If you are using the SAML 2.0 Attribute Query profile as a service provider (SP), then the requesting applications at your site must authenticate to the PingFederate Bridge server. For more information, see Attribute Query and XASP and the /sp/startAttributeQuery.ping SP application endpoint.

Authentication is required to access PingFederate Bridge runtime data via JMX (see Runtime monitoring using JMX) or to make SOAP calls to the Connection Management Service. Authentication is optional for the SSO Directory Service. For more information, see Web service interfaces and APIs and SSO Directory Service.


To help ensure network security, access to all of these services is deactivated when PingFederate Bridge is first installed.

To activate and configure authentication for the Connection Management Service, grant the administrators all three administrative roles: Admin, Crypto, and User Admin. For more information, see Connection Management Service.

  • To enable a service:
    1. On Security > System Integration > Service Authentication, select Action > Activate for your desired service.
    2. Enter (or modify) the service account ID and define or reset the Shared Secret.
      You and the application developer must agree on these values.

      Authentication is optional for the SSO Directory Service.

  • To disable a service, on Security > Service Authentication, select Deactivate under Action for your desired service.

    Although not accessible when deactivated, the Connection Management Service and the SSO Directory Service are deployed by default with PingFederate Bridge. If your organization does not plan to use one or both of these services, you can remove the following WAR file or files:

    • <pf_install>/pingfederate/server/deploy2/pf-mgmt-ws.war for the Connection Management Service
    • <pf_install>/pingfederate/server/deploy/pf-ws.war for the SSO Directory Service
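
The following shell functions are an added example, not part of the PingFederate Bridge documentation or tooling: they check whether the two WAR files listed above are still deployed and move an unused one out of the deploy directories. The service labels `connection-management` and `sso-directory`, the function names, and the choice to move the file to a backup directory rather than delete it are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not vendor code). WAR paths relative to <pf_install> are the
# ones listed above; service labels and function names are hypothetical.

# Map a service label to its WAR path relative to <pf_install>.
war_path() {
  case "$1" in
    connection-management) echo "pingfederate/server/deploy2/pf-mgmt-ws.war" ;;
    sso-directory)         echo "pingfederate/server/deploy/pf-ws.war" ;;
    *) return 1 ;;
  esac
}

# audit_service <pf_install> <service>
# Prints "deployed" if the WAR is present, "absent" if not.
audit_service() {
  rel=$(war_path "$2") || { echo "unknown"; return 2; }
  if [ -e "$1/$rel" ]; then echo "deployed"; else echo "absent"; fi
}

# retire_service <pf_install> <service> <backup_dir>
# Moves the WAR out of the deploy directory so the service is no longer
# deployed. Assumption: the file is kept in backup_dir so it can be restored.
retire_service() {
  rel=$(war_path "$2") || { echo "unknown service: $2" >&2; return 2; }
  src="$1/$rel"
  [ -e "$src" ] || return 0   # nothing to do, already absent
  # Refuse a backup location inside deploy/ or deploy2/: the WAR would
  # still sit in a directory the server deploys from.
  case "$3" in
    "$1"/pingfederate/server/deploy*)
      echo "backup dir must be outside the deploy directories" >&2
      return 3 ;;
  esac
  mkdir -p "$3" && mv "$src" "$3/"
}
```

Source the file, then call `audit_service` or `retire_service` with your installation root as the first argument.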