Product features and configurations
Although most functionality available in the on-premises products is also available in PingOne Advanced Services, some features and configurations are not.
Items to keep in mind:
PingFederate
- PingFederate integration kits that load third-party libraries are not supported.
- Integration kits that add an application (WAR file) are not supported; however, JavaScript or other scripts are allowed.
- PingFederate provisioning is only available from the primary region with no fail-over.
- The PingFederate Agentless Integration Kit cannot use dots in header names (only dashes).
- The OAuth Playground is not supported in Production environments.
- The persistent session data store for PingFederate can only be PingDirectory.
- X509/mTLS uses the alternate hostname format (not the alternate port format).
- There is no self-service report or way to view administrator-level permissions (roles) for admin users.
- An administrator audit log file is not available.
- When configuring CRL checking, the Treat Unretrievable CRLs as Revoked option cannot be used with PingOne Advanced Services. As soon as this option is selected in PingFederate and the configuration is replicated to the engines, the outage starts. After PingFederate is restarted with the option selected, a support ticket is required, as PingFederate will no longer start.
PingDirectory
- The number of customer-specific directory backends is limited to five.
- HSMs that require extra libraries are not supported.
- Automatic certificate management in a truststore is not supported.
- Certain privileges are not available to PingOne Advanced Services, including config-read and bypass-acl.
- There is no access to backends other than customer backends and no privileges or configuration changes that would impact those backends (e.g., no access to the default password policy or virtual attributes that impact non-customer backends).
- No changes can be made to root users or root privileges.
- PingDataSync only supports LDAP-to-LDAP sync pipes.
- PingDataSync is unable to make outbound connections to Kafka.
PingAccess
- This product cannot be used as a proxy for PingFederate.
- There is no self-service report or way to view administrator-level permissions (roles) for admin users.
- An administrator audit log file is not available.
- Customers can only use port 443 for PingAccess-protected application URLs (virtual hosts).
General platform features
- Customer-managed PingFederate and PingAccess admin accounts are not supported.
- If you have many internal certificate authorities (CAs), more than 20 virtual hosts must be created in PingOne Advanced Services. Application code will also need to be updated to reflect the virtual hosts for agentless drop-off and pick-up.