PingOne Advanced Identity Cloud

Remote proxy authentication methods

The remote proxy supports two authentication methods:

Bearer authentication (OAuth 2.0)

Use for Advanced Identity Cloud tenant-to-tenant connections.

{
  "enabled": true,
  "authType": "bearer",
  "instanceUrl": "https://<receiving-tenant-env-fqdn>/openidm/",
  "clientId": "idmprovisioning",
  "clientSecret": "&{esv.idmprovisioning.client.secret}", (1)
  "scope": ["fr:idm:*"],
  "tokenEndpoint": "https://<receiving-tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/access_token",
  "tokenEndpointAuthMethod": "client_secret_post",
  "scopeDelimiter": " "
}
1 Use an ESV secret for clientSecret instead of a plaintext value.
After creating the ESV, restart Advanced Identity Cloud services so the placeholder resolves.

Required properties: authType, clientId, clientSecret, instanceUrl, tokenEndpoint, tokenEndpointAuthMethod, and scope.

Basic authentication

Use for connecting to self-managed PingIDM instances.

{
  "enabled": true,
  "authType": "basic",
  "instanceUrl": "https://idm.example.com:8443/openidm/",
  "userName": "openidm-admin",
  "password": "openidm-admin"
}

Required properties: authType, userName, instanceUrl, and password.

Configuration properties reference

External IDM proxy configuration properties
Property Required Description

enabled

No

Enable or disable the proxy. Default is true.

authType

Yes

Authentication method: basic or bearer.

instanceUrl

Yes

Receiving instance URL. Must end with a trailing slash (/).

scope

Yes (bearer only)

OAuth 2.0 scopes, for example ["fr:idm:*"].

scopeDelimiter

No

Scope delimiter. Default is a space.

userName

Yes (basic only)

Username for basic auth.

password

Yes (basic only)

Password for basic auth.

clientId

Yes (bearer only)

OAuth 2.0 client ID.

clientSecret

Yes (bearer only)

OAuth 2.0 client secret. Use an ESV secret rather than a plaintext value.

tokenEndpoint

Yes (bearer only)

OAuth 2.0 token endpoint URL.

tokenEndpointAuthMethod

Yes (bearer only)

Must be client_secret_post.

For any request forwarded to the receiving tenant or instance that includes an X-Requested-With header, the remote proxy sets the header value to RemoteIDMProxy.