--- title: Enabling native authentication for the administrative API description: When the administrative API is protected by native authentication, access to the administrative API is restricted to the users defined in the Account Management window. component: pingfederate version: 13.1 page_id: pingfederate:developers_reference_guide:pf_enable_native_auth_for_admin_api canonical_url: https://docs.pingidentity.com/pingfederate/13.1/developers_reference_guide/pf_enable_native_auth_for_admin_api.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: November 24, 2022 section_ids: about-this-task: About this task steps: Steps --- # Enabling native authentication for the administrative API When the administrative API is protected by native authentication, access to the administrative API is restricted to the users defined in the **Account Management** window. ## About this task The API calls must be authenticated by valid credentials over HTTP Basic authentication; otherwise, the administrative API returns an error message. The roles assigned to the users affect the results of the API calls. ## Steps 1. In the `/pingfederate/bin/run.properties` file, set the value of the `pf.admin.api.authentication` property to `native`. Then restart PingFederate. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can configure PingFederate to support both `native` authentication and OAuth 2.0 authorization by specifying two values separated with a comma. For example, specify `pf.admin.api.authentication=OAuth2,native`. Supporting two authentication methods is helpful when you want to change applications from one method to another. For more information about supporting two authentication methods, see the description of `pf.admin.api.authentication` in [Configuring PingFederate properties](../administrators_reference_guide/pf_config_pf_propert.html). | | | | | - | ------------------------------------------------------------------------------------------------------ | | | In a clustered PingFederate environment, you only need to modify `run.properties` on the console node. | 2. Sign on to the administrative console with an account that has the User Admin role. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | When the administrative console is protected by an alternative console authentication, such as certificate-based, LDAP, or RADIUS authentication, most user-management functions are handled outside the scope of the PingFederate administrative console. Therefore, the administrative console disables the functionality of the **System > Server > Administrative Accounts** window unless the logged-on administrator has been granted User Admin permissions.To create or manage users in this scenario, add at least one external account to the role setting `userAdmin` in the configuration file for the respective authentication method. When the administrator logs on to the administrative console, the **Administrative Accounts** window becomes available to create or manage users for the purposes of accessing the administrative API.For more information about the alternative console authentication and the respective configuration, see [Alternative console authentication](../administrators_reference_guide/pf_alt_console_auth.html). | 3. On the **Administrative Accounts** window, create or manage users as needed, and assign various PingFederate administrative roles as indicated by the PingFederate User Access Control table. For more information, see [Configure access to the administrative API](pf_config_access_to_admin_api.html). | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | When assigning roles, remember that all users defined in the **Administrative Accounts** window can access the administrative API and the administrative console. |