PingOne

Administrator security

Security settings for administrators accessing the PingOne admin console are configured on the Administrator Security page.

This topic is applicable if either:

  • Your organization was created after July 20, 2024.

  • You enable enhanced security early for environments in an organization created before July 20, 2024.

Ping Identity will require MFA for all PingOne administrators in 2025. Learn more in the PingOne administrators MFA requirement - FAQ.

You can use PingOne, an external identity provider (IdP), or a combination of an external IdP and PingOne to provide secure access to the admin console.

The PingOne options are not available if the environment includes PingID. In environments that include PingID, your options are PingID, an external IdP, or a combination of external IdP and PingID. Some configuration must be done in the PingID console. Learn more in Configuring administrator security - PingID.

If you are using PingOne for administrator security, the first time an administrator signs on to the PingOne admin console, they’re prompted to configure one of these multi-factor authentication (MFA) methods:

  • Email

  • Authenticator app (TOTP)

  • FIDO2

All environments support email and TOTP. To use FIDO2, the environment used to store your administrator identities must include a PingOne MFA license. The license for the Administrators environment includes PingOne MFA.

If you are using an external IdP for administrator security, the authentication methods are determined by the IdP settings. Ensure that your IdP follows current best practices for secure access to the console.

To use either external IdP option, you must have at least one external IdP configured in Integrations → External IDPs. Both PingOne options require administrators to register a second authentication factor to sign on to the console.