Port requirements
The following table summarizes the ports and protocols that PingFederate uses to communicate with external components. This information provides guidance for firewall administrators to ensure the correct ports are available across network segments.
Direction refers to the direction of the initial requests relative to PingFederate. Inbound refers to requests PingFederate receives from external components. Outbound refers to requests PingFederate sends to external components.

Service | Protocol, direction, transport, default port | Source | Destination | Description |
---|---|---|---|---|
Administrative console | HTTPS, inbound, TCP, 9999 | Browsers accessing the administrative console, REST calls to the administrative application programming interface (API), web service calls to the Connection Management Service. Applicable to the console node in a clustered PingFederate environment. | Administrative node | Used for incoming requests to the administrative console. Configurable in the |
Administrative console | HTTPS, outbound, TCP, 443 | Administrator accessing online documentation. Applicable to the console node in a clustered PingFederate environment. | docs.pingidentity.com | Used for accessing online documentation from the administrative console. |
Runtime engine | HTTPS, inbound, TCP, 9031 (and 9032 if configured) | Browsers accessing the runtime server for single sign-on (SSO) or single logout (SLO); web service calls to the SSO Directory Service; REST calls to the OAuth Client Management Service, the OAuth Access Grant Management Service, the Persistent Grant Management API, and the Session Revocation API. Applicable to all runtime engine nodes in a clustered PingFederate environment. | Runtime engine nodes | Used for incoming requests to the runtime engine. Configurable in the |
Cluster traffic | JGroups, inbound, TCP, 7600 | PingFederate peer servers in a clustered PingFederate environment. | Administrative node and runtime engine nodes | Used for communications between engine nodes in a cluster when the transport mode for cluster traffic is set to TCP (the default behavior). Configurable in the |
Cluster traffic | JGroups, inbound, TCP, 7700 | PingFederate peer servers in a clustered PingFederate environment. | Administrative node and runtime engine nodes | Used by other nodes in the cluster as part of the cluster's failure-detection mechanism when the transport mode for cluster traffic is set to TCP (the default behavior). Configurable in the |
PingOne connections (if configured) | HTTPS, outbound, TCP, 443 | All nodes | pingone.com | The administrative node uses PingOne APIs to create connections to PingOne. Engine nodes use PingOne APIs to obtain access tokens and call PingOne services. |
PingOne for Enterprise integration (if configured) | HTTPS and secure WebSocket, TCP, 443 | PingFederate. Applicable to the console node in a clustered PingFederate environment. | pingone.com | Used for communications between PingFederate and PingOne for Enterprise for establishing and maintaining a managed SP connection to PingOne for Enterprise, monitoring of PingFederate from the PingOne admin portal, authenticating end users against the PingOne for Enterprise Directory. |
Cluster traffic (if configured) | JGroups, outbound, TCP, 443 | PingFederate peer servers in a clustered PingFederate environment. | Amazon Simple Storage Service (Amazon S3) or an OpenStack Swift server | Used by all nodes when the optional dynamic discovery mechanism is enabled. |
Cluster traffic | JGroups, inbound, UDP, 7601 | PingFederate peer servers in a clustered PingFederate environment. | Administrative node and runtime engine nodes | Used for communications between engine nodes in a cluster when the transport mode for cluster traffic is set to UDP. By default, the transport mode is TCP. Configurable in the |
Active Directory domains/Kerberos realms (if configured) | Kerberos, outbound, TCP or UDP, 88 | PingFederate | Windows domain controllers | Used for communications between PingFederate and Windows domain controllers for the purpose of Kerberos authentication. |
reCAPTCHA (if configured) | HTTPS, outbound, TCP, 443 | PingFederate | www.google.com/recaptcha/api/siteverify | Used by the HTML Form Adapter when invisible reCAPTCHA from Google is enabled to prevent automated attacks. |
Administration notification | SMTP, outbound, TCP, 25 (465 if SMTPS) | All nodes | SMTP server | Used to send notification messages for various events. For more information, see Runtime notifications. |

For PingID integration, see PingID required domains, URLs, and ports. Depending on the integration kits deployed and the connecting third-party systems, such as email server or SMS service provider, additional ports might be required. |
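
The Source column above can be turned into a check on a node's inbound allow rules. The following is an added example, not Ping Identity code: it covers only the default ports in TCP transport mode (not 9032 or UDP 7601), and the source groups, the restriction of port 9999 to a management range, and all addresses are assumptions constructed for illustration.

```python
import ipaddress

# Default inbound rows of the table:
# (transport, port) -> (service, node roles that receive it, expected source group)
INBOUND = {
    ("tcp", 9999): ("Administrative console", {"admin"}, "admin_clients"),
    ("tcp", 9031): ("Runtime engine", {"engine"}, "any"),
    ("tcp", 7600): ("Cluster traffic", {"admin", "engine"}, "peers"),
    ("tcp", 7700): ("Cluster traffic, failure detection", {"admin", "engine"}, "peers"),
}

def audit(role, rules, groups):
    """Return findings for one node's inbound allow rules.

    rules: list of (transport, port, source_cidr); groups: group name -> list of CIDRs.
    """
    findings, seen = [], set()
    for transport, port, cidr in rules:
        src = ipaddress.ip_network(cidr)
        entry = INBOUND.get((transport, port))
        if entry is None or role not in entry[1]:
            # Port is not listed in the table for this node role.
            findings.append(f"UNEXPECTED {transport}/{port} from {cidr}")
            continue
        seen.add((transport, port))
        service, _, group = entry
        if group == "any":
            continue
        allowed = [ipaddress.ip_network(c) for c in groups[group]]
        if not any(src.version == a.version and src.subnet_of(a) for a in allowed):
            findings.append(f"TOO-WIDE {transport}/{port} ({service}) from {cidr}, expected {group}")
    for key, (service, roles, _) in INBOUND.items():
        if role in roles and key not in seen:
            findings.append(f"MISSING {key[0]}/{key[1]} ({service})")
    return findings

# Constructed sample data: hypothetical address ranges and rules.
GROUPS = {"admin_clients": ["10.0.5.0/24"], "peers": ["10.0.10.0/28"]}
ENGINE_RULES = [
    ("tcp", 9031, "0.0.0.0/0"),     # runtime SSO/SLO traffic from browsers
    ("tcp", 7600, "10.0.10.0/28"),  # cluster traffic from peers only
    ("tcp", 7700, "0.0.0.0/0"),     # failure detection reachable from anywhere
    ("tcp", 9999, "10.0.5.0/24"),   # admin console port opened on an engine node
]

if __name__ == "__main__":
    for line in audit("engine", ENGINE_RULES, GROUPS):
        print(line)
```
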