Use the Applications page to edit existing Native applications.
- Go to .
- Browse or search for the application you want to edit.
- Click the application entry to open the details panel. Click the tab that you want to edit, and then click the pencil icon.
For Overview, enter or edit the following
- Application Name. A unique identifier for the application.
- Description. A brief characterization of the application (optional).
- Icon (optional). A pictorial representation of the application. Use a file up to 1MB in JPG, JPEG, GIF, or PNG format.
- Home page URL. The default home page for the application.
- Signon URL. The URL to which the application requests that the end user be redirected to sign on.
For Configuration, enter or edit the following:
Select code, token, or ID token for the response type. See Response types.
Select authorization code, implicit, refresh token, or client credentials for the grant type. See Grant types.
Select a value for PKCE code challenge enforcement. This value determines how the application creates the code challenge from the code verifier. See PKCE enforcement.Note:
PKCE enforcement is available for Authorization Code grant type applications only.
The address PingOne forwards the authentication.
Allow Redirect URI patterns
Use a wildcard for flexibility in managing redirect URIs. See Redirect URIs.
Token Endpoint Authentication Method
Select none, client secret basic, or client secret post for the token endpoint authentication method.
Initiate Login URI
The application's login initiation endpoint for third-parties to begin the sign-on process for the application.
If provided, PingOne redirects users to this URI to initiate SSO to PingOne. The application is responsible for implementing the relevant OIDC flow when the Initiate Login URI is requested.
For more information, see Initiating Login from a Third Party in the OIDC specification. This URI is required if you want the application to show in the PingOne Application Portal. For more information, see Application portal.
Target Link URI
The URI for the application. If provided, PingOne redirects application users to this URI after the user is authenticated. The target_link_uri parameter value in Initiate Single Sign-On URL, as shown as part of the application configuration in the PingOne console, is also updated with the value specified here.
The URL to which the application requests that the browser be redirected using the post_logout_redirect_uri parameter after a logout has been performed.
Allow unsigned JWT requests
Select this option to allow the optional request object on the authorization request to be unsigned.
For Resources, select the OAuth scopes for the application
by selecting the check box for the appropriate scopes. Click the Selected
scopes tab to see the scopes that are currently selected for the
The OAuth scopes determine the resources that the application can access. If you add OIDC scopes here, the application inherits the attributes associated with that scope.
For Policies, select the authentication policies for the
If you have a DaVinci license, you can select PingOne policies or DaVinci Flow policies, but not both. If you don’t have a DaVinci license, you’ll see PingOne policies only.
To use a PingOne policy, Click + Add policies and then select the policies that you want to apply to the application. Click Add. The policies are applied in the order in which they appear in the list. PingOne evaluates the first policy in the list first. If the requirements of the policy are not met, PingOne moves to the next policy in the list. For more information, see Authentication policies for applications.
To use a DaVinci Flow policy, you must clear all PingOne policies. Click the Deselect all PingOne policies button. In the confirmation message, click Continue. Click the DaVinci Policies tab, and then select the policies that you want to apply to the application. PingOne applies the first policy in the list. For OAuth-based applications, you can specify another policy in the acr_values parameter in the authorization request.
For Attribute mappings, select a PingOne user attribute and map
it to an attribute in the application you are adding. For more information, see
Enter an application attribute and then select the corresponding PingOne attribute from the list.Click the gears icon to use the expression builder to build an attribute mapping. See Using the expression builder.
For Access, enter or edit the following:
- Application portal display. Determines whether an application icon appears in the application portal even if the user is allowed to access the application in the application portal based on the group membership policy. For more information, see Application access control.
- Admin only access. Specifies that a user with an administrator role is required to access the application. The user must have one of the following roles: Organization Admin, Environment Admin, Identity Data Admin, or Client Application Developer.
- Group membership policy. Select the group membership policy for the application. For more information, see Groups.
For Mobile, allow mobile authentication for the app:
Configure the app for Android by providing the package name for Google Play
Services and/or the package name and app ID for Huawei Mobile Services.
Configure the app for iOS by providing the bundle ID (as registered in the app
After you have enabled mobile authentication, you can configure any of the following:
- Allow push notifications by providing the following information:
- For Android apps that use Google Play Services: server key (as provided by FCM)
- For Android apps that use Huawei Mobile Services: OAuth 2.0 client ID and client secret
- For iOS: the team ID, authentication token signing key, and key ID (as provided by Apple to your organization)
After you save the push credentials, you can use the Send Test button to test them. You have to supply the push token issued by Google/Huawei/Apple.
- Turn on device integrity checking to prevent the use of compromised
devices for pairing or authentication. You can enable device integrity
checking separately for Android and iOS. For Android, you must choose
between Google Verification and
Internal Verification. Using internal
verification will not count against your Google API call quota. You must
provide the following additional information, depending on the type of
verification you selected:
Note: If an application appears in multiple environments, make sure to provide the same verification credentials and specify the same cache duration for the application in each of the environments. If these settings do not match, unexpected behavior may result. In such cases, you will also see an error message in the audit log. You will see a similar message if you provided incorrect credentials.
- Google verification - select the JSON file that represents your Service Account Credentials
- Internal verification - enter the Decryption Key and Verification Key from your Google Play Services account
- If your organization is using the PingOne MFA SDK to allow authentication with a QR code in certain flows, provide the relevant universal / app link or URI scheme that the application should use for this purpose, depending on which deep-linking mechanism the app developers used.
- Use the Passcode Refresh Duration field to specify the amount of time a passcode should be displayed before being replaced with a new passcode.
- The package name / app ID / bundle ID and push notification settings cannot be modified after they have been saved for the application.
- If you do not have the necessary license for making changes on the Mobile tab, a lock icon is displayed below the tab name. If you click the lock, you will see a message that explains how to obtain the required license. If you previously had a valid license, and defined mobile authentication settings for the app, they will still be visible on the tab but you will not be able to modify the settings or add to them.
- Allow push notifications by providing the following information:
- Click Save.