PingFederate Server

PingFederate administrative API

PingFederate includes a REST-based application programming interface (API) for administrative functions. The administrative API provides a programmatic way to make configuration changes to PingFederate as an alternative to using the administrative console.

The configuration changes that you can make through the administrative API include, but are not limited to:

  • Adapters and connections

  • Authentication policy contracts

  • Cluster management

  • Data stores and password credential validators

  • Keys and certificates

  • License management

  • Local administrative account management

  • OAuth settings

  • Server settings

Initial setup using the administrative API

After installing PingFederate you can make four unauthenticated administrative API requests to perform the following tasks:

  1. A GET request to /license/agreement to retrieve a URL to the license agreement.

  2. A PUT request to /license/agreement to accept the license agreement.

  3. A PUT request to /license to import a license file.

  4. A POST request to /administrativeAccounts to create the first local administrative account, for native authentication.

You must assign the User Admin administrative role, USER_ADMINISTRATOR, to the first local administrative account. Other administrative roles are optional at this point. For more information, see the interactive documentation for the administrative API Accessing the API interactive documentation.

After the first local administrative account is created, you can make other authenticated administrative API requests to configure various components in PingFederate.

Authentication and authorization

Similar to the administrative console, access to the administrative API is protected after initial setup. The administrative API supports various authentication and authorization options. For more information, see Configure access to the administrative API.

Concurrent access

The administrative API supports concurrent access. When concurrent API calls are made to modify the same API resource, such as the identity provider (IdP) adapter instance or the service provider (SP) connection, PingFederate processes the last request made.

Logging

PingFederate records actions performed through the administrative API in the admin-api.log file. Information includes the time of the event, the action performed, the authentication method, and other fields. For more information, see Administrative API audit log.