PingAM

Connect AM to PingOne

Connect your AM deployments to PingOne so that you can configure PingOne services such as PingOne Protect and PingOne Verify in your AM authentication journeys.

To connect AM to PingOne, you must:

  1. Set up PingOne environments

    Set up at least one PingOne environment using the Customer solution option. Use the same PingOne environment for integrating PingOne Protect and PingOne Verify into AM.

    Reusing environments reduces the number of PingOne environments and OIDC credentials you need to keep track of.

    You can use additional PingOne environments if required. For example, to separate development, test, and production deployments, or to serve users in different regions or countries.

  2. Create PingOne worker applications

    Create a worker application in each of your PingOne environments. These provide access to the PingOne admin APIs using OIDC.

  3. Create secrets for the OIDC credentials

    Store your worker application client secret in an AM secret store that’s accessible to the realm where you’ll create your PingOne Worker service configuration.

    Learn more in Secret stores.

  4. Create PingOne worker services

    For each worker application, create a PingOne worker service configuration in the realm where you’ll configure your PingOne journeys.

  5. Map secrets for the PingOne worker services

    Map the secret you created to the am.services.pingone.worker.identifier.clientsecret secret label.

    Where identifier is the value you entered in the Client Secret Label Identifier field when you created the PingOne Worker service configuration.

    Learn more in Map and rotate secrets.

Complete this setup for each PingOne environment that AM uses. After that, reuse the same AM worker service configuration across the PingOne Protect and PingOne Verify journeys that target that environment.

Create a worker application in PingOne

Create a worker application in PingOne for AM to use when calling PingOne APIs.

  1. In the PingOne admin console, open the target environment and click Manage Environment.

  2. Go to Applications > Applications, then click the icon.

  3. Add an application of type Worker and save your changes.

  4. Click Grant Roles.

  5. Select the Identity Data Admin role, choose your target environment, and save your changes.

  6. Go to the Overview tab and enable the worker application using the toggle switch in the top-right corner.

    The worker application should now resemble the following:

    AM Worker application
  7. Make a note of the following values:

    Environment ID
    Client ID
    Client Secret

    You’ll need them when you create the PingOne Worker service in AM.

Create a PingOne Worker service in AM

Create a PingOne Worker service configuration for your worker application.

  1. In the AM admin UI, go to Realms > realm name > Services and click Add a Service.

  2. Select PingOne Worker Service and click Create.

  3. On the Secondary Configurations tab, click Add a Secondary Configuration.

  4. Enter a name for the configuration, for example, AM Worker and click Create.

  5. Enter the client ID and environment ID you copied earlier in the Client ID and Environment ID fields.

  6. Enter an identifier in the Client Secret Label Identifier field. This identifier is used to create a secret label for the client secret.

    The secret label uses the template am.services.pingone.worker.identifier.clientsecret where identifier is the Client Secret Label Identifier value.

    This field can only contain characters a-z, A-Z, 0-9, and . and can’t start or end with a period.

  7. Ensure that the PingOne API Server URL and PingOne Authorization Server URL are correct for the region where your PingOne environment is located:

    Region API URL Authorization URL

    North America (excluding Canada)

    https://api.pingone.com/v1

    https://auth.pingone.com

    Canada

    https://api.pingone.ca/v1

    https://auth.pingone.ca

    Europe

    https://api.pingone.eu/v1

    https://auth.pingone.eu

    Asia-Pacific

    https://api.pingone.asia/v1

    https://auth.pingone.asia