Similar to the administrative console, access to the administrative API after initial setup is protected by one of the following authentication schemes:

  • Native authentication (against local administrative accounts)
  • LDAP authentication
  • RADIUS authentication
  • Mutual TLS client certificate-based authentication

For new installations, native authentication is chosen by default.

For upgrades, if the authentication method of the administrative API was not previously set (for example, when upgrading from PingFederate 7.3 or an earlier version), the Upgrade Utility sets the value to that of the administrative console; otherwise, it preserves the previously set value (for example, when upgrading from PingFederate 8.0 to a future release).

The authentication method for the administrative API can be changed at a later time to any of the four choices, regardless of which authentication method is chosen for the administrative console.

Besides authentication, PingFederate also provides role-based access control, as shown in the following table. The roles assigned to the accounts affect the results of the API calls.

PingFederate User Access Control

| Account type | Administrative role | Access privileges |
|---|---|---|
| Admin | Admin | Configure partner connections and most system settings (except the management of local accounts and the handling of local keys and certificates). |
| Admin | Crypto Admin | Manage local keys and certificates. |
| Admin | User Admin | Create users, deactivate users, change or reset passwords, and install replacement license keys. |
| Auditor | Not applicable | View-only permissions for all administrative functions. When the Auditor role is assigned, no other administrative roles may be set. |
Note: All three administrative roles are required to access and make changes through the following services:

  • The /bulk, /configArchive, and /configStore administrative API endpoints
  • The System > Configuration Archive screen in the administrative console
  • The Connection Management configuration item on the Security > Service Authentication screen
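As an added example (not PingFederate's own code), the following Python encodes the access-control table and the note above so that an administrator can check what a given role set permits and flag role assignments the table forbids before granting API access. The functional-area labels are assumed names rather than API paths, and the model assumes that read access is not restricted among the three administrative roles.

```python
ADMIN, CRYPTO_ADMIN, USER_ADMIN, AUDITOR = "Admin", "Crypto Admin", "User Admin", "Auditor"
ALL_ADMIN_ROLES = frozenset({ADMIN, CRYPTO_ADMIN, USER_ADMIN})
# Services named in the note above: all three administrative roles are required, even to read.
FULL_ACCESS_ENDPOINTS = ("/bulk", "/configArchive", "/configStore")
# Functional areas from the table (labels are assumed names, not API paths) -> role allowed to change them.
WRITE_ROLE = {
    "partner connections": ADMIN,
    "system settings": ADMIN,
    "keys and certificates": CRYPTO_ADMIN,
    "local accounts": USER_ADMIN,
    "license keys": USER_ADMIN,
}
def role_problems(roles):
    """Return the reasons a role set violates the table (empty list means valid)."""
    rs = frozenset(roles)
    problems = []
    unknown = rs - ALL_ADMIN_ROLES - {AUDITOR}
    if unknown:
        problems.append(f"unknown roles: {sorted(unknown)}")
    if AUDITOR in rs and len(rs) > 1:
        problems.append("Auditor cannot be combined with administrative roles")
    if not rs:
        problems.append("account has no role")
    return problems

def is_allowed(roles, resource, write):
    """Decide whether an account holding `roles` may view (write=False) or change `resource`."""
    rs = frozenset(roles)
    if role_problems(rs):
        raise ValueError(f"invalid role set {sorted(rs)}: {role_problems(rs)}")
    if resource in FULL_ACCESS_ENDPOINTS:
        return rs == ALL_ADMIN_ROLES  # Auditor and partial role sets are refused outright
    if resource not in WRITE_ROLE:
        raise ValueError(f"unknown resource: {resource}")
    if not write:
        return True  # Auditor is view-only; assumes reads are not restricted among admin roles
    return WRITE_ROLE[resource] in rs

def review_accounts(accounts):
    """Flag invalid role sets and accounts that hold all three roles (full configuration access)."""
    findings = []
    for name, roles in accounts.items():
        for problem in role_problems(roles):
            findings.append((name, f"invalid: {problem}"))
        if frozenset(roles) == ALL_ADMIN_ROLES:
            findings.append((name, "full access: /bulk, /configArchive, /configStore"))
    return findings
# Constructed sample accounts for review, not real data.
SAMPLE_ACCOUNTS = {"alice": [ADMIN, CRYPTO_ADMIN, USER_ADMIN], "bob": [AUDITOR, USER_ADMIN], "carol": [ADMIN]}
```

Running `review_accounts(SAMPLE_ACCOUNTS)` reports alice as holding full configuration access and bob's Auditor-plus-User-Admin combination as invalid, which is the kind of finding to act on during a periodic review of administrative accounts.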