Overview
PingOne is a cloud-based Identity-as-a-Service (IDaaS) platform that provides secure single sign-on (SSO) and multi-factor authentication (MFA) for cloud applications. Torii syncs users and licenses from PingOne to help you manage identity access and compliance.
Requirements
Required
- PingOne account with administrator access
Required values
- Environment ID — Your PingOne environment identifier
- Client ID — OAuth2 application client ID
- Client Secret — OAuth2 application client secret
Optional values
- Token URL — Custom OAuth2 token endpoint. Only needed if your credentials are issued by a different (admin) PingOne environment than the one you're syncing. Leave blank to use the default https://auth.pingone.com/<Environment ID>/as/token.
How to Generate the Required Values
Step 1: Create a Worker Application
- In the PingOne admin console, navigate to Applications > Applications
- Click the + button to add a new application
- Enter an application name (e.g., "Torii Integration")
- Under Choose Application Type, select Worker
- Click Save
- Enable the application by toggling the switch in the top-right corner to On
Step 2: Assign Required Roles
- Select the new app, and go to the Roles tab
- Click Grant Roles
- Assign the following roles:
  - Identity Data Read Only – required to read basic user information from PingOne, including user identities and status.
  - Application Owner – required to read application data and understand which applications exist in the environment and which users are assigned to or using them.
- Ensure access is granted to all populations
- Click Save
Step 3: Retrieve Application Credentials
- In the application's Overview tab, note:
  - Environment ID
  - Client ID — Unique identifier for your application
  - Client Secret — Secret key for authentication (copy immediately, it may not be shown again)
- Store these credentials securely — you'll need them to connect PingOne to Torii
Note: The Worker application must be enabled and have the Identity Data Read Only role assigned to read user data from your PingOne environment.
Multi-environment setups (optional): If the Worker application above was created in a separate admin PingOne environment that issues credentials used to sync data from other environments (e.g. an ADM environment issuing credentials used against Prod or QA), also note the admin Environment ID and build the Token URL as https://auth.pingone.com/<admin-environment-id>/as/token. You'll paste this into the optional Token URL field when connecting in Torii. If your credentials were issued in the same environment whose data you want to sync, skip this and leave the Token URL blank.
How to Connect the Integration
- In Torii, navigate to Integrations
- Search for "PingOne" and click Connect
- In the connection form, enter:
  - Environment ID: Your PingOne Environment ID
  - Client ID: The Client ID from your Worker application
  - Client Secret: The Client Secret from your Worker application
  - Token URL (optional): Leave blank for standard setups. Fill in only if your credentials were issued by a different (admin) PingOne environment — see the multi-environment note above.
- Click Connect
- Torii will test the connection and begin syncing users
Q&A
Q: Are deleted users synced from PingOne?
A: No. Deleted users are not returned by the PingOne API, so they will not appear in Torii after deletion.
Q: I'm getting an "unknown client id" or "invalid_client" error on connect. What should I do?
A: This usually means the credentials were issued by a different PingOne environment than the one Torii is trying to authenticate against. Set the optional Token URL field on the connect form to the token endpoint of the environment that issued the credentials, in the form https://auth.pingone.com/<admin-environment-id>/as/token.
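A preflight check for the Token URL rules in the multi-environment note and the answer above, as an added example that is not Torii's or Ping Identity's code. It assumes environment IDs are UUIDs, that the Worker application authenticates to the token endpoint with HTTP Basic (client ID and secret), and it accepts only the auth.pingone.com host that this page documents; all function names are hypothetical.

```python
import base64
import json
import re
import urllib.error
import urllib.parse
import urllib.request

DEFAULT_HOST = "auth.pingone.com"  # the only token host this page documents (assumption: no other hosts)
_PATH = re.compile(r"^/([0-9a-fA-F-]{36})/as/token$")  # assumption: environment IDs are UUIDs

def resolve_token_url(environment_id, token_url=""):
    """Return the custom Token URL if one is set and valid, else the default endpoint."""
    if not token_url.strip():
        return f"https://{DEFAULT_HOST}/{environment_id}/as/token"
    parts = urllib.parse.urlsplit(token_url.strip())
    if parts.scheme != "https":
        raise ValueError("Token URL must be https: the client secret is sent to it")
    if parts.hostname != DEFAULT_HOST or not _PATH.match(parts.path):
        raise ValueError("expected https://auth.pingone.com/<env-id>/as/token")
    # Rebuild the URL so userinfo, port, query and fragment are dropped.
    return urllib.parse.urlunsplit(("https", DEFAULT_HOST, parts.path, "", ""))

def build_token_request(token_url, client_id, client_secret):
    """Build (without sending) an OAuth2 client-credentials token request."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(token_url, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded"})

def explain_error(status, body):
    """Map a token-endpoint error response to the fix described in the Q&A."""
    try:
        code = json.loads(body).get("error", "")
    except (ValueError, AttributeError):
        code = ""
    if code == "invalid_client" or "unknown client id" in body.lower():
        return ("Credentials were likely issued by another environment: set "
                "Token URL to the issuing (admin) environment's token endpoint.")
    return f"Token request failed (HTTP {status}, error={code or 'unknown'})"

def preflight(environment_id, client_id, client_secret, token_url=""):
    """Request a token; return 'ok' or a diagnostic string. Needs network access."""
    url = resolve_token_url(environment_id, token_url)
    req = build_token_request(url, client_id, client_secret)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return "ok" if "access_token" in json.load(resp) else "no access_token"
    except urllib.error.HTTPError as err:
        return explain_error(err.code, err.read().decode(errors="replace"))
```

Only `preflight` touches the network; run it with the Worker application's credentials before entering them in the Torii connection form.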
For more information about Torii's integration capabilities, see our Integration Capabilities page.
For any further questions, please contact Torii Support.