Description
The Ping Identity connector uses the PingOne Management API to discover user accounts, groups, and group memberships within a PingOne environment. It authenticates using OAuth 2.0 client credentials via a Worker Application registered in PingOne. Pagination follows PingOne's cursor-based _links.next.href pattern.
System Type Classification
| Field | Value |
|---|---|
| System Type | Directory Service |
| Default Scan Priority | 10 (scanned first) |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| PingOne Management REST API (HTTPS + OAuth 2.0) | 443 TCP | Client credentials flow |
What OrbisID Discovers
| Data | Source |
|---|---|
| User accounts | GET /v1/environments/{envId}/users |
| User status (enabled/disabled) | enabled property |
| Population assignment | population.id — stored as attribute |
| Groups | GET /v1/environments/{envId}/groups |
| Group memberships | GET /v1/environments/{envId}/groups/{groupId}/members |
Connection Requirements
PingOne Worker Application
OrbisID authenticates as a Worker Application using the OAuth 2.0 client credentials grant. Worker Applications have direct API access without user interaction.
Steps to create the Worker Application:
- In the PingOne Admin Console, navigate to Applications → Applications
- Click Add Application → Worker
- Give it a name (e.g., OrbisID Scanner) and click Save
- Under the application, go to Configuration and note the Client ID and Client Secret
- Navigate to Roles and assign the following roles on the target environment:
| Role | Purpose |
|---|---|
| Identity Data Read Only | Read user accounts, groups, and populations |
Credential Mapping
| OrbisID Field | PingOne Value |
|---|---|
| credential.username | Worker Application client ID |
| credential.password | Worker Application client secret |
System Attributes
| Attribute | Required | Default | Description |
|---|---|---|---|
| pingEnvironmentId | Yes | — | PingOne environment ID (UUID, found in Environment → Properties) |
| pingRegion | No | NA | PingOne region: NA, EU, APAC, or CA |
Network Requirements
The OrbisID server (or On-Premise Agent) must have outbound HTTPS access to the PingOne API endpoints for your region:
| Region | API Base URL |
|---|---|
| NA | https://api.pingone.com |
| EU | https://api.pingone.eu |
| APAC | https://api.pingone.asia |
| CA | https://api.pingone.ca |
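The pagination and region settings described above, sketched as an added example (not OrbisID's connector code): it validates pingEnvironmentId and pingRegion, then follows `_links.next.href` only while each link stays on the regional base URL, so the access token is never sent to another host. The `_embedded.users` response shape, the `fetch` callable, and the sample pages are assumptions.

```python
import re
from urllib.parse import urlsplit

# Region -> API base URL, copied from the table above.
REGION_BASE = {"NA": "https://api.pingone.com", "EU": "https://api.pingone.eu",
               "APAC": "https://api.pingone.asia", "CA": "https://api.pingone.ca"}
UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def users_url(env_id, region="NA"):
    """First users URL; rejects bad pingEnvironmentId / pingRegion early."""
    if not UUID_RE.fullmatch(env_id):
        raise ValueError("pingEnvironmentId is not a UUID")
    if region not in REGION_BASE:
        raise ValueError("pingRegion must be NA, EU, APAC or CA")
    return f"{REGION_BASE[region]}/v1/environments/{env_id}/users"

def iter_users(fetch, env_id, region="NA", max_pages=1000):
    """Yield users, following _links.next.href.
    fetch(url) returns the parsed JSON body; the caller adds the bearer token."""
    url, seen = users_url(env_id, region), set()
    base = urlsplit(REGION_BASE[region])
    for _ in range(max_pages):
        parts = urlsplit(url)
        # Pin scheme and host so the access token never leaves the regional API.
        if (parts.scheme, parts.netloc) != (base.scheme, base.netloc):
            raise ValueError(f"next link leaves {base.netloc}: {url}")
        if url in seen:
            raise ValueError("pagination loop detected")
        seen.add(url)
        page = fetch(url)
        # Assumption: users sit under _embedded.users (HAL-style body).
        yield from page.get("_embedded", {}).get("users", [])
        url = page.get("_links", {}).get("next", {}).get("href")
        if not url:
            return
    raise RuntimeError("max_pages exceeded")

# Constructed sample: two pages served from a dict instead of the network.
ENV = "11111111-2222-3333-4444-555555555555"  # constructed UUID
P1 = users_url(ENV, "EU")
P2 = P1 + "?cursor=constructed"  # constructed cursor parameter
PAGES = {
    P1: {"_embedded": {"users": [{"id": "u1", "enabled": True}]},
         "_links": {"next": {"href": P2}}},
    P2: {"_embedded": {"users": [{"id": "u2", "enabled": False}]}, "_links": {}},
}

if __name__ == "__main__":
    print([u["id"] for u in iter_users(PAGES.__getitem__, ENV, "EU")])
```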
Configuration Steps
- Create the Worker Application in PingOne and assign the Identity Data Read Only role
- Note the Client ID and Client Secret from the application configuration
- Create a Credential in OrbisID:
  - Username: Client ID
  - Password: Client Secret
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., PingOne – company.com) |
| Hostname | api.pingone.com (or region-specific URL, for reference) |
| OS Type | Ping Identity |
| System Type | Directory Service |
| Credential | The Worker Application credential |
- Add the required pingEnvironmentId system attribute (and pingRegion if not using the NA region)
- Click Test Connection
- Click Save
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| PingOne authentication failed | Invalid client ID or secret | Verify the client ID and secret from the PingOne Worker Application |
| PingOne access denied (403) | Missing Identity Data Read Only role | Assign the role on the environment in the Worker Application's Roles tab |
| pingEnvironmentId not set | Attribute missing | Add pingEnvironmentId in system attributes with the environment UUID |
| No users returned | Wrong environment ID or region | Verify the pingEnvironmentId matches the correct environment; check pingRegion |
| API call timeout | Wrong region | Verify pingRegion matches your PingOne account region |