Connect PingOne to Atomicwork to automate user provisioning, streamline account recovery, and manage group memberships as part of your IT workflows.
Usecases
By connecting PingOne, your teams can:
Automate user lifecycle management: Create, update, activate, and deactivate user accounts as part of onboarding and offboarding workflows.
Self-service account recovery: Unlock locked accounts and send password recovery codes to employees without waiting for an admin.
Manage group memberships: Add or remove users from PingOne groups to control application access and permissions.
Sync population data: Read population information to segment users and apply policies based on organizational structure.
Permissions
To connect PingOne to Atomicwork, you need:
Org admin access in Atomicwork
Admin access to your PingOne environment with permission to create and configure OAuth 2.0 applications
The integration requires an OAuth 2.0 application in your PingOne Admin Console with Authorization Code and Refresh Token grant types enabled, and the following permissions:
Permission | Purpose |
Users: Read/Write | Required for all user operations — creating, retrieving, listing, and updating users, as well as activating, deactivating, and unlocking user accounts. |
Populations: Read | Read population data to list available populations during user creation and assignment. |
Groups: Read/Write | List available groups and manage group membership — adding and removing users from groups. |
Environments: Read | List accessible environments. Required for the integration to operate within your PingOne tenant. |
Password Management | Send password recovery codes to users for self-service account recovery. |
Setup
Before connecting, gather the following from your PingOne Admin Console:
OAuth 2.0 Client ID — from your PingOne application settings
OAuth 2.0 Client Secret — from your PingOne application settings
Auth URL — matches your PingOne region (for example,
https://auth.pingone.comfor North America orhttps://auth.pingone.eufor Europe)Environment ID — from your PingOne environment settings
To connect:
Navigate to Settings > App Store > PingOne in Atomicwork.
Enter your Client ID, Client Secret, Auth URL, and Environment ID.
Click Connect to authorize the integration.
Supported workflow actions
Once connected, you can automate the following PingOne actions within your Atomicwork workflows:
Action | Description |
Create user | Create a new user in PingOne with email, username, population, name, phone, title, and other attributes. |
Get user | Retrieve detailed user information including account status, MFA enrollment, lifecycle state, and last sign-on. |
Update user | Update user attributes such as email, username, name, title, phone, and language. |
List users | List users in your PingOne environment with optional filtering and pagination. |
Deactivate user | Disable a user account to revoke access while preserving the profile. |
Activate user | Re-enable a previously deactivated user account to restore access. |
Unlock user | Unlock a user account that has been locked due to failed login attempts. |
Generate password recovery code | Send a password recovery code to the user's email for self-service password reset. |
Add user to group | Add a user to a PingOne group to grant associated permissions and access. |
Remove user from group | Remove a user from a PingOne group to revoke associated permissions. |
Call API | Make a generic API call to any PingOne endpoint for custom operations. |
Troubleshoot common issues
Error | Cause | Resolution |
Connection failure | Auth URL doesn't match your PingOne region. The API URL is derived from the auth URL (for example, | Verify your Auth URL matches your PingOne region and re-enter the correct URL. |
Authentication error | Client credentials are incorrect or the authorization code has expired. | Verify your Client ID and Client Secret, then re-authenticate the integration from Settings > App Store > PingOne. |
Token refresh failure | The refresh token has expired or been revoked. | Re-authenticate the integration to generate new tokens. |
Invalid API URL | The auth URL or environment ID is malformed, causing the API URL construction to fail. | Verify that both the auth URL and environment ID are correctly entered in the integration settings. |
Action failure — permissions | The PingOne OAuth application is missing required permissions for the action being performed. | Check that all required permissions (Users, Groups, Populations, Environments, Password Management) are assigned to the application in the PingOne Admin Console. |
Action failure — target not found | The target user or group doesn't exist, or a duplicate username/email was provided. | Verify the user or group exists and is active in your PingOne environment. For creation errors, check for duplicate usernames or emails. |
Unlock user failure | The unlock operation uses a specific content type ( | Confirm your PingOne environment and plan support user unlock operations. |