An identity repository stores the user credentials necessary to validate a user's local or network access to your organization. You can use PingOne for Enterprise Directory as your identity repository, or use an identity bridge to establish a connection to an existing identity repository. An identity bridge establishes a standards-based, high-security relationship with an identity repository to authenticate and provision your users for single sign-on (SSO).

Provisioning dynamically creates and updates SSO user information in your PingOne for Enterprise user groups based on attributes in incoming SAML assertions from your identity provider (the identity bridge). Only SAML-enabled applications can support provisioning.
Note: User provisioning is supported by the following identity repositories:
  • PingOne for Enterprise Directory
  • PingFederate Bridge
  • AD Connect

PingOne for Enterprise Directory

The PingOne for Enterprise Directory is a cloud-based user directory as a service, providing user and group management, user provisioning, directory access entitlements, easy user registration, and API support for custom applications.

Identity bridges

The identity bridges use federated SSO. Federated SSO uses the industry-standard protocols SAML or OpenID Connect to establish a secure connection, the identity bridge, to your user repositories. User credentials are authenticated through the identity bridge using either SAML or OpenID Connect (which is built on OAuth 2.0). You can also choose to apply a secondary level of authentication using PingID through the use of an authentication policy.

AD Connect
AD Connect is a free PingOne for Enterprise plugin that provides an identity bridge to Active Directory, and supports user provisioning. AD Connect comes in two versions:
  • Standard AD Connect uses a secure backchannel protocol to communicate with PingOne for Enterprise. This eliminates the requirement for IIS, inbound open ports, or signing certificates.
  • The AD Connect with IIS version uses IIS with open ports for HTTPS to communicate with PingOne for Enterprise, and verifies the communication with signing certificates.
You need to install either version of AD Connect on a Windows Server host in an Active Directory domain.
PingFederate Bridge
PingFederate Bridge is a lightweight version of PingFederate, designed for use with PingOne for Enterprise. PingFederate Bridge can connect to a large variety of user repositories, and supports user provisioning.
A PingFederate license can be either a "Bridge" license or a "Full" license. You can use either type of license with PingOne for Enterprise. This documentation references PingFederate Bridge. If your organization has a full PingFederate license, all instructions are the same unless otherwise noted. See Introduction to PingFederate Bridge for more information.
OpenID Connect
If you have an identity provider that supports OpenID Connect, you can set up PingOne to use OpenID Connect as your identity bridge.
Microsoft ADFS
If you have a Microsoft Active Directory Federation Services (ADFS) identity provider, you can set up PingOne for Enterprise to use ADFS as your identity bridge.
Google
If you are already using Google Apps for mail and calendar, there are just a few extra steps to set up PingOne for Enterprise to use Google as your identity bridge.
Third Party SAML
There are many federation tools that support the SAML protocol. Examples of third party SAML products that can operate as identity bridges are Shibboleth®, CA Siteminder®, Oracle Identity Federation, and others. PingOne for Enterprise can interoperate with all identity providers supporting SAML 2.0.

Connections to multiple PingOne for Enterprise accounts

In some cases, your organization may want to configure the identity bridge to support connections to multiple PingOne for Enterprise accounts. A typical scenario is organizations needing distinct connections from a number of divisions or subsidiaries.

PingOne for Enterprise supports these types of multiple connections through the identity bridge setup option Enable account-specific Entity IDs. Choosing this option creates a unique Entity ID based on your PingOne for Enterprise account (Company ID). This custom entity ID is written to the PingOne for Enterprise metadata file that you download for import to your identity bridge.
Note: When changing an existing entity ID for a PingOne for Enterprise identity repository, you also need to ensure that this value is changed on the identity provider (IdP). Otherwise, SSO is disrupted, because the IdP no longer recognizes the entity ID in the authentication requests it receives.

To make use of PingOne for Enterprise's account-specific entity IDs for multiple connections to a single identity bridge instance, your identity bridge needs to support the PingFederate concept of "virtual server IDs". This is an identity bridge feature for aliasing entity IDs (connection IDs) so that one connection can serve multiple service providers (SPs). Using account-specific IDs, PingOne for Enterprise effectively presents itself to the identity bridge as multiple distinct SPs.
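The two checks a practitioner wants before switching on account-specific entity IDs are (1) that each PingOne for Enterprise account's downloaded metadata actually carries a distinct entityID, and (2) that every such entityID is known to the IdP side, either as the connection's partner entity ID or as one of its virtual server IDs. The following is an added example, not code from Ping Identity or from this documentation. The metadata document is constructed for illustration, the entityID values are hypothetical placeholders (PingOne's real account-specific ID format is not shown on this page), and the `idp_connection` dictionary is an assumed, simplified stand-in for the IdP's connection settings.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample of an SP metadata file as downloaded from PingOne for Enterprise.
# The entityID is a hypothetical placeholder, not a real PingOne value.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml/acct-1234">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def sp_entity_id(metadata_xml: str) -> str:
    """Return the entityID of an SP metadata document, refusing non-SP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not a SAML 2.0 EntityDescriptor: {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    # The file must describe a service provider; an IdP's metadata has no SPSSODescriptor.
    if root.find(f"{{{MD_NS}}}SPSSODescriptor") is None:
        raise ValueError("metadata has no SPSSODescriptor; not SP metadata")
    return entity_id


def check_idp_connection(metadata_xml: str, idp_connection: dict) -> tuple:
    """Check that the SP entityID in the metadata will be recognised by the IdP connection.

    idp_connection is an assumed, simplified view of the IdP-side settings:
      {"partner_entity_id": "...", "virtual_server_ids": ["...", ...]}
    Returns (recognised, entity_id). A False result means SSO for that account
    would break, which is the failure mode the note about changed entity IDs warns about.
    """
    entity_id = sp_entity_id(metadata_xml)
    accepted = {idp_connection["partner_entity_id"]}
    accepted.update(idp_connection.get("virtual_server_ids", []))
    return entity_id in accepted, entity_id


def find_shared_entity_ids(metadata_by_account: dict) -> dict:
    """Map each entityID used by more than one account to the accounts sharing it.

    Multiple PingOne for Enterprise accounts on one identity bridge must present
    distinct entity IDs, otherwise the IdP cannot tell the accounts apart.
    """
    accounts_by_id = {}
    for account, xml_text in metadata_by_account.items():
        accounts_by_id.setdefault(sp_entity_id(xml_text), []).append(account)
    return {eid: accts for eid, accts in accounts_by_id.items() if len(accts) > 1}


if __name__ == "__main__":
    conn = {
        "partner_entity_id": "https://sp.example.test/saml",
        "virtual_server_ids": ["https://sp.example.test/saml/acct-1234"],
    }
    print(check_idp_connection(SAMPLE_SP_METADATA, conn))
    # Two accounts that (wrongly) downloaded metadata with the same entityID:
    print(find_shared_entity_ids({"divA": SAMPLE_SP_METADATA, "divB": SAMPLE_SP_METADATA}))
```

Run `find_shared_entity_ids` over the metadata downloaded for every account before importing it into the bridge; any entry it returns means account-specific entity IDs were not enabled for those accounts. Run `check_idp_connection` again after any entity ID change, on both the old and the new value, so the IdP-side update is verified rather than assumed.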

The Google identity bridge doesn't support a "virtual server IDs" facility, so you cannot use account-specific entity IDs in this case.