--- title: Changing the Policy Editor authentication mode description: Change the Policy Editor's authentication mode after initial setup. component: pingauthorize version: 11.0 page_id: pingauthorize:installing_and_uninstalling_pingauthorize:paz_change_pe_authn_mode canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/installing_and_uninstalling_pingauthorize/paz_change_pe_authn_mode.html revdate: April 28, 2025 section_ids: changing-the-policy-editor-authentication-mode-for-manual-installs: Changing the Policy Editor authentication mode for manual installs about-this-task: About this task steps: Steps example: Example: example-2: Example: example-3: Example: changing-the-policy-editor-authentication-mode-for-docker-deployments: Changing the Policy Editor authentication mode for Docker deployments about-this-task-2: About this task steps-2: Steps example-4: Example: --- # Changing the Policy Editor authentication mode Change the Policy Editor's authentication mode after initial setup. ## Changing the Policy Editor authentication mode for manual installs ### About this task To change the authentication mode that a manually installed PingAuthorize Policy Editor uses, re-run the `setup` tool and choose a different authentication mode. This action overwrites the PingAuthorize Policy Editor's existing configuration. ### Steps 1. Stop the Policy Editor. #### Example: ```shell $ bin/stop-server ``` 2. Run the `setup` command and select a different authentication mode. The modes are: * **Demo mode** Configures the PingAuthorize Policy Editor to use form-based authentication with a fixed set of credentials. Unlike OIDC mode, this mode does not require an external authentication server. However, it is inherently insecure and is recommended only for demonstration purposes. * **OpenID Connect (OIDC) mode** Configures the PingAuthorize Policy Editor to delegate authentication and sign-on services to an OpenID Connect provider, such as PingFederate. #### Example: ```shell $ bin/setup ``` 3. Start the Policy Editor. #### Example: ```shell $ bin/start-server ``` ## Changing the Policy Editor authentication mode for Docker deployments ### About this task To switch to OIDC authentication for a Docker deployment of the PingAuthorize Policy Editor, re-run the `docker run` command using the OIDC environment variables. ### Steps 1. Stop the Policy Editor Docker container. 2. Run the Policy Editor Docker container in OIDC mode by using the `PING_OIDC_CONFIGURATION_ENDPOINT` and `PING_CLIENT_ID` environment variables in your `docker run` command, as shown in the following example. #### Example: | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | For proper communication between containers, create a Docker network using a command like `docker network create --driver `, and then connect to that network with the `--network=` option. | ```shell docker run --network= -p 8443:1443 -d \ --env-file ~/.pingidentity/config \ --env PING_EXTERNAL_BASE_URL=localhost:8443 \ --env PING_CLIENT_ID=c2f081c0-6a2e-4249-b07d-d60234bb5b21 \ --env PING_OIDC_CONFIGURATION_ENDPOINT=https://auth.pingone.com/3e665735-23da-40a9-a2bb-7ccddc171aaa/as/.well-known/openid-configuration \ pingidentity/{PAP_CONTAINER_NAME}: ``` | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The Docker image *\* used in the example is only a placeholder. For actual tag values, see the [PingAuthorize PAP Docker Image](https://hub.docker.com/r/pingidentity/pingauthorizepap) on Docker Hub. |