Configuring administrator security - PingID
Use the Administrator Security page to view or change the authentication settings for the PingOne admin console.
About this task
This topic only applies to environments that include PingID. If your environment does not include PingID, go to Configuring administrator security. |
This topic is applicable if either:
-
Your organization was created after September 16, 2024.
-
You enable enhanced security early for environments in an organization created before September 16, 2024.
Ping Identity will require MFA for all PingOne administrators in 2025. Learn more in the PingOne administrators MFA requirement - FAQ.
You must have the Organization Admin or Environment Admin role to configure Administrator Security.
Steps
-
Go to Settings → Administrator Security.
If the environment was created after September 16, 2024, Administrator Security opens.
If the environment was created before September 16, 2024, you must enable enhanced security to access the Administrator Security page. Click Enable Enhanced Security on the New Security Requirement message, select I understand and want to continue, and then click Continue.
-
Click the Pencil icon to change the settings.
-
Under Authentication Source, select one of the following.
Choose from:
-
PingID (default): PingID is used as the authentication source. You configure the authentication policy and set the allowed multi-factor authentication (MFA) methods in the PingID console. Learn more in the Authentication Policy section of the PingID documentation.
You can click Configure Now to open the PingID console in a separate window and configure the authentication policy.
-
External IdP: This option is enabled only if you have configured at least one external identity provider (IdP) in your environment. The selected IdP is used as the authentication source for the admin console. If you select this option, ensure that your external IdP is configured to follow best practice security recommendations.
You should also test the connection to ensure that it is configured correctly. Administrators will be unable to sign on if this connection is configured incorrectly.
You can’t make changes to the IdP configuration from this page. Go to Integrations → External IdPs if you need to edit the connection. Learn more in Editing an identity provider.
-
External IdP & PingID: This option is enabled only if you have configured at least one external IdP in your environment. The selected IdP is used as the initial authentication source for the admin console. After the user authenticates through the IdP, PingID sends a secondary authentication request.
Test the connection to the IdP to ensure that it is configured correctly. If the connection to the IdP fails, as long as the administrator has a recovery account in PingOne, the administrator can sign on to PingOne directly. PingID will then prompt them for secondary authentication.
-
-
Configure the applicable settings:
Setting Description Account Recovery
PingID and External IdP & PingID only.
If selected, PingOne admins who forget their password can recover their accounts with a one-time password (OTP) sent to their email.
This setting applies only to the PingOne account, and not to the external IdP. Account recovery for the external IdP is managed by the provider.
Identity Provider
External IdP and External IdP & PingID only.
Select the IdP to use for authentication.
This IdP will be labeled with an Administrator IDP badge in Integrations → External IdPs. The IdP cannot be disabled or deleted while assigned in Administrator Security.
If you change the selected IdP, the settings for the new IdP are used for authentication. You should always test the connection configuration when you change this setting to ensure that administrators are able to sign on to PingOne. Learn more in Troubleshooting test connection failure.
-
Click Save.