PingOne Advanced Services

Authentication

Authentication is the process of determining whether someone, or something, is who or what they say they are. The ways in which users prove their identities often depend on the sensitivity of the data and digital resources involved. Learn more about how it works in Authentication in Identity Fundamentals.

Both the PingOne Cloud Platform and PingOne Advanced Services support a variety of authentication standards, adapters, and policies, which makes it possible to provide a wide variety of authentication experiences to your customers and workforce.

See the following:

Customer authentication

With both platforms, you can use OIDC and SAML 2.0 to design SSO authentication experiences for your customers. PingOne Advanced Services also supports SAML 1.X. These experiences can include any of these features:

  • Email verification

  • Passive profiling

  • Changing and resetting passwords

  • Unlocking accounts

  • Account linking

  • Self-service account management

With PingOne Advanced Services, you can also provide a way for your customers to recover their usernames, and add a CAPTCHA challenge-response step to sign-on flows.

Workforce authentication

Both platforms also support SSO experiences for your employees, partners, and vendors. These experiences can include:

  • Browser-based SSO

  • Single logout (SLO)

  • IdP discovery

  • Attribute mapping

With PingOne SaaS products, attribute manipulation is performed using the Spring Expression Language (SpEL). With PingOne Advanced Services, attribute manipulation is done using Object-Graph Navigation Language (OGNL), an open-source expression language for Java. In both cases the expressions are administrator-authored configuration that is evaluated against attribute values at runtime.

PingOne Advanced Services also supports WS-Trust, an OASIS standard that defines how web service clients and providers interact with a Security Token Service (STS) to issue, renew, and validate security tokens. The requesting entity obtains a token from the STS and presents it to the receiving entity. If the receiving entity successfully validates that token, the trusted connection is established; if validation fails, the request is denied.
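The exchange described above, as an added example that is not Ping's code: a small Python helper that builds a WS-Trust 1.3 RequestSecurityToken (Issue) for a relying party and then validates a RequestSecurityTokenResponse from the STS, checking the token type and the Lifetime window before handing the issued token on. The STS address, the relying-party URL and the response below are constructed sample values; transport security and verification of the SAML assertion's signature are outside this snippet.

```python
"""WS-Trust 1.3 client-side helpers (added illustration, not Ping's code).

Standard library only. The sample RSTR is constructed for this example;
signature checking of the issued assertion is not shown here.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
ISSUE = NS["wst"] + "/Issue"
SAML2 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
SKEW = timedelta(minutes=2)  # tolerated clock skew on the Created bound only


def build_rst(applies_to: str, token_type: str = SAML2) -> bytes:
    """Build a SOAP 1.2 envelope carrying an RST of type Issue for the relying party."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    env = ET.Element(f"{{{NS['s']}}}Envelope")
    ET.SubElement(env, f"{{{NS['s']}}}Header")
    body = ET.SubElement(env, f"{{{NS['s']}}}Body")
    rst = ET.SubElement(body, f"{{{NS['wst']}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{NS['wst']}}}RequestType").text = ISSUE
    ET.SubElement(rst, f"{{{NS['wst']}}}TokenType").text = token_type
    applies = ET.SubElement(rst, f"{{{NS['wsp']}}}AppliesTo")
    epr = ET.SubElement(applies, f"{{{NS['wsa']}}}EndpointReference")
    ET.SubElement(epr, f"{{{NS['wsa']}}}Address").text = applies_to
    return ET.tostring(env, xml_declaration=True, encoding="utf-8")


def _parse_ts(value: str) -> datetime:
    """Parse the UTC xsd:dateTime form used in wsu:Created/wsu:Expires."""
    value = value.strip()
    if not value.endswith("Z"):
        raise ValueError("expected a UTC timestamp")
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_rstr(xml_bytes: bytes, now: datetime, expected_type: str = SAML2):
    """Return (issued token element, expiry) or raise ValueError (fail closed).

    For responses from an untrusted network path, parse with defusedxml rather
    than the stdlib parser to rule out entity-expansion attacks.
    """
    root = ET.fromstring(xml_bytes)
    rstr = root.find(".//wst:RequestSecurityTokenResponse", NS)
    if rstr is None:
        raise ValueError("no RequestSecurityTokenResponse in reply")
    token_type = rstr.findtext("wst:TokenType", default="", namespaces=NS)
    if token_type != expected_type:
        raise ValueError(f"unexpected TokenType {token_type!r}")
    created = rstr.findtext("wst:Lifetime/wsu:Created", namespaces=NS)
    expires = rstr.findtext("wst:Lifetime/wsu:Expires", namespaces=NS)
    if not created or not expires:
        raise ValueError("Lifetime missing from response")
    not_before, not_after = _parse_ts(created), _parse_ts(expires)
    if now < not_before - SKEW or now >= not_after:
        raise ValueError("token outside its Lifetime window")
    token = rstr.find("wst:RequestedSecurityToken/*", NS)
    if token is None:
        raise ValueError("no RequestedSecurityToken in response")
    return token, not_after


def token_id_if_valid(xml_bytes: bytes, now_iso: str):
    """Convenience wrapper: the issued assertion's ID, or None if the RSTR is rejected."""
    try:
        token, _ = parse_rstr(xml_bytes, _parse_ts(now_iso))
    except ValueError:
        return None
    return token.get("ID")


# Constructed sample RSTR as an STS would return it (RSTR wrapped in a collection).
SAMPLE_RSTR = b"""<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
  <s:Body>
    <wst:RequestSecurityTokenResponseCollection
        xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wst:RequestSecurityTokenResponse>
        <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
        <wst:Lifetime xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsu:Created>2024-01-15T10:00:00Z</wsu:Created>
          <wsu:Expires>2024-01-15T10:05:00Z</wsu:Expires>
        </wst:Lifetime>
        <wst:RequestedSecurityToken>
          <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
              ID="_example" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
            <saml:Issuer>https://sts.example.com</saml:Issuer>
          </saml:Assertion>
        </wst:RequestedSecurityToken>
      </wst:RequestSecurityTokenResponse>
    </wst:RequestSecurityTokenResponseCollection>
  </s:Body>
</s:Envelope>"""

if __name__ == "__main__":
    print(build_rst("https://app.example.com/").decode())
    print(token_id_if_valid(SAMPLE_RSTR, "2024-01-15T10:02:00Z"))
```

The validator rejects on every missing or unexpected element rather than defaulting, which is the behaviour the WS-Trust paragraph describes for the receiving entity: a token that fails any check denies the request.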

Authentication adapters

The PingOne Cloud Platform and PingOne Advanced Services support a wide variety of adapters to connect your authentication applications and services to the platform:

  • Identifier-first login: Authenticates users in two separate steps, which is useful if you need to display a separate, branded sign-on page based on an email address or user domain. It can also be used to trigger additional security mechanisms based on user IDs or email addresses.

  • Social login: Authenticates users by using existing sign-on information from a social network provider like Facebook, Twitter, or Google to sign on to a third-party website instead of creating a new account specifically for that website.

  • External IdPs: Authenticates users through an external identity provider using SAML or OIDC, so you can rely on the directories, applications, and services you already operate.

  • Active Directory (AD) or another identity repository: Authenticates users against those directories through LDAP or RADIUS gateways.

  • Kerberos: Authenticates users and client-server applications with time-limited tickets issued by a trusted third party (the Key Distribution Center), using symmetric-key cryptography and separate keys for each principal and service.

  • PingOne MFA or PingID: Authenticates users after they present at least two pieces of evidence that they are who they claim to be.

PingOne Advanced Services also supports the OpenToken adapter, the Agentless Integration Kit, and Microsoft Entra certificate-based authentication (CBA), which enables users to authenticate directly with client certificates (X.509) against Microsoft Entra ID.

Authentication policies

Authentication policies determine the order and conditions in which various authentication mechanisms are used to successfully authenticate a user:

  • With the PingOne Cloud Platform, you can configure sign-on policies, PingOne policies, and authentication API policies.

  • With PingOne Advanced Services, not only can you configure sign-on, PingOne, and API policies, but you can also use authentication selectors, reusable policy fragments, and policy builders to design unique authentication experiences for your users.
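To make the mechanics concrete, here is an added Python example (illustrative code, not PingOne's policy engine or any of its adapters) that ties the identifier-first adapter above to an authentication policy: the user's domain selects an ordered chain of adapters, a condition on the target application can append an MFA step, and any unknown adapter or failed step denies. The adapter names, selector rules, user records and application names are hypothetical and constructed.

```python
"""Identifier-first routing plus an ordered authentication policy (added example).

Not PingOne code. Selector rules, adapter names and the user store are constructed.
"""
import hashlib
import hmac

# Constructed user store. SHA-256 keeps the example short; real password storage
# needs a slow KDF such as argon2 or scrypt.
USERS = {
    "alice@corp.example.com": {
        "pw_sha256": hashlib.sha256(b"correct horse").hexdigest(), "otp": "493021"},
    "bob@partner.example.net": {
        "pw_sha256": hashlib.sha256(b"hunter2").hexdigest(), "otp": "117742"},
}


def normalize(identifier: str) -> tuple:
    """Return (canonical identifier, routing domain).

    The domain is taken after the LAST '@', so a crafted name such as
    'evil@corp.example.com@attacker.test' routes on attacker.test.
    """
    ident = identifier.strip().lower()
    if "@" not in ident:
        raise ValueError("identifier must be an email-style name")
    _, domain = ident.rsplit("@", 1)
    return ident, domain


def domain_matches(domain: str, rule: str) -> bool:
    """Exact match or a proper subdomain; 'notcorp.example.com' must not match."""
    return domain == rule or domain.endswith("." + rule)


# Simulated adapters: each receives the request context and returns True only on success.
def password_adapter(ctx: dict) -> bool:
    rec = USERS.get(ctx["identifier"])
    if rec is None:
        return False
    digest = hashlib.sha256(ctx.get("password", "").encode()).hexdigest()
    return hmac.compare_digest(digest, rec["pw_sha256"])


def mfa_adapter(ctx: dict) -> bool:
    rec = USERS.get(ctx["identifier"])
    return rec is not None and hmac.compare_digest(ctx.get("otp", ""), rec["otp"])


ADAPTERS = {"password": password_adapter, "mfa": mfa_adapter}

# Selector table, evaluated in order; the first matching domain rule wins.
SELECTORS = [
    ("corp.example.com", ["password", "mfa"]),
    ("partner.example.net", ["password"]),
]
SENSITIVE_APPS = {"payroll"}  # condition: these always end with an MFA step


def select_chain(domain: str, app: str):
    """Pick the adapter chain for this domain; None means no policy applies."""
    for rule, chain in SELECTORS:
        if domain_matches(domain, rule):
            chain = list(chain)
            if app in SENSITIVE_APPS and "mfa" not in chain:
                chain.append("mfa")
            return chain
    return None


def authenticate(identifier: str, app: str, **evidence) -> str:
    """Run the selected chain in order; returns 'allow' or 'deny' (never raises)."""
    try:
        ident, domain = normalize(identifier)
    except ValueError:
        return "deny"
    chain = select_chain(domain, app)
    if chain is None:
        return "deny"  # unknown domain: no policy, fail closed
    ctx = {"identifier": ident, "app": app, **evidence}
    for step in chain:
        adapter = ADAPTERS.get(step)
        if adapter is None or not adapter(ctx):
            return "deny"  # misconfigured step or failed step both deny
    return "allow"


if __name__ == "__main__":
    print(authenticate("Alice@Corp.Example.com", "wiki",
                       password="correct horse", otp="493021"))
    print(authenticate("bob@partner.example.net", "payroll", password="hunter2"))
```

Two details matter in practice: the selector runs before any credential is checked, so the routing decision must be based only on the normalized domain (never on an unverified claim of membership), and an unrecognized adapter name in a chain denies rather than being skipped.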