PingOne

Setting up a custom domain

Before you create a Canonical Name (CNAME) record with your Domain Name System manager, you must create an entry for the custom domain in PingOne. PingOne provides a CNAME value that you’ll use to create a CNAME record for your domain name.

You can configure one custom domain per environment.

Custom domains created after March 17, 2025, will use Cloudflare instead of Amazon CloudFront. Ask your organization’s network infrastructure team to review the Custom domain migration to Cloudflare support article (sign-on required). The article explains how to assess whether your network and firewall settings require updates to support the new infrastructure.

Before you begin

Before you begin, you’ll need the following:

  • An existing custom domain

  • Access to your DNS manager

  • A valid Secure Sockets Layer (SSL) certificate

Adding a custom domain

Add a custom domain to your PingOne environment.

Steps

  1. In the PingOne admin console, go to Settings > Domains.

    Result:

    The Custom Domain and Email Trust page opens.

  2. Next to Custom Domain, click the icon.

  3. In the Configure Custom Domain panel, enter a Domain Name, such as auth.example.com, and click Save.

    PingOne validates the domain name to ensure it isn’t already in use.

    Before the custom domain becomes active, PingOne requires that you provide an appropriate SSL certificate and point your custom domain to a PingOne-supplied canonical name using a CNAME record. The CNAME record proves that your custom domain isn’t already in use and directs requests to your custom domain through your PingOne environment.

Adding the CNAME record to your DNS configuration

After you add the custom domain name, copy the CNAME record from PingOne and add it to your DNS configuration.

Steps

  1. In the PingOne admin console, go to Settings > Domains.

    Result:

    The Custom Domain and Email Trust page opens.

  2. Click the custom domain entry.

  3. Copy the CNAME Record and add it to your DNS configuration.

    Some DNS providers don’t support a trailing period in the CNAME. If you’re using one of these DNS providers, omit the trailing period from the CNAME record.

    The CNAME won’t have a DNS resolution until you complete the steps in Verifying the custom domain name and Adding an SSL certificate.

Verifying the custom domain name

Ensure that you have added a CNAME record to your DNS configuration before starting this task. You can’t verify a custom domain until you update the DNS manager to add the CNAME record value, which consists of your domain name pointing to the canonical name that you copied from PingOne.

Steps

  1. In the PingOne admin console, go to Settings > Domains.

    Result:

    The Custom Domain and Email Trust page opens.

  2. Click the custom domain entry and then click Verify.

    The specifics of DNS configuration depend on your DNS manager. DNS changes can take up to 24 hours to propagate through the internet, so you might need to click Verify several times during that period until the DNS record is found.

Result

PingOne verifies that the CNAME record is associated with the custom domain name you entered. This association is needed to set up domain control and enable the functionality of a custom domain.
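
To see whether the record has propagated before you click Verify again, you can query specific resolvers directly. The shell functions below are an added example, not PingOne tooling; they assume dig is installed, and the function names and the resolver addresses you pass in are your own choices.

```shell
#!/bin/sh
# Added example: confirm the CNAME for a custom domain is visible in DNS
# before clicking Verify. Needs dig.

# Lower-case a DNS name and drop one trailing period, so the value copied from
# PingOne compares equal whether or not your DNS provider kept the final dot.
normalize_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# cname_matches <expected> <observed>: true when both name the same target.
cname_matches() {
    [ -n "$2" ] && [ "$(normalize_name "$1")" = "$(normalize_name "$2")" ]
}

# check_cname <domain> <expected-cname> <resolver>...
# Asks each resolver for the CNAME and reports whether it is visible there.
# Returns 0 only when every resolver already serves the expected target.
check_cname() {
    domain=$1 expected=$2; shift 2
    pending=0
    for resolver in "$@"; do
        observed=$(dig +short +time=3 +tries=1 CNAME "$domain" "@$resolver" | head -n 1)
        if cname_matches "$expected" "$observed"; then
            echo "$resolver: ok"
        else
            echo "$resolver: pending (saw '${observed:-nothing}')"
            pending=1
        fi
    done
    return $pending
}
```

Call it with your domain, the CNAME value copied from PingOne, and one or more resolver addresses; a non-zero exit status means at least one resolver doesn’t serve the record yet.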

Adding an SSL certificate

To enable HTTPS for your custom domain or update a certificate that has expired, make sure you’ve verified your custom domain and then add an SSL certificate from a certificate authority (CA). Learn more in Generating a CSR for a custom domain.

  • Minimum encryption of RSA-2048 or ECDSA-256 is required.

  • Don’t use a self-signed certificate or a certificate signed by a CA that’s internal to your own organization. Certificates must be signed by a globally trusted CA.

  • The certificate must be valid.

  • You can use wildcard and Subject Alternative Name (SAN) certificates, but they must match the domain name.

  • When you reimport a certificate, the key type and size can’t be changed.

  • If you want to change the key type or size, you must delete the custom domain and recreate it using the new certificate. Recreating the domain will also change the CNAME.

Steps

  1. In the PingOne admin console, go to Settings > Domains.

    Result:

    The Custom Domain and Email Trust page opens.

  2. Click the listed custom domain and then click Add SSL Certificate.

  3. In the Add SSL Certificate modal, enter the following information:

    • Private Key: A PEM-encoded unencrypted private key that matches the certificate’s public key.

    • Certificate: A PEM-encoded certificate to import.

    • Intermediate Certificates: A PEM-encoded certificate chain. Do not include the end-entity certificate.

  4. Click Save.

  5. In the SSL Certificate Added modal, click Continue.

    You must update any applications you’ve configured to use the custom domain.

Result

The Custom Domain and Email Trust page shows the custom domain’s SSL Certificate valid until date.
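
The certificate requirements and the three modal fields above can be checked locally before you paste anything into the console. The shell function below is an added example, not PingOne code; it assumes the openssl CLI is installed, and the function name and file arguments are hypothetical. It can’t tell whether the issuing CA is globally trusted, only that the certificate isn’t self-signed.

```shell
#!/bin/sh
# Added example (not PingOne code): pre-flight checks for the PEM files.
# preflight <domain> <key.pem> <cert.pem> [intermediates.pem]
# Prints one FAIL line per problem; returns 0 only when every check passes.
preflight() {
    domain=$1 key=$2 cert=$3 chain=${4:-}
    rc=0
    fail() { echo "FAIL: $1"; rc=1; }
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "FAIL: certificate is not readable PEM"; return 1; }

    # The private key must be unencrypted and pair with the certificate.
    if grep -q 'ENCRYPTED' "$key"; then
        fail "private key is encrypted"
    elif [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" != \
           "$(openssl x509 -in "$cert" -noout -pubkey)" ]; then
        fail "private key does not match the certificate"
    fi

    # Minimum strength: RSA-2048 or ECDSA-256.
    text=$(openssl x509 -in "$cert" -noout -text)
    alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: //p')
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    case $alg in
        rsaEncryption)  min=2048 ;;
        id-ecPublicKey) min=256 ;;
        *) min=0; fail "key type $alg is not RSA or ECDSA" ;;
    esac
    [ "${bits:-0}" -ge "$min" ] || fail "key is ${bits:-0} bits, minimum is $min"

    # Expired, or subject equals issuer (self-signed).
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        fail "certificate has expired"
    [ "$(openssl x509 -in "$cert" -noout -subject_hash)" != \
      "$(openssl x509 -in "$cert" -noout -issuer_hash)" ] ||
        fail "certificate is self-signed"

    # SAN and wildcard matching is done by openssl's own hostname check.
    openssl x509 -in "$cert" -noout -checkhost "$domain" | grep -q 'does match' ||
        fail "certificate does not cover $domain"

    # The intermediates file must not repeat the end-entity certificate.
    if [ -n "$chain" ]; then
        leaf=$(openssl x509 -in "$cert" | grep -v '^-----' | tr -d '\r\n')
        tr -d '\r\n' < "$chain" | grep -qF "$leaf" && fail "intermediates include the end-entity certificate"
    fi
    return $rc
}
```

No output and exit status 0 mean every check passed.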

Testing the custom domain

Test your custom domain to ensure that it resolves to the correct location. After you add a certificate, it can take up to several hours for the changes to propagate through the network.

Steps

  1. Open a web browser, and enter the address of your custom domain, such as https://auth.example.com/myaccount.

  2. Verify that you are presented with the sign-on screen for your application or other appropriate resource.