---
title: Managing administrators
description: Instructions for managing administrators from both the CAP and the PingOne Platform.
component: pingoneadvancedservices
page_id: pingoneadvancedservices:task_summary_table:p1as_platform_mng_admins
canonical_url: https://docs.pingidentity.com/pingoneadvancedservices/task_summary_table/p1as_platform_mng_admins.html
revdate: August 29, 2025
page_aliases: ["configuring_connections_for_sso:p1as_config_sso.adoc"]
section_ids:
  _using_cap: Using the Customer Admin Portal
  _signon_cap: Signing on to the CAP
  steps: Steps
  _view_log: Viewing the activity log
  steps-2: Steps
  _mng_admins_cap: Managing administrators using the CAP
  steps-3: Steps
  _using_pingone: Using the PingOne platform
  before-you-begin: Before you begin
  steps-4: Steps
  p1as_custom_attributes: Creating custom user attributes
  steps-5: Steps
  steps-6: Steps
  p1as_create_app: Creating an OIDC application
  steps-7: Steps
  steps-8: Steps
  p1as_idp_config: Configuring the identity provider
  _users_same_env: Users are managed in the same environment that contains the OIDC application
  steps-9: Steps
  _users_diff_env: Users are managed in an environment that doesn't contain the OIDC application
  _task_1: Access the PingOne environment that contains your users
  steps-10: Steps
  _task_2: Access the PingOne environment that contains the OIDC application, which connects to PingOne Advanced Services
  steps-11: Steps
  _task_3: Access the PingOne environment that contains your users
  steps-12: Steps
  _users_another_idp: Users are managed by another identity provider
  _1_access_the_external_identity_provider_environment_that_contains_your_users: Access the external identity provider environment that contains your users
  steps-13: Steps
  _2_access_the_pingone_environment_that_contains_the_oidc_application: Access the PingOne environment that contains the OIDC application
  steps-14: Steps
  _3_access_the_external_identity_provider_environment_that_contains_your_users: Access the external identity provider environment that contains your users
  steps-15: Steps
  p1as_validating_config: Validating the configuration
  steps-16: Steps
  p1as_submit_request: Submitting a service request
  steps-17: Steps
  p1as_postman_config: Configuring Postman
  steps-18: Steps
  p1as_download_postman: Download the Postman collection
  steps-19: Steps
  p1as_troubleshooting: Troubleshooting
  p1as_environment: Users are managed in a PingOne environment
  steps-20: Steps
  steps-21: Steps
  p1as_external_environment: Users are managed by an external identity provider
  about-this-task: About this task
  steps-22: Steps
  p1as_admin_role_mappings: User access control roles
  section_gjg_jyc_qcc: P1AS Argo CD roles
  section_c2s_gyc_qcc: P1AS Grafana roles
  section_cqm_2yc_qcc: P1AS OpenSearch roles
  section_arb_byc_qcc: P1AS PingAccess roles
  section_l5t_xxc_qcc: P1AS PingFederate roles
  section_yrw_sxc_qcc: P1AS Prometheus roles
  section_yrw_sxc_xxx: P1AS Self-Service roles
---

# Managing administrators

PingOne Advanced Services administrators can be managed using one or both of the following applications:

* **[Using the Customer Admin Portal (CAP)](#_using_cap)**: If you use the CAP, Ping Identity manages the roles and permissions your administrators are assigned. If you need to modify the permissions your administrators have, submit a service request through the [Support Portal](https://support.pingidentity.com/s/).

* **[Using the PingOne Platform](#_using_pingone)**: If you use the PingOne Platform, you can manage the roles and permissions your administrators are assigned. PingOne must be integrated with your identity provider (IdP) or your identities must be hosted in PingOne.

Using the CAP is the default, but using the PingOne Platform gives you more flexibility and allows you to manage the entire identity lifecycle for your administrators yourself. You are in control of provisioning to deprovisioning, and all the steps in between.

The way you choose to manage your administrators applies to your entire PingOne Advanced Services instance. Administrator access to your environments is controlled by the roles they're assigned. Learn more about these roles in [User access control roles](#p1as_admin_role_mappings).

## Using the Customer Admin Portal

When using the Customer Admin Portal (CAP) to manage users, you can view a list of your administrators, add and remove administrators from the system, and update their information any time it changes.

However, note that you cannot change the roles and permissions assigned to your administrators yourself. If you need to modify the permissions your administrators have, submit a service request through the [Support Portal](https://support.pingidentity.com/s/).

Learn more:

* [Signing on to the CAP](#_signon_cap)

* [Viewing the activity log](#_view_log)

* [Managing administrators using the CAP](#_mng_admins_cap)

### Signing on to the CAP

To sign on to the CAP, click the link you are provided. If this is the first time you've signed on, you'll need to complete these steps to authenticate. If you've signed on before, you'll only be prompted to enter your username and password to authenticate.

#### Steps

1. On the sign-on screen, enter your username in the **Username** field.

2. Click **Forgot Password** and then **Submit**.

   You are emailed a password reset code to complete the multi-factor authentication process.

3. Enter the recovery code in the **Recovery Code** field and create a new password. Enter the new password in the **Enter New Password** and **Verify New Password** fields and click **Save**.

4. The first time you sign on, you will be prompted to read the End User License Agreement (EULA). Review this agreement and click **Accept** to continue.

   The system displays a green check mark when your authentication is complete. The dashboard opens and displays information about your environments, as shown in the following example. You will likely not see any environments listed the first time you log into the platform.

   In the future, if you forget your password or want to reset it, repeat this process.

### Viewing the activity log

The activity log displays information about administrator sign-ons to the CAP.

#### Steps

1. To view the activity log, click **Activity Log** on the left side of the page.

   This log provides a timestamp of the date and time the activity occurred, the environment or user affected, the action taken, and the user who performed the action.

   ![Example of the platform activity log, which displays the timestamp, the environment affected, the action taken, and the name of the user who performed the action.](_images/coq1580247519167.png)

2. Use this information to troubleshoot sign-on issues.

### Managing administrators using the CAP

If you are an administrator, you can view a list of administrators who share the same customer with you, add and remove additional administrators from the system, and update their information any time it changes.

#### Steps

1. To add a new administrator:

   1. To access the **Administrators** page, click **Administrators**.

      You see a list of the administrators with whom you share customers. Clicking the expandable icon associated with each administrator reveals their first and last names, contact phone number, contact email address, and role.

   2. To add an administrator, click **Add Administrator**.

   3. Enter the new administrator's first name, last name, phone number, and email address in the appropriate fields and click **Save**.

      The resulting text provides new administrators with the sign-on URL, their username, and instructions for using a recovery code to complete the initial sign-on process. The new user's username is automatically created and cannot be changed.

      If the new administrator is not authorized to access customer information, or if the new administrator has the same first and last name as another administrator for the same customer, you can't add the new administrator to the system.

   4. To inform the new IAM administrator that you have provisioned their account, copy and paste the text into an email and send it to the new administrator.

2. To edit an administrator's information or your own:

   1. Click the **Pencil** icon.

      All the editable information, which is obtained from the PingOne database, shows on one page.

   2. Update this information as necessary and click **Save**.

   3. Inform the administrator that you updated the information.

3. To delete an administrator, click its associated **Delete** icon.

   > **Note:** If you delete an administrator from the platform, they will not be able to sign on to the PingFederate or PingAccess consoles. You cannot delete yourself.

   The administrator is removed from the platform and the PingOne database.

## Using the PingOne platform

With the PingOne platform, you can manage the roles and permissions your administrators are assigned yourself. But before you can access the platform, you'll need to connect your PingOne environment to your PingOne Advanced Services environment.

> **Note:** PingOne Advanced Services version 1.19.1 or later is required to configure a connection to PingOne.

### Before you begin

Ensure that:

* Your PingOne environment is provisioned.

* You have administrator credentials to sign on to the environment.

* You have the region domain and environment ID for the PingOne Advanced Services environment, which you can get from your Ping Identity team members.

### Steps

1. [Create custom attributes](#p1as_custom_attributes) to authenticate users when they sign on.

2. [Create an OIDC application](#p1as_create_app) and configure it to connect the PingOne environment to the PingOne Advanced Services environment.

3. [Configure the identity provider](#p1as_idp_config). There are a variety of ways the identity provider (IdP) can be configured.

   Users can be managed:

   1. In the same PingOne environment that contains the OIDC application connection to PingOne Advanced Services, which is the default.

   2. In a PingOne environment that does not contain the OIDC application connection.

   3. By another identity provider that uses OIDC.

4. If you have the Postman application, you can [validate the configuration](#p1as_validating_config) by running a Postman collection.

5. [Submit a service request](#p1as_submit_request) to the Support and Professional Services teams to provide them with details regarding the OIDC application and the name that should display when users sign on.

> **Note:** If users report that they can't access the admin consoles, see [Troubleshooting](#p1as_troubleshooting), which provides step-by-step instructions for troubleshooting the connections.

### Creating custom user attributes

Create custom user attributes that you will use to authenticate users. You can use the **P1AS Customer Tenant Configuration Postman** collection, or add the attributes manually.

If you're using Postman:

#### Steps

1. Navigate to the first step in the collection: **P1AS Customer Tenant Configuration** > **Tenant Configuration** > **Step 1. Create User Custom Attributes**.

2. Drag and drop the step into the **Run order** window.

3. Click **Run** and determine if issues exist.

If you're creating attributes manually:

#### Steps

1. Go to **Directory** > **User Attributes**.

2. Click the **+** icon, select **Declared** as the attribute type, and click **Next**.

3. Add the **ArgoCD** attribute:

   1. In the **Name** field, enter `P1ASArgoCDRoles`.

   2. In the **Display Name** field, enter `P1AS ArgoCD Roles`.

   3. In the **Description** field, enter `P1AS app roles for ArgoCD`.

   4. Select the **Allow multiple values** option.

   5. Select the **Enumerated values** option and enter `argo-configteam` in the corresponding field.

   6. Click **Save**.

4. Add the **Grafana** attribute:

   1. In the **Name** field, enter `P1ASGrafanaRoles`.

   2. In the **Display Name** field, enter `P1AS Grafana Roles`.

   3. In the **Description** field, enter `P1AS app roles for Grafana`.

   4. Select the **Allow multiple values** option.

   5. Select the **Enumerated values** option and enter the appropriate administrative role attribute mappings for each of your environments. You can find a complete list of available roles in [Grafana roles](#section_c2s_gyc_qcc).

      For example, if you want to provide Grafana editor access to the development environment, enter `dev-graf-editor` in the corresponding field. To set it up for production and staging environments, enter `prod-graf-editor` and `stage-graf-editor`.

   6. Click **Save**.

5. Add the **OpenSearch** attribute:

   1. In the **Name** field, enter `p1asOpensearchRoles`.

   2. In the **Display Name** field, enter `P1AS Opensearch Roles`.

   3. In the **Description** field, enter `P1AS app roles for Opensearch`.

   4. Select the **Allow multiple values** option.

   5. Select the **Enumerated values** option and enter `os-configteam` in the corresponding field.

   6. Click **Save**.

6. Add the **PingAccess** attribute:

   1. In the **Name** field, enter `P1ASPingAccessRoles`.

   2. In the **Display Name** field, enter `P1AS PingAccess Roles`.

   3. In the **Description** field, enter `P1AS app roles for PingAccess`.

   4. Select the **Allow multiple values** option.

   5. Select the **Enumerated values** option and enter the appropriate administrative role attribute mappings for each of your environments.

      You can find a complete list of available roles in [PingAccess roles](#section_arb_byc_qcc).

      For example, if you want to provide PingAccess admin access to the development environment, enter `dev-pa-admin` in the corresponding field. To set it up for production and staging environments, enter `prod-pa-admin` and `stage-pa-admin`.

   6. Click **Save**.

7. Add the **PingFederate** attribute:

   1. In the **Name** field, enter `P1ASPingFederateRoles`.

   2. In the **Display Name** field, enter `P1AS PingFederate Roles`.

   3. In the **Description** field, enter `P1AS app roles for PingFederate`.

   4. Select the **Allow multiple values** option.

   5. Select the **Enumerated values** option and enter the appropriate administrative role attribute mappings for each of your environments.

      You can find a complete list of available roles in [PingFederate roles](#section_l5t_xxc_qcc).

      For example, if you want to provide PingFederate audit access to the development environment, enter `dev-pf-audit` in the corresponding field. To set it up for production and staging environments, enter `prod-pf-audit` and `stage-pf-audit`.

   6. Click **Save**.

8. Add the **Prometheus** attribute:

   1. In the **Name** field, enter `P1ASPrometheusRoles`.

   2. In the **Display Name** field, enter `P1AS Prometheus Roles`.

   3. In the **Description** field, enter `P1AS app roles for Prometheus`.

   4. Select the **Allow multiple values** option.

   5. Select the **Enumerated values** option and enter `prom` in the corresponding field.

   6. Click **Save**.

9. Add the **Self-Service** attribute:

   1. In the **Name** field, enter `p1asSelfServiceRoles`.

   2. In the **Display Name** field, enter `P1AS Self-Service Roles`.

   3. In the **Description** field, enter `P1AS app roles for Self-Service`.

   4. Select the **Allow multiple values** option.

   5. Select the **Enumerated values** option and enter the appropriate administrative role attribute mappings for each of your environments.

      You can find a complete list of available roles in [Self-Service roles](#section_yrw_sxc_xxx).

      For example, if you want to provide TLS self-service admin access to the development environment, enter `dev-tls-admin` in the corresponding field. To set it up for production and staging environments, enter `prod-tls-admin` and `stage-tls-admin`.

   6. Click **Save**.

### Creating an OIDC application

Now, create an OpenID Connect (OIDC) application and configure it to connect the PingOne environment to the PingOne Advanced Services environment.

You can use the **P1AS Customer Tenant Configuration Postman collection** or create the application manually.

If you're using Postman:

#### Steps

1. Go to the second step in the collection: **P1AS Customer Tenant Configuration** > **Tenant Configuration** > **Step 2. Create OIDC Application**.

2. Drag and drop the step into the **Run order** window.

3. Click **Run** and determine if issues exist.

4. Add an MFA (multi-factor authentication) policy to the application. You can find instructions in [Adding an MFA policy](https://docs.pingidentity.com/pingone/authentication/p1_creating_an_mfa_policy.html) in the PingOne documentation.

   > **Note:** Adding this additional layer of security is highly recommended if your users are created and stored in your PingOne environment. If your users are created and stored in an external IdP, we recommend configuring an MFA policy in the third-party OIDC application that's connected to the external IdP.

If you're creating the application manually:

#### Steps

1. In the PingOne admin console, go to **Applications** > **Applications**.

2. Click the **+** icon.

3. Complete the following fields:

   * **Application Name**: Enter the name of the application.

   * **Description**: Enter a meaningful description for the application.

   * **Application Type**: Select **OIDC Web App**.

4. Click **Save**.

5. On the **Configuration** tab, enter the appropriate URL in the **Redirect URIs** field using the following format:

   `https://auth.pingone.com/<REGION_ID>/rp/callback/openid_connect`

   Use the **REGION\_ID** provided by your Ping Identity team members.

6. Click **Save**.

7. Add a multi-factor authentication (MFA) policy to the application. Learn more in [Adding an MFA policy](https://docs.pingidentity.com/pingone/authentication/p1_creating_an_mfa_policy.html) in the PingOne documentation.

   > **Note:** Adding this additional layer of security is highly recommended if your users are created and stored in your PingOne environment. If your users are created and stored in an external IdP, we recommend configuring an MFA policy in the third-party OIDC application that is connected to the external IdP.

8. On the **Attribute Mappings** tab, enter the following mappings:

   ```
   "sub" = "User ID"
   "email" = "Email Address"
   "familyName" = "Family Name"
   "givenName" = "Given Name"
   "username" = "Username"
   "p1asArgoCDRoles" = "P1AS ArgoCD Roles"
   "p1asGrafanaRoles" = "P1AS Grafana Roles"
   "p1asOpensearchRoles" = "P1AS Opensearch Roles"
   "p1asPingAccessRoles" = "P1AS PingAccess Roles"
   "p1asPingFederateRoles" = "P1AS PingFederate Roles"
   "p1asPrometheusRoles" = "P1AS Prometheus Roles"
   "p1asSelfServiceRoles" = "P1AS Self-Service Roles"
   ```

9. Click **Save** and click the toggle switch to enable the application.
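The custom attributes created in the previous section and the claim mappings in step 8 have to agree with each other, and the role values assigned to users have to stay within the enumerated values. The following Python script is an added example (not Ping Identity's code and not the Postman collection) that models both from this page and audits a constructed sample user; the user `jdoe` and the `qa` environment prefix are constructed for illustration.

```python
"""Offline consistency check for the P1AS role attributes and OIDC claim mappings.

Added example, not Ping Identity's code or its Postman collection. It models the
custom attributes from "Creating custom user attributes" and the claim mappings
from "Creating an OIDC application", then audits a constructed sample user for
role values outside the enumerated values and for production-scoped roles.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any

# Environment prefixes used by the page's examples (dev-graf-editor, prod-pa-admin, ...).
ENVIRONMENTS = ("dev", "stage", "prod")


@dataclass(frozen=True)
class RoleAttribute:
    name: str                                 # attribute name in PingOne
    display_name: str                         # display name, the target of the OIDC claim mapping
    fixed_values: tuple[str, ...] = ()        # environment-independent enumerated values
    per_env_suffixes: tuple[str, ...] = ()    # values that exist once per environment

    def enumerated_values(self) -> frozenset[str]:
        """Every value the attribute may hold, mirroring the 'Enumerated values' option."""
        scoped = {f"{env}-{suffix}" for env in ENVIRONMENTS for suffix in self.per_env_suffixes}
        return frozenset(self.fixed_values) | frozenset(scoped)


# Definitions from steps 3-9 of "Creating custom user attributes". The per-environment
# suffixes are only the examples the page gives; the full role lists are in
# "User access control roles".
ATTRIBUTES = (
    RoleAttribute("p1asArgoCDRoles", "P1AS ArgoCD Roles", fixed_values=("argo-configteam",)),
    RoleAttribute("p1asGrafanaRoles", "P1AS Grafana Roles", per_env_suffixes=("graf-editor",)),
    RoleAttribute("p1asOpensearchRoles", "P1AS Opensearch Roles", fixed_values=("os-configteam",)),
    RoleAttribute("p1asPingAccessRoles", "P1AS PingAccess Roles", per_env_suffixes=("pa-admin",)),
    RoleAttribute("p1asPingFederateRoles", "P1AS PingFederate Roles", per_env_suffixes=("pf-audit",)),
    RoleAttribute("p1asPrometheusRoles", "P1AS Prometheus Roles", fixed_values=("prom",)),
    RoleAttribute("p1asSelfServiceRoles", "P1AS Self-Service Roles", per_env_suffixes=("tls-admin",)),
)
BY_NAME = {attr.name: attr for attr in ATTRIBUTES}

# The "Attribute Mappings" block from step 8 of the OIDC application: claim -> attribute.
OIDC_CLAIM_MAPPINGS = {
    "sub": "User ID",
    "email": "Email Address",
    "familyName": "Family Name",
    "givenName": "Given Name",
    "username": "Username",
    "p1asArgoCDRoles": "P1AS ArgoCD Roles",
    "p1asGrafanaRoles": "P1AS Grafana Roles",
    "p1asOpensearchRoles": "P1AS Opensearch Roles",
    "p1asPingAccessRoles": "P1AS PingAccess Roles",
    "p1asPingFederateRoles": "P1AS PingFederate Roles",
    "p1asPrometheusRoles": "P1AS Prometheus Roles",
    "p1asSelfServiceRoles": "P1AS Self-Service Roles",
}


def missing_claim_mappings(mappings: dict[str, str]) -> list[str]:
    """Role attributes the OIDC application never emits as a claim.

    A role that is set on the user but not mapped into the token is invisible to
    the downstream console, so the administrator silently gets no access.
    """
    mapped_targets = set(mappings.values())
    return [attr.name for attr in ATTRIBUTES if attr.display_name not in mapped_targets]


def audit_user(user: dict[str, Any]) -> dict[str, list[str]]:
    """Audit one user's role attributes (multi-valued, so lists of strings).

    'unknown' lists attributes or values that do not match the enumerated
    definitions (a typo, or an environment name that was never defined);
    'prod' lists every production-scoped role, the ones to review most closely.
    """
    findings: dict[str, list[str]] = {"unknown": [], "prod": []}
    for key, values in user.items():
        if not key.lower().startswith("p1as"):
            continue                                   # profile attribute, not a role
        attr = BY_NAME.get(key)
        if attr is None:
            findings["unknown"].append(f"{key} (attribute not defined)")
            continue
        allowed = attr.enumerated_values()
        for value in values:
            if value not in allowed:
                findings["unknown"].append(f"{key}={value}")
            elif value.startswith("prod-"):
                findings["prod"].append(f"{key}={value}")
    return findings


# Constructed sample user: 'qa' is not one of the environments defined above.
SAMPLE_USER = {
    "username": "jdoe",
    "p1asGrafanaRoles": ["dev-graf-editor", "qa-graf-editor"],
    "p1asPingAccessRoles": ["prod-pa-admin"],
    "p1asPrometheusRoles": ["prom"],
}

if __name__ == "__main__":
    print("unmapped role attributes:", missing_claim_mappings(OIDC_CLAIM_MAPPINGS))
    print("findings for", SAMPLE_USER["username"], audit_user(SAMPLE_USER))
```

Run the same audit over an export of your administrators before submitting the service request, so that drifted role values and unmapped attributes are caught while the connection is still being set up.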

### Configuring the identity provider

There are a variety of ways the identity provider can be configured:

* [Users are managed in the same environment that contains the OIDC application](#_users_same_env) that connects to PingOne Advanced Services.

* [Users are managed in an environment that doesn't contain the OIDC application](#_users_diff_env).

* [Users are managed by another identity provider](#_users_another_idp).

#### Users are managed in the same environment that contains the OIDC application

In this configuration, which is the default, users are managed in the same environment as the OIDC application, which connects to PingOne Advanced Services, as shown in the diagram.

![Diagram of the default network configuration.](_images/Default_config.jpeg)

If you have this type of configuration, most of your work is done.

#### Steps

1. First, [submit a service request](#p1as_submit_request) to the Support and Professional Services teams to provide them with details regarding the OIDC application and the name that should display when users sign on.

2. Then, you can begin adding users to this environment and assigning roles. You can find a complete list of PingOne Advanced Services attribute mappings for each administrator role and the permissions each role is assigned in [User access roles](#p1as_admin_role_mappings).

#### Users are managed in an environment that doesn't contain the OIDC application

In this configuration, users are managed in a PingOne environment that doesn't contain the OIDC application that connects to PingOne Advanced Services, as shown in the diagram.

![Diagram of a network where users are managed in an environment that doesn't contain the OIDC application.](_images/xjp1725570970429.jpg)

If you have this type of configuration, you need to configure a connection from the environment containing your users to the environment containing the OIDC application that connects to PingOne Advanced Services.

To set this up, you'll need to:

1. [Access the PingOne environment that contains your users](#_task_1).

2. [Access the PingOne environment that contains the OIDC application](#_task_2), which connects to PingOne Advanced Services.

3. [Access the PingOne environment that contains your users](#_task_3) and complete the process.

##### Access the PingOne environment that contains your users

##### Steps

1. Ensure that the custom user attributes are defined, as described in [Creating custom user attributes](#p1as_custom_attributes).

2. Create a new OIDC application to connect these environments. Learn how to create this application in [Creating an OIDC application](#p1as_create_app).

3. Copy and save the application client ID, client secret, and OIDC Discovery Endpoint URL, which you'll need to provide in the next task.

##### Access the PingOne environment that contains the OIDC application, which connects to PingOne Advanced Services

##### Steps

1. Access the appropriate PingOne environment.

2. Create an external IdP to configure a connection to the user environment:

   1. Go to **Integrations** > **External IdPs**.

   2. Click **+ Add Provider**.

   3. Click **OpenID Connect**.

   4. On the **Create Profile** page, enter the following:

      * **Name**: A unique identifier for the IdP.

      * **Description** (optional): A brief description of the IdP.

      * **Icon** (optional): An image to represent the identity provider. Use a 90 x 90 pixel image in JPG, JPEG, GIF, or PNG format, up to 1 MB.

      * **Login button** (optional): An image to use for the login button displayed to the end user. Use a 300 x 42 pixel image.

   5. Click **Continue**.

   6. Enter the connection and discovery details you copied and saved in step 3 of the previous task:

      * **Client ID**: Enter the client ID for the OIDC application you just created.

      * **Client secret**: Enter the client secret generated for the OIDC application.

      * **Discovery document URI**: Enter the OIDC Discovery Endpoint URL from the OIDC application, and then click **Use Discovery document** to populate the remaining settings. Learn more in [Discovery document URI](https://docs.pingidentity.com/pingone/integrations/p1_discovery_document_uri.html) in the PingOne documentation.

   7. Click **Save and Continue**.

   8. On the **Map Attributes** page, enter the following mappings:

      ```
      "Username" = "providerAttributes.username"
      "External ID" = "providerAttributes.sub"
      "Email" = "providerAttributes.email"
      "Family Name" = "providerAttributes.familyName"
      "Given Name" = "providerAttributes.givenName"
      "P1AS ArgoCD Roles" = "providerAttributes.p1asArgoCDRoles"
      "P1AS Grafana Roles" = "providerAttributes.p1asGrafanaRoles"
      "P1AS Opensearch Roles" = "providerAttributes.p1asOpensearchRoles"
      "P1AS PingAccess Roles" = "providerAttributes.p1asPingAccessRoles"
      "P1AS PingFederate Roles" = "providerAttributes.p1asPingFederateRoles"
      "P1AS Prometheus Roles" = "providerAttributes.p1asPrometheusRoles"
      "P1AS Self-Service Roles" = "providerAttributes.p1asSelfServiceRoles"
      ```

   9. Click **Save and Finish**.

   10. Locate the new external IdP in the list, expand it, and click the **Connections** tab.

   11. Copy and save the **Callback URL** to use in a later step.

   12. Click the toggle switch to enable the application.

3. Create an authentication policy for the external IdP:

   1. Go to **Authentication** > **Authentication**.

   2. Click **+ Add Policy**.

   3. Enter a policy name.

   4. In the **Step Type** list, select **External identity provider**.

   5. In the **External identity provider** list, select the external provider you just configured and click **Save**.

4. Add the authentication policy to the OIDC application:

   1. Go to **Applications** > **Applications**, and select the OIDC application you created in the previous step.

   2. Select the **Policies** tab and click **+ Add Policies**.

   3. Select the authentication policy you created in the previous step and click **Save**.

##### Access the PingOne environment that contains your users

##### Steps

1. Go to **Applications** > **Applications** and select the new OIDC application.

2. Click the **Configuration** tab and then click the **Pencil** icon.

3. In the **Redirect URIs** field, enter the **Callback URL** you copied and saved in the previous task and click **Save**.

4. [Submit a service request](#p1as_submit_request) to the Support and Professional Services teams to provide them with details regarding the OIDC application and the name that should display when users sign on.

5. Now, you can begin adding users to this environment and assigning roles. You can find a complete list of PingOne Advanced Services attribute mappings for each administrator role and the permissions each role is assigned in [User access control roles](#p1as_admin_role_mappings).

#### Users are managed by another identity provider

In this configuration, users are managed in an OIDC identity provider external to PingOne, as shown in the diagram.

![Diagram of a network where users are managed by another identity provider.](_images/wwb1725578119767.jpg)

If you have this type of configuration, you must configure a connection from the external identity provider that manages your users to the PingOne environment that contains the OIDC application that connects PingOne to PingOne Advanced Services.

To set this up, you must:

1. [Access the external identity provider environment that contains your users](#_1_access_the_external_identity_provider_environment_that_contains_your_users).

2. [Access the PingOne environment that contains the OIDC application](#_2_access_the_pingone_environment_that_contains_the_oidc_application).

3. [Access the external identity provider environment that contains your users](#_3_access_the_external_identity_provider_environment_that_contains_your_users) and complete the process.

##### Access the external identity provider environment that contains your users

##### Steps

1. Ensure that the custom user attributes are defined in the external identity provider as described in [Creating custom attributes](#p1as_custom_attributes).

2. Create a new OIDC application to connect these environments. Learn more about creating and configuring an OIDC application in your external identity provider's documentation.

   1. Ensure the following configuration is set:

      * The **Response Type** is **Code**.

      * The **Grant Type** is **Authorization Code**.

      * The **Token Auth Method** is **Client Secret Basic**.

   2. Add a multi-factor authentication (MFA) policy to the application. Refer to your external identity provider documentation for instructions on adding an MFA policy.

   3. Ensure the following attribute mappings are set:

      ```
      "sub" = "User ID"
      "email" = "Email Address"
      "familyName" = "Family Name"
      "givenName" = "Given Name"
      "username" = "Username"
      "p1asArgoCDRoles" = "P1AS ArgoCD Roles"
      "p1asGrafanaRoles" = "P1AS Grafana Roles"
      "p1asOpensearchRoles" = "P1AS Opensearch Roles"
      "p1asPingAccessRoles" = "P1AS PingAccess Roles"
      "p1asPingFederateRoles" = "P1AS PingFederate Roles"
      "p1asPrometheusRoles" = "P1AS Prometheus Roles"
      "p1asSelfServiceRoles" = "P1AS Self-Service Roles"
      ```

   4. Copy and save the application client ID, client secret, and OIDC Discovery Endpoint URL, which you'll need to provide in the next step.

##### Access the PingOne environment that contains the OIDC application

##### Steps

1. Access the appropriate PingOne environment.

2. Create an external IdP to configure a connection to the user environment:

   1. Go to **Integrations** > **External IdPs**.

   2. Click **+ Add Provider**.

   3. Click **OpenID Connect**.

   4. On the **Create Profile** page, enter the following:

      * **Name**: A unique identifier for the IdP.

      * **Description** (optional): A brief description of the IdP.

      * **Icon** (optional): An image to represent the identity provider. Use a 90 x 90 pixel image in JPG, JPEG, GIF, or PNG format, up to 1 MB.

      * **Login button** (optional): An image to use for the login button displayed to the end user. Use a 300 x 42 pixel image.

   5. Click **Continue**.

   6. Enter the connection and discovery details you copied and saved in step 2 of the previous task:

      * **Client ID**: Enter the client ID for the OIDC application you just created.

      * **Client secret**: Enter the client secret generated for the OIDC application.

      * **Discovery document URI:** Enter the OIDC Discovery Endpoint URL from the OIDC application, and then click **Use Discovery document** to populate the remaining settings. Learn more in [Discovery document URI](https://docs.pingidentity.com/pingone/integrations/p1_discovery_document_uri.html) in the PingOne documentation.

   7. Click **Save and Continue**.

   8. On the **Map Attributes** page, enter the following mappings:

      ```
      "Username" = "providerAttributes.username"
      "External ID" = "providerAttributes.sub"
      "Email" = "providerAttributes.email"
      "Family Name" = "providerAttributes.familyName"
      "Given Name" = "providerAttributes.givenName"
      "P1AS ArgoCD Roles" = "providerAttributes.p1asArgoCDRoles"
      "P1AS Grafana Roles" = "providerAttributes.p1asGrafanaRoles"
      "P1AS Opensearch Roles" = "providerAttributes.p1asOpensearchRoles"
      "P1AS PingAccess Roles" = "providerAttributes.p1asPingAccessRoles"
      "P1AS PingFederate Roles" = "providerAttributes.p1asPingFederateRoles"
      "P1AS Prometheus Roles" = "providerAttributes.p1asPrometheusRoles"
      "P1AS SelfService Roles" = "providerAttributes.p1asSelfServiceRoles"
      ```

   9. Click **Save and Finish**.

   10. Locate the new external IdP in the list, expand it, and click on the **Connections** tab.

   11. Copy and save the **Callback URL** to use in a later step.

   12. Click the toggle at the top of the details panel to enable the external IdP.

3. Create an authentication policy for the external IdP:

   1. Go to **Authentication** > **Authentication**.

   2. Click **[icon: plus, set=fa]Add Policy**.

   3. Enter a policy name.

   4. From the **Step Type** list, select **External identity provider**.

   5. From the **External identity provider** list, select the external provider you just configured and click **Save**.

4. Add an authentication policy to the OIDC application:

   1. Go to **Applications** > **Applications**, and select the OIDC application that connects to PingOne Advanced Services.

   2. Select the **Policies** tab and click **[icon: plus, set=fa]Add Policies**.

   3. Select the authentication policy you created in the previous step and click **Save**.

##### Access the external identity provider environment that contains your users

##### Steps

1. Go to the OIDC application in the external identity provider that you created and add the **Callback URL** you copied and saved in the previous task to the Redirect URIs. Register the URL exactly as copied, because OpenID Connect requires the redirect URI in the authorization request to match a registered value exactly. Learn more about setting the redirect URIs of the OIDC application in your external identity provider's documentation.

2. [Submit a service request](#p1as_submit_request) to the Support and Professional Services teams to provide them with details regarding the OIDC application and the name that should display when users sign on.

3. Now, you can begin adding users to this environment and assigning roles. You can find a complete list of these roles and their permissions in [User access control roles](#p1as_admin_role_mappings).

### Validating the configuration

If you have Postman, you can validate the configuration by running Postman collections.

To validate the custom user attributes that you created:

#### Steps

1. Navigate to the following folder:

   **P1AS Customer Tenant Configuration** > **Tenant Validation** > **Validate User Attributes**.

2. Drag and drop the step into the **Run order** window.

3. Click **Run** and determine if issues exist.

To validate the OIDC application that you created:

#### Steps

1. Navigate to the following folder:

   **P1AS Customer Tenant Configuration** > **Tenant Validation** > **Validate OIDC application**.

2. Drag and drop the step into the **Run order** window.

3. Click **Run** and determine if issues exist.

### Submitting a service request

To complete the connection, submit a service request through the [Support Portal](https://support.pingidentity.com/s/).

#### Steps

1. Complete the following fields:

   * **Subject**: Enter a description of your request, including the action to be taken.

   * **Environment Type**: Specify the type of environment affected by this request.

   * **Proposed Change Window**: Specify the dates or times in which you want the work complete.

2. In the **Capability** list, select **Advanced/Other**.

3. In the **Business Priority** list, select the appropriate description:

   * Change needed by deadline to avoid business impact

   * Change modifies existing functionality

   * Change adds new functionality

4. In the **Description** field, provide the following information regarding the OIDC application you created:

   * The **Client ID**, which displays on the **OIDC application Overview** page.

     |   |                                                                                                                                                                                         |
     | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
     |   | Don't provide the client secret in the service request. When our Support team receives the request, they'll provide you with a secure link that you can use to share the client secret. |

   * The **Issuer URL**, which displays on the **OIDC application Configuration** page, in the URLs section.

   * The **Display Name**, which is the name that you want displayed to your users when they sign on, as shown here.

   ![Screen capture of a sign-on page.](_images/mqo1725582273226.jpg)

5. If you are tracking your request within your organization, enter the tracking ID or ticket number associated with it in the **Customer Tracking ID** field.

6. To submit your request, click **Save**.

### Configuring Postman

If you plan to use Postman to configure your connections, you'll need to ensure that several collection variables are set and that Postman is correctly configured. You'll also need to download the collection. Learn more in [Download the Postman collection](#p1as_download_postman).

#### Steps

1. Add the API domain for your PingOne region to the collection variable *apiPath*, and then add the auth domain for the region to the collection variable *authPath*. Learn more in [API requests](https://apidocs.pingidentity.com/pingone/main/v1/api/#api-requests) in the PingOne Developers documentation.

2. Get an access token from a worker application. You can use an existing worker application or create a new one.

   Either way, ensure that the **Environment Admin** and **Client Application Developer** roles are assigned. Scope those roles to the environments the collection will modify rather than to the whole organization, and treat the worker application's client secret as an administrator credential. Learn more in [Create an admin Worker app connection](https://apidocs.pingidentity.com/pingone/tutorial/v1/api/#create-an-admin-worker-app-connection) in the PingOne Developers documentation.

   Then, get the token. Learn more in [Get a PingOne admin access token](https://apidocs.pingidentity.com/pingone/tutorial/v1/api/#post-step-1-get-a-pingone-admin-access-token) in the PingOne Developers documentation.

   To get a token from a different worker application in a different sandbox environment, run the token request endpoint using the client ID and client secret of the worker application to authenticate the request. Learn more in [Worker applications](https://apidocs.pingidentity.com/pingone/main/v1/api/#worker-applications) in the PingOne Developers documentation.

   Add the access token to the collection variable *accessToken*. Worker access tokens are short-lived, so repeat the token request when collection runs start failing with `401 Unauthorized`.

3. Choose the PingOne environment that will act as the OIDC identity provider, which will connect to the PingOne Advanced Services environment.

4. Add the environment ID to the collection variable *envID*.

5. Request the region domain and environment ID for your primary region from PingOne Advanced Services.

6. Add the auth domain for the PingOne Advanced Services environment to the collection variable *p1asAuthPath*.

7. Add the environment ID for the PingOne Advanced Services tenant to the collection variable *p1asEnvID*.
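The token request in step 2 is a standard OAuth 2.0 client-credentials call. The following script is an added example, not Ping Identity's or Postman's code: it builds the request a worker application sends, checks the response before the token is pasted into *accessToken*, and reads the secret from the environment so it never lands in the collection. It assumes the PingOne token endpoint form `{authPath}/{envID}/as/token` with the client_secret_basic method from the linked PingOne API docs; the environment variable names, client ID, secret and JSON responses are constructed for the example.

```python
"""Obtain a PingOne worker-app access token for the Postman collection variable accessToken.

Added example, not Ping Identity's code. Assumes the token endpoint {authPath}/{envID}/as/token
and client_secret_basic authentication; the P1_* environment variable names are assumptions."""
import base64
import json
import os
import time
import urllib.error
import urllib.request
from urllib.parse import quote, urlencode


def build_worker_token_request(auth_path, env_id, client_id, client_secret):
    """Return the POST the worker app sends: client_secret_basic, grant_type=client_credentials."""
    # RFC 6749 section 2.3.1: form-encode the ID and secret before joining and base64-encoding them.
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return {
        "url": f"{auth_path.rstrip('/')}/{env_id}/as/token",
        "headers": {
            "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": "client_credentials"}),
    }


def token_response_problem(data):
    """Return why a decoded token response can't be used, or None if it can."""
    if "error" in data:
        return f"{data['error']}: {data.get('error_description', 'no description')}"
    if str(data.get("token_type", "")).lower() != "bearer":
        return "token_type is not Bearer"
    if not data.get("access_token"):
        return "access_token missing"
    return None


def parse_token_response(body_text, now=None):
    """Return (access_token, expires_at_epoch_seconds); raise ValueError on an unusable response."""
    data = json.loads(body_text)
    problem = token_response_problem(data)
    if problem:
        raise ValueError("token request failed: " + problem)
    now = time.time() if now is None else now
    return data["access_token"], now + int(data.get("expires_in", 0))


def fetch_worker_token(auth_path, env_id, client_id, client_secret):
    """Send the request over the network and return (access_token, expires_at)."""
    req = build_worker_token_request(auth_path, env_id, client_id, client_secret)
    http_req = urllib.request.Request(
        req["url"], data=req["body"].encode(), headers=req["headers"], method="POST"
    )
    try:
        with urllib.request.urlopen(http_req, timeout=10) as resp:
            body = resp.read().decode()
    except urllib.error.HTTPError as err:
        # An OAuth error (for example invalid_client) comes back as JSON with a 4xx status.
        body = err.read().decode()
    return parse_token_response(body)


if __name__ == "__main__":
    # Keep the secret out of the collection and out of shell history: read it from the environment.
    token, expires_at = fetch_worker_token(
        os.environ["P1_AUTH_PATH"],  # the auth domain for your region, same value as authPath
        os.environ["P1_ENV_ID"],  # same value as envID
        os.environ["P1_WORKER_CLIENT_ID"],
        os.environ["P1_WORKER_CLIENT_SECRET"],
    )
    print(f"accessToken={token}  (expires in {int(expires_at - time.time())}s)")
```

Paste the printed token into *accessToken* and note the expiry; the `expires_in` value in the response is the only reliable signal of when the collection will start receiving `401` responses.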

#### Download the Postman collection

There are two different methods you can use to retrieve a Postman collection into your workspace:

1. Fork the collection into your workspace. The Postman application retains an association between the source and your fork. If Ping Identity changes the source collection, you can pull those changes into the fork in your workspace.

2. Import the collection into your workspace. This is a one-time transfer and retains no association to the source collection.

To retrieve the collection:

#### Steps

1. Click **Run in Postman**.

   [Run in Postman](https://god.gw.postman.com/run-collection/18568624-17510248-4436-4472-b5aa-f32201839338?action=collection%2Ffork\&source=rip_markdown\&collection-url=entityId%3D18568624-17510248-4436-4472-b5aa-f32201839338%26entityType%3Dcollection%26workspaceId%3Dbb0f6b4b-addb-49c6-bd57-435c61ed2cb3)

2. At the prompt, click **Fork Collection** at the bottom of the dialog or click **import a copy** near the bottom of the dialog.

   |   |                                                                           |
   | - | ------------------------------------------------------------------------- |
   |   | You must be signed on to your Postman account to retrieve the collection. |

   ![Screen capture of the screen that offers the options to either fork the collection or import a copy.](_images/p1_RunInPostman.png)

3. Follow the on-screen instructions to fork or import the collection. You might be prompted to open your Postman app and to select a Postman workspace for the retrieved collection.

When you fork a Postman collection, you create a copy of it in a different workspace. Forking a collection creates a linked version that synchronizes with its source collection.

You'll see this synchronization when you click the ellipsis icon on the forked collection. If changes are available, the context menu displays a **Pull changes** button, which you can click to compare the fork to the source collection and pull changes into your fork. You can also watch the collection so that you are notified when the source changes.

If you import a collection, a copy is created with no link back to the source. The collection is static, which might be useful in some situations. For example, if you intend to keep and consume only portions of the collection, a link back to the source is not needed.

But you don't have to choose between these two methods. You can fork a copy to track the source *and* import a copy for experimentation.

The environment downloaded with the collection of requests contains every variable used in the collection. Each request that creates a new object with an ID has a script that:

1. Creates an environment variable unique to that service if one doesn't already exist.

2. Assigns the ID of the newly created object to that environment variable.

## Troubleshooting

If your users are having trouble accessing their admin consoles, determine where the users are managed and complete the appropriate set of steps:

* [Users are managed in a PingOne environment](#p1as_environment)

* [Users are managed by an external identity provider](#p1as_external_environment)

### Users are managed in a PingOne environment

If your users are managed in a PingOne environment, test the connection between that environment and the environment containing the OIDC application that connects to PingOne Advanced Services. To test this connection, create a test user in the environment and use the new user credentials to sign on to the appropriate console.

Use Postman to create the test user, or create the user manually.

If you're using Postman:

#### Steps

1. Navigate to the following step in the collection:

   **P1AS Customer Tenant Configuration** > **Troubleshooting** > **Create Test User to Validate P1AS Connection**.

2. Drag and drop the step into the **Run order** window.

3. Click **Run** and determine if issues exist.

If you're creating a test user manually:

#### Steps

1. Ensure that the user is added to the appropriate population and that the appropriate IdP is selected. For instructions, refer to [Adding a user](https://docs.pingidentity.com/pingone/directory/p1_adduser.html) in the PingOne documentation.

2. Assign the user the appropriate roles and user attributes. You can find a complete list of PingOne Advanced Services attribute mappings for each administrator role, and the permissions each role is assigned, in [User access control roles](#p1as_admin_role_mappings).

3. Use the appropriate console URL and the new test user's credentials to sign on.

   If you're able to sign on, that means that the connection works and the issue likely involves users' roles, permissions, or the user attributes assigned.

4. If you're not able to sign on, access the user's profile and determine if they have the appropriate roles and user attributes assigned.

### Users are managed by an external identity provider

If your users are managed by an external identity provider, test the connections between the environments.

#### About this task

There are two different connections to test:

* The connection between the environment containing the users and the environment containing the OIDC application. To test this connection, complete the troubleshooting steps outlined in [Users are managed in a PingOne environment](#p1as_environment).

* The connection between the external IdP and the environment that contains the OIDC application.

To test this connection, attempt to access the admin consoles from the external identity provider:

#### Steps

1. Get the username and password for the user.

2. Open a browser window and enter the admin console URL.

3. Enter the username and password and click **Sign On**.

   * If you're able to sign on, that means that the connection works.

   * If you're not redirected to the external identity provider, ensure that the authentication policy that the OIDC application is using includes the external identity provider:

     * If you're using login authentication, ensure that the external identity provider is added as a **Presented identity provider**. To learn more, refer to [Adding a login authentication step](https://docs.pingidentity.com/pingone/authentication/p1_add_login_auth_step.html) in the PingOne documentation.

     * If you're using identifier-first authentication, ensure that the external IdP is added as a rule or as a **Presented identity provider**. To learn more, refer to [Adding an identifier-first authentication step](https://docs.pingidentity.com/pingone/authentication/p1_add_identifier_first_auth.html).

     * If you're using external identity provider authentication policies, ensure that the external IdP is added as an **External identity provider**. To learn more, refer to [Adding an external identity provider sign-on step](https://docs.pingidentity.com/pingone/authentication/p1_add_idp_signon_step.html).

   * If you receive an error message regarding missing roles:

     * Ensure that the user has the appropriate roles and attributes assigned.

     * Ensure that the custom user attributes are correctly defined and mapped.

## User access control roles

PingOne Advanced Services defines user access control roles for each of the following components:

* [P1AS Argo CD roles](#section_gjg_jyc_qcc)

* [P1AS Grafana roles](#section_c2s_gyc_qcc)

* [P1AS OpenSearch roles](#section_cqm_2yc_qcc)

* [P1AS PingAccess roles](#section_arb_byc_qcc)

* [P1AS PingFederate roles](#section_l5t_xxc_qcc)

* [P1AS Prometheus roles](#section_yrw_sxc_qcc)

* [P1AS Self-Service roles](#section_yrw_sxc_xxx)

### P1AS Argo CD roles

**Argo CD attribute mappings and permissions**

| Attribute mapping   | Permissions                                                           |
| ------------------- | --------------------------------------------------------------------- |
| **argo-configteam** | Argo CD restart statefulset access for the Dev and Test environments. |

### P1AS Grafana roles

**Grafana attribute mappings and permissions**

| Attribute mapping     | Permissions                                      |
| --------------------- | ------------------------------------------------ |
| **dev-graf-editor**   | Grafana editor access for the Dev environment.   |
| **test-graf-editor**  | Grafana editor access for the Test environment.  |
| **stage-graf-editor** | Grafana editor access for the Stage environment. |
| **prod-graf-editor**  | Grafana editor access for the Prod environment.  |

### P1AS OpenSearch roles

**OpenSearch attribute mappings and permissions**

| Attribute mapping | Permissions                                   |
| ----------------- | --------------------------------------------- |
| **os-configteam** | OpenSearch admin access for all environments. |

### P1AS PingAccess roles

**PingAccess attribute mappings and permissions**

| Attribute mapping     | Permissions                                           |
| --------------------- | ----------------------------------------------------- |
| **dev-pa-admin**      | PingAccess admin access for the Dev environment.      |
| **dev-pa-audit**      | PingAccess audit access for the Dev environment.      |
| **dev-pa-platform**   | PingAccess platform access for the Dev environment.   |
| **test-pa-admin**     | PingAccess admin access for the Test environment.     |
| **test-pa-audit**     | PingAccess audit access for the Test environment.     |
| **test-pa-platform**  | PingAccess platform access for the Test environment.  |
| **stage-pa-admin**    | PingAccess admin access for the Stage environment.    |
| **stage-pa-audit**    | PingAccess audit access for the Stage environment.    |
| **stage-pa-platform** | PingAccess platform access for the Stage environment. |
| **prod-pa-admin**     | PingAccess admin access for the Prod environment.     |
| **prod-pa-audit**     | PingAccess audit access for the Prod environment.     |
| **prod-pa-platform**  | PingAccess platform access for the Prod environment.  |

### P1AS PingFederate roles

**PingFederate attribute mappings and permissions**

| Attribute mapping       | Permissions                                               |
| ----------------------- | --------------------------------------------------------- |
| **dev-pf-audit**        | PingFederate audit access for the Dev environment.        |
| **dev-pf-crypto**       | PingFederate crypto access for the Dev environment.       |
| **dev-pf-expression**   | PingFederate expression access for the Dev environment.   |
| **dev-pf-roleadmin**    | PingFederate role admin access for the Dev environment.   |
| **dev-pf-useradmin**    | PingFederate user admin access for the Dev environment.   |
| **test-pf-audit**       | PingFederate audit access for the Test environment.       |
| **test-pf-crypto**      | PingFederate crypto access for the Test environment.      |
| **test-pf-expression**  | PingFederate expression access for the Test environment.  |
| **test-pf-roleadmin**   | PingFederate role admin access for the Test environment.  |
| **test-pf-useradmin**   | PingFederate user admin access for the Test environment.  |
| **stage-pf-audit**      | PingFederate audit access for the Stage environment.      |
| **stage-pf-crypto**     | PingFederate crypto access for the Stage environment.     |
| **stage-pf-expression** | PingFederate expression access for the Stage environment. |
| **stage-pf-roleadmin**  | PingFederate role admin access for the Stage environment. |
| **stage-pf-useradmin**  | PingFederate user admin access for the Stage environment. |
| **prod-pf-audit**       | PingFederate audit access for the Prod environment.       |
| **prod-pf-crypto**      | PingFederate crypto access for the Prod environment.      |
| **prod-pf-expression**  | PingFederate expression access for the Prod environment.  |
| **prod-pf-roleadmin**   | PingFederate role admin access for the Prod environment.  |
| **prod-pf-useradmin**   | PingFederate user admin access for the Prod environment.  |

### P1AS Prometheus roles

**Prometheus attribute mappings and permissions**

| Attribute mapping | Permissions                                   |
| ----------------- | --------------------------------------------- |
| **prom**          | Prometheus admin access for all environments. |

### P1AS Self-Service roles

**Self-Service attribute mappings and permissions**

| Attribute mapping   | Permissions                                     |
| ------------------- | ----------------------------------------------- |
| **dev-tls-audit**   | TLS read-only access for the Dev environment.   |
| **dev-tls-admin**   | TLS admin access for the Dev environment.       |
| **test-tls-audit**  | TLS read-only access for the Test environment.  |
| **test-tls-admin**  | TLS admin access for the Test environment.      |
| **stage-tls-audit** | TLS read-only access for the Stage environment. |
| **stage-tls-admin** | TLS admin access for the Stage environment.     |
| **prod-tls-audit**  | TLS read-only access for the Prod environment.  |
| **prod-tls-admin**  | TLS admin access for the Prod environment.      |
| **all-tls-audit**   | TLS read-only access for all environments.      |
| **all-tls-admin**   | TLS admin access for all environments.          |
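The role tables above are what the admin consoles check after the **Map Attributes** step has copied the `providerAttributes.*` claims into the PingOne user, and a value that is not in the tables is the usual cause of the "missing roles" error described under Troubleshooting. The following script is an added example, not Ping Identity's code: it applies the page's attribute mapping to a decoded ID-token payload and reports every required attribute that is absent and every role value the tables do not list. The claim names, attribute names and role values are the ones on this page; the sample payload is constructed, and the script assumes multi-valued role claims arrive as JSON arrays (a single string is also accepted).

```python
"""Apply the external IdP -> PingOne attribute mapping and validate P1AS role values.

Added example, not Ping Identity's code. Attribute and role names come from this page;
SAMPLE_CLAIMS is constructed. Role claims are assumed to be JSON arrays or single strings."""

ENVS = ("dev", "test", "stage", "prod")

# PingOne attribute -> claim name under providerAttributes (the Map Attributes step).
ATTRIBUTE_MAP = {
    "Username": "username",
    "External ID": "sub",
    "Email": "email",
    "Family Name": "familyName",
    "Given Name": "givenName",
    "P1AS ArgoCD Roles": "p1asArgoCDRoles",
    "P1AS Grafana Roles": "p1asGrafanaRoles",
    "P1AS Opensearch Roles": "p1asOpensearchRoles",
    "P1AS PingAccess Roles": "p1asPingAccessRoles",
    "P1AS PingFederate Roles": "p1asPingFederateRoles",
    "P1AS Prometheus Roles": "p1asPrometheusRoles",
    "P1AS SelfService Roles": "p1asSelfServiceRoles",
}

REQUIRED = ("Username", "External ID", "Email", "Family Name", "Given Name")

# Role values accepted for each attribute, built from the tables in "User access control roles".
ALLOWED_ROLES = {
    "P1AS ArgoCD Roles": {"argo-configteam"},
    "P1AS Grafana Roles": {f"{env}-graf-editor" for env in ENVS},
    "P1AS Opensearch Roles": {"os-configteam"},
    "P1AS PingAccess Roles": {f"{env}-pa-{r}" for env in ENVS for r in ("admin", "audit", "platform")},
    "P1AS PingFederate Roles": {
        f"{env}-pf-{r}" for env in ENVS for r in ("audit", "crypto", "expression", "roleadmin", "useradmin")
    },
    "P1AS Prometheus Roles": {"prom"},
    "P1AS SelfService Roles": {f"{scope}-tls-{r}" for scope in ENVS + ("all",) for r in ("audit", "admin")},
}


def map_provider_attributes(claims):
    """Return {PingOne attribute: value} for each mapped claim present in the token payload."""
    return {attr: claims[claim] for attr, claim in ATTRIBUTE_MAP.items() if claim in claims}


def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_user(user):
    """Return the problems a sign-on with these attributes would hit; [] means it should succeed."""
    problems = [f"missing required attribute {attr!r}" for attr in REQUIRED if not user.get(attr)]
    granted = 0
    for attr, allowed in ALLOWED_ROLES.items():
        for role in _as_list(user.get(attr)):
            if role in allowed:
                granted += 1
            else:
                # A typo, or a role name that belongs to a different component's table.
                problems.append(f"{attr}: {role!r} is not a P1AS role")
    if not granted:
        problems.append("no P1AS role granted; the consoles will report missing roles")
    return problems


# Constructed ID-token payload from the external IdP. "prod-pf-admin" is deliberately wrong:
# the PingFederate table has roleadmin and useradmin, not admin.
SAMPLE_CLAIMS = {
    "sub": "user-0001",
    "email": "jdoe@example.com",
    "familyName": "Doe",
    "givenName": "Jane",
    "username": "jdoe",
    "p1asGrafanaRoles": "dev-graf-editor",
    "p1asPingFederateRoles": ["prod-pf-audit", "prod-pf-admin"],
}

if __name__ == "__main__":
    for line in check_user(map_provider_attributes(SAMPLE_CLAIMS)) or ["ok"]:
        print(line)
```

Run it against the payload of a real ID token (decoded, not verified, from a test sign-on) when a user hits the missing-roles error; it tells you whether the problem is the mapping (a required attribute never arrives) or the value assigned to the user in the IdP.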
