Getting Started - PingOne DaVinci ¶
Requirements ¶
- Terraform CLI 1.1+
- A licensed or trial PingOne cloud subscription - Try Ping here
- Administrator access to the PingOne Administration Console
- The PingOne DaVinci service enabled in the subscription. Check PingOne DaVinci is enabled.
The PingOne DaVinci Service License ¶
The PingOne DaVinci service is not enabled by default in the PingOne Cloud Platform trial, or with licenses that do not explicitly include the DaVinci service. When configuring environments using the PingOne provider, the DaVinci service will not be available unless the service has been enabled.
Enable the DaVinci service
- If you have an existing Ping Identity license and would like to try PingOne DaVinci, please contact your Ping Identity account manager.
- If you have registered for a trial account and would like to try PingOne DaVinci, or have questions about Ping Identity solutions, please contact sales.
More information about PingOne solutions can be found here.
You can check whether DaVinci is enabled through the PingOne Administration Console:
- First, log in to the PingOne Administration Console using your unique admin sign-on link.
- Once signed in, click Add Environment.
- Click Build your own solution.
- Check that PingOne DaVinci is in the list of available services.
Configure PingOne for Terraform access ¶
The following steps describe how to connect Terraform to your PingOne instance:
- Log in to your PingOne Administration Console. On registration for a trial, a link will be sent to your provided email address.
- Create a new environment for DaVinci administration users by clicking the Add Environment button.
- Ensure Build your own solution is selected, and then select PingOne SSO and PingOne DaVinci services and click Next.
- Proceed through to the new environment form. Enter a name, an optional description, an environment type, region and license as shown.
- Open the newly created environment and follow the Manage Environment button link.
- Navigate to the Users link in the left menu, by expanding the Directory section.
- Add a new User with the + icon.
- Set a name, a username, email, population and a temporary password. The mailbox for the provided email address must be accessible, because the address will be verified with a one-time code. The screenshot shows an optional "+terraform" tag in the email address, as supported by some email vendors; this is not required for Terraform use.
- Enable the user with the toggle switch.
- Navigate to the Groups link in the left menu, by expanding the Directory section.
- Add a new Group with the + icon.
- Create a group that will define role permissions for DaVinci Terraform administration. Set a name, an optional description and an optional population assignment.
- After the group has been created, select the Roles tab to manage the associated administrator roles.
- Click the Grant Roles button link, and proceed to assign the DaVinci Admin role to the group. For most customer tenants, it is best practice to scope the admin role to individual environments. In this case, select the current environment that the group is being created in (in the screenshot example, this is the DaVinci Administrators environment). For organization tenants that do not carry production data (such as demo/trial environments), the DaVinci role may be scoped to the organization for simplicity. See the Role Permissions for New Environments section for more details.
- Save the role assignment.
- The user created in step 8 must be added to the group, to inherit the admin role permissions. On the Users tab, open the user list by clicking the Add Individually button.
- Select the admin user created in step 8 and save. The admin user that Terraform will use to manage configuration in PingOne DaVinci is now assigned to the group and has the appropriate permissions.
- Navigate to the Authentication Policies page.
- Ensure that the Single_Factor policy is set as the environment default. This policy should have Login as the only policy action.
- Navigate to the Environment Properties page.
- Save the Environment ID value. The environment ID will be used to authenticate the DaVinci Terraform provider.
- Open the Self-Service URL link in a private browser window.
- Enter the username and temporary password for the newly created user from step 8 and proceed to sign on.
- When prompted, proceed to change the password to a strong password of choice. This new password will be used to authenticate the DaVinci Terraform provider.
- After successfully authenticating, retrieve the verification code sent to the created user's email inbox, and enter the verification code in the prompt.
- On successful email verification, the account will be ready to use. Close the Self-Service private browser window.
- Steps to configure the DaVinci Terraform provider using the created user's username and password values, along with the environment ID from step 14, can be found on the Terraform Registry provider documentation.
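The following provider configuration is an added example and is not part of this page or the provider's own documentation. It wires the three values produced by the steps above (the admin user's username and password, and the environment ID) into the DaVinci provider, keeping the credentials out of the configuration file by declaring them as sensitive input variables. The provider source and the attribute names `username`, `password`, `environment_id` and `region` match the Terraform Registry documentation as understood at the time of writing; the version constraint and the `NorthAmerica` region default are assumptions to adjust for your tenant.

```hcl
terraform {
  required_version = ">= 1.1"

  required_providers {
    davinci = {
      source = "pingidentity/davinci"
      # Assumed constraint: pin to the release you have actually tested.
      version = "~> 0.3"
    }
  }
}

# Environment ID of the DaVinci administration environment created above.
# Not a secret, but kept as a variable so the same configuration can be
# reused across tenants.
variable "pingone_environment_id" {
  description = "Environment ID of the environment holding the DaVinci admin user"
  type        = string
}

# Credentials of the dedicated DaVinci admin user. `sensitive = true`
# prevents Terraform from printing the values in plan/apply output.
variable "davinci_admin_username" {
  description = "Username of the PingOne user assigned the DaVinci Admin role"
  type        = string
  sensitive   = true
}

variable "davinci_admin_password" {
  description = "Password set for the DaVinci admin user during self-service sign-on"
  type        = string
  sensitive   = true
}

variable "pingone_region" {
  description = "PingOne region of the tenant (assumed default: NorthAmerica)"
  type        = string
  default     = "NorthAmerica"
}

provider "davinci" {
  username       = var.davinci_admin_username
  password       = var.davinci_admin_password
  environment_id = var.pingone_environment_id
  region         = var.pingone_region
}
```

Supply the sensitive variables from the environment rather than a `.tfvars` file committed to source control, for example `export TF_VAR_davinci_admin_password='...'` in the shell running `terraform plan`. Because the provider authenticates with a username and password against the environment's default sign-on policy, the Single_Factor policy requirement from the steps above applies to this user only; keep it dedicated to Terraform and do not reuse it as an interactive administrator account.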
Role Permissions for New Environments ¶
When creating new environments, either through the PingOne Administration Console or through the PingOne Terraform provider, role permissions must be set on the DaVinci administrator group created above.
The DaVinci administration user must have the following role:
- DaVinci Admin, scoped to the organization (to cover all newly created environments), or scoped to each new environment that the DaVinci Terraform provider should manage.
Role Combination Change
As of 15th August 2023, the existing role combination of Environment Admin and Identity Data Admin to manage DaVinci configuration was replaced with the DaVinci Admin role. See Frequently Asked Questions - DaVinci for more information.
See PingOne Role Permission Assignment for an example of assigning roles using the PingOne Terraform provider.
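The following is an added example, not the page's own or the provider's own code, showing the environment-scoped grant described in this section expressed with the PingOne Terraform provider: the DaVinci Admin role is assigned to the administrator group and scoped to one managed environment, so that adding a further environment means adding a further assignment rather than widening the scope to the organization. The data source `pingone_role` and the resource `pingone_group_role_assignment` with its `scope_environment_id` and `scope_organization_id` arguments are taken from the PingOne provider documentation as understood at the time of writing; confirm the resource names against the registry for the provider version you use. All IDs are placeholders passed in as variables.

```hcl
# Environment that holds the DaVinci administrator group created in the
# console steps above (placeholder value supplied at plan time).
variable "admin_environment_id" {
  description = "Environment ID of the DaVinci administration environment"
  type        = string
}

# Group created in the console steps above to carry the DaVinci Admin role.
variable "davinci_admin_group_id" {
  description = "ID of the DaVinci Terraform administrators group"
  type        = string
}

# A newly created environment that the DaVinci provider should manage.
variable "managed_environment_id" {
  description = "Environment ID of the environment DaVinci Terraform will manage"
  type        = string
}

# Resolve the built-in role by name instead of hard-coding its ID, which
# differs between tenants.
data "pingone_role" "davinci_admin" {
  name = "DaVinci Admin"
}

# Environment-scoped grant: the group only gains DaVinci Admin rights in
# the one environment named here, matching the best practice for tenants
# that carry production data.
resource "pingone_group_role_assignment" "davinci_admin_managed_env" {
  environment_id = var.admin_environment_id
  group_id       = var.davinci_admin_group_id
  role_id        = data.pingone_role.davinci_admin.id

  scope_environment_id = var.managed_environment_id
}
```

For a demo or trial tenant without production data, the organization-wide alternative described above replaces `scope_environment_id` with `scope_organization_id = <organization ID>`; that single assignment then covers every environment created afterwards, which is exactly why it is the wider grant. Adding a new environment under the per-environment model is one more `pingone_group_role_assignment` block (or a `for_each` over a map of managed environment IDs), so the set of environments the Terraform user can administer stays explicit in code and reviewable in the plan.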