Ping Migration Guide
This guide is designed to help customers migrate from PingOne to Descope.
Descope’s migration tool streamlines the process of moving users, tenants, and roles between identity providers (IdPs), ensuring a smooth and consistent transition.
Because PingOne uses separate APIs for each environment, performing a full migration is the most efficient and reliable approach. The provided migration script leverages the Descope SDK to transfer users, tenants, roles, and permissions from PingOne into Descope, ensuring that users are correctly associated with their respective tenants and roles in the new system.
Full Migration
Prerequisites
Ensure you have the following before starting:
- Access to your Ping Admin Console
- Access to your Descope Console
1. Importing from Ping
Creating a Ping Worker Application
Follow these steps to set up a Ping Worker App, which you will need to complete the migration:
- You will need to create a Worker app inside of your PingOne admin console. To do so, navigate to Applications --> Applications.
- Click the + icon to create a new application, and select Worker as the application type.
- In the Roles tab of your new application, select Grant Roles, and assign the Organization Admin and Environment Admin roles both at the Organization level.
The Roles tab of your application should now look like this:
For the next section, refer to the Overview tab of your application:
Configure Local Environment
You will need the following to set up your environment for migration:
-
Client ID assigned to your Worker app, found under the Overview tab of that application.
-
Client Secret assigned to your Worker app, found under the Overview tab of that application.
-
Environment ID of the Ping environment that contains the admin Worker application you created previously, found under the Overview tab of that application.
-
PingOne API authentication path for your particular geographical region. As an example, the PingOne top-level domain for the United States is
https://auth.pingone.com/v1
.
Note
For information on top-level domains for other regions, visit this doc
-
Descope Project ID, which can be found here.
-
Descope Management Key, you can create one here if needed.
Required Custom User Attributes
Before running the migration, you must manually create the following custom user attributes in the Descope Console under Users → Custom Attributes. These attributes are essential for supporting the migration process and ensuring smooth post-migration handling.
Attribute Name | Type | Description |
---|---|---|
freshlyMigrated | Boolean | Set to true during migration to indicate the user was migrated. You can use this flag in Descope Flows to apply conditional logic post-migration. |
mfaEnabled | Boolean | Set to true if the user had MFA enabled in Ping; otherwise, false . |
userId | Text | Stores the original userId assigned to the user in Ping. |
populationId | Text | Stores the ID of the Ping population the user belonged to, if applicable. |
environmentId | Text | Stores the ID of the Ping environment the user belonged to, if applicable. |
Note
The attribute machine names must match exactly as listed above for the migration tool to function correctly.
Setting Up the Migration Script
- Clone the Repo:
- Create a Virtual Environment
- Install the Necessary Python libraries
- Setup Your Environment Variables
You can change the name of the .env.example
file to .env
to use as a template. Then populate with the items generated
within the prerequisites section of this guide.
Note
The migration tool source code can be found on GitHub
Running the Migration Script
You can use the -v
or --verbose
flags to enable more detailed output. This works for both live and dry runs, providing you with additional information.
Dry Run
You can dry run the migration script which will allow you to see the number of users, tenants, roles, etc which will be migrated from Ping to Descope.
The output would appear similar to the following:
Live Run
To live migrate your Ping users, follow the below example.
The output will include the responses of the created users, organizations, roles, and permissions as well as the mapping between the various objects within Descope. A log file will also be generated in the format of migration_log_ping_%d_%m_%Y_%H:%M:%S.log
. Any items which failed to be migrated will also be listed with the error that occurred during the migration.
2. Password Migration
PingOne does not support exporting of hashed passwords. As a result, you have two options when migrating to Descope, both of which can be handled through Descope Flows.
-
Require Password Reset on First Login You can configure a Flow to prompt users to reset their password the first time they sign in through Descope. After resetting, users will authenticate using their newly set password for future logins. Learn more on our Flows page.
-
Move to Passwordless Authentication Alternatively, you can adopt a fully passwordless approach. Descope supports a variety of passwordless authentication methods. Explore them on our Authentication Methods page.
Note
This option should only be used if you have a verified email address for all users. Otherwise, we recommend enforcing a one time password reset for your users.
3. Merging Identities Across Environments
If a user has multiple identities across distinct Ping environments, you can use Descope’s multi-tenancy capabilities to consolidate these identities into a single user identity.
During migration, the script will:
- Assign all associated loginId values to the consolidated Descope user.
- Map the unified user to multiple tenants, preserving the roles and permissions the user holds within each tenant.
As a note, if a user has roles assigned in a Ping environment but does not exist in that environment’s user directory, those role relationships will not be migrated to Descope, as they cannot be mapped to an existing user.
Post Migration Verification
Once the migration tool has ran successfully, you can review the migrated items from Ping in the Descope Console:
Be sure to verify the created records against the migration tool’s output.
Next, you can define your users’ login experience. By leveraging the freshlyMigrated custom user attribute, you can create conditional paths within your Descope Flows.
From this conditional, you can guide users through different experiences — for example, verifying their email or phone number, setting a password (or requiring a password update if passwords were migrated), or enabling passkeys.
Once you’ve finalized the user experience, remember to update the user’s profile by setting the freshlyMigrated attribute to false.