Editing an application - Native - PingOne - PingOne Cloud Platform

The OAuth scopes determine the resources that the application can access. If you add OIDC scopes here, the application inherits the attributes associated with that scope.

If you have a DaVinci license, you can select PingOne policies or DaVinci Flow policies, but not both. If you don’t have a DaVinci license, you’ll see PingOne policies only.

To use a PingOne policy, Click + Add policies and then select the policies that you want to apply to the application. Click Add. The policies are applied in the order in which they appear in the list. PingOne evaluates the first policy in the list first. If the requirements of the policy are not met, PingOne moves to the next policy in the list. For more information, see Authentication policies for applications.

To use a DaVinci Flow policy, you must clear all PingOne policies. Click the Deselect all PingOne policies button. In the confirmation message, click Continue. Click the DaVinci Policies tab, and then select the policies that you want to apply to the application. PingOne applies the first policy in the list. For OAuth-based applications, you can specify another policy in the acr_values parameter in the authorization request.

• Application portal display. Determines whether an application icon appears in the application portal even if the user is allowed to access the application in the application portal based on the group membership policy. For more information, see Application access control.
• Admin only access. Specifies that a user with an administrator role is required to access the application. The user must have one of the following roles: Organization Admin, Environment Admin, Identity Data Admin, or Client Application Developer.
• Group membership policy. Select the group membership policy for the application. For more information, see Groups.

After you have enabled mobile authentication, you can configure any of the following:

• Allow push notifications by providing the following information:
  • For Android apps that use Google Play Services: server key (as provided by FCM)
  • For Android apps that use Huawei Mobile Services: OAuth 2.0 client ID and client secret
  • For iOS: the team ID, authentication token signing key, and key ID (as provided by Apple to your organization)

  After you save the push credentials, you can use the Send Test button to test them. You have to supply the push token issued by Google/Huawei/Apple.

• Turn on device integrity checking to prevent the use of compromised devices for pairing or authentication. You can enable device integrity checking separately for Android and iOS. For Android, you must choose between Google Verification and Internal Verification. Using internal verification will not count against your Google API call quota. You must provide the following additional information, depending on the type of verification you selected:
  • Google verification - select the JSON file that represents your Service Account Credentials
  • Internal verification - enter the Decryption Key and Verification Key from your Google Play Services account
  Note: If an application appears in multiple environments, make sure to provide the same verification credentials and specify the same cache duration for the application in each of the environments. If these settings do not match, unexpected behavior may result. In such cases, you will also see an error message in the audit log. You will see a similar message if you provided incorrect credentials.
• If your organization is using the PingOne MFA SDK to allow authentication with a QR code in certain flows, provide the relevant universal / app link or URI scheme that the application should use for this purpose, depending on which deep-linking mechanism the app developers used.
• Use the Passcode Refresh Duration field to specify the amount of time a passcode should be displayed before being replaced with a new passcode.