PingCentral makes it possible for application owners to promote their OAuth, OIDC, and SAML SP applications to development environments themselves. This section explains how these promotion processes work.
After applying the templates to their applications, application owners enter information about their target environments into PingCentral and promote their applications to the designated environment.
The templates contain the raw JSON from the model applications on which the templates were based. Although PingCentral saves this information, it does not modify it. Instead, the saved JSON is used as a starting point for creating new applications and is modified only in memory with the environment-specific information during the promotion process.
After an application is promoted, application owners can revert it to a previously promoted version. The reverted version of the application does not exist outside of PingCentral until it is promoted again, at which point it is also available in PingFederate. See Reverting applications to previously promoted versions for details.
OAuth and OIDC application promotions
When promoting OAuth and OpenID Connect applications, application owners provide the following information:
- Redirect URIs: The trusted locations to which the application is redirected with the authorization code or access token after the OAuth flow completes. Redirect URIs are only required when promoting applications that use the authorization code or implicit grant types.
- Client secret: Used if a client secret is required to authenticate the application. Application owners can generate a client secret or create one of their own.
Refer to Using OAuth and OIDC templates in the PingCentral for Application Owners guide to learn more about this process.
During the promotion process, the application name and description remain the same. If PingCentral identifies an identical client in PingFederate, the application JSON, along with the information that the application owner provides, overwrites the PingFederate OAuth client within the target environment. If the client does not already exist, PingCentral creates all of the items defined in the application JSON, along with the information that the application owner provided.
If OAuth clients have ATMs (access token managers), OIDC policies, or scopes that conflict with the target environment during the promotion process, PingCentral does not change them because they could be shared across clients. Otherwise, PingCentral adds the ATMs, OIDC policies, and scopes specified in the original JSON file. If scopes are added, they are defined as exclusive scopes and are associated with the client upon promotion.
While PingCentral does not yet promote the policy contract to persistent grant mappings, it promotes all access token mappings associated with the client, which are determined by the access token managers associated with the client. Only access token mappings that use the default, client credentials, or authentication policy contract contexts will be promoted.
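The following is an added illustration of the OAuth promotion rules described above, not PingCentral's own code: the template JSON is copied and modified only in memory, redirect URIs are enforced only for the authorization code and implicit grant types, a client secret is taken from the owner or generated, and scopes that already exist in the target are left untouched while the rest are returned for creation as exclusive scopes. The template contents and field names (modeled loosely on a PingFederate OAuth client record) are assumptions made for this example.

```python
import copy
import secrets

# Constructed template JSON; field names are an assumption for this example,
# loosely modeled on a PingFederate OAuth client record.
TEMPLATE = {
    "clientId": "model-app",
    "name": "Model App",
    "description": "Model application the template was based on",
    "grantTypes": ["AUTHORIZATION_CODE"],
    "redirectUris": ["https://model.example.com/callback"],
    "clientAuth": {"type": "SECRET", "secret": "model-secret"},
    "exclusiveScopes": ["profile", "orders:read"],
}

# Grant types that deliver a code or token to a redirect URI.
REDIRECT_GRANTS = {"AUTHORIZATION_CODE", "IMPLICIT"}


def build_promoted_client(template, redirect_uris=None, client_secret=None,
                          target_scopes=()):
    """Return (client JSON for the target environment, scopes to create).

    The saved template is never modified; only the in-memory copy is.
    Name and description are carried over unchanged.
    """
    client = copy.deepcopy(template)

    if REDIRECT_GRANTS & set(client.get("grantTypes", [])):
        if not redirect_uris:
            raise ValueError(
                "redirect URIs are required for authorization code / implicit grants")
        client["redirectUris"] = list(redirect_uris)
    else:
        # No browser redirect in this flow, so no trusted locations are needed.
        client["redirectUris"] = []

    if client.get("clientAuth", {}).get("type") == "SECRET":
        # Owner-supplied secret, or a freshly generated one.
        client["clientAuth"]["secret"] = client_secret or secrets.token_urlsafe(32)

    # Scopes already defined in the target may be shared across clients and are
    # left as they are; only missing ones are added as exclusive scopes.
    existing = set(target_scopes)
    scopes_to_create = [s for s in client.get("exclusiveScopes", [])
                        if s not in existing]
    return client, scopes_to_create
```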
SAML SP application promotions
When application owners add an application to PingCentral, they can provide an .xml file that contains service provider metadata from a similar SAML application. This file can contain any or all of the following items:
- Entity ID: Used to uniquely identify the application and obtained from the service provider.
- ACS URL: The application's URL to which SAML assertions from the IdP will be sent after user authentication occurs.
- Attribute mapping information: The application attributes mapped to the identity attributes required to fulfill the authentication policy contract in PingFederate.
- SP public certificate: Used to prove ownership of a public key and obtained from the service provider.
- Assertion encryption certificates: Used to prove that the SAML assertion is encrypted.
Or, they can provide the Entity ID, ACS URL, and certificates during the promotion process.
Refer to Using SAML SP templates in the PingCentral for Application Owners guide to learn more about this process.
During the promotion process, the application name and description remain the same. If PingCentral identifies an identical connection in PingFederate, the application JSON, along with the information that the application owner provides, overwrites the PingFederate connection within the target environment. If the connection does not already exist, PingCentral creates the items defined in the application JSON, along with the information that the application owner provided.
PingCentral generates a self-signed IdP certificate with a 1-year expiration for each application and environment. This certificate cannot be uploaded, selected, or rotated in this release. If a connection is re-promoted, the same certificate is used and orchestrated to PingFederate.