Referencing PingOne data in the flow

You can reference data from PingOne within your flow.

The format for this information is global.parameters.<parameter name>. Some parameters depend on the protocol used to launch the flow, while others are supplied by the PingOne application.

OIDC parameters

Property Description

Property	Description
`authorizationRequest`	An object that specifies all the parameters from the OIDC authorization request.
`authorizationRequest.<customParameter>`	A string that specifies a custom URL parameter added to the OIDC authorization request. Replace <customParameter> with the name of the custom URL parameter.
`authorizationRequest.client_id`	A string that specifies the client ID of the application associated with this authorize request.
`authorizationRequest.redirect_uri`	A string that specifies the URL of the return entry point of the application.
`authorizationRequest.response_type`	A string that specifies the code or token type returned by an authorization request. Options are `token`, `id_token`, and `code`.
`authorizationRequest.scope`	A string that specifies the permissions that determine the resources that the application can access.
`authorizationRequest.state`	A string that maintains the state between the logout request and the callback to the endpoint specified by the `post_logout_redirect_uri` query parameter.
`authorizationRequest.nonce`	A string that is used to associate a client session with a token to mitigate replay attacks. The value is passed through unmodified from the authentication request to the token. This is an optional property for authorization requests that return a code.
`authorizationRequest.acr_values`	A string that is used by the flow designer to pass in useful information.
`authorizationRequest.login_hint`	A string that is used to designate a login identifier to pre-fill the username field of the sign-on screen.
`authorizationRequest.max_age`	A string that specifies the maximum amount of time allowed (in seconds) since the user last authenticated. If the `max_age` value is exceeded, the user must re-authenticate. If the `max_age` value is set to 0 (`max_age=0`), the user is always required to re-authenticate.
`authorizationRequest.prompt`	A string that specifies whether the user is prompted to sign on for re-authentication. The prompt parameter can be used as a way to check for existing authentication, verifying that the user is still present for the current session.
`authorizationRequest.response_mode`	A string that specifies the mechanism for returning authorization response parameters from the authorization endpoint. Options are `query`, `fragment`, and `form_post`.
`authorizationRequest.code_challenge`	A string that is computed from the `code_verifier` that is used in a Proof Key for Code Exchange (PKCE) authorization request.
`authorizationRequest.code_challenge_method`	A string that specifies the computation logic used to generate the `code_challenge` string. The token endpoint uses this method to verify the `code_verifier` for PKCE authorization requests. Options are `plain` and `S256`.
`authorizationRequest.code_verifier`	A string that is used to create the `code_challenge` value passed to the authorization server in the request.
`authorizationRequest.mobileRequest`	An object that specifies OIDC/OAuth2 request parameters.

authorizationRequest

An object that specifies all the parameters from the OIDC authorization request.

authorizationRequest.<customParameter>

A string that specifies a custom URL parameter added to the OIDC authorization request. Replace <customParameter> with the name of the custom URL parameter.

authorizationRequest.client_id

A string that specifies the client ID of the application associated with this authorize request.

authorizationRequest.redirect_uri

A string that specifies the URL of the return entry point of the application.

authorizationRequest.response_type

A string that specifies the code or token type returned by an authorization request. Options are token, id_token, and code.

authorizationRequest.scope

A string that specifies the permissions that determine the resources that the application can access.

authorizationRequest.state

A string that maintains the state between the logout request and the callback to the endpoint specified by the post_logout_redirect_uri query parameter.

authorizationRequest.nonce

A string that is used to associate a client session with a token to mitigate replay attacks. The value is passed through unmodified from the authentication request to the token. This is an optional property for authorization requests that return a code.

authorizationRequest.acr_values

A string that is used by the flow designer to pass in useful information.

authorizationRequest.login_hint

A string that is used to designate a login identifier to pre-fill the username field of the sign-on screen.

authorizationRequest.max_age

A string that specifies the maximum amount of time allowed (in seconds) since the user last authenticated. If the max_age value is exceeded, the user must re-authenticate. If the max_age value is set to 0 (max_age=0), the user is always required to re-authenticate.

authorizationRequest.prompt

A string that specifies whether the user is prompted to sign on for re-authentication. The prompt parameter can be used as a way to check for existing authentication, verifying that the user is still present for the current session.

authorizationRequest.response_mode

A string that specifies the mechanism for returning authorization response parameters from the authorization endpoint. Options are query, fragment, and form_post.

authorizationRequest.code_challenge

A string that is computed from the code_verifier that is used in a Proof Key for Code Exchange (PKCE) authorization request.

authorizationRequest.code_challenge_method

A string that specifies the computation logic used to generate the code_challenge string. The token endpoint uses this method to verify the code_verifier for PKCE authorization requests. Options are plain and S256.

authorizationRequest.code_verifier

A string that is used to create the code_challenge value passed to the authorization server in the request.

authorizationRequest.mobileRequest

An object that specifies OIDC/OAuth2 request parameters.

For example, the following code references the login hint in a flow launched using OIDC:

global.parameters.authorizationRequest.login_hint

SAML parameters

Property Description

Property	Description
`samlRequest`	A string that specifies all the parameters from the SAML request.
`samlRequest.spEntityId`	A string that specifies the service provider entity ID used to look up the application. This is a required property and is unique within the environment.
`samlRequest.forceAuthn`	A boolean that, when set to true, specifies that the identity provider must authenticate the presenter directly rather than rely on a previous security context. If a value is not provided, the default value is false.
`samlRequest.passive`	A boolean that, when set to true, specifies that the identity provider and the user agent itself must not visibly take control of the user interface from the requester and interact with the presenter in a noticeable fashion. If a value is not provided, the default value is false.
`samlRequest.signed`	A boolean that specifies whether the SAML assertion should be signed. The default value is false.
`samlRequest.subject`	A string that specifies the SAML subject ID.
`samlRequest.requestedAuthnContext`	A string that specifies the authentication methods for the request.

samlRequest

A string that specifies all the parameters from the SAML request.

samlRequest.spEntityId

A string that specifies the service provider entity ID used to look up the application. This is a required property and is unique within the environment.

samlRequest.forceAuthn

A boolean that, when set to true, specifies that the identity provider must authenticate the presenter directly rather than rely on a previous security context. If a value is not provided, the default value is false.

samlRequest.passive

A boolean that, when set to true, specifies that the identity provider and the user agent itself must not visibly take control of the user interface from the requester and interact with the presenter in a noticeable fashion. If a value is not provided, the default value is false.

samlRequest.signed

A boolean that specifies whether the SAML assertion should be signed. The default value is false.

samlRequest.subject

A string that specifies the SAML subject ID.

samlRequest.requestedAuthnContext

A string that specifies the authentication methods for the request.

For example, the following code references the subject ID in a flow launched using SAML:

global.parameters.samlRequest.subject

WS-Federation parameters

Property Description

Property	Description
`wsFedRequest.wfresh`	The maximum age of authentication in minutes. If the value is 0, the user should be prompted for authentication before a token is issued.
`wsFedRequest.wauth`	The required authentication level.
`wsFedRequest.wctx`	An opaque context value that can be passed in the request. When the invoked DaVinci flow completes successfully and returns to PingOne, PingOne echoes this value back to the service provider with the issued token if it was included by the service provider in the originating request.
`wsFedRequest.whr`	The account partner realm of the client.

wsFedRequest.wfresh

The maximum age of authentication in minutes. If the value is 0, the user should be prompted for authentication before a token is issued.

wsFedRequest.wauth

The required authentication level.

wsFedRequest.wctx

An opaque context value that can be passed in the request.

When the invoked DaVinci flow completes successfully and returns to PingOne, PingOne echoes this value back to the service provider with the issued token if it was included by the service provider in the originating request.

wsFedRequest.whr

The account partner realm of the client.

The WS-Federation parameters are currently in limited release. To request access to these parameters, open a support case.

Application parameters

Property Description

Property	Description
`application`	An object that specifies the configuration information about the PingOne application that initiated the authentication request.
`application.homePageUrl`	A string that specifies the custom home page URL for the application.
`application.id`	A string that specifies the application ID.
`application.name`	A string that specifies the application name.
`application.protocol`	A string that specifies the protocol for the application. Options are OPENID_CONNECT and SAML.
`application.type`	A string that specifies the application type. Valid values are `WEB_APP`, `NATIVE_APP`, `SINGLE_PAGE_APP`, `SERVICE`, `CUSTOM_APP`, `WORKER`, `PING_ONE_SELF_SERVICE`, `PING_ONE_ADMIN_CONSOLE`, `PING_ONE_PORTAL`, `TEMPLATE_APP`, and `PORTAL_LINK_APP`.

application

An object that specifies the configuration information about the PingOne application that initiated the authentication request.

application.homePageUrl

A string that specifies the custom home page URL for the application.

application.id

A string that specifies the application ID.

application.name

A string that specifies the application name.

application.protocol

A string that specifies the protocol for the application. Options are OPENID_CONNECT and SAML.

application.type

A string that specifies the application type. Valid values are WEB_APP, NATIVE_APP, SINGLE_PAGE_APP, SERVICE, CUSTOM_APP, WORKER, PING_ONE_SELF_SERVICE, PING_ONE_ADMIN_CONSOLE, PING_ONE_PORTAL, TEMPLATE_APP, and PORTAL_LINK_APP.

For example, the following code references the application ID in a flow, regardless of the protocol used to launch the flow:

global.parameters.application.id

Universal parameters

Property Description

Property	Description
`loginHint`	A string that specifies an identifier to pre-fill the username field of a sign-on screen.
`maxSecondsSinceLastSignOn`	An integer that specifies the maximum amount of time allowed (in seconds) since the user last authenticated. If the user’s last sign on in the session is greater than the integer value specified in this property, then existing session information cannot be used to skip authentication or influence any authentication logic. This value is set automatically to 0 if `prompt=login` is set for an OIDC application or if `ForceAuthn=true` is set for a SAML application. Otherwise, this value is set to the `max_age` property value for OIDC applications, if present, or omitted otherwise.

loginHint

A string that specifies an identifier to pre-fill the username field of a sign-on screen.

maxSecondsSinceLastSignOn

An integer that specifies the maximum amount of time allowed (in seconds) since the user last authenticated. If the user’s last sign on in the session is greater than the integer value specified in this property, then existing session information cannot be used to skip authentication or influence any authentication logic. This value is set automatically to 0 if prompt=login is set for an OIDC application or if ForceAuthn=true is set for a SAML application. Otherwise, this value is set to the max_age property value for OIDC applications, if present, or omitted otherwise.

For example, the following code references the login hint, regardless of the protocol used to launch the flow:

global.parameters.loginHint

PingOne DaVinci

Referencing PingOne data in the flow