PingOne Platform APIs

Applications

Application resources define the connection between PingOne and the actual application (also known as a client connection). PingOne supports several application types. When you make a request to define a new application, you must specify the type property that specifies one of the following application types:

  • Web application

    A browser-based application with a server-side component, such as ASP, CGI, JSP/Java, Node.js, or Ruby on Rails applications.

  • Native application

    An application that is installed and run directly on the local operating system, like Java, Objective-C, Swift, or React applications. Native applications are typically intended for native devices.

  • Single-page application

    A browser-based application that runs on the front-end with no server-side component, such as Sencha Touch, AngularJS, and React applications. A single-page application runs on the client side after it loads, so it cannot keep a client secret.

  • Non-interactive

    A web application that does not require user interaction through the web browser, like a command line interface, a service, or a daemon.

  • Worker

    An administrator application that can interact with platform APIs. Access to platform APIs is determined by the user’s or application’s role assignments.

  • Platform applications

    PingOne creates platform applications (PingOne Admin Console, PingOne Application Portal, PingOne Self-Service - MyAccount, and PingFederate-SSO) when the environment is created. The PingFederate-SSO platform application is created only if the PingOne environment includes PingFederate, and unlike the other platform applications, PingFederate-SSO application information is not returned through a GET request.

For any application type (except Worker/Non-interactive), you can specify either NONE, CLIENT_SECRET_BASIC, or CLIENT_SECRET_POST as the tokenEndpointAuthMethod attribute value. Non-interactive applications use the CLIENT_CREDENTIALS grant type, which does not support a tokenEndpointAuthMethod value of NONE.

Managing applications

The base endpoint, /environment/{{envID}}/applications, provides endpoint operations to create, read, update, and delete OIDC and SAML application connections. There are POST request examples to show the required properties to create each type of application connection. For more information, refer to Application Operations in the PingOne Platform API Reference.

The secret endpoint, /environments/{{envID}}/applications/{{appID}}/secret, provides endpoint operations to read and update the application’s secret, if the requesting actor has a superset of the application’s role assignments. For more information, refer to Application Secret in the PingOne Platform API Reference.

Applications support the following additional configuration properties:

  • Application resource grants

    The application resource grants endpoint, /environments/{{envID}}/applications/{{appID}}/grants, provides endpoint operations to create, read, update, and delete the resource grant associated with the application connection. For more information, refer to Application Resource Grants in the PingOne Platform API Reference.

  • Application sign-on policy assignments

    The application sign-on policy assignments endpoint, /environments/{{envID}}/applications/{{appID}}/signOnPolicyAssignments, provides endpoint operations to create, read, update, and delete the sign-on policies associated with the application connection. For more information, refer to Application Sign-On Policy Assignments in the PingOne Platform API Reference.

  • Application role assignments

    The application role assignments endpoint, /environments/{{envID}}/applications/{{appID}}/roleAssignments, provides endpoint operations to create, read, update, and delete the role assignments associated with the application connection. For more information, refer to Application Role Assignments in the PingOne Platform API Reference.

  • Application attribute mapping

    The application attribute mapping endpoint, /environments/{{envID}}/applications/{{appID}}/roleAssignments, lets you customize the content of an ID token or a SAML assertion by adding custom attributes and their values. For more information, refer to Application Attribute Mapping in the PingOne Platform API Reference.

  • Application MFA push credentials

    Push credentials are required for sending push notifications to a native application. The endpoint, /environments/{{envID}}/applications/{{appID}}/pushCredentials, provides endpoint operations to create, read, update, and delete the push credentials associated with the application connection. This section provides examples for both APNS and FCM push credential types. For more information, refer to Application MFA Push Credentials in the PingOne Platform API Reference.

Workflows

Related topics