PingFederate Server

Enabling native authentication for the administrative API

When the administrative API is protected by native authentication, access to the administrative API is restricted to the users defined in the Account Management window.

About this task

The API calls must be authenticated by valid credentials over HTTP Basic authentication; otherwise, the administrative API returns an error message. The roles assigned to the users affect the results of the API calls.

Steps

  1. In the <pf_install>/pingfederate/bin/run.properties file, set the value of the pf.admin.api.authentication property to native. Then restart PingFederate.

    You can configure PingFederate to support both native authentication and OAuth 2.0 authorization by specifying two values separated with a comma. For example, specify pf.admin.api.authentication=OAuth2,native. Supporting two authentication methods is helpful when you want to change applications from one method to another. For more information about supporting two authentication methods, see the description of pf.admin.api.authentication in Configuring PingFederate properties.

    In a clustered PingFederate environment, you only need to modify run.properties on the console node.

  2. Sign on to the administrative console with an account that has the User Admin role.

    When the administrative console is protected by an alternative console authentication method, such as certificate-based, LDAP, or RADIUS authentication, most user-management functions are handled outside the scope of the PingFederate administrative console. Therefore, the administrative console disables the functionality of the System → Server → Administrative Accounts window unless the logged-on administrator has been granted User Admin permissions.

    To create or manage users in this scenario, add at least one external account to the role setting userAdmin in the configuration file for the respective authentication method. When the administrator logs on to the administrative console, the Administrative Accounts window becomes available to create or manage users for the purposes of accessing the administrative API.

    For more information about the alternative console authentication and the respective configuration, see Alternative console authentication.

  3. On the Administrative Accounts window, create or manage users as needed, and assign various PingFederate administrative roles as indicated by the PingFederate User Access Control table. For more information, see Configure access to the administrative API.

    When assigning roles, remember that all users defined in the Administrative Accounts window can access the administrative API and the administrative console.
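
To confirm the setting from step 1 before restarting, the following added example (not Ping Identity code) reads pf.admin.api.authentication from a run.properties file and reports whether native authentication is enabled alone, together with another method, or not at all. The function names and exit codes are assumptions of this example, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not Ping Identity code): audit the setting from step 1.
PROP=pf.admin.api.authentication

# Print the effective value of $PROP in a run.properties-style file.
# Comment lines (# or !) are skipped; if the key is assigned more than once,
# the last assignment wins, as with java.util.Properties.
pf_api_auth_value() {
    awk -v key="$PROP" '
        /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, key) != 1) next
            rest = substr(line, length(key) + 1)
            if (rest !~ /^[ \t]*[=:]/) next   # longer key with the same prefix
            sub(/^[ \t]*[=:][ \t]*/, "", rest)
            sub(/[ \t\r]+$/, "", rest)
            val = rest; found = 1
        }
        END { if (found) print val }
    ' "$1"
}

# Exit status: 0 = native only, 2 = native plus another method (the
# migration setup from step 1), 1 = native not enabled in this file.
pf_api_auth_check() {
    value=$(pf_api_auth_value "$1")
    native=0; other=0
    old_ifs=$IFS; IFS=,
    for m in $value; do
        m=$(printf '%s' "$m" | tr -d ' \t')
        case $m in
            native) native=1 ;;   # exact spelling used on the page
            '')     ;;
            *)      other=1 ;;
        esac
    done
    IFS=$old_ifs
    [ "$native" -eq 1 ] || { echo "native NOT enabled (value: '$value')"; return 1; }
    [ "$other" -eq 0 ] || { echo "native plus another method: '$value'"; return 2; }
    echo "native only"
}

# Constructed sample input, not a real run.properties.
sample=$(mktemp)
printf '%s\n' '# pf.admin.api.authentication=native' 'pf.admin.api.authentication = OAuth2,native' > "$sample"
pf_api_auth_check "$sample" || true   # prints the dual-method finding
rm -f "$sample"
```

To audit a real installation, call pf_api_auth_check with the path to <pf_install>/pingfederate/bin/run.properties on the console node.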