PingFederate Server

Port requirements

The following table summarizes the ports and protocols that PingFederate uses to communicate with external components. This information provides guidance for firewall administrators to ensure the correct ports are available across network segments.

Direction refers to the direction of the initial requests relative to PingFederate. Inbound refers to requests PingFederate receives from external components. Outbound refers to requests PingFederate sends to external components.

PingFederate required ports and protocols
Service: Administrative console
Protocol, direction, transport, default port: HTTPS, inbound, TCP, 9999
Source: Browsers accessing the administrative console, REST calls to the administrative application programming interface (API), and web service calls to the Connection Management Service. Applicable to the console node in a clustered PingFederate environment.
Destination: Administrative node
Description: Used for incoming requests to the administrative console. Configurable in the run.properties file.

Service: Administrative console
Protocol, direction, transport, default port: HTTPS, outbound, TCP, 443
Source: Administrator accessing online documentation. Applicable to the console node in a clustered PingFederate environment.
Destination: docs.pingidentity.com
Description: Used for accessing online documentation from the administrative console.

Service: Runtime engine
Protocol, direction, transport, default port: HTTPS, inbound, TCP, 9031 (and 9032 if configured)
Source: Browsers accessing the runtime server for single sign-on (SSO) or single logout (SLO). Web service calls to the SSO Directory Service. REST calls to the OAuth Client Management Service, the OAuth Access Grant Management Service, the Persistent Grant Management API, and the Session Revocation API. Applicable to all runtime engine nodes in a clustered PingFederate environment.
Destination: Runtime engine nodes
Description: Used for incoming requests to the runtime engine. Configurable in the run.properties file.

Service: Cluster traffic
Protocol, direction, transport, default port: JGroups, inbound, TCP, 7600
Source: PingFederate peer servers in a clustered PingFederate environment.
Destination: Administrative node and runtime engine nodes
Description: Used for communications between engine nodes in a cluster when the transport mode for cluster traffic is set to TCP (the default behavior). Configurable in the run.properties file.

Service: Cluster traffic
Protocol, direction, transport, default port: JGroups, inbound, TCP, 7700
Source: PingFederate peer servers in a clustered PingFederate environment.
Destination: Administrative node and runtime engine nodes
Description: Used by other nodes in the cluster as part of the cluster’s failure-detection mechanism when the transport mode for cluster traffic is set to TCP (the default behavior). Configurable in the run.properties file.

Service: PingOne connections (if configured)
Protocol, direction, transport, default port: HTTPS, outbound, TCP, 443
Source: All nodes
Destination: pingone.com
Description: The administrative node uses PingOne APIs to create connections to PingOne. Engine nodes use PingOne APIs to obtain access tokens and call PingOne services.

Service: PingOne for Enterprise integration (if configured)
Protocol, direction, transport, default port: HTTPS and secure WebSocket, TCP, 443
Source: PingFederate. Applicable to the console node in a clustered PingFederate environment.
Destination: pingone.com
Description: Used for communications between PingFederate and PingOne for Enterprise for establishing and maintaining a managed SP connection to PingOne for Enterprise, monitoring of PingFederate from the PingOne admin portal, and authenticating end users against the PingOne for Enterprise Directory.

Service: Cluster traffic (if configured)
Protocol, direction, transport, default port: JGroups, outbound, TCP, 443
Source: PingFederate peer servers in a clustered PingFederate environment.
Destination: Amazon Simple Storage Service (Amazon S3) or an OpenStack Swift server
Description: Used by all nodes when the optional dynamic discovery mechanism is enabled.

Service: Cluster traffic
Protocol, direction, transport, default port: JGroups, inbound, UDP, 7601
Source: PingFederate peer servers in a clustered PingFederate environment.
Destination: Administrative node and runtime engine nodes
Description: Used for communications between engine nodes in a cluster when the transport mode for cluster traffic is set to UDP. By default, the transport mode is TCP. Configurable in the run.properties file.

Service: Active Directory domains/Kerberos realms (if configured)
Protocol, direction, transport, default port: Kerberos, outbound, TCP or UDP, 88
Source: PingFederate
Destination: Windows domain controllers
Description: Used for communications between PingFederate and Windows domain controllers for the purpose of Kerberos authentication.

Service: reCAPTCHA (if configured)
Protocol, direction, transport, default port: HTTPS, outbound, TCP, 443
Source: PingFederate
Destination: www.google.com/recaptcha/api/siteverify
Description: Used by the HTML Form Adapter when invisible reCAPTCHA from Google is enabled to prevent automated attacks.

Service: Administration notification
Protocol, direction, transport, default port: SMTP, outbound, TCP, 25 (465 if SMTPS)
Source: All nodes
Destination: SMTP server
Description: Used to send notification messages for various events. For more information, see Runtime notifications.

For PingID integration, see PingID required domains, URLs, and ports.

Depending on the integration kits deployed and the connecting third-party systems, such as email server or SMS service provider, additional ports might be required.
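
The inbound rows of the table, applied as a listener check on a cluster node. This is an added example, not part of the PingFederate documentation. It assumes the default ports listed above, a clustered deployment, and input in the format of `ss -tuln`; the role names `console` and `engine`, the function names, and the sample output are constructed for illustration.

```python
# Assumption: default inbound ports from the table above; run.properties can change them.
# (transport, port) -> (node roles that listen on it, required cluster transport mode)
INBOUND = {
    ("tcp", 9999): ({"console"}, None),             # administrative console
    ("tcp", 9031): ({"engine"}, None),              # runtime engine
    ("tcp", 9032): ({"engine"}, None),              # runtime engine, only if configured
    ("tcp", 7600): ({"console", "engine"}, "tcp"),  # JGroups cluster traffic
    ("tcp", 7700): ({"console", "engine"}, "tcp"),  # JGroups failure detection
    ("udp", 7601): ({"console", "engine"}, "udp"),  # JGroups cluster traffic, UDP mode
}

def expected_listeners(role, cluster_transport="tcp", secondary_port=False):
    """Listeners a node of this role ('console' or 'engine') should have."""
    want = set()
    for key, (roles, mode) in INBOUND.items():
        if key == ("tcp", 9032) and not secondary_port:
            continue  # 9032 is listed as "if configured"
        if role in roles and mode in (None, cluster_transport):
            want.add(key)
    return want

def parse_ss(output):
    """Extract (transport, port) pairs from `ss -tuln` output."""
    found = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        port = fields[4].rsplit(":", 1)[-1]  # also handles [::]:22 and *:7600
        if port.isdigit():
            found.add((fields[0], int(port)))
    return found

def audit(role, ss_output, **kwargs):
    """Return (missing, unexpected) listeners, limited to ports in the table."""
    want = expected_listeners(role, **kwargs)
    have = parse_ss(ss_output) & set(INBOUND)
    return sorted(want - have), sorted(have - want)

# Constructed sample: an engine node that also has the admin console port open.
SAMPLE_ENGINE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:9031      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:9999      0.0.0.0:*
tcp   LISTEN 0      50                 *:7600            *:*
tcp   LISTEN 0      128             [::]:22           [::]:*
"""
if __name__ == "__main__":
    print(audit("engine", SAMPLE_ENGINE))
```

A port reported as missing is one the table requires for that role and transport mode but that is not listening; a port reported as unexpected is a table port open on a node whose role or mode does not call for it.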