Configuration Automation - Ping CLI

Getting started with Ping CLI and PingOne

Connecting Ping CLI to PingOne for interactive sign-on means the CLI runs with the same role permissions as the signed-in user, the same permissions the user has in the PingOne admin console. Environment administrators control who can sign on and can require MFA, so access governance applies equally to the CLI. All actions are audited under the user’s identity.

PingOne also supports the device code flow for headless environments, and client credentials for CI/CD pipelines. This guide covers interactive user sign-on using the authorization code flow with PKCE.

Connect Ping CLI to PingOne in three steps: create an application in the PingOne admin console, configure Ping CLI with its credentials, and authenticate.

Before you begin

Step 1: Create a PingOne worker application

Before configuring Ping CLI, create an application in the PingOne admin console. The application type depends on which authentication flow you intend to use.

  1. Sign on to your PingOne admin console.

  2. Open an environment that contains admin users, typically the Administrators environment. Note that any environment can be used, but using the Administrators environment is recommended for management operations.

  3. Navigate to the Applications link.

  4. Add a new Application with the icon.

  5. For Application Name and Description, enter a unique identifier for the application and a brief characterization of the application.

  6. Select Worker as the application type and click Save.

    Result: The worker application is created, and the Roles tab displays.

  7. Do not grant any roles to the application when CLI users sign on interactively. When a user signs on to Ping CLI through this worker application, the CLI inherits the user’s assigned roles rather than any roles assigned to the application.

  8. On the Configuration tab, click the edit icon to change the application’s settings.

  9. To allow users to sign on using the authorization code method:

    1. Set Response Type to Code.

    2. Set Grant Type to Authorization Code and Refresh Token, and deselect all others.

    3. For PKCE Enforcement, select S256_REQUIRED.

    4. Leave Refresh Token Duration, Refresh Token Rolling Duration, and Refresh Token Rolling Grace Period at their default values, or change them as required.

    5. Add http://127.0.0.1:7464/callback to Redirect URIs.

    6. Set Token Endpoint Authentication Method to None.

  10. Click the toggle to enable the application.

  11. On the Overview tab, take note of the Client ID because it’s needed when configuring Ping CLI.

Step 2: Configure Ping CLI

The following steps configure Ping CLI to use the configured worker application in a new profile.

Create a new CLI profile

Run the following command to create a new configuration profile within the CLI. For the profile name and profile description, enter a unique identifier for the profile and a brief characterization of the profile.

pingcli config profiles add
New profile name: getting-started
New profile description: : A profile to use while getting started with Ping CLI
Set new profile as active: : y

Guided initialization

Ping CLI includes a guided experience for connecting the PingOne platform.

  1. Initialize the CLI for PingOne with the guided experience.

    pingcli pingone init
  2. Use the arrow keys to select the Authorization Code option.

    PingOne Authentication Setup
    ============================
    This will guide you through setting up authentication for PingOne.
    Select the OAuth grant type
    Use the arrow keys to navigate: ↓ ↑ → ←
    ? Authentication Method:
        Client Credentials (recommended for automation)
      ▸ Authorization Code (browser-based)
        Device Code (device flow)
  3. When prompted, use the arrow keys to select the root domain of the PingOne tenant (for example, pingone.com).

  4. When prompted, copy and paste the environment ID for the worker application that was created earlier.

  5. When prompted, copy and paste the client ID for the worker application that was created earlier.

  6. Complete the guided initialization process.

    ✔ PingOne authentication configured successfully!
    Run 'pingcli pingone auth login' to authenticate.

Sign on

After initialization completes, sign on to the PingOne tenant.

pingcli pingone auth login

A browser window opens, allowing you to sign on to the PingOne tenant as an administrator, as usual.

After signing on, the browser window and Ping CLI confirm the successful sign on.

[Screenshot: Ping CLI successful sign-on callback page. The page confirms successful authorization and prompts the user to close the browser window.]

✔ Successfully authenticated with authorization code

Ping CLI is now configured with the PingOne service. Try a command to view tenant configuration:

pingcli pingone environments list
✔ Fetched 29 items
ID                                    NAME                                     DISPLAY NAME                             DESCRIPTION
9457b794-836e-493c-ade4-3a50c6cf877f  Administrators                           Administrators (PRODUCTION)              This is the administrator environmen...
...