Identity Cloud

PingOne node

The PingOne node establishes trust between PingOne and Identity Cloud by leveraging a federated connection.

This node performs an OIDC request to PingOne to delegate the user flow from Identity Cloud to PingOne using a standard OIDC redirect.

Use this node only if you need to configure PingOne as an external identity provider for Identity Cloud or to execute a PingOne DaVinci flow containing UI screens. In all other cases, use the PingOne DaVinci API node instead.
(Figure: PingOne node diagram)

Set up

Before using the PingOne node, you must set up:

Configure a PingOne OIDC application to connect to Identity Cloud

Use the Applications page in the PingOne interface to add an application to connect to Identity Cloud.

  1. Go to Applications > Applications.

  2. Click +.

  3. Create an application profile with these parameters:

    1. Application name: Identity Cloud Federation.

    2. Description (optional): Enables Identity Cloud federation with PingOne.

    3. Select OIDC Web App as the Application Type.

  4. Click Save.

  5. After the application profile is created, go to the Configuration tab and click the pencil icon to edit the application.

    1. In the PKCE Enforcement drop-down, select S256_REQUIRED.

    2. In the Token Endpoint Authentication Method drop-down, select Client Secret Basic.

    3. Select Require Pushed Authorization Request.

    4. Enter the Redirect URIs of your Identity Cloud AM instance.

  6. Click Save, and then select Enable.
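What the three settings in step 5 require of the client on the wire, as an added example (not ForgeRock or PingOne code): an S256 PKCE challenge, a Client Secret Basic header, and a pushed authorization request whose returned handle is the only request data in the browser redirect. The endpoint URL, client credentials, redirect URI and `request_uri` value are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import quote_plus, urlencode

def pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)  # 86 characters, inside the 43..128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    # base64url without padding, as S256 requires
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge

def client_secret_basic(client_id, client_secret):
    """Authorization header value for Client Secret Basic (RFC 6749, section 2.3.1)."""
    # id and secret are form-urlencoded before being joined and base64-encoded
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")

def build_par_request(client_id, client_secret, redirect_uri, challenge, state,
                      acr_values=None):
    """Headers and form body of the back-channel pushed authorization request (RFC 9126)."""
    form = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",  # "plain" is what S256_REQUIRED rules out
    }
    if acr_values:
        form["acr_values"] = acr_values  # the node's optional ACR Values property
    headers = {
        "Authorization": client_secret_basic(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, urlencode(form)

def authorization_redirect(authorize_endpoint, client_id, request_uri):
    """Front-channel redirect: only client_id and the request_uri handle are exposed."""
    query = urlencode({"client_id": client_id, "request_uri": request_uri})
    return f"{authorize_endpoint}?{query}"

if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    # Constructed placeholder values, not real PingOne or Identity Cloud endpoints
    print(build_par_request("client", "secret", "https://am.example.com/callback",
                            challenge, secrets.token_urlsafe(16)))
    print(authorization_redirect("https://auth.example.com/as/authorize", "client",
                                 "urn:ietf:params:oauth:request_uri:abc123"))
```

The `code_verifier` never leaves the client until the token request, so an authorization code intercepted in the redirect cannot be redeemed without it.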


Product Compatible?

ForgeRock Identity Cloud


ForgeRock Access Management (self-managed)


ForgeRock Identity Platform (self-managed)



Any data in the node state that needs to be sent to PingOne.


To use this node, you must configure the PingOne service.


Property Usage

PingOne Service

The PingOne service used with this node.

ACR Values (optional)

For triggering a specific PingOne application policy.


The attribute that contains the name of the user for the object.

State Inputs

A multi-value field to select specific attributes from node state to include in the federation request to PingOne. By default, the wildcard (*) value includes the entire journey node state in the federation request to PingOne.


Any claims returned by PingOne during federation will be stored in the node state.


Account exists

If the account returned by PingOne during federation matches an existing account, and it is linked to the account in Identity Cloud.

Account exists, no link

If the account returned by PingOne during federation exists in Identity Cloud, but it is not yet linked to the existing account in Identity Cloud.

No account exists

If the account returned by PingOne during federation does not exist in Identity Cloud.


An error occurred causing the request to fail. Check the response code, response body, or logs to see more details of the error.


If this node logs an error, review the log messages to find the reason for the error and address the issue appropriately.


This example journey highlights the use of the PingOne node:

(Figure: example PingOne journey)