PingOne User Auth App Configuration

Create a dedicated PingOne OIDC web application for FlightIQ user login. Create it in the PingOne Administrators environment. It authenticates FlightIQ users and redirects them back to FlightIQ after sign-in.

This app is separate from the worker app. The worker app handles backend API access; the user auth app handles interactive browser login.

Before You Start

You need:

  • PingOne administrator access to create applications.
  • The public FlightIQ URL users will open.
  • The FlightIQ callback path: /auth/callback.
  • A decision on which PingOne or DaVinci sign-on policy should protect FlightIQ.

Confirm you are working in the PingOne Administrators environment before creating the app. Do not create the FlightIQ user auth app inside one of the managed source or destination environments unless that environment is also the tenant's administrator environment.

Example callback URLs:

https://flightiq.example.com/auth/callback
http://localhost:5173/auth/callback

Use the production HTTPS URL for deployed environments. Use localhost only for local development.

Create the OIDC Web App

In the PingOne admin console:

  1. Open the PingOne Administrators environment.
  2. Go to Applications > Applications.
  3. Add a new application.
  4. Choose OIDC Web App.
  5. Enter an application name, such as FlightIQ User Login.
  6. Save the application.
  7. Enable the application after configuration is complete.

Use an OIDC web app because FlightIQ has a server-side backend that can keep the client secret confidential on the server.

Configure Redirect URI

Open the app's configuration and add the redirect URI:

https://your-flightiq-host.example.com/auth/callback

The redirect URI must exactly match the value saved in FlightIQ.

Check:

  • Scheme: https vs http.
  • Hostname.
  • Port.
  • Path: /auth/callback.
  • No fragment such as #section.

PingOne supports wildcard redirect URI patterns, but use an exact redirect URI for FlightIQ production deployments so that the authorization code can only be delivered to the intended callback.

Configure Client Authentication

Recommended values:

  • Grant Type: Authorization Code.
  • Token Endpoint Authentication Method: Client Secret Basic or Client Secret Post.
  • Scopes: openid at minimum.
  • Application Status: Enabled.

Add the profile or email scope only if your FlightIQ deployment needs those claims.

Assign Access and Policies

Configure who can sign in to FlightIQ.

In PingOne:

  1. Open the app's Access or policy-related tab.
  2. Assign the groups or users that should be allowed to launch FlightIQ.
  3. Assign the required PingOne or DaVinci authentication policy.
  4. Save the configuration.

If you use DaVinci policies, confirm the policy completes successfully and returns control to PingOne for the OIDC response.

Capture Values for FlightIQ

From the PingOne app, record:

  • Auth Base URL, usually https://auth.pingone.com.
  • Client ID.
  • Client secret.
  • Redirect URI.
  • Scopes, usually openid.

Configure FlightIQ

In FlightIQ:

  1. Open Settings > Access & Authentication.
  2. In User Authentication Settings (Login App), enter:
     • Auth Base URL.
     • Client ID.
     • Redirect URI.
     • Client secret.
     • Scopes.
  3. Click Save.
  4. Click Test Authentication Settings.

A successful test confirms FlightIQ can resolve the PingOne issuer, authorization endpoint, token endpoint, and JWKS URI.

Validation Checklist

  1. OIDC web app is enabled.
  2. Redirect URI exactly matches FlightIQ.
  3. Authorization Code grant is configured.
  4. Client secret is available and saved in FlightIQ.
  5. openid scope is allowed.
  6. User or group access is assigned.
  7. Authentication policy is assigned.
  8. FlightIQ authentication test succeeds.
  9. A test user can sign in and return to FlightIQ.

Troubleshooting

Redirect URI Mismatch

Compare the PingOne redirect URI and FlightIQ redirect URI character by character. The scheme, host, port, and path must match.
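The character-by-character comparison described here, together with the checklist under Configure Redirect URI, as an added example that is not FlightIQ's or PingOne's own code: a small Python helper that reports which redirect URI fields differ between the PingOne registration and the FlightIQ setting, and flags a URI that breaks the rules on this page (http outside local development, a path other than /auth/callback, a fragment). The function names, the LOCAL_HOSTS set and the production flag are assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical helper, not part of FlightIQ: hosts for which plain http is
# tolerated during local development only (the page allows localhost for dev).
LOCAL_HOSTS = {"localhost", "127.0.0.1"}
CALLBACK_PATH = "/auth/callback"


def redirect_uri_mismatches(pingone_uri: str, flightiq_uri: str) -> dict:
    """Compare the redirect URI registered in PingOne with the one saved in FlightIQ.

    Returns {field: (pingone_value, flightiq_value)} for each field that differs;
    an empty dict means the two URIs match exactly.
    """
    a, b = urlsplit(pingone_uri), urlsplit(flightiq_uri)
    fields = {
        "scheme": (a.scheme, b.scheme),
        "hostname": (a.hostname, b.hostname),  # lower-cased: DNS names are case-insensitive
        "port": (a.port, b.port),              # None when absent, so ":443" vs "" is a mismatch
        "path": (a.path, b.path),
        "query": (a.query, b.query),
        "fragment": (a.fragment, b.fragment),
    }
    return {name: pair for name, pair in fields.items() if pair[0] != pair[1]}


def redirect_uri_problems(uri: str, production: bool = True) -> list:
    """Check one FlightIQ redirect URI against the rules on this page."""
    u = urlsplit(uri)
    problems = []
    if u.scheme not in ("http", "https"):
        problems.append(f"unsupported scheme {u.scheme!r}")
    elif u.scheme == "http" and (production or u.hostname not in LOCAL_HOSTS):
        problems.append("http is only acceptable for localhost in local development")
    if u.path != CALLBACK_PATH:
        problems.append(f"path must be {CALLBACK_PATH}, got {u.path!r}")
    if u.fragment:
        problems.append(f"fragment #{u.fragment} is not allowed in a redirect URI")
    return problems


if __name__ == "__main__":
    # The two example callback URLs from this page.
    registered = "https://flightiq.example.com/auth/callback"
    for saved in (registered, "http://localhost:5173/auth/callback"):
        print(saved, redirect_uri_mismatches(registered, saved) or "exact match")
        print("  problems:", redirect_uri_problems(saved) or "none")
```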

Login App Test Fails

Check:

  • Auth Base URL matches your PingOne region.
  • Client ID and secret belong to the OIDC web app.
  • Client secret is current.
  • openid is allowed.
  • The app is enabled.

User Can Sign In But Cannot Use a Domain

User authentication only proves who the user is. Domain access still depends on PingOne roles, FlightIQ security mode, and worker app permissions.

Check:

  • User has access to the selected environment.
  • User has the required identity or DaVinci role.
  • Worker app can access the same domain.

PingOne References

  • PingOne application types: https://docs.pingidentity.com/pingone/applications/p1_application_types.html
  • Editing an OIDC application: https://docs.pingidentity.com/pingone/applications/p1_edit_application_oidc.html
  • Redirect URIs: https://docs.pingidentity.com/pingone/applications/p1_wildcard_redirect_uri.html