The PingFederate administrative console supports four authentication schemes:

  • Native authentication
  • LDAP authentication
  • RADIUS authentication
  • Certificate-based authentication

For role-based access control, PingFederate provides two account types and three administrative roles, as shown in the following table:

PingFederate User Access Control
Account type Administrative role Access privileges
Admin Admin Configure partner connections and most system settings (except the management of local accounts and the handling of local keys and certificates).
Admin Crypto Admin Manage local keys and certificates.
Admin User Admin Create users, deactivate users, change or reset passwords, and install replacement license keys.
Auditor Not applicable View-only permissions for all administrative functions. When the Auditor role is assigned, no other administrative roles may be set.

All three administrative roles are required to access and make changes through the following services:

  • The /bulk, /configArchive, and /configStore administrative API endpoints
  • The System > Configuration Archive screen in the administrative console
  • The Connection Management configuration item on the Security > Service Authentication screen

For native authentication, access and authorization are controlled by the local accounts defined on the System > Administrative Accounts screen.

As needed, you can switch from native authentication to an alternative console authentication. Note that access and authorization are defined in the respective configuration file.

An administrative user may log on from more than one browser or location. Moreover, multiple administrative users can log on to the PingFederate administrative console at a time. You can optionally restrict the administrative console to one administrative user at a time by modifying the pf.console.login.mode property in <pf_install>/pingfederate/bin/ file. Regardless of the property configuration, any number of auditors may log on at any time.


For security, after three failed sign-on attempts from the same location within a short time period, the administrative console and the administrative API will temporarily lock out further attempts by the same user. The user must wait one minute to try again.

Local accounts defined on the Administrative Accounts screen are shared between the administrative console and the administrative API if they are both configured to use native authentication (the default). If the administrative console is configured to use an alternative console authentication, the Administrative Accounts screen appears only if the administrative API is left to use native authentication, and vice versa.


If you have connected PingFederate to PingOne® for Enterprise, you may also single sign-on from the PingOne admin portal to the administrative console.