Postman's automation tools simplify exploratory testing at Ping Identity
About
User authentication is the gateway to the most engaging digital experiences. But there's a flip side to this story: when users log into their favorite website or application, their digital identities can become vulnerable to cyberattacks, data theft, and other nefarious activities. Ping Identity provides a suite of identity security solutions that help enterprises safeguard customer and employee data at scale. One of the company's offerings, PingOne for Customers, is a cloud-based Identity as a Service (IDaaS) that can be easily integrated into customer-facing applications or internal systems using a developer-friendly RESTful API.
For the PingOne team, Postman is their hub for all things API, enabling efficient collaboration throughout the API lifecycle from development to QA testing to customer onboarding and documentation.
Results
- Ease of use and reduction of manual overhead
- Improved speed and productivity across the board
- Simplified workflows through automation tools and capabilities
The Challenge
Disparate, unconnected tools hindered productivity
Prior to Postman, individuals on the PingOne team were using a variety of different tools from different vendors to interact with and manage API information. This made it difficult to standardize processes and improve team efficiency. A few on the team had some experience with Postman, but the shift really came when Ping Identity hired QA engineer Gideon McKee, who advocated for using Postman across the PingOne organization.
"Postman enables quick access to our APIs for exploratory testing. The platform's ease of use helps everyone get what they need quickly and reduces much of the manual overhead."
Gideon McKee, Software Quality Engineer, Ping Identity
With Postman, the PingOne team's developers could easily access and run various parts of the API without having to write the requests themselves, while the QA engineers could conduct testing by hitting the API endpoints without having to create and run custom commands. Postman not only unified API operations for PingOne, but it also offered a user-friendly tool that helped everyone get more done.
From Gideon's perspective, Postman was rapidly becoming a leading API platform on the market, and as such, it was a sure bet for establishing robust API operations over the long term. He had even been advised by recruiters that familiarity with Postman was a must-have skill for API QA job seekers today.
"If a QA job candidate mentions Postman, that means that they're paying attention to their tools and using the latest and greatest."
Gideon McKee, Software Quality Engineer, Ping Identity
At the heart of the PingOne hub: Postman Collections
PingOne's API powers the platform's wide range of microservices, which include registration, account recovery, and multi-factor authentication. The PingOne team stores API information in Postman as Postman Collections; each collection is a group of requests that represent a workflow for a particular microservice. The team can create a logical file structure and attach extensive detail to each collection (including markdown) for convenient user reference and education. This helps streamline developer onboarding to the PingOne APIs, giving both customer and internal teams one source of truth to access and explore essential information related to each API.
"Postman enables us to build robust collections that make it easier for any of our API users—developers, QA engineers, and customers—to understand and use our API."
Gideon McKee, Software Quality Engineer, Ping Identity
PingOne maintains individual collections for internal use; however, customers can access a master collection that includes all the microservice calls they need to integrate the API into their applications. This master collection is maintained by the documentation team, which uses Postman's automated API documentation feature to generate customer-facing docs. A Run in Postman button in the PingOne docs enables customers to easily import the collection to their Postman workspace in one click.
The Solution
Setting up for automated testing on Postman
Prior to delivering the API to end users, the PingOne team runs extensive testing using Postman's automation features. Postman environments enable the team to run requests and collections against various data sets associated with different runtime environments, such as development, staging, and production.
In addition, the team set up variables in Postman that allowed them to store and reuse values, so that commonly used data can be automatically passed between requests, collections, and environments. Variables were notably helpful for two values in particular:
- UUIDs: UUIDs are unique identifiers that are returned when creating or updating API resources. UUIDs are very long text strings, which can be tedious to copy and paste into each request.
- OAuth tokens: OAuth tokens are similarly lengthy shared strings that need to be pasted into the auth header of each request.
Storing values such as UUIDs and OAuth tokens as variables means that when Ping Identity QA engineers switch environments or build new collections, they don't have to worry about repeating time-consuming manual steps. They can simply reference the variable, and Postman automatically inserts values where needed. If the engineers want to update the value, they only have to change it in one place. Variables have helped the Ping Identity team to work more efficiently and minimize the likelihood of error.
"Using variables in Postman helps us better manage complex testing flows without having to think about the mechanics of making each request."
Gideon McKee, Software Quality Engineer, Ping Identity
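Of the two values above, UUIDs are only identifiers, while OAuth tokens are bearer credentials, so an environment should have its tokens blanked before it is exported and shared. The following is an added example, not Ping Identity's or Postman's code; the sample export is constructed, and the variable names (`envID`, `accessToken`, `adminAuth`) and function names are hypothetical.

```javascript
// Added example: blank credential-like values in a Postman environment export.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const JWT_RE = /^[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]*$/;
const SECRET_KEY_RE = /(token|secret|password|verifier)/i;

// Decide what a variable holds from its type, its name and the shape of its value
function classify(variable) {
  const value = String(variable.value ?? '');
  if (value === '') return 'empty';
  if (variable.type === 'secret' || SECRET_KEY_RE.test(variable.key)) return 'credential';
  if (UUID_RE.test(value)) return 'identifier';
  if (JWT_RE.test(value)) return 'credential'; // token stored under an innocuous name
  return 'other';
}

// Return a copy of the export with credentials blanked, plus the keys that were blanked
function scrubEnvironment(env) {
  const blanked = [];
  const values = env.values.map((v) => {
    if (classify(v) !== 'credential') return { ...v };
    blanked.push(v.key);
    return { ...v, value: '', type: 'secret' };
  });
  return { scrubbed: { ...env, values }, blanked };
}

// Constructed sample export (all values are made up)
const sampleEnv = {
  name: 'staging (constructed sample)',
  values: [
    { key: 'envID', value: '3f2b8c1e-9d4a-4c6b-8e21-5a7d9f0b1c23', enabled: true },
    { key: 'userID', value: '', enabled: true },
    { key: 'accessToken', value: 'constructed-opaque-token-value', enabled: true },
    { key: 'apiPath', value: 'https://api.example.test/v1', enabled: true },
    { key: 'adminAuth', value: 'eyJhbGciOiJub25lIn0.eyJzdWIiOiJjb25zdHJ1Y3RlZCJ9.', enabled: true },
  ],
  _postman_variable_scope: 'environment',
};

const result = scrubEnvironment(sampleEnv);
console.log('blanked:', result.blanked.join(', '));
```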
Adding dynamic behavior to requests and collections
Test scripts put Postman variables into action. With environments and variables in place, the PingOne team wrote test scripts in JavaScript that programmatically perform API calls and dynamically pass values during the testing flow. Some tests perform a basic sanity check or validation of response data, and others automate common manual testing tasks.
For example, one script automatically grabs the UUID from a response, saves it as a variable, and inserts that UUID into the URL of the next request. Another script uses an OAuth variable to automatically set a token when running the “Create User” collection and saves the user ID returned as another variable. The user ID can then be automatically referenced in other calls associated with that user, such as to delete the account or update user information.
A more complex script uses PKCE, a security extension to OAuth 2.0, to run a cryptographic function that applies a transformation against a random string generated during a particular authentication request and then includes it in a following request.
By automating complex logic (as well as simple manual tasks) with scripts in Postman, the Ping Identity team is more productive and efficient.
"Postman allows for more complex edge cases that would just be harder to work with if you had to go through every step at a lower level."
Gideon McKee, Software Quality Engineer, Ping Identity
The Outcome
Simpler workflows give everyone time back in their day
After centralizing API operations on Postman, the PingOne team has been able to improve overall speed and productivity across the board, from development to testing to documentation. Postman has helped simplify workflows through user-friendly automation tools and capabilities, allowing the team to get more done while worrying less about the details. Going forward, the team plans to automate more repeatable tasks and free up time to focus on higher-level concerns.