If a user authenticates from an external IdP that is different from their authoritative IdP set in PingOne, and they do not have an existing account link for that IdP, the user must link their account by signing on through the authoritative IdP first (for example, by entering their PingOne username and password). This creates an account link between the external IdP and the PingOne user. Learn more in Adding an external identity provider sign-on step.

Note:

If a user’s authoritative IdP is PingOne, but they don’t have a PingOne password, the user cannot sign on through an external IdP and cannot link their account between the external IdP and PingOne. This can occur when users are created through an external integration that does not set an authoritative IdP or password, such as through the PingID or PingOne MFA adapters for PingFederate. This can also occur with any other custom integration that creates users without setting an authoritative IdP or password.

Setting the IdP

The authoritative IdP can be set either on the user or on a population in PingOne. Setting the authoritative IdP on a population means that all users in that population whose authoritative IdP is not set (by default, PingOne) will use the authoritative IdP set for the population. For example, if you’re using the PingID or PingOne MFA adapters, users can be created by the adapters without an authoritative IdP or password, and they cannot sign on to PingOne. In this scenario, setting the authoritative IdP as PingFederate for that population applies the authoritative IdP to the users created by the adapters. Learn more in Adding a user and Managing populations.

You can change a user’s authoritative IdP in the PingOne admin console or using the API. For example, if a user’s authoritative IdP is PingOne but you want them to authenticate through an external IdP without needing a PingOne password, set their authoritative IdP to that external IdP. Learn more about using the API in Update User Identity Provider.
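The precedence described above (user setting, then population setting, then PingOne by default) and the sign-on outcomes from the first two sections can be summarized as a small decision model. This is an added illustration, not PingOne code: `PINGONE` stands for the built-in directory, other strings are assumed external IdP identifiers, and the sample users in the test are constructed.

```python
"""Model of how PingOne resolves a user's authoritative IdP and what happens
when the user signs on through a given IdP (added example, not PingOne code)."""
from dataclasses import dataclass, field
from typing import Optional, Set

PINGONE = "PINGONE"  # placeholder for the built-in PingOne directory


@dataclass
class Population:
    # None means the population keeps the default (PingOne)
    identity_provider: Optional[str] = None


@dataclass
class User:
    username: str
    population: Population
    identity_provider: Optional[str] = None   # unset -> inherit from population
    has_password: bool = False                # adapter-created users have none
    linked_idps: Set[str] = field(default_factory=set)  # existing account links


def effective_authoritative_idp(user: User) -> str:
    """User setting wins; otherwise the population setting; otherwise PingOne."""
    return user.identity_provider or user.population.identity_provider or PINGONE


def sign_on_outcome(user: User, via_idp: str) -> str:
    """Classify a sign-on attempt through `via_idp` (PINGONE or an external IdP id)."""
    authoritative = effective_authoritative_idp(user)
    if via_idp == PINGONE:
        # Signing on directly to PingOne needs a PingOne password
        return "ok" if user.has_password else "blocked: no PingOne password"
    if via_idp == authoritative or via_idp in user.linked_idps:
        # Authoritative IdP, or an IdP already linked: authenticates directly
        return "ok"
    # A different external IdP with no link: the user must first prove their
    # identity at the authoritative IdP so the link can be created
    if authoritative == PINGONE and not user.has_password:
        return "blocked: cannot link, no PingOne password"
    return f"link required via {authoritative}"
```

Setting `identity_provider` on the population is the fix the page describes for users created by the PingID or PingOne MFA adapters: it changes their outcome from blocked to a direct sign-on at PingFederate.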

Just-in-time provisioning

With just-in-time (JIT) provisioning, you can automate user registration and account creation. If a user authenticates through an external IdP that has registration enabled, and the user doesn't already exist in PingOne, the user is automatically created through JIT provisioning with their authoritative IdP set to the external IdP.

Users that are JIT provisioned automatically have the authoritative IdP configured and linked with the user account at the IdP.

Identifier-first authentication

With identifier-first authentication, you can identify users before you authenticate them. If the user has an authoritative IdP, then PingOne redirects the user to that IdP for authentication after they enter their email or username.

If a user account in PingOne is pre-registered and the user authenticates through their authoritative IdP for the first time, PingOne links the user account without requiring the user to verify their account or password. If you use a login authentication step instead, users must choose their IdP from a list that you can configure. Learn more in Adding an identifier first authentication step and Adding a login authentication step.