PingOne Advanced Identity Cloud

PingOne

The Advanced Identity Cloud PingOne application lets you manage and synchronize data between PingOne and Advanced Identity Cloud.

Configuration requires a PingOne administrator account and a properly configured PingOne environment.

Register the application

  1. In the Advanced Identity Cloud admin console, go to Applications, and click grid_view Browse App Catalog.

  2. In the Browse App Catalog modal, select an application, and click Next.

  3. Review the Application Integration information, and click Next.

  4. In the Application Details window, specify the name, description, application owners, and logo for the application.

  5. To make the application an Authoritative source of identity data, select the Authoritative check box. This option is not available for every application.

  6. Click Create Application.

PingOne requirements

Before you can configure the Advanced Identity Cloud application, you must register an application in PingOne. You need a PingOne environment to complete this procedure:

  1. In your PingOne environment, create a new application:

    1. From the menu, expand the Applications node, and click Applications.

    2. On the Applications page, click the add button.

    3. In the Add Application window, enter the necessary details, select the Worker application type, and click Save.

    Show Me
    Create an application in PingOne

  2. In the Application Name window, enable the application.

    Show Me
    Enable the application in PingOne

  3. On the Roles tab, click Grant Roles.

  4. On the Available Responsibilities tab, expand the Identity Data Admin node, select the applicable environment, and click Save.

    Show Me
    Add PingOne application role

  5. Click the Configuration tab, and make note of the following:

    • URLs > Token Endpoint

    • General > Client ID

    • General > Client Secret

    • General > Environment ID

    Use these values when you configure provisioning for an Advanced Identity Cloud PingOne application.

Configure provisioning

Configuration requires a PingOne administrator account and a properly configured PingOne environment.

  1. Complete PingOne requirements.

  2. In the Advanced Identity Cloud admin console, on the Provisioning tab:

    • If setting up provisioning for the first time, click Set up Provisioning.

    • If editing existing settings, in the Connection area, click Settings.

  3. Configure the following fields:

    Field Description

    Service Uri

    The service endpoint URI. The URI top-level domain changes based on region. Learn more in Working with PingOne APIs.

    Token Endpoint

    The OAuth 2.0 access token endpoint.

    Environment Id

    The environment identifier for your PingOne environment.

    Client Id

    The client ID for OAuth 2.0 flow.

    Client Secret

    The client secret for OAuth 2.0 flow.

    Grant Type

    The OAuth 2.0 grant type to use (client_credentials or refresh_token).

  4. To use basic authentication to send the client ID and client secret to the remote service as authorization headers, select Use Basic Auth For OAuth Token Neg. If the option isn’t selected, the client ID and client secret are sent as form data.

  5. Optionally, click Show advanced settings to set any of the following options:

    Application specific settings
    Field Description

    Maximum Connections

    The maximum size of the HTTP connection pool. The default is 10 connections.

    Connection Timeout

    The timeout for the underlying HTTP connection in seconds. The default is 30 seconds.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.
    Pool configuration
    Field Description

    Max idle and active container instances

    The maximum number of idle and active container instances. The default value is 10.

    Max Idle Connector Instances

    The maximum number of idle connector instances. The default value is 10.

    Set Timeout Period

    Select to enable a timeout period for the connection. After enabling, configure the following:

    • Timeout period (ms): The timeout period in milliseconds.

    Set Minimum Idle Time

    Select to set a minimum time (in milliseconds) before an idle object is removed. After enabling, configure the following:

    • Min idle time (ms): The minimum idle time in milliseconds.

    Min Idle Instances

    The minimum number of idle connector instances.
    Result Handler configuration
    Field Description

    Enable for connectors with the attribute normalizer interface

    Enables the attribute normalizer interface for supported connectors.

    Enable local filtering/search features

    Enables local filtering and search capabilities.

    Enable case insensitive filter

    Configures filters to ignore case sensitivity.

    Enable configuration of search attributes; disable for local connectors

    Enables search attribute configuration. Disable this option for local connectors.

    1. In the Operation Timeouts (ms) area, select the operations to enforce timeouts on and enter the duration in milliseconds.

      Available operations include Create, Validate, Test, Enable a Script on the Connector, Schema, Delete, Update, Sync, Authenticate, Get, Enable a Script on the Target, and Search.

    2. In the Operation Rate Limits area, select the operations to enforce rate limits on.

      You can enforce limits on specific operations, including Create, Validate, Test, Script on Connector, Schema, Delete, Update, Sync, Authenticate, Get, Script on Target, and Search.

      For each selected operation, configure the following fields:

      Field Description

      Request Limit

      Requests allowed over time.

      Request Period

      Limit resets after this time (ms).

      Request Timeout

      Time before exception thrown (ms).

  6. Click Connect.

  7. Verify the information in the Details tab.

Provision side tabs

The object type determines the side tabs that display on the Provisioning tab. Use the object type list to select an object type, such as Group. Afterward, you can configure properties in the different sub-tabs under the Provisioning tab.

Sub-tabs under the Provisioning tab
Provisioning tab Description Related sections

Details

View and manage an application, including name, ID, and native type.

Select the specific application from Provision settings for an application.

Properties

View and manage properties for the selected object type.

Manage application attributes

Data

View data about the selected object type.

View user access data

Mapping

View and manage mappings from the Advanced Identity Cloud admin console properties to external system properties and from external system properties to the Advanced Identity Cloud admin console properties.

Manage mappings

Reconciliation

Preview mappings on target applications between external systems and the Advanced Identity Cloud admin console, and reconcile the data between the two systems.

View and manage rules for the users and groups that use your application.

View and manage schedules for Full and Incremental reconciliation.

Reconcile and synchronize end-user accounts

Privacy & Consent

Manage end-user data sharing and synchronization.

Configure end-user data sharing

Rules

View and manage provisioning rules for mappings between Advanced Identity Cloud and a target application.

Manage provisioning rules

Advanced Sync

Create and manage mappings between an identity profile and an application or between applications.

Manage advanced sync

Next steps