PingOne

Authoritative identity providers

An authoritative identity provider (IdP) is the IdP that has authority over user records and credentials and defines where a user normally authenticates. By default, PingOne is a user’s authoritative IdP, meaning users authenticate with a PingOne username and password.

If a user authenticates from an external IdP that’s different from their authoritative IdP set in PingOne, and they do not have an existing account link for that IdP, the user must link their account by signing on through the authoritative IdP first (for example, by entering their PingOne username and password). This creates an account link between the external IdP and the PingOne user. Learn more in Adding an external identity provider sign-on step.

For a user to link their account with multiple external IdPs, their authoritative IdP must be set to PingOne. Account linking only applies when the user’s authoritative IdP is PingOne.

If a user’s authoritative IdP is PingOne, but they don’t have a PingOne password, the user can’t sign on through an external IdP and can’t link their account between the external IdP and PingOne. This can occur when users are created through an external integration that does not set an authoritative IdP or password, such as through the PingID or PingOne MFA adapters for PingFederate. This can also occur with any other custom integration that creates users without setting an authoritative IdP or password.

Setting the IdP

The authoritative IdP can be set either on the user or on a population in PingOne. Setting the authoritative IdP on a population means that all users in that population whose authoritative IdP is not set explicitly on the user record will use the authoritative IdP set on the population. If the user record does not include an authoritative IdP, and the user is not part of a population that has an authoritative IdP applied, the authoritative IdP defaults to PingOne.

For example, if you’re using the PingID or PingOne MFA adapters, users can be created by the adapters without an authoritative IdP or password, and they cannot sign on to PingOne. In this scenario, setting the authoritative IdP as PingFederate for that population applies the authoritative IdP to the users created by the adapters. Learn more in Adding a user and Managing populations.

You can change a user’s authoritative IdP in the PingOne admin console or using the API. For example, if a user’s authoritative IdP is PingOne but you want them to authenticate through an external IdP without needing a PingOne password, set their authoritative IdP to that external IdP. Learn more about using the API in Update User Identity Provider.
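The resolution order (user record, then population, then the PingOne default), the conditions under which account linking is possible, and the locked-out state of adapter-created users described above, worked through as an added Python example. This is not code from the PingOne documentation or product: the Population and User classes, the sample users and IdP names, and the lockout_audit helper are constructed for illustration, and the request built by update_idp_request is my assumption of the shape of the Update User Identity Provider API call, to be checked against the API reference.

```python
from dataclasses import dataclass, field
from typing import Optional

# Built-in default: a user with no authoritative IdP set anywhere authenticates
# with a PingOne username and password.
PINGONE = "PingOne"


@dataclass
class Population:
    name: str
    authoritative_idp: Optional[str] = None  # None: not set on the population


@dataclass
class User:
    username: str
    population: Population
    authoritative_idp: Optional[str] = None      # None: not set on the user record
    has_password: bool = True                    # adapter-created users often lack one
    linked_idps: set = field(default_factory=set)  # existing account links


def effective_idp(user: User) -> str:
    """Resolve the authoritative IdP: user record first, then population, then PingOne."""
    if user.authoritative_idp:
        return user.authoritative_idp
    if user.population.authoritative_idp:
        return user.population.authoritative_idp
    return PINGONE


def sign_on_from(user: User, external_idp: str) -> str:
    """Outcome when `user` arrives at PingOne from `external_idp`."""
    authority = effective_idp(user)
    if external_idp == authority or external_idp in user.linked_idps:
        return "signed on"                      # authoritative IdP, or already linked
    if authority != PINGONE:
        return "blocked: linking requires PingOne as the authoritative IdP"
    if not user.has_password:
        return "blocked: no PingOne password to complete the link"
    user.linked_idps.add(external_idp)          # link created after the PingOne sign-on
    return "linked after PingOne sign-on"


def lockout_audit(users: list) -> list:
    """Users whose effective IdP is PingOne but who have no PingOne password:
    they can neither sign on nor link (the adapter-created user case)."""
    return [u.username for u in users
            if effective_idp(u) == PINGONE and not u.has_password]


def update_idp_request(api_base: str, env_id: str, user_id: str, idp_id: str) -> dict:
    """Build the 'Update User Identity Provider' call. The path and body shape are
    an assumption about the PingOne Management API; verify against the reference."""
    return {
        "method": "PUT",
        "url": f"{api_base}/environments/{env_id}/users/{user_id}/identityProvider",
        "headers": {"Content-Type": "application/json"},
        "json": {"identityProvider": {"id": idp_id}},
    }


def scenario() -> dict:
    """Constructed sample data walking through the cases in the text."""
    default_pop = Population("Default")
    adapter_pop = Population("PingFederate adapter users", authoritative_idp="PingFederate")
    alice = User("alice", default_pop)                      # ordinary PingOne user
    bob = User("bob", default_pop, has_password=False)      # adapter-created, nothing fixed
    carol = User("carol", adapter_pop, has_password=False)  # adapter-created, fixed via population
    dave = User("dave", adapter_pop, authoritative_idp="Okta", has_password=False)  # user override
    return {
        "alice_first": sign_on_from(alice, "Google"),
        "alice_second": sign_on_from(alice, "Google"),
        "bob": sign_on_from(bob, "Google"),
        "carol": sign_on_from(carol, "PingFederate"),
        "carol_other": sign_on_from(carol, "Google"),
        "dave_idp": effective_idp(dave),
        "locked_out": lockout_audit([alice, bob, carol, dave]),
    }


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case}: {outcome}")
```

Running the scenario shows the two ways to repair a locked-out adapter-created user: carol is fixed by setting PingFederate on her population, dave by a user-level override, while bob stays in the lockout_audit output until one of those is applied or a password is set.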

Just-in-time provisioning

With just-in-time (JIT) provisioning, you can automate user registration and account creation. If a user authenticates through an external IdP that has registration enabled, and the user doesn’t already exist in PingOne, the user is automatically created through JIT provisioning with their authoritative IdP set to the external IdP.

JIT-provisioned users automatically have their authoritative IdP set and an account link created to their user account at that IdP.

To enable JIT provisioning, you must select a population on the Registration tab for the external IdP. Learn more in Configuring an authoritative identity provider.

Identifier-first authentication

With identifier-first authentication, you can identify users before you authenticate them. If the user has an authoritative IdP, PingOne redirects the user to that IdP for authentication after they enter their email or username.

If a user account in PingOne is preregistered and the user authenticates through their authoritative IdP for the first time, PingOne links the user account without requiring the user to verify their account or password. If you use a login authentication step instead, users must choose their IdP from a list that you can configure. Learn more in Adding an identifier first authentication step and Adding a login authentication step.