How to perform common administrative tasks using the PingID API with Windows PowerShell

Published: 06/28/2016

Many of the user management features of PingID are made available through the PingID API. While you may not need to use the API to build a custom application, there are some cases where it is useful to call the API from Windows PowerShell. Tasks 1 and 2 are preparatory steps; complete them in advance so your system is ready when you need it.


Task 1 - Obtain Settings

  1. Log in to https://admin.pingone.com
  2. Navigate to Setup and click the PingID Configuration tab.
  3. Click Client Integration.
  4. Ensure Third-Party Clients is enabled, and click Download to download the Settings File. You will need this file to configure the PowerShell script.

Task 2 - Download and configure the PowerShell scripts

  1. Go to https://github.com/pingidentity/pingid-powershell-scripts and download the .zip file of the PowerShell scripts to a server that has PowerShell installed on it. In these examples, the scripts were extracted to C:\Scripts\pingid-powershell-scripts-master\scripts
  2. Modify the pingid-api-helper.ps1 file with your PingID service configuration. You'll need to populate the values for $org_alias, $use_base64_key, and $token, which can all be found in the pingid.properties file you downloaded from PingOne.

Task 3 - Run PowerShell scripts

There are a number of scripts included in the zip file that you can run to perform various tasks. The syntax is documented in each script, but I'll highlight a few commands here that can be useful for a Ping Administrator in the event that normal administration methods are not possible.

Note: Depending on your system configuration, you may need to adjust your execution policy. For more information about the PowerShell ExecutionPolicy, refer to this article: https://technet.microsoft.com/en-us/library/bb648601(v=vs.85).aspx

To Obtain user details:

PS C:\Scripts\pingid-powershell-scripts-master\scripts>./Get-User-Details -UserName Randy

To put a user in temporary bypass mode: 

These commands will put a user in bypass mode for the duration specified. This means they will be able to perform SSO without PingID. This is useful if a user forgot their mobile device. If it's a lost, stolen, or broken mobile device, you would want to remove the user from PingID so they could pair with their new device.

This will put the user in bypass mode for 8 hours:
PS C:\Scripts\pingid-powershell-scripts-master\scripts>./Toggle-User-Bypass -UserName Randy -Hours 8

This will put the user in bypass mode for 3 days:
PS C:\Scripts\pingid-powershell-scripts-master\scripts>./Toggle-User-Bypass -UserName Randy -Days 3

This will put the user in bypass mode for 30 minutes:
PS C:\Scripts\pingid-powershell-scripts-master\scripts>./Toggle-User-Bypass -UserName Randy -Minutes 30

To take the user out of temporary bypass mode:

PS C:\Scripts\pingid-powershell-scripts-master\scripts>./Toggle-User-Bypass -UserName Randy
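
A time-capped, audited wrapper around the bypass command above, as an added example that is not part of the original article or of the pingid-powershell-scripts project. The function name, the 8-hour cap, the -Reason parameter, the audit log path and the .ps1 file extension are assumptions; only -UserName and -Minutes come from the commands shown above.

```powershell
# Added example: audited, time-capped wrapper around Toggle-User-Bypass.
# Assumptions (not from the original scripts): function name, 8-hour cap,
# -Reason parameter, audit log path, and the .ps1 extension of the script.
function Grant-PingIdBypass {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserName,

        # Cap the window at 8 hours (480 minutes); longer requests are rejected.
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 480)]
        [int]$Minutes,

        # Justification for the bypass, e.g. a help-desk ticket reference.
        [Parameter(Mandatory = $true)]
        [string]$Reason,

        [string]$ScriptDir = 'C:\Scripts\pingid-powershell-scripts-master\scripts',
        [string]$AuditLog  = 'C:\Scripts\pingid-bypass-audit.csv'
    )

    $now = Get-Date
    $record = [pscustomobject]@{
        TimestampUtc = $now.ToUniversalTime().ToString('o')
        Operator     = "$env:USERDOMAIN\$env:USERNAME"
        UserName     = $UserName
        Minutes      = $Minutes
        ExpiresUtc   = $now.AddMinutes($Minutes).ToUniversalTime().ToString('o')
        Reason       = $Reason
    }

    if ($PSCmdlet.ShouldProcess($UserName, "PingID bypass for $Minutes minutes")) {
        $script = Join-Path $ScriptDir 'Toggle-User-Bypass.ps1'
        if (-not (Test-Path -LiteralPath $script -PathType Leaf)) {
            throw "Toggle-User-Bypass.ps1 not found in $ScriptDir"
        }
        # Write the audit record first so a bypass is never granted unlogged.
        $record | Export-Csv -LiteralPath $AuditLog -Append -NoTypeInformation
        & $script -UserName $UserName -Minutes $Minutes | Out-Host
    }
    return $record
}

# Constructed example call; -WhatIf previews the action without calling the API.
Grant-PingIdBypass -UserName Randy -Minutes 30 -Reason 'Forgot phone (constructed)' -WhatIf
```

The returned record shows the operator, the target user and the expected expiry time, so the audit file can be reviewed later against the bypass windows that were actually granted.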

To Remove a user from PingID:

This will remove the user from PingID. On the next SSO Attempt, they will be prompted to register for PingID so they can enroll a different device.

PS C:\Scripts\pingid-powershell-scripts-master\scripts>./Delete-User -UserName Randy

 
