Authentication overview

Ping Identity provides a suite of identity and access management (IAM) products designed to secure access for both workforce and customer identities. The authentication mechanisms employed by Ping Identity solutions are built upon industry standards to ensure interoperability and security across diverse environments. These solutions manage user identities, enforce access policies, and facilitate secure connections between users, applications, and APIs.

Key components like PingFederate act as a security token service (STS) and identity provider (IdP), enabling single sign-on (SSO) and federated authentication across multiple applications and domains. PingAccess provides access control for applications and APIs, while PingDirectory serves as a high-performance user store. Cloud-native offerings under the PingOne platform abstract much of the underlying infrastructure, providing managed services for SSO, multi-factor authentication (MFA), and advanced identity verification.

The core objective of Ping Identity's authentication framework is to verify a user's identity reliably and consistently, then grant or deny access based on predefined policies. This is achieved through support for various authentication factors and integration with external identity sources, allowing organizations to tailor their security posture to specific risk profiles and compliance requirements.

Supported authentication methods

Ping Identity platforms support a range of authentication methods, accommodating different security needs and user experiences. These methods can be combined, particularly with multi-factor authentication (MFA), to enhance security.

| Method | When to use | Security level |
|---|---|---|
| Username/Password | Standard web application access, initial user setup. | Basic. Raise it with length-based password policies and breached-password screening; never rely on it as the sole factor for sensitive or privileged access. |
| Multi-Factor Authentication (MFA) | Any access requiring enhanced security; common for sensitive applications or privileged users. Factors include OTP via SMS/email, TOTP authenticator apps, push notifications, and FIDO2/WebAuthn authenticators. | High (significantly limits the impact of a compromised password). Only FIDO2/WebAuthn is phishing-resistant; SMS and email OTP can be relayed by a real-time phishing proxy. |
| SAML 2.0 (Security Assertion Markup Language) | Web-based SSO for enterprise applications, federated identity across domains. | High (digitally signed assertions; assertion encryption is optional). The SP must verify the signature on the assertion itself and reject unsigned assertions. |
| OAuth 2.0 / OpenID Connect (OIDC) | API access, mobile applications, delegated authorization, customer identity and access management (CIAM). OAuth 2.0 covers authorization; OIDC adds the ID token for authentication. | High when the authorization code flow is used with PKCE and every token is validated for signature, issuer, audience and expiry. |
| Kerberos | On-premises Windows environments, integration with Active Directory. | High (mutual authentication, ticket-based); limited to domain-joined clients on the corporate network. |
| X.509 Certificates | Client certificate (mutual TLS) authentication for strong device or user identity, API security. | Very High (cryptographically bound identity); requires a PKI with working revocation checking. |
| FIDO2 / WebAuthn (passkeys, security keys) | Passwordless authentication, enhanced user convenience and security on supported devices. | Very High (origin-bound public-key credentials, phishing-resistant). A biometric only unlocks the authenticator locally and is never sent to the server. |
| Magic Link / Email Link | Passwordless authentication for consumer applications, simplifying user experience. | Medium (only as strong as the mailbox it lands in). Links must be single-use, short-lived, and bound to the browser session that requested them. |

PingFederate, for example, supports various authentication sources and adapters, allowing integration with existing identity stores and custom authentication flows. This flexibility enables organizations to implement adaptive authentication policies, where the level of authentication required can vary based on factors like user location, device, or access context. The official PingFederate authentication sources documentation provides further details on available adapters.

Getting your credentials

To integrate with Ping Identity products or to manage user credentials, the process depends on the specific product and deployment model (cloud or on-premises).

For Workforce IAM (e.g., PingFederate, PingAccess)

  1. Administrator Access: Initial setup typically requires an administrator to access the PingFederate or PingAccess administrative console. This usually involves an initial administrative username and password set during installation or deployment.
  2. Identity Store Integration: PingFederate connects to existing identity stores such as Active Directory, LDAP directories, or databases. User credentials for authentication are managed within these integrated systems. PingDirectory can also be deployed as a centralized, high-performance user store.
  3. Application Registration: For applications to use PingFederate for SSO, they must be registered as SAML service providers (SPs) or OIDC relying parties (RPs). This involves configuring connection details, assertion consumer service (ACS) or redirect URIs, and the signing and encryption certificates each side will trust. The PingFederate Service Provider configuration guide outlines this process.
  4. API Client Management: If using OAuth 2.0 for API security, administrators configure OAuth clients within PingFederate, which issues the tokens that PingAccess later validates, assigning client IDs, client secrets, and permitted scopes. Only confidential clients (server-side applications) receive a client secret; public clients such as single-page and mobile applications cannot keep one and use the authorization code flow with PKCE instead. These credentials are then used by client applications to request access tokens.

For Customer IAM (CIAM) (e.g., PingOne for Customers)

  1. PingOne Account Setup: Begin by creating an administrative account on the PingOne platform. This provides access to the PingOne admin console.
  2. Application Configuration: Within the PingOne admin console, register your customer-facing applications. This process generates client IDs and, for confidential clients, client secrets, which are essential for initiating authentication flows (e.g., OIDC authorization code flow). Public clients (browser and mobile apps) get no secret and must use the authorization code flow with PKCE.
  3. User Directory Management: PingOne provides a managed user directory. You can import existing users or allow new users to self-register. User passwords and other credentials are managed securely within PingOne.
  4. MFA and Verification Policies: Configure MFA policies (e.g., SMS OTP, PingOne Protect) and integrate advanced identity verification services like PingOne Advanced Identity Verification as needed.

For developers integrating applications, SDKs and API documentation are available to facilitate credential handling and authentication flow implementation. For example, the Fetch API documentation on MDN Web Docs can provide context on making authenticated requests in web applications, while Ping Identity provides specific SDKs for various languages and platforms to streamline integration.

Authenticated request example

This example demonstrates an authenticated API request using an OAuth 2.0 bearer token obtained from a Ping Identity authorization server (e.g., PingFederate or PingOne). The client application first obtains an access token by completing an OAuth 2.0 flow (e.g., client credentials or authorization code flow), and then includes this token in the Authorization header of subsequent API requests.

GET /api/v1/user/profile HTTP/1.1
Host: your-protected-api.example.com
Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImE4YjQzMDY2LT...
Accept: application/json

The same request issued with the JavaScript Fetch API. The access token is passed in from the completed OAuth 2.0 flow rather than embedded in source, and a 401 or 403 from the gateway is reported separately from other errors because each calls for a different recovery:

// Example using JavaScript Fetch API
async function getProtectedResource(accessToken) {
  const apiUrl = 'https://your-protected-api.example.com/api/v1/user/profile';

  const response = await fetch(apiUrl, {
    method: 'GET',
    headers: {
      'Authorization': `Bearer ${accessToken}`,
      'Accept': 'application/json' // GET carries no body, so no Content-Type
    }
  });

  if (response.status === 401) {
    // Token missing, expired or rejected by the gateway; the WWW-Authenticate
    // header carries the reason. Refresh the token or re-run the OAuth flow.
    throw new Error(`Unauthorized: ${response.headers.get('WWW-Authenticate') || 'no details'}`);
  }
  if (response.status === 403) {
    // Token is valid but lacks a scope the API requires; re-authorize with it.
    throw new Error('Forbidden: token lacks a required scope');
  }
  if (!response.ok) {
    throw new Error(`HTTP error! status: ${response.status}`);
  }

  return response.json();
}

// accessToken is the value returned by the token endpoint after the
// authorization code (with PKCE) or client credentials flow completed.
getProtectedResource(accessToken)
  .then(data => console.log('Protected resource data:', data))
  .catch(error => console.error('Failed to fetch protected resource:', error));

In this example, your-protected-api.example.com would be an API secured by PingAccess or another API gateway integrated with PingFederate or PingOne. Before the request reaches the backend service, the gateway validates the bearer token: for a JWT it checks the signature against the authorization server's published keys and then the issuer, audience, expiry and required scopes; for an opaque token it calls the authorization server's token introspection endpoint. A token that fails any check is answered with 401, and a valid token without the required scope with 403. For further details on secure API integration, refer to the PingAccess API protection documentation.

Security best practices

Implementing strong authentication practices with Ping Identity products involves several key considerations:

  • Implement Multi-Factor Authentication (MFA): Mandate MFA for all users, especially administrators and users accessing sensitive data. PingOne MFA supports various factors, including FIDO2/WebAuthn authenticators, TOTP, and push notifications, significantly reducing the risk of unauthorized access even if primary credentials are compromised. Prefer FIDO2/WebAuthn where devices allow it, since it is the only option in that list that resists real-time phishing. The FIDO Alliance provides insights into strong authentication methods and their benefits.
  • Enforce Strong Password Policies: If using passwords, require sufficient length, screen new passwords against breached-password lists, and rotate a password when there is evidence of compromise rather than on a fixed schedule, which pushes users toward predictable variations. Consider passwordless authentication methods where feasible to mitigate password-related risks.
  • Leverage Adaptive Authentication: Configure PingFederate or PingOne to dynamically adjust authentication requirements based on context (e.g., user location, device posture, time of day). This provides a balance between security and user experience.
  • Secure API Access with OAuth 2.0: Use OAuth 2.0 with appropriate grant types and scopes to secure API endpoints. Ensure client secrets are stored securely and never exposed in client-side code; public clients use the authorization code flow with PKCE instead of a secret. Validate every token at the API gateway, either locally (JWT signature, pinned algorithm, issuer, audience, expiry, scopes) or by token introspection, so that a token issued for one API cannot be replayed against another.
  • Monitor and Audit Authentication Events: Regularly review authentication logs for suspicious activity, failed login attempts, and unauthorized access. Ping Identity products provide extensive logging capabilities that can be integrated with SIEM (Security Information and Event Management) systems.
  • Use Federation for SSO: Implement SAML 2.0 or OpenID Connect for single sign-on across applications. This centralizes identity management and reduces the number of credentials users need to manage, while enhancing security through consistent policy enforcement.
  • Protect Credentials: Store client secrets, API keys, and other sensitive credentials in a secrets manager or vault and inject them at runtime; environment variables are an acceptable minimum, but never commit them to code repositories. Rotate these credentials regularly and immediately on suspected exposure.
  • Regularly Update and Patch: Keep Ping Identity products and underlying infrastructure updated with the latest security patches to address known vulnerabilities.
  • Principle of Least Privilege: Grant users and applications only the minimum necessary permissions to perform their functions. Regularly review and revoke unnecessary access.
  • Secure Communication Channels: Enforce HTTPS/TLS for all communication between clients, Ping Identity components, and backend applications to protect credentials and data in transit. Ensure valid, trusted certificates are used.