Embed all the identity services you need into your app with a single platform.
PingOne for Customers allows you to embed user-friendly authentication into your applications. With a comprehensive set of REST APIs, you can configure authentication workflows, create access tokens and assign different authentication policies to each app. PingOne for Customers supports SAML, OAuth 2 and OpenID Connect services to authorize clients to access data, verify if users are signed on and more. You can see our authentication APIs in action with our sample apps.
The authorization server in PingOne for Customers allows you to protect applications, APIs and other resources. You can configure custom scopes that allow access to specific resources that you define, and you can grant applications or users access to those scopes.
PingOne for Customers can orchestrate authentication policies to help you determine the steps required to authenticate users. Policies can be evaluated, and specific sign-on actions can even be called, such as stepping users up to multi-factor authentication (MFA). Like all other PingOne for Customers capabilities, authentication policies can be completely managed via REST API calls.
The curl request below uses a client_credentials grant to return an access token.
curl --request POST \
--url "https://auth.pingone.com/{environmentID}/as/token" \
--header "Content-Type: application/x-www-form-urlencoded" \
--data "grant_type=client_credentials&client_id={applicationID}&client_secret={secret}"
//JSON response
{
"access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6InRlc3QifQ.eyJzY29wZSI6IiIsImNsaWVudF9pZCI6I...",
"token_type": "Bearer",
"expires_in" : 3600
}
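The request above passes `client_secret` on the curl command line, where it is visible in the process list and in shell history. The sketch below builds the same client_credentials request as a curl config read from stdin instead. It is an added example, not Ping Identity's code; the `PINGONE_*` variable names and the function names are assumptions.

```sh
# Added example, not Ping Identity's code. The PINGONE_* variable names and
# the function names are assumptions made for this illustration.

# Escape a value for use inside a double-quoted curl config string.
curl_cfg_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print a curl config for the client_credentials request shown above.
token_request_config() {
  : "${PINGONE_ENV_ID:?set PINGONE_ENV_ID}"
  : "${PINGONE_CLIENT_ID:?set PINGONE_CLIENT_ID}"
  : "${PINGONE_CLIENT_SECRET:?set PINGONE_CLIENT_SECRET}"
  # The environment ID becomes a URL path segment: accept only UUID characters.
  case $PINGONE_ENV_ID in
    *[!0-9A-Fa-f-]*) echo "PINGONE_ENV_ID is not a UUID" >&2; return 1 ;;
  esac
  printf 'url = "https://auth.pingone.com/%s/as/token"\n' "$PINGONE_ENV_ID"
  printf 'data = "grant_type=client_credentials"\n'
  # data-urlencode percent-encodes the value, so "&" or "=" in a secret
  # cannot split or add form parameters.
  printf 'data-urlencode = "client_id=%s"\n' "$(curl_cfg_escape "$PINGONE_CLIENT_ID")"
  printf 'data-urlencode = "client_secret=%s"\n' "$(curl_cfg_escape "$PINGONE_CLIENT_SECRET")"
}

# Send the request. printf is a shell builtin and curl reads the config from
# stdin, so the secret never appears in any process's argument list.
fetch_token() {
  cfg=$(token_request_config) || return 1
  printf '%s\n' "$cfg" | curl --silent --show-error --fail --config -
}
```

Load the secret into `PINGONE_CLIENT_SECRET` from a secrets manager or a file readable only by the service account, then call `fetch_token`.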
PingOne for Customers allows you to use stronger authentication factors, such as push notifications, SMS or email as primary sign-on methods in place of passwords. Doing this allows you to achieve passwordless authentication for users who have set up a trusted phone number, email or device. Using push notifications is particularly convenient for this purpose as it allows your users to sign on using your custom iOS or Android mobile app with a secure and simple face scan or fingerprint.
With SAML, OAuth 2 and OpenID Connect support, you can facilitate single sign-on (SSO) use cases across all of your applications. Even if you have apps that aren’t based on standards, you can significantly extend the SSO capabilities of PingOne for Customers by integrating with PingFederate, our market-leading SSO software solution for on-premises and hybrid IT environments.
PingOne for Customers can act as a SAML 2.0 identity provider (IdP) or service provider. Any internal or partner application can reroute authentication requests to your application through PingOne for Customers when it’s acting as an IdP. Once authenticated, your application can redirect users and send SAML assertions to any SAML-enabled application. When acting as a SAML 2.0 service provider, PingOne for Customers lets you allow users to authenticate with third-party SAML IdPs. Those applications can then pass a SAML assertion to PingOne for Customers, allowing users to access any applications it protects. In this way, PingOne for Customers can help create an application or central identity service that acts as an identity hub to provide consistent sign-on experiences to any number of internal or external applications.
With support for OAuth 2 and OpenID Connect, your applications can determine a user’s authentication state and can also access user data. Applications can obtain access tokens from PingOne for Customers with scopes that grant them access to only specific sets of data and resources they require.
The code sample below creates a userinfo authorization request:
curl -X POST "https://auth.pingone.com/{environmentId}/as/userinfo" \
-H "Authorization: Bearer token"
PingOne for Customers has out-of-the-box configuration options to allow your users to register or sign on using Facebook. This streamlines those processes for your customers and gives them an easy way to gain access to your applications. Customers can also unlink social accounts even after they’ve registered.
Many apps that your enterprise hosts on premises or in virtual private clouds may not be based on standards. PingOne for Customers can integrate with your software products to help facilitate agentless SSO to any application, even if some of those applications aren’t based on identity standards like SAML or OpenID Connect. These hybrid IT capabilities allow you to coexist with any and all on-prem applications within your enterprise. This not only helps your architects and IT teams provide you with an easy-to-use customer identity tool that meets their flexibility and security standards, but it also helps facilitate your company’s cloud-first initiatives.
MFA is becoming your best defense against compromised customer credentials, account takeover attempts and fraud. PingOne for Customers’ APIs make it easy to configure MFA into your authentication flows. You can even use REST APIs to offer your customers self-service features and let them choose their preferred MFA method, giving
The code sample below enables MFA for an end-user:
curl -X GET "https://api.pingone.com/v1/environments/{environmentId}/users/{userId}/mfaEnabled" \
-H "Content-type: application/json" \
-H "Authorization: Bearer jwtToken"
If you choose to require SMS or email authentication in certain apps or scenarios, PingOne for Customers will send a one-time passcode (OTP) to a user’s registered email or phone number and require the user to enter the OTP they received. If the OTP is validated, the user will be able to continue their authentication. Once you define where you want to require MFA in your flows and link a trusted device with a user, MFA can be enabled for users with a simple REST API call.
PingOne for Customers has a mobile SDK that allows you to send push notifications from your company’s custom iOS or Android mobile application. Since this method uses unique device secrets associated with only one device and allows users to sign on with a simple fingerprint or face scan, it’s more secure and more convenient than MFA via SMS or email. PingOne for Customers also has APIs and out-of-the-box UIs that allow customers to manage the trusted devices associated with their account.
PingOne for Customers offers robust user-management capabilities. You can query and inspect users based on their associated environment or population. User data and activity can also be retrieved via REST API calls for third-party analytics tools.
You can allow administrators to enable or disable built-in attributes, or add new structured or unstructured attributes to user schemas. Managing your schema is easy with the administrative console or using REST API calls. In either case, you’ll never have to worry about risky and time-consuming schema migrations to get the attributes you need in your user table.
Create, read, update, delete (CRUD) and search queries can be performed against the PingOne for Customers cloud data store. You can also inspect the password policies, disable user accounts, verify if a user has a trusted MFA device, enable MFA and much more, all through simple REST API calls.
Here’s what the REST API call looks like to get user data:
curl -X GET "https://api.pingone.com/v1/environments/{environmentId}/users/{userId}" \
-H "Content-type: application/json" \
-H "Authorization: Bearer jwtToken"
PingOne for Customers has the ability to migrate users from an on-premises PingDirectory, or to bidirectionally synchronize those users between the PingOne for Customers user store and PingDirectory. This can help you facilitate your migration to the cloud and ensure that you have a unified profile across your enterprise’s hybrid IT environment.
Using REST APIs, PingOne for Customers allows you to set and update user passwords, check if user passwords are expired, validate user passwords against policies and more. You’ll never have to worry about how to store or encrypt passwords.
To get information about a user’s password, simply substitute your environmentID and userID variables into the REST API call below:
curl -X GET "https://api.pingone.com/v1/environments/{environmentId}/users/{userId}/password" \
-H "Content-type: application/json" \
-H "Authorization: Bearer jwtToken"
With a built-in user activity API, you can granularly analyze user data. For any user populations you have the right to access, you can track sign-on successes and failures, password reset attempts and total active user accounts for specified date ranges. You can get this data and more from the admin UI or through REST API calls with easy-to-read JavaScript Object Notation (JSON) responses. Third-party analytics tools can also query the user activity API to run reporting analytics on PingOne for Customers user data.
By embedding APIs into your application, you can enable self-service to allow users to view and manage their own data. REST APIs can send data to PingOne for Customers from your registration form to create users, and you can read and write data from profile management forms to allow users to view and update their data. You can also make account recovery easy with password reset flows. These critical self-service capabilities aren’t just easy to securely embed into your application—they’re easy for customers to use.
Here’s a sample REST API call for executing a password reset:
curl -X PUT "https://api.pingone.com/v1/environments/{environmentId}/users/{userId}/password" \
-H "Content-type: application/vnd.pingidentity.password.reset+json" \
-H "Authorization: Bearer jwtToken" \
-d $'{
"currentPassword": "changeme",
"newPassword": "difPassword123!"
}'
In addition to APIs for user self-service, there are also customizable, out-of-the-box UIs for user registration, sign-on, profile management, account recovery and more. These UIs can be used to get an app up and running and test it out even faster, or you can use customized versions of the UIs in production if you choose.
With a tenant-in-tenant architecture, you can have multiple environments in a single PingOne for Customers account. Additionally, each environment can have separate user populations that are completely unaware of each other, allowing you to keep different user types from separate applications isolated in their own environments. This is not only a good security practice, but can be used to meet data residency requirements.
PingOne for Customers allows you to establish development, staging and test environments for your application. Each environment can have its own user populations, associated devices, user schemas and other details that you may need to keep isolated within a single environment.
Within each PingOne for Customers environment, you can choose the level of administrative access to grant your administrators. You can even delegate administrative access across environments, ensuring that application owners only have access to view users, configurations and other details that pertain to applications they manage. For example, you can grant your QA team members access to multiple applications, but restrict them from production environments. When PingOne for Customers is used for multiple applications and user types, your IT team can centrally manage who has access to which environments.
PingOne for Customers allows you to choose the data center and region in which you’d like to deploy your environment. This not only makes it easy for you to get the fastest response times as your customers interact with your application, but it also ensures that you’re adhering to data residency requirements.