System requirements



  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2019
  • Red Hat Enterprise Linux ES 7.6
  • Red Hat Enterprise Linux ES 8.0


  • Chrome
  • Firefox

Java runtime environments:

  • Oracle Java 11 LTS
  • OpenJDK 11
External databases:
  • MySQL 5.7+
  • PostgreSQL 11.5+

Supported configurations

PingCentral is an orchestrator for PingFederate. Configurations are sourced from PingFederate to define PingCentral applications and templates. Configure each environment in advance and ensure you have working authentication policies with persistent grants, access token mappings, and access token managers (ATMs) in place before using PingCentral to promote new applications.

Review additional information regarding supported features, protocols, and frameworks before you get started:

Configuration Supported Unsupported
Single sign-on and user management
  • Directly managing users, which are stored in PingCentral embedded database.
  • Signing on with SSO using an OIDC token.
  • Beta feature: Provisioning users from an external store using API calls.
  • Assigning one or more application owners that have already been provisioned.
  • Editing and promoting entitlements for an application.
Assigning groups of users entitlements based on an external attribute, such as LDAP group membership.
Backup and restoration Saving the database and configuration files by copying the directories h2-data/ and config/ to a new instance.
Note: To ensure these files contain the most up-to-date information, do not copy them while PingCentral is running.
Using an API to export PingCentral configuration information.
Configuration Supported Unsupported
Client authentication Using None or the client secret method. Client secrets can be provided by the user or generated. Using a client TLS certificate, private key JWT, or symmetric keys.
Grant types Using all OAuth and OIDC grant types.
Scopes All scopes and exclusive scopes referenced in the PingFederate client JSON file, which is obtained during the template creation process. Scopes cannot be customized when creating an application in PingCentral.
ATMs and OIDC policies Saving ATMs or OIDC policies into templates created from client applications that have them.
Note: If ATMs or OIDC policies do not exist in an environment, PingCentral will create them during the promotion process. If an ATM or OIDC policy of the same name already exists in a target environment, it will not be modified.
Saving or promoting access token mapping, persistent grants, policy contracts, or authentication policies.
Selectors Connection set selectors. Clients can only be automatically connected to authentication policies via policy contracts. If your authentication logic requires use of a selector, add it in PingFederate.
Configuration Supported Unsupported
Bindings Using POST bindings. Using artifact, redirect, or SOAP bindings.
  • IdP-initiated SSO
  • SP-initiated SSO
  • IdP-initiated SLO
  • SP-initiated SLO
Attribute mapping Mapping attributes, provided by a single authentication policy contract, in an “unspecified” format. You can also map attributes to static text.
  • Mapping attributes from data sources, such as “basic” or “URI.”
  • Using OGNL expressions as part of attribute mapping.
Policy contracts Referencing one policy contract per template.

Referencing more than one policy per template. If multiple policy contracts are referenced in a template when it is promoted, newly-created applications will only map attributes from the first policy contract referenced. If PingFederate applications are directly added to PingCentral, the mappings from each policy contract are preserved.

Adapter mappings Authentication policies must be specified through a policy contract consistent with PingFederate best practices.
Certificate management
  • Providing a public certificate for an SP connection. PingCentral creates a self-signed certificate with an expiration date of one year from today and configures it as the PingFederate IDP certificate.
  • Uploading a key pair to use as the IdP certificate for all SAML connections promoted to an environment.
An SP certificate is required to promote a SAML connection, but might be optional in future releases.