Service accounts
PingOne Advanced Identity Cloud provides service accounts to let you request access tokens for most REST API endpoints;
for example, you may need an access token to use the REST API endpoint
/openidm/managed/alpha_user
to get a list of identities.
You create a new service account in the Advanced Identity Cloud admin UI, which provides you with credentials
(a service account ID and a private key). You use the credentials to obtain an access token from a
built-in OAuth 2.0 public client using the JWT profile for OAuth 2.0 authorization grant flow. You
can then use the access token as a bearer token in the Authorization
HTTP header for each API request.
Manage service accounts
A tenant administrator can manage service accounts in these ways:
-
To use the Advanced Identity Cloud admin UI, learn more in Manage service accounts using the UI.
-
To use the Advanced Identity Cloud REST API with a tenant administrator access token, learn more in the article A scripted approach for creating and using service accounts in PingOne Advanced Identity Cloud.
Only a tenant administrator account has the privileges to create, modify, or delete service accounts.
You create service accounts in each environment; they are not promotable.
Service account scopes
When you create a service account, you choose which scopes it can grant to the access tokens it creates. You should always choose the minimum number of scopes needed.
Scopes for AM and IDM APIs in Advanced Identity Cloud
Scope | Purpose | Reference |
---|---|---|
|
Access to |
|
|
Access to |
Service account access tokens granted the fr:idm:* scope also have access to API
endpoints under the fr:idc:esv:* scope.
|
Scopes for Advanced Identity Cloud environment APIs
Scope | Purpose | Reference |
---|---|---|
|
Access to certificate API endpoints |
|
|
Read-only access to certificate API endpoints. Use this scope if you only need to list certificates. |
|
|
Access to Content Security Policy API endpoints |
Content Security Policy API endpoint |
|
Access to custom domain endpoints |
Custom domains API endpoint |
|
Access to ESV API endpoints |
|
|
Read-only access to ESV API endpoints. Use this scope if you only need to list ESVs. |
|
|
Create, update, and delete access to ESV API endpoints |
|
|
Access to ESV API endpoint to restart Advanced Identity Cloud services |
|
|
Access to promotions API endpoints |
|
|
Access to release management API endpoints |
Release management API endpoint |
|
Access to SSO cookie API endpoints |
SSO cookie API endpoint |
Scopes for Advanced Identity Cloud APIs under development
The following scopes grant access to API endpoints that are under development and will imminently be released to the rapid channel.
Scope | Purpose | Reference |
---|---|---|
|
Access to web application firewall (WAF) API endpoints |
|
|
Read-only access to WAF API endpoints. Use this scope if you only need to list WAFs. |
|
|
Create, update, and delete access to WAF API endpoints |
|
|
Access to analytics API endpoints |
|
|
Access to cookie domain endpoints |
Scopes for add-on capability APIs
The following scopes grant access to API endpoints in Add-on capabilities.
Scope | Purpose | Reference |
---|---|---|
|
Access to IGA API endpoints |
Restricted scopes
The following scopes are restricted, so the API endpoints under them are not accessible using a service account access token. Learn how to access API endpoints using a tenant administrator access token in the article A scripted approach for creating and using service accounts in PingOne Advanced Identity Cloud.
Scope | Purpose | Reference |
---|---|---|
|
Access to federation API endpoints |
Federation API endpoint |
Get an access token using a service account
To get an access token using a service account, learn more in Authenticate to Advanced Identity Cloud REST API with access token.
You can also create a script to get a service account access token within your journeys. This approach lets you use the access token in API calls in a Scripted Decision node in Advanced Identity Cloud. Learn more in Get an access token in a journey for an example. |
Manage service accounts using the UI
View service accounts
-
In the Advanced Identity Cloud admin UI, open the TENANT menu (upper right).
-
Click Tenant settings.
-
Click Global Settings.
-
Click Service Accounts. The page displays existing service accounts for your tenant.
Create a new service account
-
In the Advanced Identity Cloud admin UI, open the TENANT menu (upper right).
-
Click Tenant settings.
-
Click Global Settings.
-
Click Service Accounts.
-
Click New Service Account.
-
Enter a Name and optional Description for the service account.
-
In the Scopes section, select the scopes that the service application can grant to an access token. Learn more in Service account scopes.
-
Click Save.
-
When the 'Service account successfully created!' message shows:
-
Make a note of the service account ID, found in the ID field.
-
Click Download Key to download the service account private key.
You must download the private key at this point as it will not be available again.
-
-
Click Done.
To get an access token using a service account, learn more in Authenticate to Advanced Identity Cloud REST API with access token. |
Modify a service account
-
In the Advanced Identity Cloud admin UI, open the TENANT menu (upper right).
-
Click Tenant settings.
-
Click Global Settings.
-
Click Service Accounts.
-
Click the ellipsis on the right of a service account and select Edit.
-
You can change the Name or optional Description.
-
In the Scopes section, you can change the scopes that the service application can grant to an access token. Learn more in Service account scopes.
Before removing scopes that the service application can grant to an access token, make sure you identify which of your integrations are dependent upon those scopes; otherwise those integrations will fail the next time they request an access token. -
Click Save.
Regenerate a key for a service account
Before regenerating a key, make sure you identify which of your integrations are dependent upon it to sign JWTs, as all those integrations need to be updated with the new key. |
-
In the Advanced Identity Cloud admin UI, open the TENANT menu (upper right).
-
Click Tenant settings.
-
Click Global Settings.
-
Click Service Accounts.
-
Click the ellipsis on the right of a service account and select Regenerate Key.
-
On the Regenerate Key dialog box, click Regenerate Key.
-
When the 'Key successfully created!' message is shown:
-
Click Download Key to download the new service account private key.
You must download the private key at this point as it will not be available again.
-
-
Click Done.
Delete a service account
Before deleting a service account, make sure none of your integrations are dependent upon its key to sign JWTs; otherwise those integrations will fail the next time they request an access token. |
-
In the Advanced Identity Cloud admin UI, open the TENANT menu (upper right).
-
Click Tenant settings.
-
Click Global Settings.
-
Click Service Accounts.
-
Click the ellipsis on the right of a service account and select Delete.
-
On the Delete Service Account page, click Delete Service Account.