As an alternative to using PingFederate's own internal datastore for authentication to the administrative console, you can configure PingFederate to use your network's LDAP user datastore, the RADIUS protocol, or client certificates. You can configure any of these alternatives at any time.

Note that most user-management functions are handled outside the scope of the PingFederate administrative console when alternative authentication is enabled.

Unlike native authentication, for which you configure local accounts and their privileges in the System > Administrative Accounts screen, you must define roles in configuration files when using an alternative authentication scheme. Similar to native authentication, PingFederate provides two account types and three administrative roles for role-based access control, as shown in the following table:

PingFederate User Access Control
| Account type | Administrative role | Access privileges |
|--------------|---------------------|-------------------|
| Admin | Admin | Configure partner connections and most system settings (except the management of local accounts and the handling of local keys and certificates). |
| Admin | Crypto Admin | Manage local keys and certificates. |
| Admin | User Admin | Create users, deactivate users, change or reset passwords, and install replacement license keys. |
| Auditor | Not applicable | View-only permissions for all administrative functions. When the Auditor role is assigned, no other administrative roles may be set. |

All three administrative roles are required to access and make changes through the following services:

  • The /bulk, /configArchive, and /configStore administrative API endpoints
  • The System > Configuration Archive screen in the administrative console
  • The Connection Management configuration item on the Security > Service Authentication screen