# PingOne

### Overview

The Veza integration for Ping Identity enables the discovery of PingOne Users, Groups, Roles, Populations, Applications, and external Identity Providers.

Once configured, you can use the integration to:

* Extract and search for user attributes, including custom attributes.
* Display users and their assigned applications based on group membership.
* Review all users, identity providers, and applications in a PingOne environment.
* Add custom mappings to define relationships with other integrated systems.

See [notes and supported entities](#notes-and-supported-entities) for more information.

### Setting up the PingOne Integration

#### Create a new application to access all environments

You will need to create a **Worker** application in PingOne to enable API access. Worker applications are service-level applications that use OAuth 2.0 client credentials flow to authenticate with PingOne APIs. The application's access to PingOne resources is determined by the role(s) assigned to it.

Complete the following steps in Ping to create a new application and retrieve client credentials:

1. In one of your environments, navigate to **Connections** > **Applications**.
2. Click on **+** to add a new application.
3. Provide a name and select the application type as **Worker**. Confirm by clicking **Save**.
4. In the **Roles** tab, click **Grant roles**.
5. Grant the following roles to enable full integration functionality:
   * **Configuration Read Only** (under **Organization**): Provides read-only access to environment configuration data
   * **Identity Data Read Only**: Provides read-only access to user and identity information. Assign this role to all environments you want to extract data from
6. Confirm by clicking **Save**.
7. Navigate to the **Configuration** tab and securely store the client ID, client secret, and environment ID.

   ![Get ID, secret, and environment](/files/r8hixvG1y7uZM1EN41tE)

{% hint style="info" %}
Follow the principle of least privilege by only granting the minimum permissions required. The read-only roles ensure Veza can access necessary data without the ability to modify your PingOne configuration or user data.
{% endhint %}

Proceed to the Veza platform to complete the integration using the client secret, client ID, and environment ID obtained from step 7.

#### Add the integration in Veza

1. Within Veza, navigate to **Integrations**.
2. Click **Add New** and choose **Ping One** as the integration type.
3. Provide the necessary details and click **Save**.

| Field          | Notes                                                                          |
| -------------- | ------------------------------------------------------------------------------ |
| Environment ID | Unique identifier for a specific environment within the PingIdentity platform. |
| Client ID      | Unique identifier for the client application.                                  |
| Client Secret  | Confidential key used by the integration.                                      |
| Region         | The region of your Ping One organization, for example, `Europe`.               |

Before saving the configuration, you can add [Mapping Configurations](/4yItIzMvkpAvMVFAamTf/integrations/configuration/custom-identity-mappings.md) for any data sources that Ping Users might access.

### Cross-Service Identity Mapping

PingOne supports cross-service identity mapping, allowing you to correlate PingOne users and groups with identities in other integrated systems. This capability enables access reviews and identity governance across your environment.

#### Supported Cross-Service Scenarios

**PingOne as Identity Source:**

* Map PingOne users to local accounts in downstream applications (databases, cloud services, custom applications)
* Connect PingOne groups to groups in target systems for access inheritance

**PingOne as Destination System:**

* Map users from other Identity Providers (Azure AD, Okta, Active Directory) to PingOne users
* Enable cross-service access reviews between PingOne and other integrated systems
* Correlate Azure AD groups with PingOne groups for unified access governance

#### Common Use Cases

1. **Azure AD to PingOne Mapping:**
   * Source: Azure AD User `john.smith@company.com`
   * Destination: PingOne User `john.smith@company.com`
   * Configuration: User Principal Name to Email mapping with cross-service access reviews
2. **PingOne to Application Mapping:**
   * Source: PingOne User `jane.doe@company.com`
   * Destination: Database login `jdoe`
   * Configuration: Email to username transformation
3. **Group-Level Mapping:**
   * Source: Azure AD Group `Finance-Team`
   * Destination: PingOne Group `Finance Users`
   * Configuration: Name-based mapping with special character normalization

#### Enabling Cross-Service Mapping

To configure cross-service identity mapping with PingOne:

1. Ensure both PingOne and your target systems are successfully integrated with Veza
2. Navigate to your source Identity Provider integration (e.g., Azure AD, Okta)
3. Add a **Mapping Configuration** with PingOne as the **Destination Data Source Type**
4. Configure property matchers based on your identity correlation requirements
5. Test the mapping to ensure proper identity correlation

For detailed configuration steps, see [Custom Identity Mappings](/4yItIzMvkpAvMVFAamTf/integrations/configuration/custom-identity-mappings.md).

You can also define any **Custom Properties** for PingOne users that Veza should import. PingOne supports two types of [custom attributes](https://docs.pingidentity.com/pingone/pingone_tutorials/p1_add_custom_attributes_to_a_user.html):

* **Declared** (string attributes, possibly multivalued)
* **JSON** (structured)

Veza supports only **Declared** attributes (strings and lists of strings). JSON attributes are not currently recognized.

### Troubleshooting

#### Common Setup Issues

| Issue                                                | Troubleshooting Steps                                                                                                                                                                                                                                                                                                                       |
| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Missing permissions error during data extraction** | <p>- Verify both <strong>Configuration Read Only</strong> and <strong>Identity Data Read Only</strong> roles are assigned<br>- Ensure <strong>Identity Data Read Only</strong> is scoped to all environments you want to extract data from<br>- Check that the worker application has been granted admin consent for the assigned roles</p> |
| **Authentication failures**                          | <p>- Confirm the Client ID and Client Secret are copied correctly from the Configuration tab<br>- Verify the Environment ID matches the environment where the worker application was created<br>- Ensure the correct Region is selected in the Veza integration configuration</p>                                                           |
| **Missing user or application data**                 | <p>- Worker applications only have access to data within environments where they have the appropriate role assignments<br>- If data appears incomplete, verify the <strong>Identity Data Read Only</strong> role is assigned to all relevant environments</p>                                                                               |
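
The least-privilege hint in the setup section and the permission rows in the table above come down to the same check: the worker application should hold exactly the two read-only roles, with **Identity Data Read Only** on every environment you want extracted. The sketch below is an added example, not Veza or Ping Identity code. The record shape (`role`, `scope_type`, `scope_id`), the IDs, and the choice to count only environment-scoped grants are assumptions made for illustration.

```python
REQUIRED_ORG_ROLE = "Configuration Read Only"
REQUIRED_ENV_ROLE = "Identity Data Read Only"
ALLOWED_ROLES = {REQUIRED_ORG_ROLE, REQUIRED_ENV_ROLE}


def audit_worker_roles(assignments, target_envs):
    """Compare a worker app's role assignments with what this page requires.

    assignments: list of dicts with keys role, scope_type, scope_id
                 (simplified, assumed shape; not the raw PingOne API response).
    target_envs: environment IDs Veza is expected to extract data from.
    """
    # Any role outside the two read-only roles is more privilege than needed.
    excess = {a["role"] for a in assignments if a["role"] not in ALLOWED_ROLES}
    has_config_read = any(
        a["role"] == REQUIRED_ORG_ROLE and a["scope_type"] == "ORGANIZATION"
        for a in assignments
    )
    # Assumption: only environment-scoped grants of the identity role count.
    identity_envs = {
        a["scope_id"]
        for a in assignments
        if a["role"] == REQUIRED_ENV_ROLE and a["scope_type"] == "ENVIRONMENT"
    }
    targets = set(target_envs)
    return {
        "excess_roles": sorted(excess),
        "missing_config_read": not has_config_read,
        # Environments that would show missing or incomplete data.
        "envs_missing_identity_read": sorted(targets - identity_envs),
        # Read access granted to environments nobody asked to extract.
        "envs_not_targeted": sorted(identity_envs - targets),
    }


# Constructed sample data: placeholder IDs, not from a real tenant.
SAMPLE_ASSIGNMENTS = [
    {"role": "Configuration Read Only", "scope_type": "ORGANIZATION", "scope_id": "org-example"},
    {"role": "Identity Data Read Only", "scope_type": "ENVIRONMENT", "scope_id": "env-prod"},
    {"role": "Identity Data Read Only", "scope_type": "ENVIRONMENT", "scope_id": "env-sandbox"},
    {"role": "Client Application Developer", "scope_type": "ENVIRONMENT", "scope_id": "env-prod"},
]

if __name__ == "__main__":
    findings = audit_worker_roles(SAMPLE_ASSIGNMENTS, ["env-prod", "env-staging"])
    for key, value in findings.items():
        print(f"{key}: {value}")
```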

### Notes and Supported Entities

After enabling the integration, Veza will discover the following entity types and attributes:

#### Ping One Organization

An Organization is the primary entity within Ping Identity, encompassing one or more Environments. Each environment is configured individually.

Attributes supported by Veza:

* OrganizationType
* Description

#### Ping One Environment

Each PingOne Environment houses distinct sets of Users, Groups, Applications, and Identity Providers.

Attributes supported by Veza:

* OrganizationID
* Region
* Description
* EnvironmentType

#### Ping One User

A User entity represents an account or digital identity utilized for single sign-on with applications integrated with PingIdentity IAM solutions.

Attributes supported by Veza:

* EMail
* CreatedAt
* UpdatedAt
* UserLastLogin
* UserIsActive
* UserIsLocked
* MFAActive
* FirstName
* LastName
* NickName
* IDPUniqueID
* CountryCode
* Region
* EmailVerified
* ExternalID
* LifecycleStatus
* VerifyStatus
* Title
* Username
* RoleAssignments

#### Ping One Application

Users can access different applications based on their configurations within Ping.

Attributes supported by Veza:

* CreatedAt
* UpdatedAt
* UserIsActive
* HiddenFromUI
* LoginPageURL
* Protocol
* Type
* ACLAdminUserOnly
* ACLGroupsAll
* ACLGroupsAny
* ServiceProviderEntityID
* AcsUrls

Within Ping, application access can be restricted in two ways: (1) to admins only, and (2) by group membership. The group membership requirement has the following options:

* No group limitation
* Users must belong to any of the selected groups
* Users must belong to all selected groups
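
For an access review, the restrictions above can be evaluated per user to see who can reach each application and which applications have no restriction at all. This is an added example, not Veza or Ping Identity code. It reuses the attribute names `ACLAdminUserOnly`, `ACLGroupsAll` and `ACLGroupsAny`, but the value types (a boolean and lists of group names), the user records, and the rule that every configured restriction must hold together are assumptions.

```python
def can_access(app, user_groups, is_admin):
    """Apply an application's access restrictions to one user.

    Assumption: when several restrictions are set, all of them must be met.
    """
    groups = set(user_groups)
    if app.get("ACLAdminUserOnly") and not is_admin:
        return False
    required_all = set(app.get("ACLGroupsAll") or [])
    if required_all and not required_all <= groups:
        return False  # user is missing at least one required group
    required_any = set(app.get("ACLGroupsAny") or [])
    if required_any and not (required_any & groups):
        return False  # user is in none of the selected groups
    return True


def users_with_access(app, users):
    """Sorted names of users who pass every restriction on the application."""
    return sorted(
        name for name, u in users.items()
        if can_access(app, u["groups"], u["admin"])
    )


def unrestricted_apps(apps):
    """Applications with no admin or group limitation: open to every user."""
    return sorted(
        name for name, app in apps.items()
        if not (app.get("ACLAdminUserOnly") or app.get("ACLGroupsAll")
                or app.get("ACLGroupsAny"))
    )


# Constructed sample data for illustration only.
USERS = {
    "alice": {"groups": ["Finance Users", "Managers"], "admin": False},
    "bob": {"groups": ["Finance Users"], "admin": False},
    "carol": {"groups": [], "admin": True},
}
APPS = {
    "Payroll": {"ACLGroupsAll": ["Finance Users", "Managers"]},
    "Expenses": {"ACLGroupsAny": ["Finance Users", "Managers"]},
    "Admin Console": {"ACLAdminUserOnly": True},
    "Wiki": {},
}

if __name__ == "__main__":
    for app_name, app in APPS.items():
        print(app_name, users_with_access(app, USERS))
    print("unrestricted:", unrestricted_apps(APPS))
```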

#### Ping One Group

A group consists of users who might be granted access to Applications and can be associated with Populations.

Attributes supported by Veza:

* IDPUniqueID
* UserFilter
* Description
* Population
* ExternalID

#### Ping One Population

In addition to groups, Ping Identity introduced Populations that can be associated with Users and Groups.

Attributes supported by Veza:

* Default
* Description
* Population

#### Ping One Role

Roles are collections of permissions assignable to an application, connection, or user. Examples include roles like `Organization Admin` or `Client Application Developer`.

Attributes supported by Veza:

* Permissions
* Description
* Scope

