PingOne Platform APIs

Platform SSO APIs

The PingOne SSO APIs provide the interface to manage your PingOne organization and the resources associated with your tenant environments. The SSO API can be thought of as the PingOne admin API, and it includes the following entities.

Organization and environments

Organizations

PingOne uses an organization-based model to define tenant accounts and their related entities. The organization is the top-level identifier. It defines your entire enterprise within the PingOne platform.

Environments

An organization contains one or more environments. Environments define separate working domains within an organization. Environments model regions within a large global enterprise and are the defining entity to segregate enterprise operations by functionality, staging environments, or configurations.

Identity management

Users

Users are unique entities that interact with the applications and services within the environment to which they are assigned. User resources in PingOne are the full representation of a user profile, including the user’s relationships, roles, devices, and attributes. Users are associated with populations rather than defined within a population. The user’s association with a population is established as a property on the user resource.

Identity provider management

The identity provider endpoints manage external identity provider configurations to enable social login and inbound SAML login features in PingOne. An external identity provider configuration allows linked users to authenticate and gain access to PingOne resources using the login flow and credentials provided by the external identity provider.

Applications and resource grants

Applications

Applications in PingOne define the connection between the PingOne platform and the actual application (also thought of as the client configuration).

Resources

Resources represent the connections to external services, enabling secure access to PingOne resources and other defined external resources.

Roles, entitlements, and permissions

Roles

Roles, permissions, and entitlements are defined at the root of the platform, and these entitlements apply to all PingOne SSO APIs, regardless of domain. Roles are assigned to users, and these user roles include a scope property to grant the user permissions corresponding to the role. For example, a role of Identity Admin contains permissions allowing the subject to read and edit user data. When this role is assigned to a user, it can be assigned with the scope property that identifies a population or an environment to which the permissions apply.

Calls to the PingOne SSO APIs require an admin-level access token to authenticate the requests. A Worker app is an administrator connection that interacts with the PingOne APIs on your behalf. An access token from a Worker app gives you admin-level access to the PingOne APIs. A Worker app’s roles and permissions determine the authorized access to PingOne API resources.
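The scoped role assignment described above can be reasoned about as a small access check. The following is an added example, not PingOne code or its API schema: the permission strings, the `Auditor` role, the scope type labels, and all IDs are constructed assumptions. It resolves which populations a set of role assignments reaches and flags reach beyond what a Worker app or admin actually needs.

```python
# Added illustration; data model and names are assumptions, not PingOne's API schema.
from dataclasses import dataclass

# Constructed sample: permissions carried by each role (permission strings are hypothetical).
ROLE_PERMISSIONS = {
    "Identity Admin": {"users:read", "users:update"},  # role named on the page
    "Auditor": {"users:read"},                         # hypothetical read-only role
}

# Constructed sample: population -> environment that contains it.
POPULATION_ENV = {
    "pop-employees": "env-prod",
    "pop-contractors": "env-prod",
    "pop-testers": "env-staging",
}

@dataclass(frozen=True)
class RoleAssignment:
    role: str
    scope_type: str  # "ENVIRONMENT" or "POPULATION" (assumed labels)
    scope_id: str

def covered_populations(assignment):
    """Populations reached by one assignment's scope; unknown scope types fail closed."""
    if assignment.scope_type == "POPULATION":
        return {assignment.scope_id} if assignment.scope_id in POPULATION_ENV else set()
    if assignment.scope_type == "ENVIRONMENT":
        return {p for p, e in POPULATION_ENV.items() if e == assignment.scope_id}
    raise ValueError(f"unknown scope type: {assignment.scope_type!r}")

def effective_populations(assignments, permission):
    """Union of populations where some assigned role grants `permission`."""
    reach = set()
    for a in assignments:
        if permission in ROLE_PERMISSIONS.get(a.role, set()):
            reach |= covered_populations(a)
    return reach

def is_authorized(assignments, permission, population):
    return population in effective_populations(assignments, permission)

def excess_scope(assignments, permission, needed):
    """Least-privilege check: populations reachable but not required."""
    return effective_populations(assignments, permission) - set(needed)

# Constructed subjects: a help-desk admin and a Worker app with environment-wide scope.
HELPDESK = [RoleAssignment("Identity Admin", "POPULATION", "pop-contractors"),
            RoleAssignment("Auditor", "ENVIRONMENT", "env-prod")]
WORKER = [RoleAssignment("Identity Admin", "ENVIRONMENT", "env-prod")]
```

A non-empty result from `excess_scope` for a Worker app is a signal to narrow the assignment's scope from the environment to the specific population.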