SPN reference

The following table shows the service principal name (SPN) values for the various PingOne regions.

Region	SPN 1	SPN 2
North America	HTTP/d3vol3lyj0eg62.cloudfront.net	HTTP/kerberos.pingone.com
Australia	HTTP/d17e9v8kuwbj1g.cloudfront.net	HTTP/kerberos.pingone.com.au
Asia Pacific	HTTP/d17e9v8kuwbj1g.cloudfront.net	HTTP/kerberos.pingone.asia
Canada	HTTP/d2zesjvkk5mc9z.cloudfront.net	HTTP/kerberos.pingone.ca
Europe	HTTP/d2g9q8z5merlnu.cloudfront.net	HTTP/kerberos.pingone.eu

Region

SPN 1

SPN 2

North America

HTTP/d3vol3lyj0eg62.cloudfront.net

HTTP/kerberos.pingone.com

Australia

HTTP/d17e9v8kuwbj1g.cloudfront.net

HTTP/kerberos.pingone.com.au

Asia Pacific

HTTP/d17e9v8kuwbj1g.cloudfront.net

HTTP/kerberos.pingone.asia

Canada

HTTP/d2zesjvkk5mc9z.cloudfront.net

HTTP/kerberos.pingone.ca

Europe

HTTP/d2g9q8z5merlnu.cloudfront.net

HTTP/kerberos.pingone.eu

Custom domains

If the environment is configured with a custom domain, only one SPN is required. The address varies depending on the DNS result. See the examples below for more information.

Example 1: DNS result from nslookup

c:\>nslookup -type=A sso.example.com
Step 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
        primary name server = 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
        responsible mail addr = (root)
        serial  = 0
        refresh = 28800 (8 hours)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)
Server:  UnKnown
Address:  ::1Non-authoritative answer:
Name:    d3laihe2ro8a3z.cloudfront.net
Addresses:  65.8.10.10
          65.8.10.20
          65.8.10.30
          65.8.10.40
Aliases:  sso.example.com
          45ffcbe6-ec42-48d2-999e-89a7eae22ea9.edge1.pingone.com

Based on this DNS result from nslookup, the SPN address is HTTP/d3laihe2ro8a3z.cloudfront.net. This remains true regardless of the PingOne region.

Example 2: DNS result from dig

~$ dig sso.example.com A

; <<>> DiG 9.10.6 <<>> sso.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1344
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;sso.example.com.        IN    A

;; ANSWER SECTION:
sso.example.com.    3526    IN    CNAME    45ffcbe6-ec42-48d2-999e-89a7eae22ea9.edge1.pingone.com.
45ffcbe6-ec42-48d2-999e-89a7eae22ea9.edge1.pingone.com.    86326 IN CNAME d3laihe2ro8a3z.cloudfront.net.
d3laihe2ro8a3z.cloudfront.net. 54 IN    A    65.8.10.10
d3laihe2ro8a3z.cloudfront.net. 54 IN    A    65.8.10.20
d3laihe2ro8a3z.cloudfront.net. 54 IN    A    65.8.10.30
d3laihe2ro8a3z.cloudfront.net. 54 IN    A    65.8.10.40

;; Query time: 30 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Fri Nov 25 14:02:32 PST 2022
;; MSG SIZE  rcvd: 221

Based on this DNS result from dig, the SPN address is HTTP/d3laihe2ro8a3z.cloudfront.net. This remains true regardless of the PingOne region.