga:*" --iss https://<domain>/<DaVinci environment ID>/davinci <Identity Cloud tenant ID>

See the following example of the command with the appropriate parameters:

% frodo admin generate-rfc7523-authz-grant-artefacts --client-id myclientid --scope "openid fr:am:* fr:idm:* fr:iga:*" --iss https://auth.pingone.eu/b5063c3e-d9c8-42c6-99bf-9e19a96a617b/davinci open-am-mycompany

For a custom domain environment, enter the following command, adding your client ID, domain, and Identity Cloud tenant ID parameters:

% frodo admin generate-rfc7523-authz-grant-artefacts --client-id <client ID> --scope "openid fr:am:* fr:idm:* fr:iga:*" --iss https://<domain>/davinci <Identity Cloud tenant ID>

See the following example of the command with the appropriate parameters:

% frodo admin generate-rfc7523-authz-grant-artefacts --client-id myclientid --scope "openid fr:am:* fr:idm:* fr:iga:*" --iss https://mydomain.com/davinci open-am-mydomain

Copy the End User Client ID and End User Client Private Key from that end user account to your PingOne Advanced Identity Cloud Access Request connector configuration.

Configuring the PingOne Advanced Identity Cloud Access Request connector

Add the connector in DaVinci as shown in Adding a connector, then configure it as follows.

Connector configuration

Identity Cloud Base URL

The API URL to target.

Realm

The PingOne Advanced Identity Cloud realm.

Service Account ID

The account ID from your PingOne Advanced Identity Cloud service account. Paste the ID that you noted when you set up the service account.

Service Account Private Key

The private key from your PingOne Advanced Identity Cloud service account. Paste the complete contents of the .jwk file that you downloaded when you set up the service account.

End User Client ID

The client ID from the end user account.

End User Client Private Key

The client private key from the end user account.

Using the connector in a flow

Manage users in Identity Cloud

The connector has several capabilities that allow you to manage users:

Find Users
Get User Information
Create User
Update User
Delete User

No special configuration is needed. Add the capability and populate its properties according to the help text.

Creating access requests

You can use the PingOne Advanced Identity Cloud Access Request connector to allow a user to create an access request. If you know the information about the access request you want to create, such as the IDs for the user and entitlements, you can use the Create Request capability directly. If you need to get that information at runtime, you can use the Get User Information or Get List of Requestable Items capabilities first and use the results in the Create Request capability.

To create an access request:

Add a node in the flow with the capability to capture a user identifier, such as email or username.
Add the PingOne Advanced Identity Cloud Access Request conenctor with Get Request in a subsequent node in the flow. Configure with the Identity Management Attribute and specific Identifier captured earlier in the field.
Add another node with the Get Requestable Items capability and configure with the Identity Management Attribute and specific Identifier captured earlier in the field.

Add another node with the Create Request capability and configure based on the help text.

You can get User IDs, Application IDs, Entitlement IDs and Role IDs using the Get Requestable Items capability and include them as variables in the Create Request capability configuration fields. The following screenshot shows the valid JSON structure for all of the ID fields as well as the format for a variable:

A screenshot showing two examples of how to populate the User IDs field, with either JSON or a variable.

The above examples show a single ID. Separate multiple IDs with a comma, for example: ["1234", "2345", "3456"].

Creating a custom API call

If you want to do something that isn’t supported by one of the provided capabilities, you can use the Make a Custom API Call capability to define your own action.

This capability uses the credentials from your connector to make an API call with the HTTP method, headers, query parameters, and body you specify. You can use the Request Type list to change between System Requests and End User Requests.

System Requests are used for general administration of Advanced Identity Cloud, such as user management.

End User Requests are used for user-centric tasks with Identity Governance, such as managing access requests and access reviews.

Connectors