Managing the PingID properties file
The various integrations with PingID require information that is stored in the PingID properties file, which can be downloaded from the admin console.
Download the PingID properties file relevant for your platform:
-
PingFederate
-
Windows and Mac login
-
SSH
-
Revoking or rotating property files
PingFederate
You can download the PingID for PingFederate properties file for use when integrating PingID with PingFederate.
About this task
The Integrate with PingFederate Bridge properties file provides full permission to perform enrollment, device management, and authentication actions. You can rotate or revoke generated properties files with minimal downtime.
For Window login, Mac login, and SSH integrations, you should download the version of the properties file that restricts user permissions to authentication only. For more information, see the relevant tabs on this page. |
The PingID properties file contains sensitive information including the secret encryption key. It should only be handled by administrators and should not be distributed more than is necessary.
To ensure minimal downtime when rotating a PingID properties file (key rotation), first generate the PingID properties file and link it to the relevant client, and then revoke the old properties file. |
Steps
-
In the PingOne admin portal, go to Setup → PingID → Client Integration.
Result:
The Integrate with PingFederate and Other Clients section is displayed, listing any PingID properties files that are already defined.
-
To generate a new PingID properties file, click Generate, and then click Save.
You can have a maximum of five active PingID properties files. If you have five active files and want to generate a new one, you must first revoke one of your existing files.
Result:
A new entry is added to the properties file list, showing the new PingID properties file.
-
In the relevant row, click Download, and then save the file to the desired location with a meaningful name.
-
To revoke an old PingID properties file:
-
Download and open the PingID properties file you want to revoke, and ensure the token matches the token listed in the web portal.
-
In the relevant row of the properties file list, click Revoke, and then click Save.
Result:
The selected file is removed from the PingID server and can no longer be used for authentication.
-
Windows and Mac login
The Windows and Mac login PingID properties file provides a limited subset of permissions that enable users to perform Windows or Mac login authentication while preventing them from performing management actions, such as enrollment and device management.
About this task
The PingID Windows and Mac login properties file contains sensitive information, including the secret encryption key. It should only be handled by administrators and should not be distributed more than is necessary.
The outcome of a login attempt by this user can differ if Windows or Mac login was installed with full permissions as opposed to restricted permissions. Under full permissions, if valid user To avoid ad hoc registrations, the admin should always install the login using the restricted permissions properties file. |
To download the PingID properties file to integrate with Windows login or Mac login:
Steps
-
In the PingOne admin portal, go to Setup → PingID → Client Integration.
Result:
The Integrate With Windows and Mac Login section is displayed.
-
To generate a new Windows or Mac login PingID properties file, click Generate, and then click Save.
You can have a maximum of five active PingID properties files. If you have five active files and want to generate a new one, you must first revoke one of your existing files.
Result:
A new entry is added to the Properties file list showing the new PingID properties file.
-
Select the Enable Device Management option if you want to allow users to manage their devices from their Devices page and allow users to register their device the first time they try to access a resource that requires authentication ("on-the-fly registration"). When this option is selected, these features will be available to any user that uses that copy of the PingID properties file when installing the integration with Windows login.
To carry out on-the-fly registration of FIDO2 security keys, users must have installed version 2.11 or higher of the integration with Windows login. -
In the relevant row, click Download, and then save the file to the desired location using a meaningful name.
SSH
About this task
The SSH Properties file provides a limited subset of permissions that enable users to perform authentication while preventing them from performing management actions (such as enrollment and device management).
The PingID SSH Properties file contains sensitive information including the secret encryption key. It should only be handled by administrators, and should not be distributed more than is necessary.
The outcome of a login attempt by this user can differ if SSH was installed with full permissions as against restricted permissions. Under full permissions, if valid user To avoid ad hoc enrollments, the admin should always install SSH using the restricted permissions properties file. |
To download the PingID properties file to integrate with SSH:
Steps
-
In the PingOne admin portal, select Setup → PingID → CLIENT INTEGRATION.
Result:
The INTEGRATE WITH SSH area is displayed.
-
To generate a new SSH PingID properties file, click Generate and then click Save.
You can have a maximum of five active PingID properties files. If you have five active files and want to generate a new one, you must first revoke one of your existing files.
Result:
A new entry is added to the Properties file list showing the new PingID Properties file.
-
In the relevant row, click Download, and then save the file to the desired location using a meaningful name.
Rotating and revoking a PingID properties file
You can rotate or revoke a PingID properties file.
About this task
Revoking a properties file removes it from PingID, invalidating any devices that used it.
Revoking a properties file should be done with extreme caution. Users signed on to machines with authentication based on a revoked properties file can continue to work normally. However, at their next sign on, they won’t be able to authenticate and will be locked out of their machines. |
Rotating a properties file involves replacing a properties file with a new one. To minimize downtime to users:
Steps
-
In the PingOne admin portal, go to Setup → PingID → Client Integration.
The Client Integration page shows all PingID properties files associated with each type of properties file, such as PingFederate and unrestricted, Windows and Mac login, or SSH login properties files.
-
To ensure minimal downtime when rotating a PingID properties file (key rotation):
-
To generate a new PingID properties file, click Generate.
-
The Download button next to the name of the generated file is displayed as disabled. Click Save at the bottom of the page to enable the Download button.
-
Click Download.
-
Link it to the relevant client.
The documentation for each client explains how it is linked, such as by running the GUI or CLI installer.
-
-
In the properties file list, select the file to be revoked (the old properties file from step 2, if relevant) and click Revoke.
Result:
A confirmation window is displayed.
-
Click Revoke, and then click Save.
Result:
The selected file is removed from the PingID server and can no longer be used for authentication.