PingOne

Environments

In PingOne, tenants are called environments. Environments define separate working domains within an organization and contain assets such as your PingOne services and Ping Identity products, application connections, and user identities.

Environment usage

There are many ways to use environments within an organization. If your company is made up of several different business units, you can use environments to define those units and ensure each one has access only to the assets that pertain to their business. For example, if you use PingOne for both customer and employee (workforce) use cases, you could have a Customer environment and an Employee environment. Those environments would include services, applications, and policies applicable only to those use cases.

You can also create sandbox environments to deploy and test new features or configuration changes before releasing them to your production environments.

After reviewing this section, learn more about creating environments in Adding an environment.

To access the Environments page, click the Ping Identity logo on the sidebar or the Home icon at the top of the console.

Identities and source environments

In PingOne, every identity resides in a single source environment, which is the environment where the identity exists. For example, if you create an identity in the Administrators environment, then the Administrators environment is that identity’s source environment.

In most cases, you should create all administrator identities in the Administrators environment to make it easier to manage them and to help prevent privilege escalation.

Identities don’t have to reside in the same environments to which they have access.

End users and customers should reside in a separate environment from your administrator identities.

In some scenarios, you might not have administrator access to the source environment for your identity (where your identity resides). In this case, your source environment is different from the environment you can work in, but you authenticate to your source environment.

For example, users with the Identity Data Admin role are the only users who can have access to their own identity’s source environment, so that they can manage other administrators and their roles. Administrators assigned other built-in roles do not have access to their source environment.

Different administrators can be assigned different roles that determine what they have access to and where. You can find more details in Administrator roles and permissions.

Administrators environment

An Administrators environment is created automatically when an organization is created in PingOne. You should create all administrators for the organization in the Administrators environment to keep them separate from your end users and to improve security.

By default, the Administrators environment includes the PingOne SSO and PingOne MFA services.

Do not add other services or products to the Administrators environment.

In PingOne, administrators don’t need to belong to an environment to administer that environment. When you assign roles to your administrators, you can decide for which environments they have those roles. You can also limit certain roles to particular populations or applications within an environment. Learn more in Managing administrator roles.

Organizations created before July 1, 2020 might not include an administrator license or a dedicated administrators environment. However, you should still create and manage your PingOne administrator accounts in a single environment.

If your Administrators environment was renamed, but is still assigned the ADMIN license, use that environment for storing administrator identities.

If you do not have an administrator license, contact your Ping representative. Certain PingOne functionality is available only with an administrator license.

Throughout this documentation, the Administrators environment refers to the environment in your organization that is assigned the ADMIN license.

If your Administrators environment was created automatically when your organization was created, it has several restrictions:

  • You cannot change the license assigned to the Administrators environment.

  • You cannot demote the Administrators environment from production to sandbox.

  • You cannot delete the Administrators environment.
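As an added example (not from the PingOne documentation), the following Python audit encodes the Administrators-environment guidance above: the ADMIN-licensed environment should be production and carry only PingOne SSO and MFA, administrator identities should reside there, and end users should not. The organization data is a constructed sample whose field names are assumptions, not the PingOne API schema.

```python
import json

# Constructed sample organization. Every field name and value here is an assumption
# made for this illustration (loosely modelled on PingOne objects), not the product's schema.
ORG = json.loads("""
{
  "environments": [
    {"id": "env-admin", "name": "Administrators", "type": "PRODUCTION",
     "license": "ADMIN", "services": ["PingOne SSO", "PingOne MFA", "PingOne Verify"]},
    {"id": "env-cust", "name": "Customers", "type": "PRODUCTION",
     "license": "CUSTOMER", "services": ["PingOne SSO", "PingOne MFA", "PingOne Protect"]}
  ],
  "users": [
    {"username": "alice.admin", "environment": "env-admin",
     "roles": [{"role": "Environment Admin", "scope": {"type": "ENVIRONMENT", "id": "env-cust"}}]},
    {"username": "bob.support", "environment": "env-cust",
     "roles": [{"role": "Identity Data Admin", "scope": {"type": "POPULATION", "id": "pop-1"}}]},
    {"username": "carol", "environment": "env-cust", "roles": []},
    {"username": "dave", "environment": "env-admin", "roles": []}
  ]
}
""")

# Per the guidance above, the Administrators environment should carry only SSO and MFA.
ALLOWED_ADMIN_SERVICES = {"PingOne SSO", "PingOne MFA"}

def admin_environment(org):
    """The Administrators environment is whichever one is assigned the ADMIN license."""
    return next((e for e in org["environments"] if e.get("license") == "ADMIN"), None)

def audit(org):
    """Return human-readable findings for deviations from the Administrators-environment guidance."""
    admin_env = admin_environment(org)
    if admin_env is None:
        return ["no environment carries the ADMIN license"]
    findings = []
    if admin_env["type"] != "PRODUCTION":
        findings.append(f"{admin_env['name']} is a sandbox; it should be a production environment")
    extra = set(admin_env["services"]) - ALLOWED_ADMIN_SERVICES
    if extra:
        findings.append(f"{admin_env['name']} has services beyond SSO/MFA: {sorted(extra)}")
    for user in org["users"]:
        is_admin = bool(user["roles"])  # holds at least one administrator role assignment
        in_admin_env = user["environment"] == admin_env["id"]
        if is_admin and not in_admin_env:
            findings.append(f"{user['username']} holds admin roles but resides in {user['environment']}")
        if not is_admin and in_admin_env:
            findings.append(f"{user['username']} is an end user residing in the Administrators environment")
    return findings
```

Running `audit(ORG)` on the sample reports the extra PingOne Verify service, the administrator residing in the Customers environment, and the end user residing in the Administrators environment.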

Environment contents

Environments encompass:

PingOne services and other Ping product integrations

PingOne services provide distinct, advanced capabilities in PingOne. Services are deployed at the environment level, and the services available to you depend on your PingOne license. PingOne services provide the following capabilities:

  • Single sign-on with PingOne SSO: Allows users to use single sign-on (SSO) to access all their applications and services with one set of credentials. Learn more in PingOne SSO.

  • Multi-factor authentication with PingOne MFA: Provides multi-factor authentication (MFA) for the organization’s network, applications, and data resources. Learn more in PingOne MFA.

  • Threat protection with PingOne Protect: Prevents identity fraud by incorporating advanced features and real-time detection and enables customers to combat bad actors and address both password and MFA fatigue. Learn more in Threat Protection using PingOne Protect.

  • Identity verification with PingOne Verify: Enables secure user verification based on a government-issued document and live face capture (a selfie). Learn more in Identity Verification using PingOne Verify.

  • Digital credentials with PingOne Credentials: Allows an issuer to create verifiable credentials that they can send to a compatible wallet app. Learn more in Digital Credentials using PingOne Credentials.

  • Authorization with PingOne Authorize: Controls what end users can see and do inside of applications and APIs. Learn more in Authorization using PingOne Authorize.

Your environments can also be used to configure SSO to other Ping products you use, such as PingFederate and PingOne Advanced Identity Cloud.

Populations

A population defines a set of users, similar to an organizational unit (OU). In a given environment, you can use populations to simplify the management of users. For example, you can create a population for similar types of users and apply a password policy to that population. You must create at least one population before you can create users. Learn more in Populations.

An individual user can’t belong to more than one population at the same time, but you can move a user to a different population.

Groups

Groups are used to organize a collection of user identities and make it easier to manage access to applications. Groups offer more fine-grained access control than populations. A user can belong to multiple groups, but only one population. For example, you could use a population to contain all your employees and use a group to define subsets, such as Marketing, HR, Contractors, or US Employees. Learn more in Groups.

Users

A user is a unique identity that interacts with the applications and services in the environment to which the user is assigned. An identity is the full representation of a user profile, including relationships, roles, and attributes. Users are associated with populations instead of being defined within a population. Learn more in Users.

Applications

Application resources define the connection between PingOne and the actual application, also known as a client connection. Connections to external resources use open standards protocols. Client connections define the configuration for OpenID Connect (OIDC) and OAuth clients.

Application grants describe which scopes the application can request. Scopes define the permissions for the application. Learn more in Applications and Editing an application.

Environment dashboard

The environment dashboard is accessed by clicking Overview in the sidebar. This dashboard provides:

  • A list of the products and services included in the environment

  • A graph showing the activity that has occurred within the environment (if the environment contains PingOne services)

  • Links to documentation, APIs, and code examples for each product and service in the environment

Figure: The environment dashboard, showing sign-on activity and included services.

Activities

Activities, or events, are collections of user-activity information, such as sign-on attempts, password reset attempts, and total active user counts. This audit data can be exported, reported on, or streamed out to customer SIEM (Security Information and Event Management) solutions. Learn more about auditing events and running audit reports in Audit.

Branding and images

User interface branding elements are defined in the branding resource. This resource contains configuration properties for customizable elements of the PingOne user interface. All end user interfaces are branded according to the theme defined in the branding resource. Learn more in Branding and themes.

Password policies

Password policies define the strength and complexity requirements for a password for users within an environment. Learn more in Password policies.

Authentication policies

Authentication policies dictate how the user’s identity will be verified. For example, a single-factor authentication policy requires a single piece of evidence to verify a user’s identity, such as a password. A multi-factor policy requires additional evidence to verify a user’s identity, such as a TOTP authenticator app, FIDO2 biometrics, a push notification sent to the user’s mobile device, or a one-time passcode (OTP) sent over SMS, voice, or email. Learn more in Authentication policies.

Notification templates

Notification templates are used to create messages that inform end users about certain events, such as device pairing and password resets. You can create templates for SMS, email, or voice messages. Learn more in Notification templates.

External identity providers

External identity providers (IdPs) allow linked users to authenticate with credentials issued by the external IdP. Configuring an external IdP includes mapping PingOne user attributes to the attributes the IdP provides.

You can also use an external IdP to secure the PingOne admin console.

Learn more in External IdPs.

Certificates and key pairs

When you create a new environment, PingOne creates two default key pairs: one for signing and one for encryption. You can create additional certificate and key pairs as necessary for your environment. Learn more in Certificates and key pairs.