PingOne

Scenario 6: Sensitive variable creation (early access)

The goal of this scenario is to demonstrate the creation of sensitive variables when you select a configuration resource that requires them.

In this scenario, you’ll promote the Test IdP external identity provider (IdP) from the Promotion-Source environment to the Promotion-Target environment. This promotion requires the creation of a sensitive variable for the IdP’s client secret. For the purposes of this scenario, assume you don’t account for that when you start creating variables. The scenario shows how the promotion workflow prompts you for it anyway.

A series of screenshots showing the configuration of Test IdP in the Promotion-Source environment.

Configure promotion variables in the source environment

As you prepare for your promotion, you’ve determined that although you want most of the configuration for Test IdP to be the same in both the source and target environments, you want to use different User Information Endpoint and Redirect URIs settings. You decide to create a promotion variable in the Promotion-Source environment.

Steps

  1. Sign on to the PingOne admin console for the Promotion-Source environment.

  2. Go to Promote > Promotion Variables and click Create Promotion Variable.

  3. On the Select Target Environment modal, select Promotion-Target in the Target Environment list.

  4. Select The correct environment is selected and I want to continue and click Confirm.

    After you confirm the target environment, PingOne determines the resources for which you can create variables.

  5. On the Create Variables page, in the Resource Details section, select IdentityProvider in the Category list.

    A screen capture of the first page of the Create Variables workflow with the Category list expanded.

    Categories allow you to narrow down the list and find what you’re looking for more easily.

    You might need to click Reload resources list to pick up categories for configuration resources that were recently added to the environment.

    Result

    The subcategory auto-fills with OPENID_CONNECT because in this environment there is only one IdP configured, and it uses OIDC. Because there are no other IdPs in this environment, Test IdP is also selected automatically in the Resource list.

    The Attributes list shows all of the IdP configuration attributes for which you can create variables.

    A screen capture of the Create Variables workflow showing Identity Provider in the Category field, OPENID_CONNECT in the Sub-category field, and TestIdP in the Resource field.

    Note that Client Secret is selected and marked as required. Although you didn’t plan for the creation of this variable, it’s required, and you can’t continue without creating it. You can’t promote the client secret value from the source environment to the target environment.

  6. Select User Information Endpoint, then click Next.

    On the Set Variable Values for the Target Environment page, note that there’s no value in the Client Secret field in the Current Environment section. You can’t view or change the value for the source environment, because it’s a sensitive variable.

    A screen capture of the second page of the Create Variables workflow showing the empty Client Secret field in the source environment section and placeholder characters in the target environment section.

    In the Client Secret field in the Target Environment section, you see only placeholders. If you click the Eye icon, you’ll see only asterisks and no actual value. You must enter a value for the target environment to promote the IdP.

  7. Set the following variable values to use in the Promotion-Target environment:

    • Client Secret: TestSecret123!

      You can view the contents of the Client Secret field only until you click Next. After you save the variable, the value is hashed and can’t be viewed or copied.

      Always save your client secrets and other sensitive variable values in a secure location outside of PingOne for future reference.

    • User Information Endpoint: https://auth.pingone.com/42e12d49-6649-43ee-9c62-6eae7aec93a3/as/test.userinfo

      A screen capture of the second page of the Create Variables workflow showing the empty Client Secret field in the source environment, the source environment value for the User Information Endpoint, and the new values for both in the target environment on the right.

  8. Click Next and confirm the variable configuration on the Review and Save page.

    A screen capture of the second page of the Create Variables workflow showing the empty Client Secret field in the source environment, the source environment value for the User Information Endpoint, and the new values for the target environment on the right.

  9. Click Save.

Result

You’re returned to the Promotion Variables page. Test IdP is listed in the Resources with Variables section.

A screen capture showing the Promotion Variables page with Test IdP added to the Resources with Variables list.

Configure and run the promotion in the source environment

To configure the promotion, you’ll confirm the target environment, select the resource to promote (Test IdP), and determine whether the resource should be created as new in the target environment or mapped to an existing resource. Then you’ll run the promotion.

Steps

  1. In the PingOne admin console for the Promotion-Source environment, go to Promote > Promotions.

  2. Click Run a Promotion.

  3. On the Confirm Target Environment modal, ensure that Promotion-Target is selected in the Target Environment list.

  4. Select The correct environment is selected and I want to continue and click Confirm.

    A screenshot of the Confirm Target Environment modal with Promotion-Target selected in the Target Environment list and the confirmation checkbox selected.

    After you confirm the target environment, PingOne takes snapshots of both environments, compares configuration resources, and lists the resources that you can promote.

    A screenshot of the Select Resources to Promote page without anything selected.

  5. On the Select Resources to Promote page, search for Test IdP and select it.

    A screenshot of the Select Resources to Promote page with app in the search bar and Test IdP selected.

  6. Click Next.

  7. If the Auto-Selected Dependencies modal opens, click Continue.

  8. On the Confirm Promotion page, review the details for the promotion and add release notes.

    A screenshot of the Confirm Promotion page, showing Test IdP and release notes text.

  9. Click the View All link next to Variables applied to this resource to open the Promotion Variables modal, then click Test IdP to expand it and confirm the variables you created for this scenario.

    A screenshot of the Promotion Variables modal showing the variables created for Test IdP. The Client Secret variable shows no value in the Promotion-Source environment and an encrypted value in the Promotion-Target environment.

  10. Click Close to close the Promotion Variables modal.

  11. Click Run Promotion.

Result

You’re returned to the Promotions page and the current promotion is listed with a status of In Progress. After about 30 seconds, refresh the page. The status will change to Success for a successful promotion.

A screenshot of the Promotions page showing a successful promotion.

Verify the promotion

To verify the results of the promotion, first confirm the details of the promotion in the source environment, then ensure that Test IdP exists in the target environment and that the variables match what you expect.

Steps

  1. In the PingOne admin console for the Promotion-Source environment, go to Promote > Promotions.

  2. Locate the promotion in the list, click the More Options icon (⋮), and select View.

    Promotions are listed in reverse chronological order, so the most recent promotion appears at the top of the list.

    Overview tab

    The Overview tab shows information about when the promotion was started and completed, the source and target environments, the status of the promotion, and any release notes that were added.

    A screenshot of the Overview tab for the initial promotion of Test IdP.

    Promoted Resources tab

    The Promoted Resources tab shows the details about the resources that were promoted.

    A screenshot of the Promoted Resources tab for the initial promotion of Test IdP.

  3. On the Overview tab, click View Target Environment.

    You’re taken to the PingOne admin console for the target environment so that you can confirm that the promoted resources exist and match what you expect.

  4. For this scenario, go to Integrations > External IdPs, browse or search for Test IdP, and click it to open the details panel.

    A screenshot of the details panel for Test IdP in the target environment, showing the settings defined in variables in the source environment.

Result

Test IdP now exists in the Promotion-Target environment, and the value for the User Information Endpoint matches the value you configured when you added variables for the promotion. You also see that the value for the Client Secret is hidden, which confirms that the sensitive variable you created for the promotion was used in the target environment.