--- title: "Scenario 6: Sensitive variable creation (early access)" description: Learn how to create sensitive variables for a promotion in PingOne when you select a resource that requires them. component: pingone page_id: pingone:early-access-features:ea-p1_config_promotion_scenario_6 canonical_url: https://docs.pingidentity.com/pingone/early-access-features/ea-p1_config_promotion_scenario_6.html revdate: February 25, 2026 section_ids: p1-promote-scenario-6-configure-variables: Configure promotion variables in the source environment steps: Steps result: Result result-2: Result configure-and-run-the-promotion-in-the-source-environment: Configure and run the promotion in the source environment steps-2: Steps result-3: Result verify-the-promotion: Verify the promotion steps-3: Steps result-4: Result --- # Scenario 6: Sensitive variable creation (early access) The goal of this scenario is to demonstrate the creation of sensitive variables when you select a configuration resource that requires them. In this scenario, you'll promote the **Test IdP** external identity provider (IdP) from the **Promotion-Source** environment to the **Promotion-Target** environment. This promotion requires the creation of a sensitive variable for the IdP's client secret. For the purposes of this scenario, let's assume you don't account for that when you start creating variables, and show how the promotion workflow prompts you for it anyway. ![A series of screenshots showing the configuration of Test IdP in the Promotion-Source environment.](_images/p1-promote-scenario-6-idp-config.png) ## Configure promotion variables in the source environment As you prepare for your promotion, you've determined that although you want most of the configuration for **Test IdP** to be the same in both the source and target environments, you want to use a different **User Information Endpoint** and **Redirect URIs** settings. You decide to create a promotion variable in the **Promotion-Source** environment. ### Steps 1. Sign on to the PingOne admin console for the **Promotion-Source** environment. 2. Go to **Promote > Promotion Variables** and click **Create Promotion Variable**. 3. On the **Select Target Environment** modal, select **Promotion-Target** in the **Target Environment** list. 4. Select **The correct environment is selected and I want to continue** and click **Confirm**. After you confirm the target environment, PingOne determines the resources for which you can create variables. 5. On the **Create Variables** page, in the **Resource Details** section, select **IdentityProvider** in the **Category** list. ![A screen capture of the first page of the Create Variables workflow with the Category list expanded.](_images/p1-promote-variables-select-category.png) Categories allow you to narrow down the list and find what you're looking for more easily. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------ | | | You might need to click **Reload resources list** to pick up categories for configuration resources that were recently added to the environment. | #### Result The subcategory auto-fills with **OPENID\_CONNECT** because in this environment there is only one IdP configured, and it uses OIDC. Because there are no other IdPs in this environment, **Test IdP** is also selected automatically in the **Resource** list. The **Attributes** list shows all of the IdP configuration attributes for which you can create variables. ![A screen capture of the Create Variables workflow showing Identity Provider in the Category field, OPENID\_CONNECT in the Sub-category field, and TestIdP in the Resource field.](_images/p1-promote-scenario6-create-variable-client-secret-selected.png) Note that **Client Secret** is selected and marked as required. Although you didn't plan for the creation of this variable, it's required, and you can't continue without creating it. You can't promote the client secret value from the source environment to the target environment. 6. Select **User Information Endpoint**, then click **Next**. On the **Set Variable Values for the Target Environment** page, note that there's no value in the **Client Secret** field in the **Current Environment** section. You can't view or change the value for the source environment, because it's a sensitive variable. ![A screen capture of the second page of the Create Variables workflow showing the empty Client Secret field in the source environment section and placeholder characters in the target environment section.](_images/p1-promote-scenario6-create-variable-set-target-values.png) In the **Client Secret** field in the **Target Environment** section, you see only placeholders. If you click the **Eye** icon ([icon: eye, set=fa]), you'll see only asterisks and no actual value. You must enter a value for the target environment to promote the IdP. 7. Set the following variable values to use in the **Promotion-Target** environment: * **Client Secret**: `TestSecret123!` | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can view the contents of the **Client Secret** field only until you click **Next**. After you save the variable, the value is hashed and can't be viewed or copied.Always save your client secrets and other sensitive variable values in a secure location outside of PingOne for future reference. | * **User Information Endpoint**: `https://auth.pingone.com/42e12d49-6649-43ee-9c62-6eae7aec93a3/as/test.userinfo` ![A screen capture of the second page of the Create Variables workflow showing the empty Client Secret field in the source environment, the source environment value for the User Information Endpoint, and the new values for both in the target environment on the right.](_images/p1-promote-scenario6-create-variable-with-target-values.png) 8. Click **Next** and confirm the variable configuration on the **Review and Save** page. ![A screen capture of the second page of the Create Variables workflow showing the empty Client Secret field in the source environment, the source environment value for the User Information Endpoint, and the new values for the target environment on the right.](_images/p1-promote-scenario6-create-variable-review.png) 9. Click **Save**. ### Result You're returned to the **Promotion Variables** page. **Test IdP** is listed in the **Resources with Variables** section. ![A screen capture showing the Promotion Variables page with Test IdP added to the Resources with Variables list.](_images/p1-promote-scenario6-create-variable-done.png) ## Configure and run the promotion in the source environment To configure the promotion, you'll confirm the target environment, select the resource to promote (**Test IdP**), and determine whether the resource should be created as new in the target environment or mapped to an existing resource. Then you'll run the promotion. ### Steps 1. In the PingOne admin console for the **Promotion-Source** environment, go to **Promote > Promotions**. 2. Click **Run a Promotion**. 3. On the **Confirm Target Environment** modal, ensure that **Promotion-Target** is selected in the **Target Environment** list. 4. Select **The correct environment is selected and I want to continue** and click **Confirm**. ![A screenshot of the Confirm Target Environment modal with Promotion-Target selected in the Target Environment list and the confirmation checkbox selected.](_images/p1-promote-confirm-target-env.png) After you confirm the target environment, PingOne takes snapshots of both environments, compares configuration resources, and lists the resources that you can promote. ![A screenshot of the Select Resources to Promote page without anything selected.](_images/p1-promote-select-resources.png) 5. On the **Select Resources to Promote** page, search for **Test IdP** and select it. ![A screenshot of the Select Resources to Promote page with app in the search bar and Test IdP selected.](_images/p1-promote-select-resource-testidp.png) 6. Click **Next**. 7. If the **Auto-Selected Dependencies** modal opens, click **Continue**. 8. On the **Confirm Promotion** page, review the details for the promotion and add release notes. ![A screenshot of the Confirm Promotion page, showing Test IdP and release notes text.](_images/p1-promote-confirm-promotion-testidp.png) 9. Click the **View All** link next to **Variables applied to this resource** to open the **Promotion Variables** modal and click **Test IdP** to expand it and confirm the variables you created for this scenario. ![A screenshot of the Promotion Variables modal showing the variables created for Test IdP. The Client Secret variable shows no value in the Promotion-Source environment and an encrypted value in the Promotion-Target environment.](_images/p1-promote-scenario6-promotion-variables-modal.png) 10. Click **Close** to close the **Promotion Variables** modal. 11. Click **Run Promotion**. ### Result You're returned to the **Promotions** page and the current promotion is listed with a status of **In Progress**. After about 30 seconds, refresh the page. The status will change to **Success** for a successful promotion. ![A screenshot of the Promotions page showing a successful promotion.](_images/p1-promote-promotion-successful.png) ## Verify the promotion To verify the results of the promotion, first confirm the details of the promotion in the source environment, then ensure that **Test IdP** exists in the target environment and that the variables match what you expect. ### Steps 1. In the PingOne admin console for the **Promotion-Source** environment, go to **Promote > Promotions**. 2. Locate the promotion in the list, click the **More Options** icon (⋮), and select **View**. | | | | - | ------------------------------------------------------------------------------------------------------------------ | | | Promotions are listed in reverse chronological order, so the most recent promotion appears at the top of the list. | * Overview tab The **Overview** tab shows information about when the promotion was started and completed, the source and target environments, the status of the promotion, and any release notes that were added. ![A screenshot of the Overview tab for the initial promotion of Test IdP.](_images/p1-promote-promotion-successful-testidp.png) * Promoted Resources tab The **Promoted Resources** tab shows the details about the resources that were promoted. ![A screenshot of the Promoted Resources tab for the initial promotion of Test IdP.](_images/p1-promote-promotion-complete-promoted-resources-tab-testidp.png) 3. On the **Overview** tab, click **View Target Environment**. You're taken to the PingOne admin console for the target environment so that you can confirm that the promoted resources exist and match what you expect. 4. For this scenario, go to **Integrations > External IdPs**, browse or search for **Test IdP**, and click it to open the details panel. ![A screenshot of the details panel for Test IdP in the target environment, showing the settings defined in variables in the source environment.](_images/p1-promote-scenario6-verify-in-target-idp.png) ### Result **Test IdP** now exists in the **Promotion-Target** environment, and the value for the **User Information Endpoint** matches the value you configured when you [added variables](#p1-promote-scenario-6-configure-variables) for the promotion. You also see that the value for the **Client Secret** is hidden, which confirms that the sensitive variable you created for the promotion was used in the target environment.