As an alternative to using PingFederate's own internal datastore for authentication to the administrative console, you can configure PingFederate to use your network's LDAP user-datastore, the RADIUS protocol, client certificates, or OIDC-based authentication.
You can configure any of these alternative console authentication methods at any time. Most user-management functions are handled outside the scope of the PingFederate administrative console when alternative authentication is enabled.
Unlike native authentication, for which you configure local accounts and their privileges in , you must define roles in configuration files when using an alternative authentication scheme. Similar to native authentication, PingFederate provides two account types and three administrative roles for role-based access control, as shown in the following table.

Account type | Administrative role | Access privileges |
---|---|---|
Admin | User Admin | Create users, deactivate users, change or reset passwords, and install replacement license keys. |
Admin | Admin | Configure partner connections and most system settings, except the management of local accounts and the handling of local keys and certificates. |
Admin | Expression Admin | Map user attributes by using the expression language, Object-Graph Navigation Language (OGNL). Important: Only Administrative users who have both the Admin role and the Expression Admin role: |
Admin | Crypto Admin | Manage local keys and certificates. |
Auditor | Not applicable | View-only permissions for all administrative functions. When the Auditor role is assigned, no other administrative roles can be set. |
All four administrative roles are required to access and make changes through the following services:
- The /bulk, /configArchive, and /configStore administrative API endpoints
- The Configuration Archive window, accessed from , in the administrative console
- The Connection Management configuration item on the Service Authentication window, accessed from
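A hypothetical policy-as-code check, added here and not PingFederate's own code or configuration file format, that encodes the role rules from the table and the all-four-roles requirement for the services above, so that an external role mapping can be reviewed before it is deployed; the function names and the sample mapping are this example's own assumptions:

```python
# Hypothetical policy-as-code review of the console RBAC rules on this page;
# an added example, not PingFederate code or config. Names are assumptions.

ADMIN_ROLES = frozenset({"User Admin", "Admin", "Expression Admin", "Crypto Admin"})
AUDITOR = "Auditor"
# Services that the page says require all four administrative roles.
ALL_ROLE_SERVICES = frozenset({
    "/bulk", "/configArchive", "/configStore",
    "Configuration Archive window", "Connection Management",
})

def validate_roles(roles):
    """Return the problems with a proposed role set (empty list if valid)."""
    roles = set(roles)
    problems = []
    if not roles:
        problems.append("no roles assigned")
    unknown = roles - ADMIN_ROLES - {AUDITOR}
    if unknown:
        problems.append(f"unknown roles: {sorted(unknown)}")
    # The table states that Auditor cannot be combined with any other role.
    if AUDITOR in roles and len(roles) > 1:
        problems.append("Auditor cannot be combined with administrative roles")
    return problems

def can_change(roles, service):
    """Whether the role set may make changes through one of the listed services."""
    if service not in ALL_ROLE_SERVICES:
        raise ValueError(f"no rule on this page for service {service!r}")
    roles = set(roles)
    # Auditor is view-only, and an invalid role set grants nothing.
    if validate_roles(roles) or roles == {AUDITOR}:
        return False
    return ADMIN_ROLES <= roles

def review_mapping(mapping):
    """Report users whose external role mapping is invalid or fully privileged."""
    report = {}
    for user, roles in mapping.items():
        notes = validate_roles(roles)
        if not notes and can_change(roles, "/configArchive"):
            notes.append("holds all four roles: can change /bulk, /configArchive and /configStore")
        if notes:
            report[user] = notes
    return report

# Constructed sample mapping, as a group-to-role map from an external datastore might supply.
SAMPLE_MAPPING = {
    "alice": ["User Admin", "Admin", "Expression Admin", "Crypto Admin"],
    "bob": ["Auditor", "Admin"], "carol": ["Admin", "Crypto Admin"], "dave": ["Root"],
}
```

Only alice (fully privileged), bob (Auditor combined with Admin) and dave (unknown role) appear in the report; carol's assignment is valid and below the four-role threshold.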