In the secret manager, you can store the passwords and other credentials that PingFederate needs to access LDAP, JDBC, and REST API datastores. If you have a secret manager, you can integrate it with PingFederate and then configure one or more instances of the secret manager plugin. After using an instance to generate a reference code for a specific datastore credential in the secret manager, you can add the reference code to a PingFederate datastore plugin instance, allowing PingFederate to get the credential from your secret manager.

Storing datastore credentials in a secret manager is not only secure, it also lets you change the credentials in the secret manager without needing to change the configuration of the datastore plugins because the credential reference codes do not change. This is particularly useful when you rotate credentials.

You can integrate PingFederate with the CyberArk Credential Provider out-of-the-box. If you have a different secret manager, you can use the SecretManager interface in the PingFederate SDK to build a custom solution that connects PingFederate to your secret manager.