Authoritative identity providers (IdPs) are a special type of external IdP that has authority over user records and credentials.
By using an authoritative IdP, you can automatically provision users to PingOne if their identity is registered with an external IdP. The user account in PingOne exists as a shadow record of the user’s identity data, while the external IdP retains control of authentication.
Identifier-first authentication
With identifier-first authentication, if PingOne determines that a user’s authentication authority is a configured external IdP, then PingOne redirects the user to that IdP for authentication. If a user account in PingOne is pre-registered and the user authenticates through their authoritative IdP for the first time, PingOne links the user account without requiring the user to verify their account or password.
Just-in-time provisioning
Use an authoritative IdP to enable just-in-time (JIT) provisioning and automate user registration. If a user authenticates through an authoritative IdP, then PingOne can register the user automatically without self-service registration being enabled in the authentication policy.
Users who are JIT-provisioned automatically have the authoritative IdP configured and linked with the user account at the IdP. These features can help create a seamless experience for the user when PingOne isn’t the primary IdP.
An authoritative IdP has the ability to register user accounts in PingOne, so ensure that you have a high level of trust with the IdP.
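The following added example is a simplified model of the three behaviors described above (identifier-first routing, linking on first sign-on, and JIT registration) together with an audit trail for reviewing what a trusted IdP has created or linked. It is not PingOne code or the PingOne API; the class, field, and event names are hypothetical, and rejecting a sign-on from an IdP that is not the account's authority is an assumption of the model.

```python
from dataclasses import dataclass, field

LOCAL = "PINGONE"  # hypothetical label: PingOne itself holds the credentials

@dataclass
class User:
    username: str
    authority: str = LOCAL   # IdP that has authority over this account
    linked: bool = False     # True once the external identity is linked

@dataclass
class Directory:
    users: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # (event, username, idp)

    def route(self, identifier):
        """Identifier-first step: decide where this user authenticates."""
        user = self.users.get(identifier)
        if user and user.authority != LOCAL:
            return ("redirect", user.authority)
        return ("local", LOCAL)

    def on_idp_login(self, idp, asserted_username, authoritative_idps):
        """Handle a successful sign-on asserted by an external IdP."""
        user = self.users.get(asserted_username)
        if idp not in authoritative_idps or (user and user.authority != idp):
            # Assumption: unknown IdP or authority mismatch is refused.
            self.audit.append(("rejected", asserted_username, idp))
            return None
        if user is None:
            # JIT provisioning: shadow record created with authority set and linked.
            user = User(asserted_username, authority=idp, linked=True)
            self.users[asserted_username] = user
            self.audit.append(("jit_registered", asserted_username, idp))
        elif not user.linked:
            # Pre-registered account, first sign-on: linked with no verification step.
            user.linked = True
            self.audit.append(("linked", asserted_username, idp))
        return user

    def accounts_controlled_by(self, idp):
        """Trust review: every account whose credentials this IdP owns."""
        return sorted(u.username for u in self.users.values() if u.authority == idp)
```

The audit list and `accounts_controlled_by` show the scope of trust placed in one IdP: every account it registered or linked depends on that IdP's assertions being correct.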