PingOne Advanced Identity Cloud

Set up PingOne product connections

RAPID only

Integrate your Advanced Identity Cloud tenant environments with PingOne product connections so that you can configure PingOne services (such as PingOne Protect and PingOne Verify) in your Advanced Identity Cloud authentication journeys.

PingOne product connections are preconfigured OIDC integrations designed for quick setup. They streamline the connection process by automatically providing the necessary client credentials and PingOne environment ID within a signed JWT for easier consumption by Advanced Identity Cloud. Advanced Identity Cloud can consume the JWT credential and automatically configure a worker service that’s ready to use in your authentication journeys.

If you’re looking for the previous instructions for setting up PingOne integrations, refer to Set up PingOne OIDC clients and configure Advanced Identity Cloud services (PDF).

You only need to set up a product connection once for each of your Advanced Identity Cloud tenant environments and their mapped PingOne environments.

Task 1: Create a product connection for your development tenant environment

Create a product connection for your development tenant environment. Product connections give access to the PingOne admin APIs using OIDC and provide a single JWT credential containing connection information.

In the PingOne admin console:

  1. In the sidebar, click the Ping Identity logo to open the Environments page.

  2. Select the environment that’s mapped to your development tenant environment from the list, then click Manage Environment.

  3. Go to Integrations > Products, then click the add icon.

  4. In the Add Connection modal:

    1. In the Target Product field, select Advanced Identity Cloud.

    2. In the Name field, enter a unique name for the connection. For example, PingOne Connection AIC.

    3. (Optional) Enter a Description for the connection.

    4. Click Save.

  5. In the New Credential Created modal:

    1. Click the copy icon to copy the new JWT credential to your clipboard. Make a note of the JWT credential, as you won’t be able to access it again after closing the modal.

    2. Click Close.

Task 2: Create a PingOne integration in your development tenant environment

Create a PingOne Integration in your Advanced Identity Cloud development tenant environment using the JWT credential from its mapped PingOne environment.

In your development tenant environment:

  1. In the Advanced Identity Cloud admin console, go to PingOne Integrations.

  2. Click Add PingOne Integration.

  3. In the Add a PingOne Integration modal:

    1. Paste the JWT credential from the development tenant environment’s mapped PingOne environment.

    2. Review the Decoded Claims. In particular, check that the environmentName corresponds to the name of the correct PingOne environment.

    3. Click Next.

    4. In the Name field, accept the default value (derived from the environmentName claim) or enter a name of your choice (for example, PingOne-Integration-AIC). Only alphanumeric characters and hyphens are allowed.

    5. Click Connect.

    6. Wait for Advanced Identity Cloud to perform these steps:

      • Create an ESV for the JWT credential with the value of the JWT you entered.

      • Create a PingOne Worker Service in the current realm of your development tenant environment.

      • Map the ESV to the secret label identifier of the worker service.

      • Perform a connection test to the PingOne environment to verify that the integration is working correctly.

    7. In the PingOne Integrations page, confirm that the new integration is listed with a status of Active.
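
An offline version of the environmentName check in step 3.2, as an added example rather than Ping Identity code: it decodes the credential's payload locally and compares environmentName with the environment you expect, which is useful when you repeat this task for each upper tenant environment. It does not verify the signature; the sample token, the environment names, and the exampleSecretClaim claim are constructed, and environmentName is the only claim name taken from this page.

```python
import base64
import json


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(credential):
    """Return the payload claims of a compact JWT without verifying its signature."""
    parts = credential.strip().split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("JWT payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def redacted(claims):
    """Mask every value except environmentName so secrets stay off the screen."""
    return {k: (v if k == "environmentName" else "<redacted>") for k, v in claims.items()}


def matches_environment(credential, expected_name):
    """True only if the credential's environmentName equals the expected name."""
    return decode_claims(credential).get("environmentName") == expected_name


def constructed_jwt(claims):
    """Build a sample token with a dummy signature; constructed for this example only."""
    def enc(raw):
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(b'{"typ":"JWT"}'), enc(json.dumps(claims).encode()), enc(b"sig")])


# Constructed sample credential; exampleSecretClaim is a hypothetical claim name.
SAMPLE = constructed_jwt({"environmentName": "dev-env-example",
                          "exampleSecretClaim": "constructed-value"})

if __name__ == "__main__":
    print(redacted(decode_claims(SAMPLE)))
    print(matches_environment(SAMPLE, "dev-env-example"))
```
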

Task 3: Promote the integration to your other tenant environments

Once you have successfully created the integration in your development tenant environment, you can promote the worker service configuration to your other tenant environments (UAT[1], staging, production).

  1. Determine the promotion order of your tenant environments. This will depend on whether you have a standard promotion group of environments or whether you also have additional UAT environments.

  2. In promotion order, for each upper tenant environment in your promotion group, perform the following steps:

    1. Create a product connection in the mapped PingOne environment for the upper tenant environment. To do this, repeat the steps in task 1, but substitute your upper tenant environment details wherever the development tenant environment is mentioned.

    2. Create the necessary ESV in the upper tenant environment. To do this, repeat task 2, steps 1 to 3e, but substitute your upper tenant environment details wherever the development tenant environment is mentioned.

      As the upper tenant environments are immutable, this step doesn’t create the worker configuration. This is created when you run a promotion in the next step.

    3. Run a promotion to move the worker configuration to the upper tenant environment from its respective lower tenant environment. Learn more in:

    4. In the PingOne Integrations page in the upper tenant environment, confirm that the new integration is listed with a status of Active.

  3. (Optional) If you have sandbox[2] tenant environments, repeat tasks 1 and 2 for each of those.