---
title: PingAM
description: PingAM modules:
component: platform
version: 8
page_id: platform:platform-guide:access-management
canonical_url: https://docs.pingidentity.com/platform/8/platform-guide/access-management.html
section_ids:
  am-overview: Overview of capabilities
  am-dependencies: Dependencies
  authentication-module: Intelligent Access modules
  authorization-module: Authorization module
  federation-module: Federation module
  strong-auth: Self-Managed Strong Authentication module
  uma-module: User-Managed Access module
---

# PingAM

PingAM modules:

* [Intelligent Access](access-management.html#authentication-module)

* [Authorization](access-management.html#authorization-module)

* [Federation](access-management.html#federation-module)

* [Self-Managed Strong Authentication](access-management.html#strong-auth)

* [User-Managed Access](access-management.html#uma-module)

## Overview of capabilities

* Intelligent access

* Mobile authentication

* Push authentication

* Adaptive risk authentication

* Authorization policies and enforcement

* Federation

* Single sign-on (SSO)

* User self-services and social sign-on

* High-availability and scalability

* Adaptable monitoring and auditing services

* Developer-friendly, rich standards support

## Dependencies

Several Access Management modules require other modules. For example, the Federation module requires the Intelligent Access module. The following diagram summarizes Access Management module dependencies:

![PingAM module dependencies](../_images/AMDependencies.svg)

## Intelligent Access modules

This module helps you build secure, robust, centrally managed single sign-on services. The user, application, or device signs on once and is granted appropriate access everywhere. Authentication management integrates delegated authentication with many authentication methods supported by default. Authentication journeys store authentication sessions either in the client as a cookie or in the CTS store. If the PingAM server goes down or the user is redirected to another PingAM server while authenticating, the new PingAM server can retrieve the authentication session and continue the flow. All authentication-related events are logged for auditing and reporting purposes.

Required modules: none.

| Feature                                | Description                                                                                                                                                                                                                                                                                                                       | Documentation                                                                                                                                                                                                                                                                                                                                                                    |
| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Authentication trees and nodes         | Authentication trees provide fine-grained authentication, social authentication, and multi-factor authentication. Trees are made up of authentication nodes. Authentication nodes allow multiple paths and decision points throughout the authentication flow, enabling PingAM to handle different modes of authenticating users. | [Authentication nodes and trees](https://docs.pingidentity.com/pingam/8/authentication-guide/about-authentication-trees.html)                                                                                                                                                                                                                                                    |
| Session high availability              | Persistent access management sessions, authenticating the user until the session expires.                                                                                                                                                                                                                                         | Session high availability is enabled by default with no setup required.                                                                                                                                                                                                                                                                                                          |
| Multi-factor and strong authentication | Capability to challenge for additional credentials when authentication takes place under centrally-defined risky or suspicious conditions.                                                                                                                                                                                        | [Multi-factor authentication](https://docs.pingidentity.com/pingam/8/authentication-guide/authn-introduction-authn.html#about-mfa)                                                                                                                                                                                                                                               |
| External configuration store           | Configuration storage in PingDS for high-availability.                                                                                                                                                                                                                                                                            | [Prepare configuration stores](https://docs.pingidentity.com/pingam/8/install-guide/prepare-configuration-store.html)                                                                                                                                                                                                                                                            |
| Security token service                 | Bridges identities across web and enterprise identity access management (IAM) systems through a token transformation process, securely providing cross-system access to service resources by authenticated requesting applications.                                                                                               | [STS overview](https://docs.pingidentity.com/pingam/8/sts-guide/chap-sts-introduction.html)                                                                                                                                                                                                                                                                                      |
| Web and Java agents for SSO            | Intercept requests to access protected resources and redirect for appropriate authentication.                                                                                                                                                                                                                                     | [Web policy agents](https://docs.pingidentity.com/web-agents/2025.3) and [Java policy agents](https://docs.pingidentity.com/java-agents/2025.3)                                                                                                                                                                                                                                  |
| User login analytics                   | Measure authentication flows using counters and start/stop timers to monitor performance.                                                                                                                                                                                                                                         | [Timer Start node](https://docs.pingidentity.com/auth-node-ref/8/auth-node-timer-start.html), [Timer Stop node](https://docs.pingidentity.com/auth-node-ref/8/auth-node-timer-stop.html), [Meter node](https://docs.pingidentity.com/auth-node-ref/8/auth-node-meter.html), and [Monitoring metrics](https://docs.pingidentity.com/pingam/8/maintenance/monitoring-metrics.html) |

## Authorization module

This module will help you create powerful, context-based policies with a GUI-based policy editor and with REST APIs to control access to online resources. Resources can be URLs, external services, or devices and things. Authorization management lets you manage policies centrally and enforce them locally through installable agents, or through REST, C, and Java applications. Authorization management is extensible, making it possible to define external subjects, complex conditions, and custom access decisions.

Required module: Intelligent Access.

| Feature                             | Description                                                                                                                                                               | Documentation                                                                                                                                   |
| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
| Entitlement policies                | Modern web-based policy editor for building policies, making it possible to add and update policies as needed without touching the underlying applications.               | [Authorization and policy decisions](https://docs.pingidentity.com/pingam/8/authorization-guide/what-is-authz-decision.html)                    |
| Web and Java agents for enforcement | Access enforcement for online resources with the capability to require higher levels of authentication and session upgrade when accessing sensitive resources.            | [Web policy agents](https://docs.pingidentity.com/web-agents/2025.3) and [Java policy agents](https://docs.pingidentity.com/java-agents/2025.3) |
| Transactional authorization         | Requires a user to perform additional actions such as reauthenticating to a module or node, or responding to a push notification, to gain access to a protected resource. | [Transactional authorization](https://docs.pingidentity.com/pingam/8/authorization-guide/transactional-authorization.html)                      |
| OAuth 2.0 dynamic scopes            | A single OAuth 2.0 client configured for a comprehensive list of scopes can serve different scope subsets to resource owners based on policy conditions.                  | [Dynamic OAuth 2.0 authorization](https://docs.pingidentity.com/pingam/8/authorization-guide/oauth2-authorization.html)                         |

## Federation module

This module will help you extend SSO capabilities across organization boundaries based on standards-based interoperability.

Required module: Intelligent Access.

| Feature                                  | Description                                                                                                                                              | Documentation                                                                                                           |
| ---------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
| SAML 2.0 IDP and SP                      | Identity federation with SaaS applications, such as Salesforce.com, Google Apps, WebEx, and many more.                                                   | [Configure IdPs, SPs, and COTs](https://docs.pingidentity.com/pingam/8/saml2-guide/saml2-providers-and-cots.html)       |
| SAML 2.0 SSO and SLO                     | Web Single Sign-On and Single Logout profile support.                                                                                                    | [Implement SSO and SLO](https://docs.pingidentity.com/pingam/8/saml2-guide/saml2-sso-slo.html)                          |
| ADFS                                     | Federation with Active Directory Federation Services.                                                                                                    | [Introduction to SAML v2.0](https://docs.pingidentity.com/pingam/8/saml2-guide/saml2-introduction.html)                 |
| SAML 2.0 Attribute and Advanced Profiles | Support for transmitting only attributes used by targeted applications.                                                                                  | [SAML v2.0](https://docs.pingidentity.com/pingam/8/saml2-guide/preface.html)                                            |
| OpenID Connect                           | OpenID Connect 1.0 compliance for running an OpenID Provider, including advanced profiles, such as Mobile Connect.                                       | [OpenID Connect 1.0](https://docs.pingidentity.com/pingam/8/oidc1-guide/preface.html)                                   |
| OAuth 2.0                                | OAuth 2.0 compliance for running an authorization server.                                                                                                | [OAuth 2.0](https://docs.pingidentity.com/pingam/8/oauth2-guide/preface.html)                                           |
| Social login                             | For acting as an OAuth 2.0 client of social identity providers, such as Facebook, Google, and Microsoft.                                                 | [Social authentication](https://docs.pingidentity.com/pingam/8/authentication-guide/social-registration.html)           |
| OAuth 2.0 dynamic scopes                 | A single OAuth 2.0 client configured for a comprehensive list of scopes can serve different scope subsets to resource owners based on policy conditions. | [Dynamic OAuth 2.0 authorization](https://docs.pingidentity.com/pingam/8/authorization-guide/oauth2-authorization.html) |

## Self-Managed Strong Authentication module

This module gives end users additional authentication capabilities through their own devices. Multi-faceted device management enhances security and simplifies the authentication experience for end users.

Required module: Intelligent Access.

| Feature                              | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Documentation                                                                                                                                                                                                                                                                                                                                                                                                                           |
| ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Geolocation | Manages risk by assessing whether the authenticating user's device is located within range of configured, trusted locations, or within range of somewhere the user has authenticated from, and saved, previously. PingAM compares collected device location metadata with trusted locations in the authentication configuration or with device locations stored in the user's profile. | [Device Geofencing node](https://docs.pingidentity.com/auth-node-ref/8/auth-node-device-geofencing.html) and [Device Profile Location Match node](https://docs.pingidentity.com/auth-node-ref/8/auth-node-device-profile-location-match.html) |
| Device tampering                     | Provides a configurable threshold for assessing the risk of a user's device during authentication based on a risk score. The higher the score returned from the device, the more likely the device is jailbroken, rooted, or is a potential security risk.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | [Device Tampering Verification node](https://docs.pingidentity.com/auth-node-ref/8/auth-node-device-tampering-verification.html)                                                                                                                                                                                                                                                                                                        |
| Device binding and trust | During the Device Binding process, secure cryptographic keys are generated, which are used to perform various functions, such as encryption and decryption of user data. These keys are unique to the device and can't be transferred to another device, ensuring that the user's account can only be accessed from authorized devices. This helps to protect against unauthorized access. One user can have multiple associated devices and multiple users can associate with one device. Devices are bound using authentication journeys. PingAM supports a number of different authentication types for device binding, including biometric, biometric with fallback, application PIN, and silent authentication. | [Device Binding node](https://docs.pingidentity.com/auth-node-ref/8/auth-node-device-binding.html), [Device Binding Storage node](https://docs.pingidentity.com/auth-node-ref/8/auth-node-device-binding-storage.html), and [Device Signing Verifier node](https://docs.pingidentity.com/auth-node-ref/8/auth-node-device-signing-verifier.html) |
| Application MFA | Open AuTHentication (OATH)-related nodes support the following MFA methods: time-based one-time passwords (TOTP), HMAC-based one-time passwords (HOTP), and push notifications. These nodes can integrate with the ForgeRock Authenticator app for Android and iOS and with third-party authenticator apps that support the HOTP and TOTP standards. | [OATH Device Storage node](https://docs.pingidentity.com/auth-node-ref/8/auth-node-oath-device-storage.html), [OATH Registration node](https://docs.pingidentity.com/auth-node-ref/8/auth-node-oath-registration.html), [OATH Token Verifier node](https://docs.pingidentity.com/auth-node-ref/8/auth-node-oath-token-verifier.html), and [ForgeRock Authenticator](https://docs.pingidentity.com/sdks/latest/authenticator/index.html) |
| Transaction signing                  | Digital signing helps ensure the authenticity and integrity of customer data in a variety of use cases, including financial transactions, end user agreements, changes in account details, and so on.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | [Device Signing Verifier node](https://docs.pingidentity.com/auth-node-ref/8/auth-node-device-signing-verifier.html)                                                                                                                                                                                                                                                                                                                    |
| WebAuthn passwordless authentication | Passwordless authentication (WebAuthn) is better than traditional password-based authentication because it reduces the risk of password-based attacks like phishing and brute-force attacks. Passwordless authentication also creates a better, more seamless experience for end users. It's compatible across most devices and systems and end users don't have to remember a number of passwords across systems. Passwordless authentication uses other forms of identity verification instead of a standard password login. These methods can include face recognition, fingerprints, software or hardware token devices, and so on. End users authenticate with an authenticator device, such as the fingerprint scanner on their laptop or phone. | [MFA: Web authentication (WebAuthn)](https://docs.pingidentity.com/pingam/8/authentication-guide/authn-mfa-webauthn.html) |

## User-Managed Access module

This module consists of a consumer-facing implementation of the User-Managed Access (UMA) 2.0 standard. The standard defines an OAuth 2.0-based protocol designed to give individuals a unified control point for authorizing who and what can access their digital data, content, and services. For example, you can use this module to build a solution where end users can delegate access through a share button, and then monitor and change sharing preferences through a central dashboard.

Required modules: Authorization, Intelligent Access.

| Feature                  | Description                                                                                                                                                         | Documentation                                                                                                |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ |
| UMA standard conformance | Conformance to the UMA 2.0 standard for interoperability with organizational and partner systems, including federated authorization and customer-centric use cases. | [User-Managed Access (UMA) 2.0](https://docs.pingidentity.com/pingam/8/uma-guide/preface.html)               |
| UMA authorization server | Authorization server with dynamic resource set registration, end-user control of resource sharing, responses to access requests, and full audit history.            | [PingAM as UMA authorization server](https://docs.pingidentity.com/pingam/8/uma-guide/uma-introduction.html) |
| UMA protector            | PingGateway protection for resources and services with the UMA 2.0 standard.                                                                                        | [UMA support](https://docs.pingidentity.com/pinggateway/2025.11/gateway-guide/uma.html)                      |
