PingOne

SPN reference

The following table shows the service principal name (SPN) values for the various PingOne regions.

SPN values by region
Region SPN 1 SPN 2 SPN 3

Australia

HTTP/d17e9v8kuwbj1g.cloudfront.net

HTTP/kerberos.pingone.com.au

HTTP/cloudflare.pingone.com.au

Canada

HTTP/d2zesjvkk5mc9z.cloudfront.net

HTTP/kerberos.pingone.ca

HTTP/cloudflare.pingone.ca

Europe

HTTP/d2g9q8z5merlnu.cloudfront.net

HTTP/kerberos.pingone.eu

HTTP/cloudflare.pingone.eu

North America (US)

HTTP/d3vol3lyj0eg62.cloudfront.net

HTTP/kerberos.pingone.com

HTTP/cloudflare.pingone.com

Singapore

HTTP/dcfgtxahv7i2c.cloudfront.net

HTTP/kerberose.pingone.sg

HTTP/cloudflare.pingone.sg

Asia Pacific (legacy)

Available only for existing .asia customers.

HTTP/d17e9v8kuwbj1g.cloudfront.net

HTTP/kerberos.pingone.asia

HTTP/cloudflare.pingone.asia

Custom domains

If the environment is configured with a custom domain, only one SPN is required. The address varies depending on the DNS result. See the examples below for more information.

Cloudflare examples

Custom domains created between March 17 and August 11, 2025 have unique references for each custom domain, such as <uuid>.ping-ccd.com. If your custom domain was created after August 11, 2025, then all domains in a geography share the same reference, such as cloudflare.ping-ccd.com. These references are listed by region in the SPN 3 column of the SPN values by region table.

The unique references that include the UUID will be phased out sometime in 2026, and all custom domains will use the region-specific shared references. In the meantime, for domains created between March 17 and August 11, 2025, you should add both SPN references to your Kerberos configuration to ensure that it remains valid.

The following examples assume the organization resides in the North America (US) region. If your organization is in a different region, the end of the SPN differs depending on that region:

  • North America (Canada): ping-ccd.ca

  • Europe: ping-ccd.eu

  • Australia: ping-ccd.com.au

  • Asia-Pacific: ping-ccd.asia

  • Singapore: ping-ccd.sg
Example 1: DNS result from nslookup
c:\>nslookup -type=A sso.example.com
Server:  127.0.0.1
Address:  127.0.0.1#53

Non-authoritative answer:
sso.example.com	canonical name = f97e2bbf-6680-44b6-a2cf-97aa0b4a4226.edge1.pingone.com.
f97e2bbf-6680-44b6-a2cf-97aa0b4a4226.edge1.pingone.com	canonical name = cloudflare.ping-ccd.com.
Name:    cloudflare.ping-ccd.com
Address:  130.250.137.31

Based on this DNS result from nslookup, the SPN address in Cloudflare is HTTP/cloudflare.ping-ccd.com.

Example 2: DNS result from dig
~$ dig sso.example.com A

; <<>> DiG 9.10.6 <<>> sso.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21003
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;sso.example.com.        IN    A

;; ANSWER SECTION:
sso.example.com.    98    IN    CNAME    f97e2bbf-6680-44b6-a2cf-97aa0b4a4226.pingone.com.
f97e2bbf-6680-44b6-a2cf-97aa0b4a4226.pingone.com.    86198 IN CNAME cloudflare.ping-ccd.com.
cloudflare.ping-ccd.com. 98 IN    A    130.250.137.31

;; Query time: 31 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 23 10:26:50 PDT 2025
;; MSG SIZE  rcvd: 361

Based on this DNS result from dig, the SPN address in Cloudflare is cloudflare.ping-ccd.com.

If you created your custom domain between March 17 and August 11, 2025, instead of cloudflare.ping-ccd.com in the nslookup or dig result, you’ll see something like <uuid>.ping-ccd.com. For example,92b8af3f-0d5b-4cc8-8460-8a35a26efc5e.ping-ccd.com. In this case, add both the unique <uuid>.ping-ccd.com SPN reference and the reference relevant to your geography, such as cloudflare.ping-ccd.com if your PingOne organization is in North America.

CloudFront examples

Example 1: DNS result from nslookup
c:\>nslookup -type=A sso.example.com
Step 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
        primary name server = 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
        responsible mail addr = (root)
        serial  = 0
        refresh = 28800 (8 hours)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)
Server:  UnKnown
Address:  ::1Non-authoritative answer:
Name:    d3laihe2ro8a3z.cloudfront.net
Addresses:  65.8.10.10
          65.8.10.20
          65.8.10.30
          65.8.10.40
Aliases:  sso.example.com
          45ffcbe6-ec42-48d2-999e-89a7eae22ea9.edge1.pingone.com

Based on this DNS result from nslookup, the SPN address in CloudFront is HTTP/d3laihe2ro8a3z.cloudfront.net. This remains true regardless of the PingOne region in which your organization resides.

Example 2: DNS result from dig
~$ dig sso.example.com A

; <<>> DiG 9.10.6 <<>> sso.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1344
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;sso.example.com.        IN    A

;; ANSWER SECTION:
sso.example.com.    3526    IN    CNAME    45ffcbe6-ec42-48d2-999e-89a7eae22ea9.edge1.pingone.com.
45ffcbe6-ec42-48d2-999e-89a7eae22ea9.edge1.pingone.com.    86326 IN CNAME d3laihe2ro8a3z.cloudfront.net.
d3laihe2ro8a3z.cloudfront.net. 54 IN    A    65.8.10.10
d3laihe2ro8a3z.cloudfront.net. 54 IN    A    65.8.10.20
d3laihe2ro8a3z.cloudfront.net. 54 IN    A    65.8.10.30
d3laihe2ro8a3z.cloudfront.net. 54 IN    A    65.8.10.40

;; Query time: 30 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Fri Nov 25 14:02:32 PST 2022
;; MSG SIZE  rcvd: 221

Based on this DNS result from dig, in CloudFront the SPN address is HTTP/d3laihe2ro8a3z.cloudfront.net. This remains true regardless of the PingOne region.