Advanced Identity Software
These are software products that you install and operate:
-
Deployed on-premise or in your own cloud.
-
Licensing is enforced through license keys, configuration, or both in each product’s admin console.
Software uses a managed (stored) identity unit of measure.
A managed (stored) identity is a unique identifier for a user, device, or other object that is stored and managed by the product, regardless of activity, such as the number of records or entries in the directory or identity store governed by the license.
Self-managed products
PingAccess
Policy-based access management solution for web apps and APIs that enforces authentication and authorization decisions at the resource level using agents and gateways.
| Feature | Description |
|---|---|
Policy-based access control for web applications, enforcing authentication and authorization at the URL/resource level. |
|
Protects APIs and services through reverse proxy or gateway mode, applying centralized policies and token validation. |
|
Uses lightweight agents or gateway deployment to integrate with a wide range of web servers and application platforms. |
|
Defines access policies once (conditions, rules, roles) and applies them consistently across many applications and APIs. |
|
Integrates with PingFederate and other IdPs to consume SAML/OpenID Connect (OIDC)/OAuth tokens and enforce single sign-on (SSO)-based access rules. |
|
Supports clustering and load-balanced deployments to provide resilient, scalable access enforcement for mission-critical applications and APIs. |
PingAuthorize
Fine-grained, externalized authorization engine that evaluates rich, attribute- and context-based policies to control access to APIs and data down to field and record level.
| Feature | Description |
|---|---|
Central policy engine that moves authorization decisions out of apps/APIs into a centralized policy decision point (PDP) service. |
|
Uses identity, resource, and contextual attributes (time, device, risk, and so on) to make fine-grained allow/deny/filter decisions. |
|
Enforces row/record, field/column, and value-level controls so you can mask, filter, or transform sensitive data per policy. |
|
Protects APIs and services by evaluating policies at runtime through decision APIs or sidecar/gateway integrations. |
|
Policy modeling and testing |
Tools to design, simulate, and debug authorization policies before and after deployment to reduce risk and misconfigurations. |
PingCentral
Centralized configuration and promotion hub that lets teams template, manage, and deploy PingFederate and PingAccess application integrations through a simplified, self-service workflow.
| Feature | Description |
|---|---|
Central place to manage and promote PingFederate and PingAccess configurations across environments (dev, test, prod) using consistent identity and access management (IAM) workflows. |
|
Simplifies onboarding of new applications by giving app teams curated templates and guided flows instead of manual, expert-only configuration steps. |
|
Uses reusable templates for common SSO/API patterns so teams can quickly stand up standards-compliant integrations with minimal custom work. |
|
Supports promoting configurations between environments with guardrails, reducing drift and manual errors in SSO/API policy deployment. |
|
Provides a central view of applications, connections, and versions, improving operational visibility and governance over identity integration changes. |
PingDirectory
High-performance LDAP directory server for storing and serving identity and profile data at scale, with strong security, replication, and high availability for mission-critical IAM workloads.
| Feature | Description |
|---|---|
Low-latency, high-throughput LDAPv3 directory for storing and serving identity and profile data at scale. |
|
Multi-master replication and proxy options to support large, globally distributed deployments with high availability. |
|
Fine-grained ACLs, strong password policies, encryption in transit/at rest, and detailed security/audit logging. |
|
Custom objectClasses and attributes so you can model complex identity and application data requirements. |
|
Admin tools and APIs for backup/restore, tuning, monitoring, alerts, and troubleshooting. |
|
Optional REST/HTTP gateways to expose directory data to non-LDAP clients and modern applications. |
PingFederate
Enterprise federation server that provides standards-based SSO and security token services using SAML, OAuth 2.0, and OpenID Connect for web, mobile, and API access.
| Feature | Description |
|---|---|
SAML 2.0, OAuth 2.0, and OpenID Connect support for SSO and token services across web, mobile, and API applications. |
|
Browser-based SSO and single logout for identity provider (IdP)-initiated and service provider (SP)-initiated flows across many federation profiles. |
|
Acts as a hub between multiple identity providers and service providers, bridging many-to-many federation relationships. |
|
Full OAuth 2.0 authorization server and OpenID Connect provider with support for many grant types and client management. |
|
WS-Trust-based security token service for issuing, transforming, and validating tokens between different systems and protocols. |
|
Converts between SAML, JSON Web Token (JWT), WS-Fed/WS-Trust, and other token formats to integrate legacy and modern apps. |
|
Rich library of bundled adapters and integration kits to connect to directories, IdPs, SPs, apps, and authentication sources. |
|
Clustering, load balancing, and enterprise deployment features for high availability and scale in mission-critical environments. |
PingAM
Access management server providing authentication journeys, SSO and federation (SAML, OIDC, and OAuth 2.0), adaptive and strong authentication, and authorization and User-Managed Access (UMA) for web, mobile, and API workloads.
| Feature | Description |
|---|---|
Tree-based journeys that let you visually design authentication and step-up flows using nodes for risk, context, devices, and user interactions. |
|
Policy-based, fine-grained authorization using attributes and context to make allow/deny decisions for applications, APIs, and resources. |
|
Standards-based SSO and identity federation with SAML 2.0, OAuth 2.0, and OpenID Connect for web, mobile, and API use cases. |
|
Strong and adaptive authentication for customer identity and access management (CIAM), combining multi-factor authentication (MFA) factors, risk, and device/context signals in Intelligent Access journeys. |
|
UMA-based access control that lets resource owners manage sharing and consent policies for their own protected resources. |
PingDS (Directory Server and Proxy)
High-performance LDAP directory and proxy for storing and serving identity and profile data with strong security, replication, and high availability for large-scale deployments.
| Feature | Description |
|---|---|
High-performance LDAPv3 directory for storing and retrieving identity and configuration data. |
|
Multi-master replication and proxy options for high availability and geographic distribution. |
|
Fine-grained access control, password policies, and encryption for protecting directory data. |
PingGateway
Identity-aware gateway and micro-gateway that sits in front of web apps and APIs to enforce centralized authentication, authorization, token translation, and traffic controls at the edge.
| Feature | Description |
|---|---|
Gateway/edge security solution that fronts web apps and APIs with an identity-aware reverse proxy, enforcing centralized authentication, authorization, and traffic controls. |
PingGateway Edge Security - Open Finance
Security overlay for PingGateway that provides financial-grade API compliance.
| Feature | Description |
|---|---|
Logs FAPI interaction IDs and request metadata per transaction for regulatory compliance and audit. |
PingIDM
Identity management and synchronization platform that handles identity lifecycle (joiner, mover, and leaver), relationships, self-service, and workflow-driven provisioning across systems.
| Feature | Description |
|---|---|
Model identities, relationships, and entitlements across systems to support full identity lifecycle. |
|
Synchronize identity data between directories, databases, and applications using flexible mappings and policies. |
|
Self-service registration, profile management, and approval workflows for identity changes. |
PingOne Platform Agent IAM Core
Treats autonomous artificial intelligence (AI) agents as first-class, governed identities in PingOne, so they authenticate, get scoped tokens, and access APIs, data, and tools under the same least-privilege policies and audit controls as human users and applications.
| Feature | Description |
|---|---|
Integrates AI agents into your IAM so they authenticate, authorize, and audit like users and apps. |
|
Defines agents as autonomous systems that use LLMs, tools, memory, and workflows to complete tasks. |
|
Classifies agents (personal, assistants, digital workers) and distinguishes managed vs unmanaged based on control. |
|
Treats tools as external APIs/functions agents call to access data or perform actions under IAM control. |
|
Uses MCP for secure agent-tool calls and A2A for agent-agent coordination in multi-agent workflows. |
|
Applies IAM principles like delegation (not impersonation), least privilege, and monitoring to agents. |
Agent Gateway
A runtime enforcement layer that sits between AI agents and the services and tools they use. It standardizes how agents call those services, applies fine-grained authorization, and centralizes monitoring and audit of agent activity.
| Feature | Description |
|---|---|
Gateway in front of MCP servers and tools that brokers all agent-service traffic. |
|
Evaluates and enforces policy on every agent request in real time. |
|
Uses PingOne Authorize, PingOne Protect, or PingOne Advanced Identity Cloud for rich, policy-based decisions beyond basic OAuth. |
|
Blocks invalid or unauthorized MCP calls and rate-limits agents to protect backends. |
|
Adapts and transforms tokens so agents fit existing security and backend models. |
|
Logs all agent activity for unified visibility, compliance, and troubleshooting. |
|
Ensures agents get only the minimal access needed for each action. |
|
Pairs with Agent IAM Core: Core manages agent identity, while Gateway governs runtime actions. |
|
You can review your current licenses and entitlements in the Ping Identity Support Portal. After signing on, go to the Licensing section. From this page, you can also access your support keys and open a support case if anything about your entitlements appears incorrect. You can find more information in Ping Identity’s legal Product terms and conditions. |