By using an authoritative IdP, you can automatically provision users to PingOne if their identity is registered with an external IdP. The user account in PingOne exists as a shadow record of the user’s identity data, while the external IdP retains authentication control.

Identifier-first authentication

With identifier-first authentication, if PingOne determines that a user’s authentication authority is a configured external IdP, then PingOne redirects the user to that IdP for authentication. If a user account in PingOne is pre-registered and the user authenticates through their authoritative IdP for the first time, PingOne links the user account without requiring the user to verify their account or password.

Just-in-time provisioning

Use an authoritative IdP to enable just-in-time (JIT) provisioning and automate user registration. If a user authenticates through an authoritative IdP, then PingOne can register the user automatically without self-service registration being enabled in the authentication policy.

Users who are JIT-provisioned automatically have the authoritative IdP configured and linked with their user account at the IdP. These features can help create a seamless experience for the user when PingOne isn’t the primary IdP.


An authoritative IdP has the ability to register user accounts in PingOne, so ensure that you have a high level of trust with the IdP.
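
One way to review that trust in practice is to audit which accounts have handed authentication control to which external IdP. The following is an added example, not part of the original documentation or PingOne's own code. The record shape (`identityProvider.id`, `identityProvider.type`, with `PING_ONE` meaning a locally authenticated user), the sample users, and the allowlist are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records. The field names are an assumed export shape:
# adjust them to match the user data you actually retrieve.
SAMPLE_USERS = [
    {"username": "alice", "identityProvider": {"type": "PING_ONE"}},
    {"username": "bob", "identityProvider": {"id": "idp-corp-saml", "type": "SAML"}},
    {"username": "carol", "identityProvider": {"id": "idp-corp-saml", "type": "SAML"}},
    {"username": "dave", "identityProvider": {"id": "idp-partner-oidc", "type": "OPENID_CONNECT"}},
    {"username": "erin"},  # no identityProvider block: treated as local
]

# Hypothetical allowlist of IdP IDs that have been reviewed and approved
# to act as an authentication authority (and therefore to JIT-provision users).
APPROVED_IDP_IDS = {"idp-corp-saml"}


def authority_of(user):
    """Return the external IdP ID controlling authentication, or None if local."""
    idp = user.get("identityProvider") or {}
    if idp.get("type", "PING_ONE") == "PING_ONE":
        return None
    # An external type with no ID is kept visible so it gets flagged below.
    return idp.get("id") or "<missing-id>"


def audit(users, approved):
    """Group users by authentication authority and flag unapproved IdPs."""
    by_idp = defaultdict(list)
    for user in users:
        by_idp[authority_of(user)].append(user["username"])
    local = by_idp.pop(None, [])
    unapproved = {idp: names for idp, names in by_idp.items() if idp not in approved}
    return {"local": local, "external": dict(by_idp), "unapproved": unapproved}


if __name__ == "__main__":
    report = audit(SAMPLE_USERS, APPROVED_IDP_IDS)
    print("Locally authenticated:", report["local"])
    for idp, names in report["external"].items():
        status = "approved" if idp in APPROVED_IDP_IDS else "REVIEW"
        print(f"{idp} [{status}]: {len(names)} user(s): {', '.join(names)}")
```

Any IdP that appears under `unapproved` is one that can authenticate, and potentially register, accounts without having been reviewed.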