Identity Cloud

PingOne node

The PingOne node establishes trust between PingOne and Identity Cloud by leveraging a federated connection.

This node performs an OIDC request to PingOne to delegate the user flow from Identity Cloud to PingOne using a standard OIDC redirect.

Use this node only if you need to configure PingOne as an external identity provider for Identity Cloud or to execute a PingOne DaVinci flow containing UI screens. In all other cases, use the PingOne DaVinci API node instead.

Set up

Before using the PingOne node, complete the following setup tasks.

Configure a PingOne OIDC application to connect to Identity Cloud

Use the Applications page in the PingOne interface to add an application to connect to Identity Cloud.

  1. Go to Applications > Applications.

  2. Click +.

  3. Create an application profile with these parameters:

    1. Application name: Identity Cloud Federation.

    2. Description (optional): Enables Identity Cloud federation with PingOne.

    3. Select OIDC Web App as the Application Type.

  4. Click Save.

  5. After the application profile is created, go to the Configuration tab and click the pencil icon to edit the application.

    1. In the PKCE Enforcement drop-down, select S256_REQUIRED.

    2. In the Token Endpoint Authentication Method drop-down, select Client Secret Basic.

    3. Select Require Pushed Authorization Request.

    4. Enter the Redirect URIs of your Identity Cloud AM instance.

  6. Click Save, and then select Enable.

Compatibility

| Product | Compatible? |
| --- | --- |
| ForgeRock Identity Cloud | Yes |
| ForgeRock Access Management (self-managed) | Yes |
| ForgeRock Identity Platform (self-managed) | Yes |

Inputs

Any data in the node state that needs to be sent to PingOne.

Dependencies

To use this node, you must configure the PingOne service.

Configuration

| Property | Usage |
| --- | --- |
| PingOne Service | The PingOne service used with this node. |
| ACR Values (optional) | For triggering a specific PingOne application policy. |
| Username | The attribute that contains the name of the user for the object. |
| State Inputs | A multi-value field to select specific attributes from node state to include in the federation request to PingOne. By default, the wildcard (*) value includes the entire journey node state in the federation request to PingOne. |

Outputs

Any claims returned by PingOne during federation will be stored in the node state.

Outcomes

Account exists

If the account returned by PingOne during federation matches an existing account, and it is linked to the account in Identity Cloud.

Account exists, no link

If the account returned by PingOne during federation exists in Identity Cloud, but it is not yet linked to the existing account in Identity Cloud.

No account exists

If the account returned by PingOne during federation does not exist in Identity Cloud.

Error

An error occurred causing the request to fail. Check the response code, response body, or logs to see more details of the error.

Troubleshooting

If this node logs an error, review the log messages to find the reason for the error and address the issue appropriately.

Examples

This example journey highlights the use of the PingOne node:

[Figure: PingOne journey]
Copyright © 2010-2024 ForgeRock, all rights reserved.