PingFederate includes a REST-based application programming interface (API) for administrative functions. The administrative API provides a programmatic way to make configuration changes to PingFederate as an alternative to using the administrative console. The configuration changes that you can make through the administrative API include, but are not limited to:
  • Adapters and connections
  • Authentication policy contracts
  • Cluster management
  • Data stores and password credential validators
  • Keys and certificates
  • License management
  • Local administrative account management
  • OAuth settings
  • Server settings

For a complete list, see Accessing the API interactive documentation. For known limitations, see Release notes.

Initial setup using the administrative API

After installing PingFederate, instead of using the administrative console to begin the initial setup process, you may make four unauthenticated administrative API requests to perform the following tasks:

  1. A GET request to /license/agreement to retrieve a URL to the license agreement.
  2. A PUT request to /license/agreement to accept the license agreement.
  3. A PUT request to /license to import a license file.
  4. A POST request to /administrativeAccounts to create the first local administrative account (for native authentication).

You must assign the administrative role User Admin (USER_ADMINISTRATOR) to the first local administrative account. Other administrative roles are optional at this point. For more information, refer to the interactive documentation for the administrative API (see Accessing the API interactive documentation).

Once the first local administrative account is created, you can make other authenticated administrative API requests to configure various components in PingFederate.
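
The four setup requests above, followed by a check that unauthenticated access is refused afterwards, as an added Python example (not code from the PingFederate documentation). The host name, port, base path, X-XSRF-Header header, JSON field names and the 401/403 status codes are assumptions not stated on this page; confirm them in the API interactive documentation.

```python
import base64
import json
import urllib.error
import urllib.request

# Assumptions (not on the page): host, port, base path, XSRF header and JSON
# field names. Confirm each against the API interactive documentation.
BASE = "https://pf.example.com:9999/pf-admin-api/v1"
HEADERS = {"Content-Type": "application/json", "X-XSRF-Header": "PingFederate"}

def build_setup_requests(agreement_url, license_bytes, username, password, extra_roles=()):
    """Steps 2-4 as (method, path, body); step 1 supplies agreement_url."""
    if not agreement_url:
        raise ValueError("run step 1 (GET /license/agreement) first")
    roles = ["USER_ADMINISTRATOR"]  # mandatory on the first local account
    roles += [r for r in extra_roles if r not in roles]
    return [
        ("PUT", "/license/agreement",
         {"licenseAgreementUrl": agreement_url, "accepted": True}),
        ("PUT", "/license",
         {"fileData": base64.b64encode(license_bytes).decode("ascii")}),
        ("POST", "/administrativeAccounts",
         {"username": username, "password": password, "active": True, "roles": roles}),
    ]

def to_http(method, path, body=None):
    """Build an unauthenticated request; urllib keeps TLS verification on."""
    data = None if body is None else json.dumps(body).encode()
    return urllib.request.Request(BASE + path, data=data, method=method, headers=HEADERS)

def setup_window_closed(opener=urllib.request.urlopen):
    """True once an unauthenticated call is refused (assumed 401/403)."""
    try:
        with opener(to_http("GET", "/administrativeAccounts")):
            return False
    except urllib.error.HTTPError as err:
        return err.code in (401, 403)

def run_setup(license_bytes, username, password, opener=urllib.request.urlopen):
    """Send all four requests in order, then confirm the API is protected."""
    with opener(to_http("GET", "/license/agreement")) as resp:  # step 1
        agreement_url = json.load(resp)["licenseAgreementUrl"]
    for method, path, body in build_setup_requests(
            agreement_url, license_bytes, username, password):
        with opener(to_http(method, path, body)):
            pass  # urlopen raises HTTPError on any non-2xx answer
    return setup_window_closed(opener)
```

Because these requests are accepted without credentials, run them from a trusted network segment immediately after installation and treat a False result from setup_window_closed as a finding to investigate.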

Authentication

Similar to the administrative console, access to the administrative API is protected after initial setup. The administrative API supports various authentication options. For more information, see Configure access to the administrative API.

Concurrent access

The administrative API supports concurrent access. When concurrent API calls are made to modify the same API resource (such as the same IdP Adapter instance or the same SP connection), the last request processed by PingFederate wins.

Logging

PingFederate records actions performed via the administrative API in the admin-api.log file. Information includes the time of the event, the action performed, the authentication method, and other fields. For more information, see Administrative API audit log.