PingOne Advanced Identity Cloud

Functionality differences when moving from self-managed

If you currently use PingAM and PingIDM on-premises or in a private cloud, you’ll notice some differences in functionality when moving to PingOne Advanced Identity Cloud.

Key areas of difference

Key difference Description

Advanced Identity Cloud is the platform

With Advanced Identity Cloud, you get the combined functionality of PingAM and PingIDM without the need for manual integration. For example, there’s no requirement to deploy a datastore or the admin console, as these are included in the Advanced Identity Cloud deployment.

File system access

File system access isn’t available in Advanced Identity Cloud. All functionality is accessed through the UI and REST APIs.

Direct access to the datastore

Direct access to the datastore is not supported in Advanced Identity Cloud. Instead, Ping Identity manages the datastore for you and provides access through the UI and REST APIs. Configuration of PingDS isn’t required.

Custom code and extensibility

Advanced Identity Cloud supports extending the platform using JavaScript. Groovy and Java binaries aren’t supported.

Extending the data model schema

Advanced Identity Cloud supports creating managed objects through the UI. The storage of these objects is managed by Advanced Identity Cloud and cannot be explicitly configured.

Unsupported features

The following features are not currently supported in Advanced Identity Cloud:

  • Identity of Things (IoT)

  • LDAP as a service

  • Open Banking

  • Security Token Service (STS)

  • Sub-entry PingDS password policies

  • User-Managed Access (UMA)

In addition, Advanced Identity Cloud only supports a subset of hashed passwords for import. Learn more in Synchronize passwords.

No planned support

Ping Identity does not plan to support the following in Advanced Identity Cloud:

  • AM XUI end user login

  • Authentication modules and chains

  • Groovy

  • Java binaries

  • SOAP STS

Frequently asked questions

Yes. You can configure the cookie domains of your custom domains in Advanced Identity Cloud. Learn more in Cookie domains.

Can I customize policy evaluation with a plugin?

Instead of a plugin, you can use scripted policy conditions to modify the actions taken by Advanced Identity Cloud during policy evaluation. Learn more in Scripted policy conditions.

Can I customize SAML 2.0 with plugins?

Advanced Identity Cloud provides a scripting engine and template scripts for you to extend SAML 2.0 behavior. Java plugins aren’t available with Advanced Identity Cloud. Learn more in Customize SAML 2.0.

Can I use Amster with Advanced Identity Cloud?

Amster is not supported in Advanced Identity Cloud deployments. However, several options are available for managing configuration data. These include:

  • Journey export and import: You can export and import journeys through the Advanced Identity Cloud admin UI. This includes all dependencies such as nodes, inner journeys, scripts, and themes attached to a journey. Learn more in Journeys.

  • Postman collection: Ping Identity provides a Postman collection with example requests organized by feature, making it easier to use and understand Advanced Identity Cloud REST APIs. Learn more in Advanced Identity Cloud Postman collection.

  • Open source tooling: Community-supported tools are also available for managing configuration.

Can I use ssoadm with Advanced Identity Cloud?

The ssoadm feature isn’t available in Advanced Identity Cloud. This is because ssoadm communicates directly with PingDS, which is not a requirement of Advanced Identity Cloud. Use the options mentioned in Can I use Amster with Advanced Identity Cloud? to help manage configuration data.

Can I have multiple realms?

Advanced Identity Cloud tenants include two configurable realms, Alpha and Bravo. If you need to group identities further, you can use the Organizations feature.

Can I extend the data model schema?

You can create managed objects through the UI. The storage of these objects is managed by Advanced Identity Cloud and cannot be explicitly configured.

Adding arbitrary custom attributes to the user schema is supported. However, there is a limitation on indexing custom attributes, so an indexed extension attribute is provided for this purpose.

Can I connect applications to LDAP (PingDS)?

Not directly. The PingDS instance in Advanced Identity Cloud is not exposed for connecting applications. If you have an existing on-premises PingDS instance that your applications connect to, you will need to use a Remote Connector Server (RCS) to connect to your on-premises PingDS instance and then synchronize data using Advanced Identity Cloud. Learn more in Sync identities.

Is Kerberos or desktop authentication supported in Advanced Identity Cloud?

Yes. You can delegate Kerberos or desktop authentication via PingGateway, by using the Identity Assertion node.

Are native log handlers implemented in Advanced Identity Cloud?

In Advanced Identity Cloud, audit and debug log data is extracted through a consolidated REST endpoint. Learn more in Get audit and debug logs.
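For teams replacing file-based log handlers with a pull into a SIEM, the sketch below pages through one log source over REST and emits one JSON object per line. It is an added example, not Ping Identity code or part of the original page. The endpoint path `/monitoring/logs`, the `x-api-key` and `x-api-secret` headers, the `_pagedResultsCookie` parameter, and the `result` and `pagedResultsCookie` response fields are assumptions to confirm in Get audit and debug logs; the tenant name, credentials and sample pages are constructed.

```javascript
// Added example, not Ping Identity code. Assumed (not stated on this page):
// path /monitoring/logs, x-api-key / x-api-secret headers, the
// _pagedResultsCookie parameter, and the result / pagedResultsCookie fields.
async function collectLogs(cfg, fetchImpl = globalThis.fetch) {
  const { tenantFqdn, source, apiKey, apiSecret, maxPages = 20 } = cfg;
  const entries = [];
  let cookie = cfg.cookie || null; // optional cookie saved from an earlier run
  for (let page = 0; page < maxPages; page++) {
    const url = new URL(`https://${tenantFqdn}/monitoring/logs`);
    url.searchParams.set("source", source);
    if (cookie) url.searchParams.set("_pagedResultsCookie", cookie);
    const res = await fetchImpl(url.toString(), {
      headers: { "x-api-key": apiKey, "x-api-secret": apiSecret },
    });
    // Fail loudly: a silent gap in audit data is worse than a failed job.
    if (!res.ok) throw new Error(`log request failed: HTTP ${res.status}`);
    const body = await res.json();
    const batch = body.result || [];
    entries.push(...batch);
    cookie = body.pagedResultsCookie || null;
    if (!cookie || batch.length === 0) break; // no further pages
  }
  // A non-null cookie here means maxPages was reached with data still pending.
  return { entries, cookie };
}

// One JSON object per line, a shape most SIEM collectors can ingest.
const toNdjson = (entries) => entries.map((e) => JSON.stringify(e)).join("\n");

// Constructed two-page response standing in for the tenant (runs offline).
const SAMPLE_PAGES = {
  "": { result: [{ source: "am-authentication", payload: { result: "FAILED" } }], pagedResultsCookie: "c1" },
  c1: { result: [{ source: "am-authentication", payload: { result: "SUCCESSFUL" } }], pagedResultsCookie: null },
};
const seenRequests = [];
async function fakeFetch(url, init) {
  seenRequests.push({ url, headers: init.headers });
  const cookie = new URL(url).searchParams.get("_pagedResultsCookie") || "";
  return { ok: true, status: 200, json: async () => SAMPLE_PAGES[cookie] };
}

function demo() {
  const cfg = { tenantFqdn: "tenant.example.com", source: "am-authentication",
                apiKey: "KEY_ID", apiSecret: "KEY_SECRET" }; // placeholders
  return collectLogs(cfg, fakeFetch);
}
```

In a real job, read the key and secret from a secrets store instead of source code, and persist the returned cookie when it is non-null so the next run can continue.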