PingOne Worker App Configuration

Create a dedicated PingOne worker application for FlightIQ backend API access. This app must be created in the PingOne environment's Administrators environment. It lets the FlightIQ backend mint client-credentials tokens and call PingOne and DaVinci APIs.

This app is not used for interactive user login.

Before You Start

You need PingOne administrator access that can:

  • Create applications.
  • Create or view OIDC client secrets.
  • Assign administrator roles to worker applications.
  • Grant access to the environments FlightIQ will manage.

Confirm you are working in the PingOne environment's Administrators environment before creating the app. Do not create the FlightIQ worker app inside one of the managed source or destination environments unless that environment is also the administrator environment for the tenant.

Create the Worker Application

In the PingOne admin console:

  1. Open the PingOne environment's Administrators environment.
  2. Go to Applications > Applications.
  3. Add a new application.
  4. Choose Worker as the application type.
  5. Enter an application name, such as FlightIQ Backend Worker.
  6. Save the application.
  7. Enable the application.

PingOne worker applications are userless service applications. PingOne configures worker applications with the client credentials grant type by default, but verify the configuration before using it with FlightIQ.

Configure OIDC Settings

Open the worker app and review the configuration.

Recommended values:

  • Grant Type: Client Credentials.
  • Token Endpoint Authentication Method: Client Secret Basic or Client Secret Post.
  • Application Status: Enabled.

If your PingOne tenant or deployment standard requires one token endpoint authentication method, use that standard consistently in PingOne and FlightIQ.

Capture Client Credentials

From the worker app details, record:

  • Client ID.
  • Client secret.
  • PingOne environment ID for the tenant context.

Store the client secret securely. FlightIQ stores it server-side after you save it in Settings > Access & Authentication.

Assign Worker App Roles

Worker applications have no roles by default when created in the PingOne admin console. Add only the roles FlightIQ needs.

In PingOne:

  1. Open Applications > Applications.
  2. Select the FlightIQ worker app.
  3. Open the Roles tab.
  4. Add the required administrator roles.
  5. Save the role assignment.

Role needs depend on what FlightIQ should manage.

Typical access areas:

  • DaVinci read access for viewing flows, variables, connectors, and applications.
  • DaVinci write access for copying, updating, deleting, deploying, or migrating flows.
  • Identity read access for viewing forms, notification templates, attributes, and certificates.
  • Identity write access for copying or editing identity artifacts.

Use the minimum role set that supports your intended FlightIQ workflows.

Configure FlightIQ

In FlightIQ:

  1. Open Settings > Access & Authentication.
  2. In Tenant Configuration, enter:
       • Tenant name.
       • Environment ID.
       • Backend API client ID.
       • Backend API client secret.
  3. Save the tenant configuration.
  4. Click Test Backend API Credentials.

A successful test confirms FlightIQ can mint an API token for the worker app.

Validation Checklist

Before using the worker app for migration or write operations:

  1. The worker app is enabled.
  2. Client Credentials is enabled.
  3. Client ID and secret are copied correctly.
  4. Worker roles are assigned.
  5. FlightIQ credential test succeeds.
  6. A read-only workspace loads data.
  7. Write operations are tested in a non-production environment first.

Troubleshooting

FlightIQ Cannot Mint a Token

Check:

  • Worker app is enabled.
  • Client ID and secret are correct.
  • Token endpoint authentication method is supported.
  • Client Credentials grant is enabled.
  • Environment ID is correct.
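
To check the worker app's credentials outside FlightIQ, this added example (not FlightIQ or PingOne code) builds the client-credentials request for either token endpoint authentication method and maps OAuth error codes to the checks above. The North America host auth.pingone.com, the helper names, and the expectation that errors follow RFC 6749 section 5.2 are assumptions of this example.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

AUTH_HOST = "https://auth.pingone.com"  # assumption: North America region host
# RFC 6749 section 5.2 error codes mapped to this page's troubleshooting checks.
HINTS = {
    "invalid_client": "check client ID, client secret, and token endpoint auth method",
    "unauthorized_client": "check that the Client Credentials grant is enabled",
    "unsupported_grant_type": "check that the Client Credentials grant is enabled",
}

def build_token_request(env_id, client_id, client_secret, method="client_secret_basic"):
    """Return (url, headers, body) for a client-credentials token request."""
    url = f"{AUTH_HOST}/{env_id}/as/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "client_credentials"}
    if method == "client_secret_basic":  # credentials in the Authorization header only
        pair = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(pair).decode()
    elif method == "client_secret_post":  # credentials in the form body only
        form.update(client_id=client_id, client_secret=client_secret)
    else:
        raise ValueError(f"unsupported auth method: {method}")
    return url, headers, urllib.parse.urlencode(form).encode()

def triage(status, body):
    """Summarize a token response without echoing the access token."""
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return f"HTTP {status}: unexpected response, check environment ID and host"
    if status == 200 and "access_token" in doc:
        return "ok"
    code = doc.get("error", "unknown")
    return f"{code}: {HINTS.get(code, 'see the checks listed above')}"

def mint_token(env_id, client_id, client_secret, method="client_secret_basic"):
    """Send the request (network call) and return the triage summary."""
    url, headers, data = build_token_request(env_id, client_id, client_secret, method)
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return triage(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return triage(err.code, err.read().decode())
```

Call mint_token with the method that matches the worker app's Token Endpoint Authentication Method, and supply the secret from a secret store or environment variable rather than the command line.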

Token Works But Data Does Not Load

Check:

  • Worker app roles include the selected environment.
  • Worker app roles include the selected domain.
  • The selected Org Root in FlightIQ matches the credentials you configured.

Write Operations Fail

Check:

  • Worker app has write-level roles for the domain.
  • Destination environment is correct.
  • PingOne policy or dependency constraints are not blocking the operation.

PingOne References

  • PingOne application types: https://docs.pingidentity.com/pingone/applications/p1_application_types.html
  • Configuring roles for a worker application: https://docs.pingidentity.com/pingone/applications/p1_configurerolesforworkerapplication.html
  • Getting an access token: https://docs.pingidentity.com/pingone/applications/p1_getaccesstoken.html