PingOne

Configuring administrator security - PingID

Use the Administrator Security page to view or change the authentication settings for the PingOne admin console.

You can use PingID, an external identity provider (IdP), or a combination of external IdP and PingID. Some configuration might need to be done in the PingID console.

This topic only applies to environments that include PingID. If your environment does not include PingID, go to Configuring administrator security.

Ping Identity requires multi-factor authentication (MFA) for all PingOne administrators.

You must have the Organization Admin role, Environment Admin role, or a custom role with equivalent permissions to configure Administrator Security.

Steps

  1. In the PingOne admin console, go to Settings > Administrator Security.

    Screen capture of the Administrator Security page showing PingID as the authentication source.

  2. Click the Pencil icon to change the settings.

    Screen shot of the Administrator Security page in edit mode. PingID is shown as the selected authentication source.

  3. For Authentication Source, select one of the following.

    Choose from:

    • PingID (default): PingID is used as the authentication source. You configure the authentication policy and set the allowed MFA methods in the PingID console. Click Configure Now to open the PingID admin portal in a separate window and configure the authentication policy. Learn more in the Authentication Policy section of the PingID documentation.

      If the environment was created after January 7, 2025, or if your PingID tenant was migrated to PingOne after March 31, 2025, the default MFA policy is managed from Authentication > MFA in PingOne. Learn more in Configuring an MFA policy for strong authentication.

    • External IdP: This option is enabled only if you have configured at least one external IdP in your environment. The selected IdP is used as the authentication source for the admin console. If you select this option, ensure that your external IdP is configured to follow best practice security recommendations.

      You should also test the connection to ensure that it is configured correctly. Administrators will be unable to sign on if this connection is configured incorrectly.

      You can’t make changes to the IdP configuration from this page. Go to Integrations > External IdPs if you need to edit the connection. Learn more in Editing an identity provider.

    • PingID & External IdP: This option is enabled only if you have configured at least one external IdP in your environment. The selected IdP is used as the initial authentication source for the admin console. After the user authenticates through the IdP, PingID sends a secondary authentication request.

      Test the connection to the IdP to ensure that it is configured correctly. If the connection to the IdP fails, as long as the administrator has a recovery account in PingOne, the administrator can sign on to PingOne directly. PingID will then prompt them for secondary authentication.

  4. Configure the applicable settings:

    Setting Description

    Account Recovery

    PingID and PingID & External IdP only.

    If selected, PingOne admins who forget their password can recover their accounts with a one-time passcode (OTP) sent to their email.

    This setting applies only to the PingID account and not to the external IdP. Account recovery for the external IdP is managed by the provider.

    Identity Provider

    External IdP and PingID & External IdP only.

    Select the IdP to use for authentication.

    This IdP will be labeled with an Administrator IDP badge in Integrations > External IdPs. The IdP can’t be disabled or deleted while assigned in Administrator Security.

    If you change the selected IdP, the settings for the new IdP are used for authentication. You should always test the connection configuration when you change this setting to ensure that administrators are able to sign on to PingOne.

    Identifier First

    PingID & External IdP only.

    If selected, you can identify users before you authenticate them.

    Click Add Discovery Rule to configure rules that will take different authentication actions based on who the user is. You can also edit existing rules.

    • Username Contains: Enter a domain name to be evaluated by this rule. The rule evaluates to true if the string contains any part of the provided value.

      For increased security, be specific and enter multiple canonical domains, such as @marketing.example.com and @payroll.example.com. To add fewer entries, you could just enter example.com, and the rule would pick up both @marketing.example.com and @payroll.example.com, but that configuration might match users at unintended hosts.

    • Identity Provider: Select the IdP to use for authentication if the rule is matched. Discovery rules are evaluated in the order they appear in the list.

    If the user name matches a configured rule, the system sends the user to a particular external IdP. If the user name doesn’t match a configured rule, the user authenticates through PingID.

  5. Click Save.