---
title: Alternative console authentication
description: As an alternative to using PingFederate's own internal datastore for authentication to the administrative console, you can configure PingFederate to use your network's LDAP user-datastore, the RADIUS protocol, client certificates, or OIDC-based authentication.
component: pingfederate
version: 13.0
page_id: pingfederate:administrators_reference_guide:pf_alt_console_auth
canonical_url: https://docs.pingidentity.com/pingfederate/13.0/administrators_reference_guide/pf_alt_console_auth.html
revdate: July 5, 2022
---

# Alternative console authentication

As an alternative to using PingFederate's own internal datastore for authentication to the administrative console, you can configure PingFederate to use your network's LDAP user-datastore, the RADIUS protocol, client certificates, or OIDC-based authentication.

You can configure any of these alternative console authentication methods at any time. Most user-management functions are handled outside the scope of the PingFederate administrative console when alternative authentication is enabled.

Unlike native authentication, for which you configure local accounts and their privileges in **System > Server > Administrative Accounts**, you must define roles in configuration files when using an alternative authentication scheme. Similar to native authentication, PingFederate provides two account types and three administrative roles for role-based access control, as shown in the following table.

**PingFederate User Access Control**

| Account type | Administrative role | Access privileges |
| ------------ | ------------------- | ----------------- |
| Admin        | User Admin          | Create users, deactivate users, change or reset passwords, and install replacement license keys. |
| Admin        | Admin               | Configure partner connections and most system settings, except the management of local accounts and the handling of local keys and certificates. |
| Admin        | Expression Admin    | Map user attributes by using the expression language, Object-Graph Navigation Language (OGNL).<br><br>Only Administrative users who have both the Admin role and the Expression Admin role:<br><br>- Can be granted the User Admin role. This restriction prevents non-Expression Admin users from granting themselves the Expression Admin role.<br>- Can be granted write access to the file system or directory where PingFederate is installed. This restriction prevents a non-Expression Admin user from placing a `data.zip` file containing expressions into the `<pf_install>/pingfederate/server/default/deploy` directory, which would introduce expressions into PingFederate. |
| Admin        | Crypto Admin        | Manage local keys and certificates. |
| Auditor      | Not applicable      | View-only permissions for all administrative functions. When the **Auditor** role is assigned, no other administrative roles can be set. |

All four administrative roles are required to access and make changes through the following services:

- The `/bulk`, `/configArchive`, and `/configStore` administrative API endpoints
- The **Configuration Archive** window, accessed from **System > Server**, in the administrative console
- The **Connection Management** configuration item on the **Service Authentication** window, accessed from **Security > System Integration**
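The role rules in the table and the note above can be checked mechanically when roles are assigned outside the console. The following is an added example, not PingFederate code: the inventory structure, the `fs_write` flag (OS-level write access to the install directory), and all account names are constructed for illustration and do not reflect the format of PingFederate's configuration files.

```python
# Added example: audit a constructed role inventory against the rules on this page.
ADMIN_ROLES = {"User Admin", "Admin", "Expression Admin", "Crypto Admin"}

def audit_account(name, account_type, roles, fs_write=False):
    """Return findings for one account; an empty list means it follows the rules."""
    roles, findings = set(roles), []
    unknown = roles - ADMIN_ROLES
    if unknown:
        findings.append(f"{name}: unknown role(s) {sorted(unknown)}")
    if account_type == "Auditor":
        # Auditor is view-only; no administrative role may accompany it.
        if roles:
            findings.append(f"{name}: Auditor must not hold {sorted(roles)}")
        return findings
    has_expr_pair = {"Admin", "Expression Admin"} <= roles
    # User Admin is reserved for users holding both Admin and Expression Admin.
    if "User Admin" in roles and not has_expr_pair:
        findings.append(f"{name}: User Admin without Admin + Expression Admin")
    # The same pair is required for write access to the install directory,
    # since a dropped data.zip could introduce expressions.
    if fs_write and not has_expr_pair:
        findings.append(f"{name}: install-dir write access without Admin + Expression Admin")
    return findings

def audit(inventory):
    """Audit every account; returns all findings in account-name order."""
    findings = []
    for name, acct in sorted(inventory.items()):
        findings += audit_account(name, acct["type"], acct["roles"],
                                  acct.get("fs_write", False))
    return findings

def full_access_accounts(inventory):
    """Accounts holding all four roles: these can use /bulk, /configArchive, /configStore."""
    return sorted(n for n, a in inventory.items()
                  if a["type"] == "Admin" and ADMIN_ROLES <= set(a["roles"]))

# Constructed sample inventory (hypothetical accounts).
INVENTORY = {
    "alice": {"type": "Admin", "roles": sorted(ADMIN_ROLES), "fs_write": True},
    "bob":   {"type": "Admin", "roles": ["Admin", "User Admin"]},
    "carol": {"type": "Auditor", "roles": ["Admin"]},
    "dave":  {"type": "Admin", "roles": ["Crypto Admin"], "fs_write": True},
    "erin":  {"type": "Auditor", "roles": []},
}

if __name__ == "__main__":
    print("\n".join(audit(INVENTORY)))
    print("All four roles:", full_access_accounts(INVENTORY))
```

Reviewing the output of `full_access_accounts` periodically keeps the set of identities able to export or import the full configuration small and known.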
