You can use the PingOne Scope Consent connector to:

  • View a list of application consent records a user has granted, declined, or revoked
  • Determine whether a user has granted consent for an application
  • Accept or decline consent for an application on behalf of a user
  • Update the application consent record as revoked
  • Check, prompt for, and record user decisions regarding consent for an application

Setup

Resources

For information and setup help, see the following sections of the PingOne documentation:

Requirements

To use the connector, you'll need:

Setting up PingOne

Setting up your PingOne environment

Adding a Worker application

Add a Worker application in the PingOne console before setting up the PingOne connector in DaVinci:

  1. In the PingOne console, add a Worker app. See Adding an application.
    Note: Attribute mappings are not required.

  2. Ensure that you set the authentication method as Client secret basic.

    The PingOne connector receives a token using your application’s credentials.

  3. Enable the application. See Enabling or disabling an application.

    The capabilities in the PingOne connector call endpoints in PingOne with a token received using the application’s credentials. To enable all capabilities, your application needs the required role assignments for the associated capability. If the application doesn't have the required role assignment, you'll see error messages stating that the required authorization isn't configured.

Assigning Roles to the application

To use the appropriate capabilities, the Worker app used by the connector needs the Environment Admin and Identity Data Admin roles.

Note: The user that creates the Worker app must have the Environment Admin and Identity Data Admin roles to assign the roles to a Worker app.

  1. In your PingOne environment, go to Applications > Applications.

    If you haven't added the application yet, see Adding an application.

  2. Locate the appropriate application and click it to open the details panel.
  3. Click the Roles tab and then click the Pencil icon to edit the roles.
  4. Review the assigned roles to ensure that they include the Environment Admin and Identity Data Admin roles. If not, click + Add role to assign them.

Getting your application credentials

Get the Client ID and Client secret from the PingOne console before setting up the PingOne connector in DaVinci:

  1. In your PingOne environment, go to Applications > Applications.

    If you haven't added the application yet, see Adding an application.

  2. Locate the appropriate application and click it to open the details panel.
  3. On the Configuration tab, expand General and locate the Client ID and Client secret. Copy these values to a secure location.

Getting your environment details

Get your Environment ID and Region before setting up the PingOne connector in DaVinci:

  1. In your PingOne environment, go to Settings > Environment Properties.
  2. Locate the Environment ID and Region. Copy these values to a secure location.

Setting up the PingOne connector configuration

In DaVinci, add a PingOne connection. For help, see Adding a connector.

Connector configuration

Environment ID
The unique identifier for the appropriate PingOne environment. To find the environment ID, see Environment properties.
Client ID
The unique public identifier for the PingOne application. To find the client ID, see Viewing application details.
Client secret
The cryptographic secret that is known only to the application and the authorization server. To find the client secret, see Viewing a client secret.
Region
The geographic region that hosts your PingOne tenant. To find the region, see Environment properties.

Using the connector in a flow

Manage user consent

You can use the PingOne Scope Consent connector to view and manage user consent to an application as part of a DaVinci flow policy.

No special flow configuration is needed. Add the capability and populate its properties according to the help text.

Use one of the following capabilities to view information about consent records:

  • Read User Consent: Use to view a list of all application consent records a specific user has granted, declined, or revoked.
  • Check User Consent: Use to determine whether a user has granted consent for a specific application.

Use one of the following capabilities to manage and update user consent records:

  • Save User Consent: Use to accept or decline consent for an application on behalf of a user.
  • Revoke User Consent: Use to update the application consent record for a user as revoked.

Use Get User Consent to check, prompt for, and record user decisions regarding consent to an application as part of a DaVinci flow policy. Use this capability in a flow at the point where you want to prompt the user for their consent. Use the Custom Screens tab to edit the HTML and CSS to customize the appearance and text of the prompt that is displayed to the user. For example, change "Do you approve the request?" to "Do you accept this request?" or change the buttons from Approve and Decline to Yes and No.

Capabilities

Read User Consent

Find information about consent users have granted for all applications.

Details
Properties
PingOne Attribute dropDown required

Select the attribute you want to use to locate a user.

  • User ID
  • Username
  • Email

User Identifier textField required

Enter the user ID, username, or email address of the user you want to locate.

Input Schema
default object
matchUserAttribute string required

PingOne user attribute to identify a user with.

userIdentifier string required

User attribute to match user.

Output Schema
output object
consents array
properties array
type object
properties
rawResponse object
properties object
_embedded object
properties object
consents array
items array
type object
properties
count number
size number
statusCode number
headers object

Check User Consent

Indicate whether users have granted consent for an application.

Details
Properties
PingOne Attribute dropDown required

Select the attribute you want to use to locate a user.

  • User ID
  • Username
  • Email

User Identifier textField required

Enter the user ID, username, or email address of the user you want to locate.

Match Application Attribute dropDown required

Select the application attribute that you want to use to locate an application.

  • Application ID
  • Application Name

Application Identifier textField required

Enter the application ID or name of the application you want to locate.

Input Schema
default object
matchUserAttribute string required

PingOne user attribute to identify a user with.

userIdentifier string required

User attribute to match user.

matchApplicationAttribute string required

PingOne application attribute to identify an application with.

applicationIdentifier string required

Application attribute to match application.

Output Schema
output object
application object
properties object
id string
name string
type string
consentId string
consentStatus string
consentScopes array
rawResponse object
properties object
_embedded object
properties object
consents array
items array
type object
properties
count number
size number
statusCode number
headers object

Save User Consent

Accept or decline user consent for an application. It replaces the existing consent for the application if there is one.

Details
Properties
PingOne Attribute dropDown required

Select the attribute you want to use to locate a user.

  • User ID
  • Username
  • Email

User Identifier textField required

Enter the user ID, username, or email address of the user you want to locate.

Match Application Attribute dropDown required

Select the application attribute that you want to use to locate an application.

  • Application ID
  • Application Name

Application Identifier textField required

Enter the application ID or name of the application you want to locate.

Scopes textField required

Enter the space-separated list of scopes that have been requested. These scopes are validated against the allowed scopes assigned to the PingOne application.

Consent Result textField required

The accept or decline consent result from the user, indicated by "true", "false", "yes", "no", "accepted", or "declined".

Input Schema
default object
matchUserAttribute string required

PingOne user attribute to identify a user with.

userIdentifier string required

User attribute to match user.

matchApplicationAttribute string required

PingOne application attribute to identify an application with.

applicationIdentifier string required

Application attribute to match application.

scopes string required

Scopes.

consentResult string required

Consent Result.

Output Schema
output object
application object
properties object
id string
name string
type string
consentId string
consentStatus string
consentScopes array
rawResponse object
statusCode number
headers object
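
The Scopes and Consent Result rules above, as an added example (not part of the PingOne documentation or the connector's own code): a JavaScript pre-check that a flow could run before Save User Consent so that a malformed value is rejected instead of being recorded as a grant. The function names and the ALLOWED_SCOPES set are hypothetical; the set is constructed sample data standing in for the scopes assigned to your PingOne application.

```javascript
// Added example: pre-validation for the Save User Consent inputs.
// ALLOWED_SCOPES is constructed sample data standing in for the scopes
// assigned to the PingOne application (assumption, not from the page).
const ALLOWED_SCOPES = new Set(["openid", "profile", "email"]);

// The six consentResult strings listed on this page, mapped to a decision.
const CONSENT_RESULTS = new Map([
  ["true", "accepted"], ["yes", "accepted"], ["accepted", "accepted"],
  ["false", "declined"], ["no", "declined"], ["declined", "declined"],
]);

// Split a space-separated scope string, drop duplicates, and reject
// anything the application is not allowed to request.
function parseScopes(raw, allowed) {
  if (typeof raw !== "string") throw new TypeError("scopes must be a string");
  const scopes = [...new Set(raw.trim().split(/\s+/).filter(Boolean))];
  if (scopes.length === 0) throw new Error("at least one scope is required");
  const rejected = scopes.filter((s) => !allowed.has(s));
  if (rejected.length > 0) {
    throw new Error("scopes not allowed: " + rejected.join(" "));
  }
  return scopes;
}

// Fail closed: a missing, non-string, or unrecognized value is an error,
// never a grant. Case and surrounding whitespace are normalized here.
function normalizeConsentResult(raw) {
  if (typeof raw !== "string") {
    throw new TypeError("consentResult must be a string");
  }
  const result = CONSENT_RESULTS.get(raw.trim().toLowerCase());
  if (result === undefined) throw new Error("unrecognized consent result");
  return result;
}

// Produce the validated scopes and consentResult input fields.
function buildConsentFields(rawScopes, rawResult, allowed = ALLOWED_SCOPES) {
  return {
    scopes: parseScopes(rawScopes, allowed).join(" "),
    consentResult: normalizeConsentResult(rawResult),
  };
}
```

Run the check before the capability is invoked and route a thrown error to the flow's failure path, so an ambiguous answer is never stored as accepted.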

Revoke User Consent

Revoke and remove user consent for an application.

Details
Properties
PingOne Attribute dropDown required

Select the attribute you want to use to locate a user.

  • User ID
  • Username
  • Email

User Identifier textField required

Enter the user ID, username, or email address of the user you want to locate.

Lookup Consent dropDown required

Enter the consent ID, application ID, or application name of the consent record you want to locate.

  • Consent ID
  • Application ID
  • Application Name

Consent Identifier textField required

A unique identifier for the consent record.

Input Schema
default object
matchUserAttribute string required

PingOne user attribute to identify a user with.

userIdentifier string required

User attribute to match user.

matchConsentAttribute string required

PingOne consent attribute to identify a consent with.

consentIdentifier string required

Consent attribute to match consent.

Output Schema
output object
application object
properties object
id string
name string
type string
consentId string
consentStatus string
consentScopes array
rawResponse object
statusCode number
headers object

Get User Consent

This capability facilitates application consent by checking, prompting, and recording user decisions regarding consent. This action includes the HTML template and other resources like CSS. You can customize them under the Custom Screens tab.

Details
Properties
Always Prompt for Consent toggleSwitch required

Indicates whether the user will always be prompted to consent to the application’s request. If disabled, users will only be prompted to consent to these requests if they have not already done so.

PingOne Attribute dropDown required

Select the attribute you want to use to locate a user.

  • User ID
  • Username
  • Email

User Identifier textField required

Enter the user ID, username, or email address of the user you want to locate.

Application dropDown required

Select the application or specify an application identifier that will be used to check, prompt and store consent for the user.

  • Use PingOne Application ID
  • Use Custom Application Name

Application ID textField required

Enter the unique identifier of the application that will be used to check, prompt and store consent for the user.

Application Name textField required

Enter the name of the application that will be used to check, prompt and store consent for the user.

Consent Scopes textField required

Scopes define the user information that the application wants to access and that the user must consent to sharing, such as the user's name, email address, and phone number. You must provide at least one scope. You may provide multiple scopes, each separated by a space.

Output Schema
output object
matchedUser object
application object
properties object
id string
name string
type string
consentId string
consentStatus string
consentScopes array
rawResponse object
statusCode number
headers object