---
title: Connect AM to PingOne
description: Set up the shared PingOne configuration that PingAM uses for PingOne Protect and PingOne Verify.
component: pingam
version: 8.1
page_id: pingam:integrations:connect-am-to-pingone
canonical_url: https://docs.pingidentity.com/pingam/8.1/integrations/connect-am-to-pingone.html
llms_txt: https://docs.pingidentity.com/pingam/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
section_ids:
  create-worker-application: Create a worker application in PingOne
  create-worker-service: Create a PingOne Worker service in AM
---

# Connect AM to PingOne

Connect your AM deployments to PingOne so that you can configure PingOne services such as PingOne Protect and PingOne Verify in your AM authentication journeys.

To connect AM to PingOne, you must:

1. **Set up PingOne environments**

   Set up at least one [PingOne environment](https://docs.pingidentity.com/pingone/getting_started_with_pingone/p1_getting_started_adding_environment.html) using the Customer solution option. Use the same PingOne environment for integrating PingOne Protect and PingOne Verify into AM.

   Reusing environments reduces the number of PingOne environments and OIDC credentials you need to keep track of.

   You can use additional PingOne environments if required. For example, to separate development, test, and production deployments, or to serve users in different regions or countries.

2. **Create PingOne worker applications**

   Create a [worker application](https://docs.pingidentity.com/pingone/applications/p1_applications_add_applications.html) in each of your PingOne environments. These provide access to the PingOne admin APIs using OIDC.

   Learn more in [Create a worker application in PingOne](#create-worker-application).

3. **Create secrets for the OIDC credentials**

   Store your worker application client secret in an AM secret store that's accessible to the realm where you'll create your PingOne Worker service configuration.

   Learn more in [Secret stores](../security/secret-stores.html).

4. **Create PingOne worker services**

   For each worker application, create a PingOne worker service configuration in the realm where you'll configure your PingOne journeys.

   Learn more in [Create a PingOne Worker service in AM](#create-worker-service).

5. **Map secrets for the PingOne worker services**

   Map the secret you created to the `am.services.pingone.worker.identifier.clientsecret` secret label.

   Where identifier is the value you entered in the Client Secret Label Identifier field when you created the PingOne Worker service configuration.

   Learn more in [Map and rotate secrets](../security/secret-mapping.html).

6. **Test the PingOne worker service configuration**

   Before you configure any journeys, verify that AM can use the worker service configuration to connect to PingOne.

   Learn more in [Test the connection](../setup/services-configuration.html#test-connection).

|   |                                                                                                                                                                                                                |
| - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | Complete this setup for each PingOne environment that AM uses. After that, reuse the same AM worker service configuration across the PingOne Protect and PingOne Verify journeys that target that environment. |

## Create a worker application in PingOne

Create a [worker application](https://docs.pingidentity.com/pingone/applications/p1_applications_add_applications.html) in PingOne for AM to use when calling PingOne APIs.

1. In the PingOne admin console, open the target environment and click Manage Environment.

2. Go to Applications > Applications, then click the [icon: plus, set=fas]icon.

3. Add an application of type `Worker` and save your changes.

4. Click Grant Roles.

5. Select the `Identity Data Admin` role, choose your target environment, and save your changes.

6. Go to the Overview tab and enable the worker application using the toggle switch in the top-right corner.

   The worker application should now resemble the following:

   ![AM Worker application](_images/am-worker-app.png)

7. Make a note of the following values:

   Environment ID\
   Client ID\
   Client Secret

   You'll need them when you create the PingOne Worker service in AM.

## Create a PingOne Worker service in AM

Create a [PingOne Worker service](../setup/services-configuration.html#realm-pingone-worker-service) configuration for your worker application.

1. In the AM admin UI, go to Realms > *realm name* > Services and click Add a Service.

2. Select `PingOne Worker Service` and click Create.

3. On the Secondary Configurations tab, click Add a Secondary Configuration.

4. Enter a name for the configuration, for example, `AM Worker` and click Create.

5. Enter the client ID and environment ID you copied earlier in the Client ID and Environment ID fields.

6. Enter an identifier in the Client Secret Label Identifier field. This identifier is used to create a secret label for the client secret.

   The secret label uses the template `am.services.pingone.worker.identifier.clientsecret` where identifier is the Client Secret Label Identifier value.

   This field can only contain characters `a-z`, `A-Z`, `0-9`, and `.` and can't start or end with a period.

7. Ensure that the PingOne API Server URL and PingOne Authorization Server URL are correct for the region where your PingOne environment is located:

   | Region                           | API URL                       | Authorization URL           |
   | -------------------------------- | ----------------------------- | --------------------------- |
   | North America (excluding Canada) | `https://api.pingone.com/v1`  | `https://auth.pingone.com`  |
   | Canada                           | `https://api.pingone.ca/v1`   | `https://auth.pingone.ca`   |
   | Europe                           | `https://api.pingone.eu/v1`   | `https://auth.pingone.eu`   |
   | Asia-Pacific                     | `https://api.pingone.asia/v1` | `https://auth.pingone.asia` |
