PingOne DaVinci
BeyondTrust has partnered with Ping Identity to deliver a Password Safe (PS) connector leveraging the PingOne DaVinci no-code orchestration service. An orchestration platform integrates multiple applications and services to automate a process or provide real-time data synchronization and flow.
PingOne DaVinci is a cloud orchestration service for creating user journeys across various applications via a drag-and-drop interface. DaVinci is an open interface with integrations and connections across multiple applications and identity ecosystems.
Start by building and designing your own workflows or refine one of the workflow templates to customize your user journeys. Optimize your flows easily with A/B testing and deploy changes in quick succession.
Possible Use Cases
The Password Safe PingOne DaVinci connector gives an organization the ability to terminate and lock all PS sessions on a host (by hostname) and/or terminate and lock all PS sessions that a particular identity (by username) may have across the environment.
Additionally, an active request can be terminated and/or denied as part of this connector configuration.
The connector can be used for the following use cases:
- A security incident has occurred on one or more hosts that requires any open PS sessions, from any user, on those hosts to be terminated or locked for further investigation. The security incident may be discovered by any XDR or SOAR system that also has a DaVinci connector capable of supplying the PS connector with the hostname of the affected system.
- Regular IT tasks such as user moves, changes, and deletes may require any open PS sessions in use by an identity across the infrastructure to be terminated. Any IdP's DaVinci connector that can supply the PS connector with an identity (username) can be used as part of the workflow to terminate any open PS sessions, as well as deny or terminate any active requests.
The hostname and/or identity can also be provided to the connector through a static HTML form.
Additionally, the PS connector provides a result (error or success) which can be potentially sent to a ticketing system, as part of the DaVinci workflow, using any available 3rd party ITSM connector.
Requirements
The following are required to make use of the BeyondTrust Password Safe DaVinci connector:
- PingOne SaaS Instance
- PingOne DaVinci added as a service to the PingOne SaaS instance
- Password Safe 22.x.x or later release
Set up the PingOne DaVinci service
Set up the PingOne DaVinci service in Ping Identity as follows:
- Sign in to your PingOne SaaS instance.
- From the Overview page, click Services.
- Select PingOne DaVinci from the list.
- After some time, the DaVinci instance is available and a link to it displays in your list of active services.
- Under Services, click PingOne DaVinci to go to the DaVinci environment.
Configure API registration in Password Safe
To use the PingOne DaVinci Password Safe connector you must configure an API Registration for the connector in BeyondInsight.
Create a new API registration
- From the left sidebar in BeyondInsight, click Configuration.
- Under General, click API Registrations.
- Click + Create API Registration.
- Select + API Key Policy.
- Enter a Name for the registration.
- Select the Authentication Rule Options you wish to enable.
- Click Add Authentication Rule +.
The Create New Authentication Rule panel displays.
- In the Create New Authentication Rule panel:
- Enter the IP address of your PingOne DaVinci instance in the IP Address field.
- Click Create Rule. The Create New Authentication Rule panel closes.
- Click Create Registration to save your new API registration.
Note
Make note of the API key, as it's needed for the integration configuration in the Password Safe PingOne DaVinci connector.
Note
For more detailed information on API registrations, see Configure API Registration.
Assign API registration to group
The API registration you created above must be assigned to a group that contains a Password Safe user that is used for the API requests. Creating a new API group is optional; if one already exists it can be used.
Create a new group
- From the left sidebar in BeyondInsight, click Configuration.
- Under Role Based Access, click User Management.
- On the Groups tab, click + Create New Group.
- Select Create a New Group. The Create New Group panel displays.
- Enter a name and description for the group, and then click Create Group.
The new group is created and its details page displays.
Assign permissions to the group
The below permissions must be assigned to the group from the group's Group Details panel.
Features permissions
- Click Features.
- From the Show dropdown above the Features grid, select All Features.
- In the list of features, scroll to Password Safe API Global Quarantine and click the vertical ellipsis at the end of the row.
- Select + Assign Permissions Full Control.
Smart Groups permissions
- Click Smart Groups.
- From the Show dropdown above the Smart Groups Permissions grid, select All Smart Groups.
- In the list of Smart Groups, scroll to All Managed Accounts and click the vertical ellipsis at the end of the row.
- Select + Assign Permissions Read Only.
- Click the vertical ellipsis again for the All Managed Accounts Smart Group.
- Select Edit Password Safe Roles.
The Password Safe Roles panel displays.
- Check Approver.
- Click Save Roles.
The Password Safe Roles panel closes. The Smart Group is enabled with the Approver role for the group.
- In the list of Smart Groups, scroll to All Assets in Password Safe and click the vertical ellipsis at the end of the row.
- Select + Assign Permissions Full Control.
- Click the vertical ellipsis again for the All Assets in Password Safe Smart Group.
- Select Edit Password Safe Roles.
The Password Safe Roles panel displays.
- Check Auditor.
- Click Save Roles. The Password Safe Roles panel closes. The Smart Group is enabled with the Auditor role for the group.
Enable the API registration for the group
- From the Group Details panel, click API Registrations.
- Check the box for the API Registration you created for the PingOne DaVinci connector.
Assign an API user to the group
If the API user already exists, follow these steps:
- From the Group Details panel, click Users.
- From the Show dropdown above the Users grid, select User not assigned.
- Select the user and click + Assign User above the grid.
If the API user does not exist, follow the steps in the next section to create a new user and assign the group to it.
Create a new user
- From the left sidebar in BeyondInsight, click Configuration.
- Under Role Based Access, click User Management.
- On the Groups tab, click + Create New User.
- Select Create a New User. The Create New User panel displays.
- Enter the details for the user, and then click Create User.
The new user is created and its details page displays with the Groups grid selected.
- From the Show dropdown above the Groups grid, select All Groups.
- In the list of groups, select the group that has the API Registration you created for the DaVinci connector assigned to it.
- Click + Assign Group.
Configure the Password Safe connector
- From the left sidebar in the PingOne DaVinci site, click Connectors.
- In the Connectors window, click + Add Connector.
- Type BeyondTrust in the search bar.
- Click + next to the BeyondTrust Password Safe Connector to add it.
- Provide a title for the connector, and then click Create.
- Locate the connector in the Connectors list.
- Click the ellipsis under Actions for the connector and select Edit.
- In the details screen for the connector:
- Enter the URL for your Password Safe instance, including the https:// prefix. For example: https://customername.beyondtrustcloud.com
- Enter the API Key and API User that you recorded when creating those in Password Safe.
- Click Apply and then click Close.
Note
Before adding the Password Safe connector to a production Ping DaVinci workflow, we recommend that you test the connector.
Test the Password Safe connector
Before adding the Password Safe connector to a production Ping DaVinci workflow, we recommend that you test the connector using a Termination by Hostname workflow test.
Add a workflow
- In the PingOne DaVinci site, from the left sidebar, click Flows.
- In the Flows window, click + Add Flow.
- Select Blank Flow.
- Provide a name and description, and then click Create.
Add the BeyondTrust Password Safe connector to the flow
- In the blank Flows window, click the +.
- In the Add Connector box, on the Existing tab, type BeyondTrust in the search box.
- Select BeyondTrust Password Safe.
The BeyondTrust Password Safe connector is placed in the Flows window.
Add a form to the flow to manually enter a hostname
- From the left sidebar, click the small square icon next to Forms.
- In the DaVinci Forms window, click + next to DaVinci Forms to add a form.
- In the Add Form box, enter a name and description for the form, and then click Add Form.
- Select Blank Form from the choices that display.
- In the Edit Form window, click Fields at the top of the left sidebar.
- Under Custom Fields, select Text Input, and then drag and drop it to the right panel to start building your form.
- On the next page, provide a hostname for the Key and Label fields.
- Click Save at the top right of the page.
- Click Save in the pop-up message.
- Click Close at the top right of the page.
- In the Flows window for the connector, click +.
- In the Add Connector box, select the New tab.
- Type PingOne Forms and select it from the list.
- Enter a meaningful name, such as BeyondTrust Hostname Form and click Create.
The hostname form connector displays in the Flows window.
- Click the small connection point on the right of the form connector while keeping your mouse button pressed, and then drag the connection line from the hostname form connector to the BeyondTrust Password Safe connector.
- The connection line between the hostname form connector and the PS connector displays True to indicate they are connected.
Add Terminate Session by Hostname capability to the flow
- In the Flows window double-click the hostname form connector you created.
- In the dialog that displays, select Show Form from the list of capabilities.
- Under Show Form > General > Form, click Select.
- Select the hostname form you created from the list.
- Click Apply and then click Close.
- Double-click the BeyondTrust Password Safe connector in the Flows window.
- In the dialog that displays for the PS connector, select Terminate Session by Hostname from the list of capabilities.
- Under Terminate Session by Hostname > General, click the {} in the Hostname field and select the hostname form you created.
- From the list that displays, select the output value you created for the hostname.
- Click Apply and then click Close.
Add an HTTP form to the flow to show the output of a terminated session
- In the Flows window, click +.
- In the Add Connector box, select the New tab.
- In the search box type HTTP.
- Select HTTP from the list.
- Enter a meaningful connector name, such as Termination Output and click Create.
- The HTTP form connector displays in the Flows window.
- Click the small connection point on the right of the BeyondTrust Password Safe connector while keeping your mouse button pressed, and then drag the connection line from the PS connector to the Termination Output HTTP form connector you created.
- The connection line between the PS connector and the Termination Output HTTP form displays True to indicate they are connected.
Add Custom HTML Message capability to the flow
- In the Flows window double-click the HTTP form connector you created.
- In the dialog that displays, select Custom HTML Message from the list of capabilities.
- In the Message field, click the {} and select the BeyondTrust Password Safe connector.
- From the menu that appears, click + to the right of output (object) to select it and all of its child options.
- Click Apply and then click Close.
Deploy and test the flow
- At the top of the DaVinci Flows window, click Deploy and wait for the Successfully Deployed flow message to display.
- In your Password Safe web console, request access to a managed system and initiate a session to it.
- At the top of the DaVinci Flows window, click Try Flow.
A Ping web page displays.
- Enter the hostname of the session you initiated in Password Safe, and then click Submit.
- If the session terminated successfully, a Ping Information page displays with a result message of "statusCode": 204.
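As an added example (not BeyondTrust's or Ping's code), the following Python emulates what the connector's Terminate Session by Hostname step does with the URL, API Key and API User entered in the connector configuration, ending in the 204 status the test flow displays. The Password Safe API paths and the PS-Auth header format are assumed from the Password Safe public API v3 (verify them against your release); the transport is a constructed test double, and a real transport must also carry the session cookie that SignAppin returns.

```python
"""Added example: what the 'Terminate Session by Hostname' step does against the Password Safe API."""
import json
from typing import Callable, Dict, List, Tuple

API_PATH = "/BeyondTrust/api/public/v3"   # assumed Password Safe public API v3 prefix; verify for your release
Response = Tuple[int, str]                                      # (HTTP status, body text)
Sender = Callable[[str, str, Dict[str, str], str], Response]    # (method, url, headers, body)


def ps_auth_header(api_key: str, api_user: str) -> str:
    """API-key auth header: key from the API registration, runas = the API user in the group."""
    return f"PS-Auth key={api_key}; runas={api_user};"


def terminate_sessions_by_hostname(base_url: str, api_key: str, api_user: str,
                                   hostname: str, send: Sender) -> int:
    """Sign in, resolve hostname -> ManagedSystemID, terminate its sessions, sign out; returns final status."""
    headers = {"Authorization": ps_auth_header(api_key, api_user), "Content-Type": "application/json"}
    api = base_url.rstrip("/") + API_PATH
    status, _ = send("POST", f"{api}/Auth/SignAppin", headers, "")
    if status != 200:              # e.g. 401 when the caller's IP fails the registration's auth rule
        return status
    try:
        status, body = send("GET", f"{api}/ManagedSystems", headers, "")
        if status != 200:
            return status
        hits = [s for s in json.loads(body) if s.get("HostName", "").lower() == hostname.lower()]
        if not hits:
            return 404             # unknown host: nothing to terminate
        sid = hits[0]["ManagedSystemID"]
        status, _ = send("POST", f"{api}/ManagedSystems/{sid}/Sessions/Terminate", headers, "")
        return status              # 204 No Content = all sessions on the host were terminated
    finally:
        send("POST", f"{api}/Auth/Signout", headers, "")   # always release the API session


def make_fake_sender(systems: List[dict], calls: List[str]) -> Sender:
    """Constructed offline test double standing in for a Password Safe instance."""
    def send(method: str, url: str, headers: Dict[str, str], body: str) -> Response:
        calls.append(f"{method} {url.split(API_PATH, 1)[1]}")
        if not headers.get("Authorization", "").startswith("PS-Auth key="):
            return 401, "Unauthorized"
        if url.endswith("/ManagedSystems"):
            return 200, json.dumps(systems)
        if url.endswith("/Sessions/Terminate"):
            return 204, ""
        return 200, "{}"           # SignAppin / Signout
    return send
```

The hostname comparison is case-insensitive because the form field is typed by hand, and Signout runs in a finally block so a failed lookup never leaves an API session open.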