By integrating Ping Advanced Identity Cloud with OwnID, you can implement the full set of OwnID features to simplify and streamline your user login experience.

How it Works

OwnID supports integration with Ping Advanced Identity Cloud through our pre-built Ping Advanced Identity Cloud Connector. Configuration on the Ping Advanced Identity Cloud side happens through your AIC Dashboard. Ensure you have an account with admin access in Ping Advanced Identity Cloud. Complete these basic steps to integrate OwnID with Ping Advanced Identity Cloud:

  • Step 1 - Create a service account
  • Step 2 - Create the OwnID App
  • Step 3 - Define a custom user attribute
  • Step 4 - Configure an OIDC provider
  • Step 5 - Configure screen flows
  • Step 6 - Frontend Integration

Step 1 - Create a service account

Create a new service account with the fr:idm:* scope. You should get a service account ID and a private JWK file. These two values, along with the tenant FQDN and realm, are the values required for the integration configuration in OwnID. Reference: https://docs.pingidentity.com/pingoneaic/latest/tenants/service-accounts.html#create-a-new-service-account

Step 2 - Create the OwnID App

We’ll create a new OwnID app using the Ping Advanced Identity Cloud Connector. An OwnID App is what connects the existing identity provider used by your website with the OwnID widget you insert on the front end. Each of your OwnID Apps acts as the central point of configuration for one of your integrations. These no-code Apps are created, hosted, and maintained entirely within the OwnID Console environment. When you create an App, it’s assigned a unique appId automatically. Use that appId in OwnID SDK interactions from your website’s front end.

To Create an OwnID App

Please contact the OwnID team to create a new OwnID app with Ping Advanced Identity Cloud Connector.

Step 3 - Define a custom user attribute

  1. Go to AIC dashboard
  2. Go to Native Consoles > Identity Management.
  3. Click Configure > Managed Objects and click Alpha_user.
  4. On the Alpha_user page, click Add a property.
  5. Create property custom_ownIdConnections of type string.
  6. Edit it and fill in:
    • Title: ownIdConnections
    • Description: OwnID Authentication Connections
    • Enable only the Viewable toggle

Securing User’s Personal Data: OwnID does not store or process any user data. Users’ public keys and device information are stored on your platform. Private keys are kept exclusively on the user’s device and are never transmitted elsewhere.

Step 4 - Configure an OIDC provider

  1. Go to AIC dashboard
  2. Go to Native Consoles > Access Management
  3. On the left navbar, click Scripts > New Script and create a new script with the name OwnID Profile Normalization and type Social Identity Provider Profile Transformation.
  4. Copy and paste the following code into the script editor and click Save:
import static org.forgerock.json.JsonValue.field
import static org.forgerock.json.JsonValue.json
import static org.forgerock.json.JsonValue.object

// OwnID returns the user's email in the "sub" claim prefixed with "Email:";
// strip that prefix to obtain the plain email address.
def derivedEmail = rawProfile.sub.toString().replace("Email:", "")

// Build the normalized profile AIC expects from a social identity provider.
// The email is used both as the email attribute and as the username.
return json(object(
        field("id", rawProfile.sub),
        field("displayName", ""),
        field("givenName", ""),
        field("familyName", ""),
        field("photoUrl", ""),
        field("email", derivedEmail),
        field("username", derivedEmail),
        field("locale", "en")
))
  5. On the left navbar, click Services > Social Identity Provider Service.
  6. Choose Secondary Configurations, click Add a Secondary Configuration, and select the Client configuration for providers that implement the OpenID Connect specification option.
  7. Complete the following configuration and click Create:
    1. Name: OwnID
    2. Auth ID Key: sub
    3. Client ID: Enter the client ID listed for your OwnID App's OIDC client
    4. Authentication Endpoint URL: http://{appUrl}/oidc/auth
    5. Access Token Endpoint URL: http://{appUrl}/oidc/token
    6. Token Introspection Endpoint URL: http://{appUrl}/oidc/token_info
    7. User Profile Service URL: http://{appUrl}/oidc/user_info
    8. JWKS URI Endpoint: http://{appUrl}/oidc/jwks
    9. Redirect URL: https://<tenant-env-fqdn>/login
    10. Scope Delimiter: a space " "
    11. OAuth Scopes: Enter openid, profile, and email, one at a time
    12. Issuer: {appUrl}
    13. Transform Script: OwnID Profile Normalization
  8. Now add the Client Secret value to the new configuration (it can only be added after saving).

Step 5 - Configure screen flows

Login screen

  1. Go to AIC dashboard
  2. Go to Journeys > Custom Nodes and create a new custom node with the name OwnID Receiver and type Basic Authentication. Leave the Properties tab empty. In the Settings tab, add an outcome named next. For Script, set the following content:
// Replace the HOTP generated by the previous node with the code issued by OwnID,
// so that the OTP Collector Decision node validates against OwnID's code.
nodeState.putTransient("oneTimePassword", nodeState.get("ownidCode"));
// Continue to the single "next" outcome defined in the Settings tab.
action.goTo("next");
  3. Go to Journeys > Journeys and create a new journey with the following nodes:
  • Add a Page Node.
    • In this node, add a Username Collector.
    • Also in this node, add an Attribute Collector widget. Under Attributes to Collect, add the value custom_ownIdConnections. Mark all attributes as required. Set Identity Attribute to userName.
  • Add an HTTP Client node and connect the Page Node to it. Set the following in the node configuration:
    • Body Content Encoding: JSON
    • Rest URL: https://<appUrl>/api/session/code (replace <appUrl> with your OwnID app URL)
    • Method: GET
    • In Headers, add Key=Authorization, Value=Bearer ${objectAttributes.$.custom_ownIdConnections} (leave the expression as is). Make sure to click Done before clicking Save in the modal.
    • In JSON Response Handler, add Key=ownidCode, JSON Path=$.code (leave the expression as is). Make sure to click Done before clicking Save in the modal.
    • Leave the other fields at their default values.
  4. Add an HOTP Generator node and connect the HTTP Client node to it.
  5. Add the custom OwnID Receiver node created above and connect the HOTP Generator node to it.
  6. Add an OTP Collector Decision node and connect the OwnID Receiver node to it.
  7. Finish the flow by connecting the OTP Collector Decision node to your journey completion logic.
Auth journey example
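The journey above is easier to reason about when each node is written out as a function. The following is an added example, not Ping's or OwnID's own code: a plain-JavaScript model of the login journey in which the HTTP Client, HOTP Generator, OwnID Receiver and OTP Collector Decision nodes each act on a shared nodeState object. The response shape { code: "..." } follows the JSON Path $.code configured in the HTTP Client node; the app URL, the connection value, the code and the synchronous `request` stand-in for the node's HTTP call are all constructed.

```javascript
// Added example, not Ping's or OwnID's own code: a model of the login journey.
// Each AIC node becomes one function acting on a shared nodeState object.

const OWNID_APP_URL = "https://ownid-app.example"; // constructed placeholder for <appUrl>

// HTTP Client node: GET <appUrl>/api/session/code with the user's stored
// custom_ownIdConnections value as the bearer token, then keep $.code from the
// JSON body as ownidCode. `request` is a synchronous stand-in for the node's
// HTTP call and returns { status, body }.
function httpClientNode(nodeState, request) {
  const connections = nodeState.objectAttributes.custom_ownIdConnections;
  if (!connections) {
    throw new Error("no OwnID connection data collected for this user");
  }
  const res = request(`${OWNID_APP_URL}/api/session/code`, {
    method: "GET",
    headers: { Authorization: `Bearer ${connections}` },
  });
  if (res.status !== 200) {
    throw new Error(`OwnID session code request failed with ${res.status}`);
  }
  if (typeof res.body.code !== "string" || res.body.code === "") {
    throw new Error("OwnID response carries no $.code");
  }
  nodeState.ownidCode = res.body.code;
}

// HOTP Generator node: writes a generated one-time password into transient
// state. A fixed value stands in for the generator here.
function hotpGeneratorNode(nodeState) {
  nodeState.oneTimePassword = "000000"; // constructed stand-in for a generated HOTP
}

// OwnID Receiver node (the custom node script from Step 5): overwrite the
// generated password with the code OwnID issued, so only OwnID's code passes.
function ownIdReceiverNode(nodeState) {
  nodeState.oneTimePassword = nodeState.ownidCode;
  return "next";
}

// OTP Collector Decision node: compare the submitted code with transient state.
function otpCollectorDecisionNode(nodeState, submittedCode) {
  return submittedCode === nodeState.oneTimePassword ? "true" : "false";
}

// Run the journey for one user and return the decision outcome ("true"/"false").
function runLoginJourney(username, connections, submittedCode, request) {
  const nodeState = {
    username,
    objectAttributes: { custom_ownIdConnections: connections },
  };
  httpClientNode(nodeState, request);
  hotpGeneratorNode(nodeState);
  ownIdReceiverNode(nodeState);
  return otpCollectorDecisionNode(nodeState, submittedCode);
}

// Constructed stand-in for the OwnID endpoint: accepts exactly one bearer value
// and answers with the given code; anything else is rejected with 401.
function fakeOwnIdRequest(validConnections, code) {
  return (url, init) => {
    const accepted =
      url === `${OWNID_APP_URL}/api/session/code` &&
      init.headers.Authorization === `Bearer ${validConnections}`;
    return accepted ? { status: 200, body: { code } } : { status: 401, body: {} };
  };
}

// Stand-alone run with constructed values.
const demoRequest = fakeOwnIdRequest("conn-abc", "482913");
console.log(runLoginJourney("alice", "conn-abc", "482913", demoRequest)); // "true"
console.log(runLoginJourney("alice", "conn-abc", "000000", demoRequest)); // "false"
```

The second run shows why the OwnID Receiver node matters: the code written by the HOTP Generator ("000000" here) is no longer accepted once the Receiver has replaced it, so only the code OwnID issued for this user's stored connection data completes the journey. A user with no custom_ownIdConnections value, or a bearer value OwnID rejects, fails at the HTTP Client node before any comparison takes place.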

Register screen

  1. Go to AIC dashboard
  2. Go to Journeys and click to edit your Registration journey
  3. In the Page Node, select the Attribute Collector widget. Under Attributes to Collect, add the value custom_ownIdConnections.

Step 6 - Frontend integration

For the login flow, implement the onLogin callback to expect a payload with the following structure, which you can use to establish a session:
{
    "tokenId": "<Ping AIC issued token id>",
    "successUrl": "<configured success url>",
    "realm": "<configured realm>"
}
For the register flow, if OwnID was used to create a passwordless account, you’d need to fill in the custom_ownIdConnections attribute when making the registration callback. The value for this property can be retrieved at form submission time using the following logic, which returns the connection data as a string, or an empty string when the hidden input is absent (for example, when the user registered with a password):
// The OwnID widget fills a hidden input with the user's connection data.
const hiddenInput = document.querySelector("input#custom_ownIdConnections")
// Fall back to "" when the input is missing or empty.
const custom_ownIdConnections = hiddenInput?.value || ""
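Putting the two front-end pieces together, the following is an added example, not OwnID's or Ping's own code: an onLogin handler that validates the payload described above before a session is established, and a registration helper that reads the hidden custom_ownIdConnections input. The SDK call that wires these handlers to the widget is not shown and is assumed to exist; the same-origin check on successUrl is a defensive step the page does not describe; the fake document and all sample values are constructed so the block runs outside a browser.

```javascript
// Added example, not OwnID's or Ping's own code: front-end handlers for the
// login and registration flows in Step 6.

// onLogin handler: validate the payload { tokenId, successUrl, realm } and
// return the session details to establish. Throws when a field is missing or
// when successUrl would leave the current origin (a defensive check added here;
// the page does not describe it).
function handleOwnIdLogin(payload, currentOrigin) {
  for (const key of ["tokenId", "successUrl", "realm"]) {
    if (typeof payload?.[key] !== "string" || payload[key].length === 0) {
      throw new Error(`onLogin payload is missing ${key}`);
    }
  }
  // Resolve relative and protocol-relative URLs against the current origin so
  // that "//other.example/x" is caught as well as an absolute off-site URL.
  const target = new URL(payload.successUrl, currentOrigin);
  if (target.origin !== currentOrigin) {
    throw new Error(`refusing off-site successUrl ${target.origin}`);
  }
  return { tokenId: payload.tokenId, realm: payload.realm, redirectTo: target.href };
}

// Registration helper: read the OwnID connection data the widget placed in the
// hidden input. Returns "" when the input is absent or empty (password signup).
function getOwnIdConnections(root) {
  const hiddenInput = root.querySelector("input#custom_ownIdConnections");
  return hiddenInput?.value || "";
}

// Build the attribute map sent with the registration callback so that the
// custom_ownIdConnections attribute collected by the Registration journey is
// always present, mirroring the lookup above.
function buildRegistrationAttributes(baseAttributes, root) {
  return { ...baseAttributes, custom_ownIdConnections: getOwnIdConnections(root) };
}

// Constructed stand-in for `document` so the block runs outside a browser.
function fakeDocument(connectionsValue) {
  return {
    querySelector(selector) {
      if (selector === "input#custom_ownIdConnections" && connectionsValue !== undefined) {
        return { value: connectionsValue };
      }
      return null;
    },
  };
}

// Stand-alone run with constructed values.
const session = handleOwnIdLogin(
  { tokenId: "constructed-token-id", successUrl: "/dashboard", realm: "alpha" },
  "https://app.example.com"
);
console.log(session.redirectTo); // "https://app.example.com/dashboard"
console.log(buildRegistrationAttributes({ userName: "alice" }, fakeDocument("constructed-connections")));
console.log(buildRegistrationAttributes({ userName: "alice" }, fakeDocument()));
```

In a real page, pass `window.location.origin` as currentOrigin and `document` as root; the tokenId and realm returned by handleOwnIdLogin are what your session-establishment call consumes, and the redirect only happens after the successUrl has been confirmed to stay on your own origin.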
Congratulations! Enjoy your Ping Advanced Identity Cloud-integrated passwordless authentication!

Next Steps

When you are ready to deploy, continue with the Deployment Checklist.