You can configure any of these alternative console authentication methods at any time. Most user-management functions are handled outside the scope of the PingFederate administrative console when alternative authentication is enabled.

Unlike native authentication, for which you configure local accounts and their privileges in System > Server > Administrative Accounts, an alternative authentication scheme requires you to define roles in configuration files. As with native authentication, PingFederate provides two account types and three administrative roles for role-based access control, as shown in the following table.

PingFederate User Access Control

Account type | Administrative role | Access privileges
Admin        | User Admin          | Create users, deactivate users, change or reset passwords, and install replacement license keys.
Admin        | Admin               | Configure partner connections and most system settings, except the management of local accounts and the handling of local keys and certificates.
Admin        | Expression Admin    | Map user attributes by using the expression language, Object-Graph Navigation Language (OGNL). See the note below.
Admin        | Crypto Admin        | Manage local keys and certificates.
Auditor      | Not applicable      | View-only permissions for all administrative functions. When the Auditor role is assigned, no other administrative roles can be set.

Note on the Expression Admin role: only administrative users who have both the Admin role and the Expression Admin role:

  • Can be granted the User Admin role. This restriction prevents non-Expression Admin users from granting themselves the Expression Admin role.
  • Can be granted write access to the file system or directory where PingFederate is installed. This restriction prevents a non-Expression Admin user from placing a file containing expressions into the <pf_install>/pingfederate/server/default/deploy directory, which would introduce expressions into PingFederate.

All four administrative roles are required to access and make changes through the following services:

  • The /bulk, /configArchive, and /configStore administrative API endpoints
  • The Configuration Archive window, accessed from System > Server, in the administrative console
  • The Connection Management configuration item on the Service Authentication window, accessed from Security > System Integration
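The following script is an added example, not PingFederate's own code, that encodes the role rules from the table, the Expression Admin note, and the services list above as a policy check: Auditor excludes every other role, User Admin may only be granted alongside Admin and Expression Admin, write access to the installation directory is limited to holders of Admin plus Expression Admin, and the listed services require all four administrative roles. The directory-group names and the role-to-group mapping are constructed for this example and stand in for whatever your alternative-authentication configuration file actually uses; the role names are the ones in the table.

```python
"""
Role-policy checker for the PingFederate administrative roles described above.

Added, constructed example; not PingFederate code. ROLE_GROUPS is a hypothetical
stand-in for the real role-to-group configuration.
"""
from typing import Dict, Iterable, List, Set

ADMIN = "Admin"
USER_ADMIN = "User Admin"
EXPRESSION_ADMIN = "Expression Admin"
CRYPTO_ADMIN = "Crypto Admin"
AUDITOR = "Auditor"

ADMIN_ROLES: Set[str] = {ADMIN, USER_ADMIN, EXPRESSION_ADMIN, CRYPTO_ADMIN}
KNOWN_ROLES: Set[str] = ADMIN_ROLES | {AUDITOR}

# Services that the page says require all four administrative roles.
FULL_ROLE_SERVICES = (
    "/bulk",
    "/configArchive",
    "/configStore",
    "Configuration Archive window",
    "Connection Management (Service Authentication window)",
)

# Hypothetical role-to-directory-group mapping (constructed for this example).
ROLE_GROUPS: Dict[str, Set[str]] = {
    ADMIN: {"pf-admins"},
    USER_ADMIN: {"pf-user-admins"},
    EXPRESSION_ADMIN: {"pf-expression-admins"},
    CRYPTO_ADMIN: {"pf-crypto-admins"},
    AUDITOR: {"pf-auditors"},
}


def effective_roles(user_groups: Iterable[str],
                    role_groups: Dict[str, Set[str]] = ROLE_GROUPS) -> Set[str]:
    """Map a user's directory groups to the PingFederate roles they confer."""
    groups = set(user_groups)
    return {role for role, grp in role_groups.items() if groups & grp}


def validate_roles(roles: Iterable[str]) -> List[str]:
    """Return the policy violations for a role set (empty means consistent)."""
    roles = set(roles)
    violations: List[str] = []
    unknown = roles - KNOWN_ROLES
    if unknown:
        violations.append(f"unknown roles: {sorted(unknown)}")
    # Auditor is view-only and cannot be combined with any other role.
    if AUDITOR in roles and len(roles) > 1:
        violations.append("Auditor cannot be combined with administrative roles")
    # User Admin may only be granted to holders of both Admin and Expression Admin.
    if USER_ADMIN in roles and not {ADMIN, EXPRESSION_ADMIN} <= roles:
        violations.append("User Admin requires both Admin and Expression Admin")
    return violations


def can_use_full_role_service(roles: Iterable[str]) -> bool:
    """True when the role set meets the all-four-roles requirement of FULL_ROLE_SERVICES."""
    return ADMIN_ROLES <= set(roles)


def may_hold_install_dir_write_access(roles: Iterable[str]) -> bool:
    """Write access to the <pf_install> tree is limited to Admin + Expression Admin holders."""
    return {ADMIN, EXPRESSION_ADMIN} <= set(roles)


def audit_user(user_groups: Iterable[str]) -> Dict[str, object]:
    """Summarise one user's effective roles and what the policy permits."""
    roles = effective_roles(user_groups)
    return {
        "roles": sorted(roles),
        "violations": validate_roles(roles),
        "full_role_services": can_use_full_role_service(roles),
        "install_dir_write_ok": may_hold_install_dir_write_access(roles),
    }


if __name__ == "__main__":
    # Constructed sample users, one per policy case.
    samples = {
        "alice": ["pf-admins", "pf-expression-admins", "pf-user-admins", "pf-crypto-admins"],
        "bob": ["pf-admins", "pf-user-admins"],          # User Admin without Expression Admin
        "carol": ["pf-auditors", "pf-admins"],           # Auditor mixed with Admin
        "dave": ["pf-auditors"],                         # view-only, consistent
    }
    for name, groups in samples.items():
        print(name, audit_user(groups))
```

Running the script prints one audit line per constructed user; a periodic run of the same checks against your real group-to-role mapping is a cheap way to catch a User Admin grant that bypasses the Expression Admin prerequisite, or an Auditor account that has quietly accumulated write roles.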