PingOne

Configuring administrator security

Use the Administrator Security page to view or change the authentication settings for the PingOne admin console.

About this task

This topic only applies to environments that do not include PingID. If your environment includes PingID, go to Configuring administrator security - PingID.

This topic is applicable if either:

  • Your organization was created after July 20, 2024.

  • You enable enhanced security early for environments in an organization created before July 20, 2024.

Ping Identity will require MFA for all PingOne administrators in 2025. Learn more in the PingOne administrators MFA requirement - FAQ.

You must have the Organization Admin or Environment Admin role to configure Administrator Security.

Steps

  1. Go to Settings → Administrator Security.

    If the environment was created after July 20, 2024, Administrator Security opens.

    Screen capture of the Administrator Security page showing PingOne as the authentication source.

    If the environment was created before July 20, 2024, you must enable enhanced security to access the Administrator Security page. Click Enable Enhanced Security on the New Security Requirement message, select I understand and want to continue, and then click Continue.

  2. Click the Pencil icon to change the settings.

    Screen shot of the Administrator Security page in edit mode. External IdP & PingOne is shown as the selected authentication source, and the PingOne DaVinci Idp is selected under Identity Provider.

  3. Under Authentication Source, select one of the following.

    Choose from:

    • PingOne (default): PingOne is used as the authentication source. A system-delivered authentication policy requiring multi-factor authentication (MFA) is enabled. You cannot use a different authentication policy, but you can select which supported methods to use for MFA. Supported MFA methods include email, authenticator app (TOTP), and FIDO2.

      If you have not updated the MFA policies for your environment to use FIDO2 instead of FIDO, you won’t see the FIDO2 option on Administrator Settings. Learn more in Updating an existing MFA policy to use FIDO2.

      FIDO is not supported for new device registration during just-in-time registration of administrators. If existing administrators have a registered FIDO device for MFA, that method is valid as long as your MFA policy is not updated to FIDO2.

    • External IdP: This option is enabled only if you have configured at least one external identity provider (IdP) in your environment. The selected IdP is used as the authentication source for the admin console. If you select this option, ensure that your external IdP is configured to follow best practice security recommendations.

      You should also test the connection to ensure that it is configured correctly. Administrators will be unable to sign on if this connection is configured incorrectly.

      You can’t make changes to the IdP configuration from this page. Go to Integrations → External IdPs if you need to edit the connection. Learn more in Editing an identity provider.

    • External IdP & PingOne: This option is enabled only if you have configured at least one external IdP in your environment. The selected IdP is used as the initial authentication source for the admin console. After the user authenticates through the IdP, PingOne sends a secondary authentication request.

      Test the connection to the IdP to ensure that it is configured correctly. If the connection to the IdP fails, the administrator can sign on to PingOne directly, as long as they have valid credentials in PingOne.

  4. Configure the applicable settings:

    Setting Description

    Allowed Authentication Methods

    PingOne and External IdP & PingOne only.

    Select at least one MFA method for verification.

    • Authenticator App (TOTP)

    • FIDO2

    • Email

    Account Recovery

    PingOne and External IdP & PingOne only.

    If selected, PingOne admins who forget their password can recover their accounts with a one-time password (OTP) sent to their email.

    This setting applies only to the PingOne account, and not to the external IdP. Account recovery for the external IdP is managed by the provider.

    Identity Provider

    External IdP and External IdP & PingOne only.

    Select the IdP to use for authentication.

    This IdP will be labeled with an Administrator IDP badge in Integrations → External IdPs. The IdP cannot be disabled or deleted while assigned in Administrator Security.

    If you change the selected IdP, the settings for the new IdP are used for authentication. You should always test the connection configuration when you change this setting to ensure that administrators are able to sign on to PingOne. Learn more in Troubleshooting test connection failure.

  5. Click Save.