PingOne Scope Consent Connector
The PingOne Scope Consent connector lets you view consent records on an application or user basis, revoke or update user consent records, or prompt users to provide or decline consent to sign-on policies and record these decisions.
You can use the PingOne Scope Consent connector to:
- View a list of application consent records a user has granted, declined, or revoked
- Determine whether a user has granted consent for an application
- Accept or decline consent for an application on behalf of a user
- Update the application consent record as revoked
- Check, prompt for, and record user decisions regarding consent for an application
Setup
Requirements
To use the connector, you’ll need:
- A PingOne license (Try PingOne for free)
- A PingOne environment with a configured Worker app
Setting up PingOne
Adding a Worker application
Add a Worker application in the PingOne console before setting up the PingOne connector in DaVinci:
- In the PingOne console, add a Worker app. See Adding an application.
  Attribute mappings are not required.
- Ensure that you set the authentication method as Client secret basic. The PingOne connector receives a token using your application’s credentials.
- Enable the application. See Enabling or disabling an application.
The capabilities in the PingOne connector call endpoints in PingOne with a token received using the application’s credentials. To enable all capabilities, your application needs the required role assignments for the associated capability. If the application doesn’t have the required role assignment, you’ll see error messages stating that the required authorization isn’t configured.
Assigning Roles to the application
To use the appropriate capabilities, the Worker app used by the connector needs the Environment Admin and Identity Data Admin roles.
The user that creates the Worker app must have the Environment Admin and Identity Data Admin roles to assign the roles to a Worker app.
- In your PingOne environment, go to Applications → Applications.
  If you haven’t added the application yet, see Adding an application.
- Locate the appropriate application and click it to open the details panel.
- Click the Roles tab and then click the Pencil icon to edit the roles.
- Review the assigned roles to ensure that they include Environment Admin and Identity Data Admin roles. If not, click Add role to assign them.
Getting your application credentials
Get the Client ID and Client secret from the PingOne console before setting up the PingOne connector in DaVinci:
- In your PingOne environment, go to Applications → Applications.
  If you haven’t added the application yet, see Adding an application.
- Locate the appropriate application and click it to open the details panel.
- On the Configuration tab, expand General and locate the Client ID and Client secret. Copy these values to a secure location.
Setting up the PingOne connector configuration
In DaVinci, add a PingOne connection. For help, see Adding an application.
Connector configuration
Environment ID
The unique identifier for the appropriate PingOne environment. To find the environment ID, see Environment properties.
Client ID
The unique public identifier for the PingOne application. To find the client ID, see Viewing application details.
Client secret
The cryptographic secret that is known only to the application and the authorization server. To find the client secret, see Viewing a client secret.
Region
The geographic region that hosts your PingOne tenant. To find the region, see Environment properties.
Using the connector in a flow
Manage user consent
You can use the PingOne Scope Consent connector to view and manage user consent to an application as part of a DaVinci flow policy.
No special configuration is needed. Add the capability and populate its properties according to the help text.
Use one of the following capabilities to view information about consent records:
- Read User Consent: Use to view a list of all application consent records a specific user has granted, declined, or revoked.
- Check User Consent: Use to determine whether a user has granted consent for a specific application.
Use one of the following capabilities to manage and update user consent records:
- Save User Consent: Use to accept or decline consent for an application on behalf of a user.
- Revoke User Consent: Use to update the application consent record for a user as revoked.
Use Get User Consent to check, prompt for, and record user decisions regarding consent to an application as part of a DaVinci flow policy. Use this capability in a flow at the point where you want to prompt the user for their consent. Use the Custom Screens tab to edit the HTML and CSS to customize the appearance and text of the prompt that is displayed to the user. For example, change "Do you approve the request?" to "Do you accept this request?" or change the buttons from "Approve" and "Decline" to "Yes" and "No".
Capabilities
Read User Consent
Find information about consent users have granted for all applications.
- Properties
  - PingOne Attribute (dropDown, required): Select the attribute you want to use to locate a user.
    - User ID
    - Username
    - Email
  - User Identifier (textField, required): Enter the user ID, username, or email address of the user you want to locate.
- Input Schema
  - default (object)
    - matchUserAttribute (string, required): PingOne user attribute to identify a user with.
    - userIdentifier (string, required): User attribute to match user.
- Output Schema
  - output (object)
  - consents (array)
  - properties (array)
  - type (object)
  - properties
  - rawResponse (object)
  - properties (object)
  - _embedded (object)
  - properties (object)
  - consents (array)
  - items (array)
  - consents
  - type (object)
  - properties
  - count (number)
  - size (number)
  - statusCode (number)
  - headers (object)
Check User Consent
Indicate whether users have granted consent for an application.
- Properties
  - PingOne Attribute (dropDown, required): Select the attribute you want to use to locate a user.
    - User ID
    - Username
    - Email
  - User Identifier (textField, required): Enter the user ID, username, or email address of the user you want to locate.
  - Match Application Attribute (dropDown, required): Select the application attribute that you want to use to locate an application.
    - Application ID
    - Application Name
  - Application Identifier (textField, required): Enter the application ID or name of the application you want to locate.
- Input Schema
  - default (object)
    - matchUserAttribute (string, required): PingOne user attribute to identify a user with.
    - userIdentifier (string, required): User attribute to match user.
    - matchApplicationAttribute (string, required): PingOne application attribute to identify an application with.
    - applicationIdentifier (string, required): Application attribute to match application.
- Output Schema
  - output (object)
  - application (object)
  - properties (object)
  - id (string)
  - name (string)
  - type (string)
  - consentId (string)
  - consentStatus (string)
  - consentScopes (array)
  - rawResponse (object)
  - properties (object)
  - _embedded (object)
  - properties (object)
  - consents (array)
  - items (array)
  - consents
  - type (object)
  - properties
  - count (number)
  - size (number)
  - statusCode (number)
  - headers (object)
Save User Consent
Accept or decline user consent for an application. It replaces the existing consent for the application if there is one.
- Properties
  - PingOne Attribute (dropDown, required): Select the attribute you want to use to locate a user.
    - User ID
    - Username
    - Email
  - User Identifier (textField, required): Enter the user ID, username, or email address of the user you want to locate.
  - Match Application Attribute (dropDown, required): Select the application attribute that you want to use to locate an application.
    - Application ID
    - Application Name
  - Application Identifier (textField, required): Enter the application ID or name of the application you want to locate.
  - Scopes (textField, required): Enter the space-separated list of scopes that have been requested. These scopes are validated against the allowed scopes assigned to the PingOne application.
  - Consent Result (textField, required): The user's accept or decline consent result, indicated by "true", "false", "yes", "no", "accepted", or "declined".
- Input Schema
  - default (object)
    - matchUserAttribute (string, required): PingOne user attribute to identify a user with.
    - userIdentifier (string, required): User attribute to match user.
    - matchApplicationAttribute (string, required): PingOne application attribute to identify an application with.
    - applicationIdentifier (string, required): Application attribute to match application.
    - scopes (string, required): Scopes.
    - consentResult (string, required): Consent Result.
- Output Schema
  - output (object)
  - application (object)
  - properties (object)
  - id (string)
  - name (string)
  - type (string)
  - consentId (string)
  - consentStatus (string)
  - consentScopes (array)
  - rawResponse (object)
  - statusCode (number)
  - headers (object)
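The Scopes and Consent Result fields of Save User Consent are free-text inputs, so a flow that fills them from upstream data benefits from strict checks before the capability runs. The following is an added example, not part of the PingOne documentation or connector code: it builds the Input Schema object, rejects scopes outside a caller-supplied allowed list, and refuses any consent result other than the six documented values. The function names, the allowed-scope list, and the sample attribute values are hypothetical.

```javascript
// Added example, not connector code. Key names follow the Save User Consent
// Input Schema above; function names and sample values are hypothetical.
const ACCEPT = new Set(["true", "yes", "accepted"]);
const DECLINE = new Set(["false", "no", "declined"]);

// Map a raw consent string to "accepted" or "declined". Anything outside the six
// documented values throws, so an unexpected value is never recorded as consent.
function normalizeConsentResult(raw) {
  // Trimming and case-folding are this example's assumption, not documented behaviour.
  const v = typeof raw === "string" ? raw.trim().toLowerCase() : "";
  if (ACCEPT.has(v)) return "accepted";
  if (DECLINE.has(v)) return "declined";
  throw new Error("unrecognized consent result");
}

// Split the space-separated scope string, dedupe it, and reject any scope that
// is not in the application's allowed list (supplied by the caller).
function parseScopes(raw, allowedScopes) {
  const scopes = [...new Set(String(raw || "").split(/\s+/).filter(Boolean))];
  if (scopes.length === 0) throw new Error("at least one scope is required");
  const allowed = new Set(allowedScopes);
  const unknown = scopes.filter((s) => !allowed.has(s));
  if (unknown.length > 0) throw new Error("scopes not allowed: " + unknown.join(" "));
  return scopes;
}

// Build the capability input; every field in the Input Schema is required.
function buildSaveConsentInput(input, allowedScopes) {
  const out = {};
  for (const key of ["matchUserAttribute", "userIdentifier",
    "matchApplicationAttribute", "applicationIdentifier"]) {
    if (typeof input[key] !== "string" || input[key].trim() === "") {
      throw new Error("missing required field: " + key);
    }
    out[key] = input[key].trim();
  }
  out.scopes = parseScopes(input.scopes, allowedScopes).join(" ");
  out.consentResult = normalizeConsentResult(input.consentResult);
  return out;
}

// Constructed sample input; the attribute option values are placeholders because
// the page lists only their display labels.
const sample = buildSaveConsentInput({
  matchUserAttribute: "username", userIdentifier: "jdoe",
  matchApplicationAttribute: "applicationName", applicationIdentifier: "Example App",
  scopes: "profile  email profile", consentResult: " Yes ",
}, ["profile", "email", "address"]);
console.log(sample);
```

Because unrecognized consent values throw instead of defaulting, a malformed upstream value stops the flow step and cannot be stored as an accepted consent.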
Revoke User Consent
Revoke and remove user consent for an application.
- Properties
  - PingOne Attribute (dropDown, required): Select the attribute you want to use to locate a user.
    - User ID
    - Username
    - Email
  - User Identifier (textField, required): Enter the user ID, username, or email address of the user you want to locate.
  - Lookup Consent (dropDown, required): Enter the consent ID, application ID, or application name of the consent record you want to locate.
    - Consent ID
    - Application ID
    - Application Name
  - Consent Identifier (textField, required): A unique identifier for the consent record.
- Input Schema
  - default (object)
    - matchUserAttribute (string, required): PingOne user attribute to identify a user with.
    - userIdentifier (string, required): User attribute to match user.
    - matchConsentAttribute (string, required): PingOne consent attribute to identify a consent with.
    - consentIdentifier (string, required): Consent attribute to match consent.
- Output Schema
  - output (object)
  - application (object)
  - properties (object)
  - id (string)
  - name (string)
  - type (string)
  - consentId (string)
  - consentStatus (string)
  - consentScopes (array)
  - rawResponse (object)
  - statusCode (number)
  - headers (object)
Get User Consent
This capability facilitates application consent by checking, prompting, and recording user decisions regarding consent. This action includes the HTML template and other resources like CSS. You can customize them under the Custom Screens tab.
- Properties
  - Always Prompt for Consent (toggleSwitch, required): Indicates whether the user will always be prompted to consent to the application’s request. If disabled, users will only be prompted to consent to these requests if they have not already done so.
  - PingOne Attribute (dropDown, required): Select the attribute you want to use to locate a user.
    - User ID
    - Username
    - Email
  - User Identifier (textField, required): Enter the user ID, username, or email address of the user you want to locate.
  - Application (dropDown, required): Select the application or specify an application identifier that will be used to check, prompt and store consent for the user.
    - Use PingOne Application ID
    - Use Custom Application Name
  - Application ID (textField, required): Enter the unique identifier of the application that will be used to check, prompt and store consent for the user.
  - Application Name (textField, required): Enter the name of the application that will be used to check, prompt and store consent for the user.
  - Consent Scopes (textField, required): Scopes define the user information that the application wants to access and the user will need to consent to allowing, such as the user’s name, email address, and phone number. You must provide at least one scope. You may provide multiple scopes, each separated by a space.
- Output Schema
  - output (object)
  - matchedUser (object)
  - application (object)
  - properties (object)
  - id (string)
  - name (string)
  - type (string)
  - consentId (string)
  - consentStatus (string)
  - consentScopes (array)
  - rawResponse (object)
  - statusCode (number)
  - headers (object)