About PingID
PingID (PingOne) is Ping Identity’s cloud identity platform. The Serval PingID integration connects to your PingOne environment using a worker application with OAuth 2.0 client credentials. Workflows can list and reset MFA devices, add SMS authenticators, and call PingOne Management and MFA APIs with typed request schemas. The integration is marked Beta in Serval’s connect UI. Authentication: OAuth 2.0 client credentials against your PingOne environment. Serval exchanges the Client ID and Client Secret for short-lived bearer tokens athttps://auth.{region}/{environmentId}/as/token and attaches them to API requests at https://api.{region}.
Data sync: On demand only. There is no background user or group sync.
What the PingID integration enables
| Capability | Description |
|---|---|
| MFA Management bundle | Prebuilt workflows: list a user’s MFA devices, add an SMS device, activate a pending device with an OTP, unpair one device, and reset all MFA devices for a user. |
| PingID API request | Typed MFA operations from the hand-authored PingOne MFA spec. |
| PingOne API discovery | Full PingOne Management and MFA endpoint catalogs are indexed for workflow authoring, even when request bodies are untyped in the broader specs. |
Get your credentials
You need your PingOne Environment ID, a worker application Client ID and Client Secret, and the region that hosts your environment.Copy the Environment ID
Go to Settings → Environment Properties and copy the Environment ID (a UUID).
Create or select a worker application
Under Connections → Applications, create a Worker application (or reuse an existing one). Assign roles that include Identity Data Admin and the MFA permissions your workflows need.
Copy the Client ID and Client Secret
From the worker application’s Overview tab, copy the Client ID and Client Secret.
Connect in Serval
When editing an existing connection, blank or obfuscated fields keep their stored values. Paste a new Client Secret to rotate credentials without re-entering the Environment ID.
Verifying the connection
Three health checks run after you connect:- Test PingID Connection — reads the environment record. Success:
Successfully authenticated with PingOne. Failure includes region- or credential-specific guidance from the integration. - List PingOne Users — fetches one user from
/environments/{environmentID}/users. Confirms Identity Data read access. - List PingOne Populations — reads populations in the environment. Confirms directory read access beyond authentication alone.
Gotchas and troubleshooting
Use a Worker application, not a native OIDC app
Use a Worker application, not a native OIDC app
Serval uses the client-credentials grant. Browser-based or authorization-code applications will not exchange tokens the way this integration expects.
Region and Environment ID must match
Region and Environment ID must match
A North America Client ID against an EU environment (or mismatched Environment ID) fails token exchange before any MFA workflow runs.
MFA reset workflows are destructive
MFA reset workflows are destructive
Reset All PingID MFA Devices removes every enrolled factor for the target user. They must re-enroll on next sign-in. Keep installer approval enabled unless your team explicitly wants open access.
User targeting is by email
User targeting is by email
MFA workflows resolve PingOne users by email. Verify the target user’s primary email in PingOne matches the address passed from Serval tickets or workflows.
Need help? Contact support@serval.com for assistance with your PingID integration.

