PingOne

Configuring administrator security

Use the Administrator Security page to view or change the authentication settings for the PingOne admin console.

You can use PingOne, an external identity provider (IdP), or a combination of an external IdP and PingOne to provide secure access to the admin console.

This topic only applies to environments that do not include PingID. If your environment includes PingID, go to Configuring administrator security - PingID.

This topic is applicable if either:

  • Your organization was created after July 20, 2024.

  • You enable enhanced security early for environments in an organization created before July 20, 2024, either from the New Security Requirement message in Administrator Security or by clicking Update Now on the Update Admin MFA Settings modal presented when you signed on to the environment.

Ping Identity will require multi-factor authentication (MFA) for all PingOne administrators as of June 1, 2025. Learn more in the PingOne administrators MFA requirement - FAQ.

You must have the Organization Admin role, Environment Admin role, or a custom role with equivalent permissions to configure Administrator Security.

Steps

  1. Go to Settings > Administrator Security.

    If the environment was created after July 20, 2024, Administrator Security opens.

    Screen capture of the Administrator Security page showing PingOne as the authentication source.

    If the environment was created before July 20, 2024, and you haven’t enabled enhanced security, you must click Enable Enhanced Security on the New Security Requirement message to access Administrator Security.

  2. Click the Pencil icon to change the security settings.

    Screen shot of the Administrator Security page in edit mode. External IdP & PingOne is shown as the selected authentication source, and the PingOne DaVinci IdP is selected under Identity Provider.

  3. For Authentication Source, select one of the following.

    Choose from:

    • PingOne (default): PingOne is used as the authentication source. A system-delivered authentication policy requiring MFA is enabled. You can’t use a different authentication policy, but you can select which supported methods to use for MFA. Supported MFA methods include email, authenticator app (TOTP), and FIDO2. The first time an administrator signs on to the admin console, they’re prompted to configure one of the methods you enable.

      If you haven’t updated the MFA policies for your environment to use FIDO2 instead of FIDO, you won’t see the FIDO2 option on Administrator Settings. Learn more in Updating an existing MFA policy to use FIDO2.

      FIDO isn’t supported for new device registration during just-in-time (JIT) registration of administrators. If existing administrators have a registered FIDO device for MFA, that method is valid as long as your MFA policy is not updated to FIDO2.

    • External IdP: This option is enabled only if you have configured at least one external IdP in your environment. The selected IdP is used as the authentication source for the admin console. If you select this option, ensure that your external IdP is configured to follow best practice security recommendations.

      You should also test the connection to ensure that it is configured correctly. Administrators will be unable to sign on if this connection is configured incorrectly.

      You can’t make changes to the IdP configuration from this page. Go to Integrations > External IdPs if you need to edit the connection. Learn more in Editing an identity provider.

    • PingOne & External IdP: This option is enabled only if you’ve configured at least one external IdP in your environment. The selected IdP is used as the initial authentication source for the admin console. After the user authenticates through the IdP, PingOne sends a secondary authentication request.

      Test the connection to the IdP to ensure that it is configured correctly. If the connection to the IdP fails, the administrator can sign on to PingOne directly, as long as they have valid credentials in PingOne.

  4. Configure the applicable settings:

    Setting Description

    Allowed Authentication Methods

    PingOne and PingOne & External IdP only.

    Select at least one MFA method for verification.

    • Authenticator App (TOTP)

    • FIDO2

    • Email

    Account Recovery

    PingOne and PingOne & External IdP only.

    If selected, PingOne administrators who forget their password can recover their accounts with a one-time passcode (OTP) sent to their email.

    This setting applies only to the PingOne account and not to the external IdP. Account recovery for the external IdP is managed by the provider.

    Identity Provider

    External IdP and PingOne & External IdP only.

    Select the IdP to use for authentication.

    This IdP will be labeled with an Administrator IDP badge in Integrations > External IdPs. The IdP can’t be disabled or deleted while assigned in Administrator Security.

    If you change the selected IdP, the settings for the new IdP are used for authentication. You should always test the connection configuration when you change this setting to ensure that administrators are able to sign on to PingOne. Learn more in Troubleshooting test connection failure.

  5. Click Save.