The PingFederate Authentication API supports two modes of authentication:

  • Redirectless or Application Embedded

    This mode of deployment is useful when you want to manage the sign-on experience without redirecting users to an external identity provider (IdP). 

  • Authentication Portal

    In this mode of deployment, applications are still configured as clients on PingFederate. However, rather than authenticating using out of the box templates in PingFederate, users are directed to the authentication portal. The authentication portal presents the desired look, feel, and workflow while authenticating users to PingFederate through the Authentication API.


The deployment modes described above are not mutually exclusive. For example, you can build a central authentication portal that allows single sign-on (SSO) for web clients while also using the redirectless flow for mobile apps. You’ll see this later when you test a redirect flow using ground and a redirectless flow using Postman.

The following table lists URLs you'll be revisiting throughout this task:

Interface URL

PingFederate administrative console


OAuth Playground


Authentication API Explorer