PingFederate Server

Configure access to the administrative API

Similar to the administrative console, access to the administrative API after initial setup might be protected by several authentication and authorization schemes.

Access to the administrative API after initial setup is protected by one of the following authentication and authorization schemes:

  • Native authentication, against local administrative accounts

  • LDAP authentication

  • RADIUS authentication

  • Mutual TLS client certificate-based authentication

  • OAuth 2.0 authorization

For new installations, native authentication is the default.

For upgrades, if the authentication or authorization method of the administrative API was not previously set, such as when upgrading from PingFederate 7.3 or an earlier version, the Upgrade Utility sets the value to that of the administrative console. Otherwise, it preserves the previously set value, such as when upgrading from PingFederate 8.0 to a future release.

The authentication or authorization method for the administrative API can change at a later time to any of the choices, regardless of which authentication or authorization method is chosen for the administrative console.

Besides authentication and authorization, PingFederate also provides role-based access control, as shown in the following table. The roles assigned to the accounts affect the results of the API calls.

PingFederate User Access Control
Account type Administrative role Access privileges

Admin

User Admin

Create users, deactivate users, change or reset passwords, and install replacement license keys.

Admin

Admin

Configure partner connections and most system settings, except the management of local accounts and the handling of local keys and certificates.

Admin

Expression Admin

Map user attributes by using the expression language, Object-Graph Navigation Language (OGNL).

Only Administrative users who have both the Admin role and the Expression Admin role:

  • Can be granted the User Admin role. This restriction prevents non-Expression Admin users from granting themselves the Expression Admin Role.

  • Can be granted write access to the file system or directory where PingFederate is installed. This restriction prevents a non-Expression Admin user from placing a data.zip file containing expressions into the <pf_install>/pingfederate/server/default/deploy directory, which would introduce expressions into PingFederate.

Admin

Crypto Admin

Manage local keys and certificates.

Auditor

Not applicable

View-only permissions for all administrative functions. When the Auditor role is assigned, no other administrative roles can be set.

All four administrative roles are required to access and make changes through the following services:

  • The /bulk, /configArchive, and /configStore administrative API endpoints

  • The Configuration Archive window, accessed from System → Server, in the administrative console

  • The Connection Management configuration item on the Service Authentication window, accessed from Security → System Integration