PingOne

Configuration resources requiring special handling (early access)

Some configuration resources require special handling or behave a bit differently than other resources. Others can’t be promoted directly because they’re environment specific or include attributes that aren’t compatible with the promotion process.

Resources excluded from promotion

Some resources can’t be promoted at all. Excluded resources generally fall into the following categories:

  • User and operational data: Resources that contain user-specific or operational data, such as audit logs, user profiles, or device and session data, are excluded from promotion to prevent data integrity issues.

  • Environment-specific secrets and keys: These resources are inherently tied to a specific environment for security reasons and can’t be promoted or used by another environment. These resources should always be configured in the promotion as sensitive promotion variables.

  • Roles and permissions: Although you can promote resources that require permissions or roles, the administrative access to them isn’t promoted. This includes administrator role assignment and application role assignments. After the resource is promoted, you must manually assign the appropriate roles and permissions to the resource in the target environment.

You can find a complete list of excluded resources in the Excluded Resources (early access) section of the PingOne API documentation.

Deleted configuration resources

When you delete a configuration resource from the source environment after it has been promoted to the target environment, that resource remains in the target environment until you explicitly delete it there. You can use the promotion service to handle the deletion. A deletion promotion works similarly to a standard promotion, but instead of creating or updating the resource in the target environment, the promotion service deletes it.

Learn more in scenario 5.

DaVinci resources

The promotion service fully supports the promotion of PingOne DaVinci resources, including flows, subflows, flow policies, connectors, and DaVinci applications. However, there are several differences in how certain types of DaVinci resources are processed during promotion.

As with other configuration resources, you can map DaVinci dependencies to existing resources in the target environment or create them as new resources, but dependency behavior varies depending on the type of DaVinci resource you select for direct promotion.

DaVinci flows

When you promote a DaVinci flow, the promotion service identifies all of the dependent configurations used in the flow if they’re referenced correctly. Only the most recent deployed version of the flow is promoted to the target environment. For example, if your flow has four versions, and version 3 is the most recent deployed version, only version 3 is promoted. Similarly, if the flow includes subflows, only the subflow versions referenced by the flow are promoted.

Learn more in Flows in the DaVinci documentation.

DaVinci flow policies

When you promote a DaVinci flow policy, the promotion service identifies the flows referenced by the policy and the specific versions of the flows referenced. All flow versions used in the policy are promoted as dependencies of the policy.

For example, you decide to promote a flow policy that references two flows, and the policy uses version 2 of flow A and versions 1 and 3 of flow B. In this case, version 2 of flow A and versions 1 and 3 of flow B are all promoted as dependencies of the flow policy.

DaVinci flow policies are always linked to a DaVinci application. If you promote a flow policy directly, the associated DaVinci application is promoted as a dependency of the flow policy. This application isn’t listed on the Auto-Selected Dependencies page when you configure the promotion, but it will be listed when you confirm the promotion configuration.

If the application has additional flow policies associated with it, those policies aren’t promoted as dependencies of the application.

To promote all flow policies associated with a DaVinci application, promote the application directly instead of promoting the flow policies individually.

Learn more in Flow Policies in the DaVinci documentation.

DaVinci applications

When you promote a DaVinci application, the promotion service identifies all associated flow policies and promotes them as dependencies of the application. The specific versions of the flow policies referenced by the application are promoted.

Learn more in Applications in the DaVinci documentation.
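
The difference between promoting a flow policy directly and promoting its DaVinci application can be modeled as a small dependency plan. This is an added example, not PingOne code or the promotion service's API: the resource names and data layout are constructed, and it assumes that flow versions used by each policy follow the policy when the application is promoted.

```python
# Constructed model of the DaVinci dependency rules described above.
# Not PingOne's API or data format; all names are sample values.

POLICIES = {
    "login-policy": {
        "application": "portal-app",
        "flows": [("flow A", 2), ("flow B", 1), ("flow B", 3)],
    },
    "signup-policy": {
        "application": "portal-app",
        "flows": [("flow C", 1)],
    },
}


def plan_for_policy(policy_name):
    """Direct promotion of one flow policy.

    Carries the flow versions the policy uses and the linked application,
    but none of the application's other policies.
    """
    policy = POLICIES[policy_name]
    plan = {("policy", policy_name), ("application", policy["application"])}
    plan |= {("flow", f"{flow} v{ver}") for flow, ver in policy["flows"]}
    return plan


def plan_for_application(app_name):
    """Direct promotion of the application: every associated policy is a dependency."""
    plan = {("application", app_name)}
    for name, policy in POLICIES.items():
        if policy["application"] == app_name:
            # Assumption: each policy brings its own flow versions with it.
            plan |= plan_for_policy(name)
    return plan


def left_behind(policy_name):
    """Policies of the same application that a single-policy promotion omits."""
    app = POLICIES[policy_name]["application"]
    missing = plan_for_application(app) - plan_for_policy(policy_name)
    return sorted(name for kind, name in missing if kind == "policy")


if __name__ == "__main__":
    print(sorted(plan_for_policy("login-policy")))
    print("not promoted with login-policy:", left_behind("login-policy"))
```

Running `left_behind` before a policy-level promotion shows which sibling policies the target application will lack until they are promoted separately or the application is promoted directly.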

Secrets and passwords

Many configuration resources in PingOne use secrets or passwords to connect third-party services, such as an external identity provider (IdP) or a PingOne DaVinci connector. When you select a resource to promote that includes attributes for secrets or passwords, PingOne requires you to create sensitive variables for promotion, which are stored securely and encrypted anywhere they appear. Learn more in Sensitive variables.

Certificates

Certificates can’t be promoted directly, and certificate references in other resources require special handling:

  • Default certificates: If a resource in the source environment references a default certificate, the promotion service automatically maps that reference to the default certificate in the target environment during the promotion.

  • Certificates as variables: For non-default certificates, you must create promotion variables to store the certificate IDs for both the source and target environments. During the promotion, the service substitutes the variable value for the certificate ID in the target environment.

The following example illustrates this process:

  1. Create verification certificates in both the source and target environments.

  2. Create a SAML application in the source environment that uses the verification certificate for that environment.

  3. Create a promotion variable for the certificate ID attribute of the SAML application, setting the source environment value to the certificate ID in the source environment and the target environment value to the certificate ID in the target environment.

  4. Promote the SAML application from the source environment to the target environment.

The SAML application in the source environment uses the certificate ID defined in the variable for that environment. The SAML application promoted to the target environment uses the certificate ID defined in the variable for the target environment.

Learn more about certificates in Certificates.
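
The two certificate cases above, and the gap that appears when a non-default certificate has no promotion variable, can be checked with a short model before a promotion is configured. This is an added example, not PingOne code: the certificate IDs, attribute names, and resource layout are constructed, and treating an unmapped reference as an error is this model's choice.

```python
# Constructed model of certificate-reference handling during promotion.
# Not PingOne's API; IDs and attribute names are sample values.

class UnmappedCertificate(Exception):
    """A non-default certificate reference with no promotion variable."""

# Each environment has its own default certificate.
DEFAULT_CERT = {"source": "cert-src-default", "target": "cert-tgt-default"}

# Promotion variables, one per (resource, attribute), holding both values (step 3).
VARIABLES = {
    ("saml-app", "verification_cert_id"):
        {"source": "cert-src-verify", "target": "cert-tgt-verify"},
}

SAML_APP = {"name": "saml-app",
            "certificate_attrs": ("verification_cert_id", "signing_cert_id"),
            "verification_cert_id": "cert-src-verify",
            "signing_cert_id": "cert-src-default"}
PARTNER_APP = {"name": "partner-saml-app",
               "certificate_attrs": ("verification_cert_id",),
               "verification_cert_id": "cert-src-partner"}  # no variable defined

def resolve(resource, attr):
    """Return the certificate ID the promoted copy should reference."""
    cert_id = resource[attr]
    if cert_id == DEFAULT_CERT["source"]:
        return DEFAULT_CERT["target"]      # default certificates map automatically
    variable = VARIABLES.get((resource["name"], attr))
    if variable and variable["source"] == cert_id:
        return variable["target"]          # variable substitution
    raise UnmappedCertificate(f"{resource['name']}.{attr}={cert_id}")

def promote(resource):
    """Copy a resource, rewriting every certificate reference for the target."""
    promoted = dict(resource)
    for attr in resource["certificate_attrs"]:
        promoted[attr] = resolve(resource, attr)
    return promoted

def unmapped_certificates(resources):
    """Pre-promotion check: (resource, attribute, id) references lacking a variable."""
    problems = []
    for res in resources:
        for attr in res["certificate_attrs"]:
            try:
                resolve(res, attr)
            except UnmappedCertificate:
                problems.append((res["name"], attr, res[attr]))
    return problems
```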

User attributes

Individual user attributes are supported for promotion. However, when you promote an application or FIDO policy that references custom user attributes, all schema attributes are added to the promotion plan. You can manually exclude them before you run the promotion.

Learn more in User Attributes.

LDAP gateway

Gateway credentials can’t be promoted or managed using promotion variables. These credentials must be created in each environment after the gateway is promoted.

Learn more in LDAP gateways.