Use the Applications page to edit existing worker applications.
- Go to .
- Browse or search for the application that you want to edit.
- Click the application entry to open the details panel. Click the tab that you want to edit, and then click the pencil icon.
For Overview, enter or edit the following:
- Application Name: A unique identifier for the application.
- Description (optional): A brief characterization of the application.
- Icon (optional): A pictorial representation of the application. Use a file up to 1MB in JPG, JPEG, GIF, or PNG format.
- Home page URL: The default home page for the application.
- Signon URL: The URL to which the application requests that the end user be redirected to sign on.
For Configuration, enter or edit the following:
The unique identifier for the application.
The shared secret for the application. Ensure that you protect the client secret and store it in a secure location. To update the client secret, click Generate New Secret. For more information, see Rotating the client secret for an application.
The identifier for the environment that contains the application.
Select code, token, or ID token for the response type. See Response types.
Select authorization code, implicit, refresh token, or client credentials for the grant type. See Grant types.
Select a value for PKCE code challenge enforcement. This value determines how the application creates the code challenge from the code verifier. See PKCE enforcement.
Note: PKCE enforcement is available for Authorization Code grant type applications only.
The address to which PingOne forwards the OIDC response after authentication. The Redirect URI cannot contain a fragment component, such as #somedata. For more information, see Redirection endpoint in the IETF documentation.
Note: You can use wildcards for flexibility in managing redirect URIs. See Redirect URIs.
The URL to which the application requests that the browser be redirected using the post_logout_redirect_uri parameter after a logout has been performed.
Token Endpoint Authentication Method
Select none, client secret basic, or client secret post for the token endpoint authentication method.
For Resources, select the OAuth scopes for the application by selecting the check box for the appropriate scopes. Click the Selected scopes tab to see the scopes that are currently selected for the
The OAuth scopes determine the resources that the application can access. If you add OIDC scopes here, the application inherits the attributes associated with that scope.
For Policies, select the authentication policies for the
If you have a DaVinci license, you can select PingOne policies or DaVinci Flow policies, but not both. If you don’t have a DaVinci license, you’ll see PingOne policies only.
To use a PingOne policy, click + Add policies and then select the policies that you want to apply to the application. Click Add. The policies are applied in the order in which they appear in the list. PingOne evaluates the first policy in the list first. If the requirements of the policy are not met, PingOne moves to the next policy in the list. For more information, see Authentication policies for applications.
To use a DaVinci Flow policy, you must clear all PingOne policies. Click the Deselect all PingOne policies button. In the confirmation message, click Continue. Click the DaVinci Policies tab, and then select the policies that you want to apply to the application. PingOne applies the first policy in the list.
For OAuth-based applications, you can specify another policy in the acr_values parameter in the authorization request. The acr_values parameter specifies the sign-on policies that PingOne should use for authentication. You can include any policies assigned to the application. Specify either a single DaVinci policy by flow policy ID or one or more PingOne policies by name, separated by spaces or the encoded space character %20. For example,
For Attribute mappings, select a PingOne user attribute and map it to an attribute in the application you are adding. For more information, see
- Enter an application attribute and then select the corresponding PingOne attribute from the list.
- Click the gears icon to use the expression builder to build an attribute mapping. See Using the expression builder.
For Access, enter or edit the following:
- Admin only access: Specifies that a user with an administrator role is required to access the application. The user must have one of the following roles: Organization Admin, Environment Admin, Identity Data Admin, or Client Application Developer.
- Group membership policy: Select the group membership policy for the application. For more information, see Groups.
For Roles, select the roles for the worker
Worker apps have no roles by default. After the application is created, you can add or remove roles as needed, up to the level of your roles as a user. That is, you cannot assign roles that you do not have. For more information, see Configuring roles for a worker application.
- Click Save.