PingOne Platform APIs

Application Management

Application resources define the connection between PingOne and the actual application (also known as a client connection). The application type you choose to create includes default settings that you’re free to change. For example, you can configure the settings for a Single-Page application to match the settings for a Web application. This is by design for maximum flexibility.

Learn more in Applications in the PingOne admin guide.

When you make a request to create a new application, you must specify the type property that specifies one of the following application types:

  • Web application

    A browser-based application with a server-side component, such as ASP, CGI, JSP/Java, Node.js, or Ruby on Rails applications.

  • Native application

    An application that is installed and run directly on the local operating system, like Java, Objective-C, Swift, or React applications. Native applications are typically intended for mobile devices. These native applications are optionally configured using the mobile property.

  • Single-Page application

    A browser-based application that runs on the front-end with no server-side component, such as Sencha Touch, AngularJS, and React applications. A single page application runs on the client side after it loads, so it cannot keep a client secret.

  • Non-interactive

    A web application that does not require user interaction through the web browser, like a command line interface, a service, or a daemon.

  • Worker

    An administrator application that can interact with platform APIs. Access to platform APIs is determined by the user’s or application’s role assignments. The role assignment for a Worker app is set by the assignActorRoles property.

  • Device authorization

    Creating an application of this type initiates an action that returns an activation code to the end user. This enables you to obtain authorization from the end user through (what is typically) a mobile device.

  • Platform applications

    PingOne creates platform applications (PingOne Admin Console, PingOne Application Portal, PingOne Self-Service - MyAccount, and PingFederate-SSO) when the environment is created. The PingFederate-SSO platform application is created only if the PingOne environment includes PingFederate, and unlike the other platform applications, PingFederate-SSO application information is not returned through a GET request.

These are the default grantTypes, response_type, and tokenEndpointAuthMethod attributes for the application types:

| Application type | Grant type | Response type | Token endpoint authentication method |
| --- | --- | --- | --- |
| Device Authorization | DEVICE_CODE, REFRESH_TOKEN | N/A | NONE |
| Native | AUTHORIZATION_CODE, IMPLICIT | TOKEN, ID_TOKEN, CODE | NONE |
| Single-page | IMPLICIT | TOKEN, ID_TOKEN | NONE |
| Web | AUTHORIZATION_CODE | CODE | CLIENT_SECRET_BASIC |
| Worker/Non-interactive | CLIENT_CREDENTIALS | TOKEN | CLIENT_SECRET_BASIC |

For any application type except Worker/Non-interactive, you can specify NONE, CLIENT_SECRET_BASIC, or CLIENT_SECRET_POST as the tokenEndpointAuthMethod attribute value. Non-interactive applications use the CLIENT_CREDENTIALS grant type, which does not support a tokenEndpointAuthMethod value of NONE.
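The defaults and the tokenEndpointAuthMethod rule above can be checked mechanically when reviewing application configurations. The following is an added example, not code from PingOne: it audits application records for the unsupported CLIENT_CREDENTIALS/NONE combination, for secret-based authentication on a single-page application (which cannot keep a client secret), and for drift from the type's defaults. The appType key (using the table's labels), the record shape, and the sample records are assumptions constructed for illustration.

```python
# Added example (not PingOne code): audit application records against this page's
# defaults table and auth-method rule. "appType" and the record shape are assumed.

# appType label -> (default grantTypes, default response_type, default auth method)
DEFAULTS = {
    "Device Authorization": ({"DEVICE_CODE", "REFRESH_TOKEN"}, set(), "NONE"),
    "Native": ({"AUTHORIZATION_CODE", "IMPLICIT"}, {"TOKEN", "ID_TOKEN", "CODE"}, "NONE"),
    "Single-page": ({"IMPLICIT"}, {"TOKEN", "ID_TOKEN"}, "NONE"),
    "Web": ({"AUTHORIZATION_CODE"}, {"CODE"}, "CLIENT_SECRET_BASIC"),
    "Worker/Non-interactive": ({"CLIENT_CREDENTIALS"}, {"TOKEN"}, "CLIENT_SECRET_BASIC"),
}
AUTH_METHODS = {"NONE", "CLIENT_SECRET_BASIC", "CLIENT_SECRET_POST"}


def audit(app):
    """Return a list of (severity, message) findings for one application record."""
    label = app.get("appType")
    if label not in DEFAULTS:
        return [("error", f"unknown application type: {label!r}")]
    grants = set(app.get("grantTypes", []))
    responses = set(app.get("response_type", []))
    method = app.get("tokenEndpointAuthMethod")
    d_grants, d_responses, d_method = DEFAULTS[label]
    findings = []
    if method not in AUTH_METHODS:
        findings.append(("error", f"unsupported tokenEndpointAuthMethod: {method!r}"))
    # Rule from the page: CLIENT_CREDENTIALS cannot be combined with NONE.
    if "CLIENT_CREDENTIALS" in grants and method == "NONE":
        findings.append(("error", "CLIENT_CREDENTIALS does not support tokenEndpointAuthMethod NONE"))
    # A single-page app cannot keep a client secret, so a secret-based
    # method there does not actually authenticate the client.
    if label == "Single-page" and method in AUTH_METHODS - {"NONE"}:
        findings.append(("warn", "secret-based auth on a client that cannot keep a secret"))
    # Drift from the type's defaults is allowed, but worth a reviewer's eye.
    if grants - d_grants:
        findings.append(("review", f"extra grantTypes: {sorted(grants - d_grants)}"))
    if responses - d_responses:
        findings.append(("review", f"extra response_type: {sorted(responses - d_responses)}"))
    if method in AUTH_METHODS and method != d_method:
        findings.append(("review", f"auth method {method} differs from default {d_method}"))
    return findings


# Constructed sample records, not real tenant data.
SAMPLES = [
    {"appType": "Web", "grantTypes": ["AUTHORIZATION_CODE"], "response_type": ["CODE"], "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC"},
    {"appType": "Worker/Non-interactive", "grantTypes": ["CLIENT_CREDENTIALS"], "response_type": ["TOKEN"], "tokenEndpointAuthMethod": "NONE"},
    {"appType": "Single-page", "grantTypes": ["IMPLICIT", "AUTHORIZATION_CODE"], "response_type": ["TOKEN", "ID_TOKEN", "CODE"], "tokenEndpointAuthMethod": "CLIENT_SECRET_POST"},
]
```

Calling audit() on each entry of SAMPLES returns an empty list for the default Web record and findings for the other two.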

Managing applications

The base endpoint, /environments/{{envID}}/applications, provides endpoint operations to create, read, update, and delete OIDC and SAML application connections. POST request examples show the required properties to create each type of application connection. For more information, refer to Application Operations.

The secret endpoint, /environments/{{envID}}/applications/{{appID}}/secret, provides endpoint operations to read and update the application’s secret, if the requesting actor has a superset of the application’s role assignments. For more information, refer to Application Secret.

Applications support the following additional configuration properties:

  • Application resource grants

    The application resource grants endpoint, /environments/{{envID}}/applications/{{appID}}/grants, provides endpoint operations to create, read, update, and delete the resource grant associated with the application connection. For more information, refer to Application Resource Grants.

  • Application sign-on policy assignments

    The application sign-on policy assignments endpoint, /environments/{{envID}}/applications/{{appID}}/signOnPolicyAssignments, provides endpoint operations to create, read, update, and delete the sign-on policies associated with the application connection. For more information, refer to Application Sign-On Policy Assignments.

  • Application role assignments

    The application role assignments endpoint, /environments/{{envID}}/applications/{{appID}}/roleAssignments, provides endpoint operations to create, read, update, and delete the role assignments associated with the application connection. For more information, refer to Application Role Assignments.

  • Application attribute mapping

    The application attribute mapping endpoint, /environments/{{envID}}/applications/{{appID}}/roleAssignments, lets you customize the content of an ID token or a SAML assertion by adding custom attributes and their values. For more information, refer to Application Attribute Mapping.

  • Application MFA push credentials

    Push credentials are required for sending push notifications to a native application. The endpoint, /environments/{{envID}}/applications/{{appID}}/pushCredentials, provides endpoint operations to create, read, update, and delete the push credentials associated with the application connection. This section provides examples for both APNS and FCM push credential types. For more information, refer to Application MFA Push Credentials.
