Note:

Direction refers to the direction of the initial requests relative to PingFederate. Inbound refers to requests PingFederate receives from external components. Outbound refers to requests PingFederate sends to external components.

PingFederate required ports and protocols
| Service | Protocol, direction, transport, default port | Source | Destination | Description |
|---|---|---|---|---|
| Administrative console | HTTPS, inbound, TCP, 9999 | Browsers accessing the administrative console, REST calls to the administrative API, web service calls to the Connection Management Service. Applicable to the console node in a clustered PingFederate environment. | Administrative node | Used for incoming requests to the administrative console. Configurable in the run.properties file. |
| Administrative console | HTTPS, outbound, TCP, 443 | Administrator accessing online documentation. Applicable to the console node in a clustered PingFederate environment. | docs.pingidentity.com | Used for accessing online documentation from the administrative console. |
| Runtime engine | HTTPS, inbound, TCP, 9031 (and 9032 if configured) | Browsers accessing the runtime server for SSO or SLO; web service calls to the SSO Directory Service; REST calls to the OAuth Client Management Service, the OAuth Access Grant Management Service, the Persistent Grant Management API, and the Session Revocation API. Applicable to all runtime engine nodes in a clustered PingFederate environment. | Runtime engine nodes | Used for incoming requests to the runtime engine. Configurable in the run.properties file. |
| Cluster traffic | JGroups, inbound, TCP, 7600 | PingFederate peer servers in a clustered PingFederate environment. | Administrative node and runtime engine nodes | Used for communications between engine nodes in a cluster when the transport mode for cluster traffic is set to TCP (the default behavior). Configurable in the run.properties file. |
| Cluster traffic | JGroups, inbound, TCP, 7700 | PingFederate peer servers in a clustered PingFederate environment. | Administrative node and runtime engine nodes | Used by other nodes in the cluster as part of the cluster's failure-detection mechanism when the transport mode for cluster traffic is set to TCP (the default behavior). Configurable in the run.properties file. |
| Cluster traffic (if configured) | JGroups, outbound, TCP, 443 | PingFederate peer servers in a clustered PingFederate environment. | Amazon Simple Storage Service (Amazon S3) or an OpenStack Swift server | Used by all nodes when the optional dynamic discovery mechanism is enabled. |
| Cluster traffic | JGroups, inbound, UDP, 7601 | PingFederate peer servers in a clustered PingFederate environment. | Administrative node and runtime engine nodes | Used for communications between engine nodes in a cluster when the transport mode for cluster traffic is set to UDP. By default, the transport mode is TCP. Configurable in the run.properties file. |
| PingOne connections (if configured) | HTTPS, outbound, TCP, 443 | All nodes | pingone.com | The administrative node uses PingOne APIs to create connections to PingOne. Engine nodes use PingOne APIs to obtain access tokens and call PingOne services. |
| PingOne for Enterprise integration (if configured) | HTTPS and secure WebSocket, TCP, 443 | PingFederate. Applicable to the console node in a clustered PingFederate environment. | pingone.com | Used for communications between PingFederate and PingOne for Enterprise for establishing and maintaining a managed SP connection to PingOne for Enterprise, monitoring of PingFederate from the PingOne admin portal, authenticating end users against the PingOne for Enterprise Directory. |
| Active Directory domains/Kerberos realms (if configured) | Kerberos, outbound, TCP or UDP, 88 | PingFederate | Windows domain controllers | Used for communications between PingFederate and Windows domain controllers for the purpose of Kerberos authentication. |
| reCAPTCHA (if configured) | HTTPS, outbound, TCP, 443 | PingFederate | www.google.com/recaptcha/api/siteverify | Used by the HTML Form Adapter when invisible reCAPTCHA from Google is enabled to prevent automated attacks. |
| Administration notification | SMTP, outbound, TCP, 25 (465 if SMTPS) | All nodes | SMTP server | Used to send notification messages for various events. For more information, see Runtime notifications. |

Note:

For PingID integration, see PingID required domains, URLs, and ports.

Depending on the integration kits deployed and the connecting third-party systems, such as an email server or SMS service provider, additional ports may be required.
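
Because several of the inbound ports above are configurable in run.properties, firewall rules and listener audits are better derived from that file than from the defaults. The following is an added example, not PingFederate code: it computes the inbound listeners a node should expose for its role and cluster transport mode, then compares them with observed listening sockets. The property names and operational-mode values are assumptions about the run.properties keys behind the table's defaults, and the sample input is constructed.

```python
# Added example, not PingFederate code. Property names and mode values are
# assumed run.properties keys behind the table's defaults; verify in your file.
DEFAULTS = {
    "pf.operational.mode": "STANDALONE",
    "pf.admin.https.port": "9999",
    "pf.https.port": "9031",
    "pf.secondary.https.port": "-1",          # 9032 only if configured
    "pf.cluster.transport.protocol": "tcp",
    "pf.cluster.bind.port": "7600",
    "pf.cluster.failure.detection.bind.port": "7700",
    "pf.cluster.mcast.group.port": "7601",
}

def parse_properties(text):
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#!" and "=" in line:  # skip blanks/comments
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def expected_listeners(props):
    """Inbound (transport, port) pairs this node should expose, per the table."""
    p = {**DEFAULTS, **props}
    mode, want = p["pf.operational.mode"].upper(), set()
    if mode in ("STANDALONE", "CLUSTERED_CONSOLE"):    # console node only
        want.add(("tcp", int(p["pf.admin.https.port"])))
    if mode in ("STANDALONE", "CLUSTERED_ENGINE"):     # runtime engine nodes
        want.add(("tcp", int(p["pf.https.port"])))
        if int(p["pf.secondary.https.port"]) > 0:
            want.add(("tcp", int(p["pf.secondary.https.port"])))
    if mode.startswith("CLUSTERED"):
        if p["pf.cluster.transport.protocol"].lower() == "udp":
            want.add(("udp", int(p["pf.cluster.mcast.group.port"])))
        else:                                          # TCP is the default mode
            want.add(("tcp", int(p["pf.cluster.bind.port"])))
            want.add(("tcp", int(p["pf.cluster.failure.detection.bind.port"])))
    return want

def audit(props_text, observed):
    """Compare observed listening sockets with what the configuration implies."""
    want, seen = expected_listeners(parse_properties(props_text)), set(observed)
    return {"unexpected": sorted(seen - want), "missing": sorted(want - seen)}

# Constructed sample: an engine node's run.properties and its listening sockets.
SAMPLE_PROPS = "pf.operational.mode=CLUSTERED_ENGINE\npf.secondary.https.port=9032\n"
SAMPLE_OBSERVED = [("tcp", 9031), ("tcp", 9032), ("tcp", 7600), ("tcp", 9999)]
print(audit(SAMPLE_PROPS, SAMPLE_OBSERVED))
```

An "unexpected" entry such as the administrative console port on an engine node is a candidate for closing or firewalling; a "missing" entry points to a listener that is down or bound to a non-default port.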