If you are using the SAML 2.0 Attribute Query profile as an SP, then the requesting application(s) at your site must authenticate to the PingFederate server (see Attribute Query and XASP and the /sp/startAttributeQuery.ping SP application endpoint).

In addition, authentication is required to access PingFederate runtime data via JMX (see Runtime monitoring using JMX) or to make SOAP calls to the Connection Management Service. Authentication is optional for the SSO Directory Service (see Web service interfaces and APIs).


To help ensure network security, access to all of these services is deactivated when PingFederate is first installed.

On the Security > Service Authentication screen, administrators with the Admin administrative role can activate and configure authentication for Attribute Query, JMX, and SSO Directory.

To activate and configure authentication for the Connection Management Service, the administrators must be granted all three administrative roles: Admin, Crypto, and User Admin.

  • Follow these steps to enable a service:
    1. Select Activate under Action.
    2. Enter (or modify) the service account name and define (or reset) the password.
      You and the application developer must agree to these values.

      Authentication is optional for the SSO Directory Service.

  • To disable a service, select Deactivate under Action.

    Although not accessible when deactivated, the Connection Management Service and the SSO Directory Service are still deployed by default as part of PingFederate. If your organization does not plan to use one or neither of these services, you can remove the following WAR file or files:

    • <pf_install>/pingfederate/server/deploy2/pf-mgmt-ws.war for the Connection Management Service
    • <pf_install>/pingfederate/server/deploy/pf-ws.war for the SSO Directory Service