PingOne

Integrating an existing PingID account with an existing PingOne environment

You can integrate an existing PingID account with an existing PingOne environment.

Before you begin

Before you begin, read What you need to know before integrating or migrating a PingID account into a PingOne environment.

Integration with a PingOne environment should be considered a permanent change. Make sure you connect the correct PingOne environment because after integration is complete this change cannot be rolled back.

Before the integration process starts, PingOne performs several validations to ensure the PingID account is compatible with the PingOne environment. Before you start the integration process, you can do several checks to minimize the possibility of the validation failing.

Make sure that:

  • You have the necessary licenses:

    • Your PingOne license must covers the same number of unique user accounts that exist in your PingID account.

The PingOne license must be sufficient to cover all user accounts unique to PingID that will be added to the PingOne environment.

  • Your PingID account license must still be valid.

    To update a license, contact your Ping Identity representative.

    • The PingOne environment that you create is in the same region as your PingID environment.

    • PingOne MFA is not added as a service.

    • Even if PingOne MFA is not added as a service, if the environment includes PingOne SSO, make sure that no paired MFA devices have been added to the PingOne environment.

      Learn more in User Devices report.

    • For environments that use DaVinci flows, the PingOne MFA connector is not included in any existing flows.

    • The user accounts in your PingID environment do not include any duplicate users or usernames that contain unsupported characters. You’ll have the opportunity to fix issues during the PingID account validation process. Learn more about how to fix issues before you begin and find more detailed technical information in "Duplicate users found" error when attempting to connect a PingID environment to PingOne in the Ping Identity Support Portal.

    • Some policy rules are deprecated in PingOne. You’ll need to remove them from the legacy PingID web portal before you start the integration:

  • Remove the Mobile OS version rule from any PingID polices. In PingOne, the functionality in this rule is provided by the Device Requirements. To ensure existing Mobile OS version rule functionality is migrated to PingOne:

    • Before migration, in the legacy PingID admin portal, go to Device Requirements section of the PingID application.

  • Remove the location-based part of the following rules:

    • Access from the company network rule

    • Recent authentication from the office rule

    • Recent authentication from company network rule

  • In PingOne environments, the Limit Push Notification Rule is updated to a configuration in the MFA policy. If you have the rule defined in the PingID admin portal, you’ll be asked to redefine it during the integration process.

About this task

Integrate your existing PingID account with an existing PingOne environment so that you can:

  • Manage PingID users from PingOne

  • Allow users to manage their devices using MyAccount.

  • Apply a FIDO policy to PingID user accounts.

  • Bring Your Own (BYO) SMS or Voice account

  • Implement a Windows login passwordless flow.

Steps

  1. Go to the PingOne admin console, open the PingOne environment that you want to use and click the Overview tab.

  2. In the Services area, click +, select PingID, and then select Integrate an existing PingID account.

    If the PingOne environment did not include PingOne SSO, it is added automatically.

    Screen capture of the add service wizard showing selected and the option to Integrate an existing PingID account selected.

  3. Enter the username and password for the PingID account you want to integrate and then click Validate Account.

    Screen capture of the Validate your PingID Account window, asking you to sign in to the PingID account that you want to integrate with PingOne. Username and password fields and a Valdiate Account button are shown.

    • Do not close the window during the validation process, which can take several minutes.

    • The validation wizard lists any issues that cause the validation to fail. Some issues can be fixed during the validation process. Others, such as licensing issues, must be fixed independently. Fix all issues, then rerun the validation, if required.

    You’ll see the Validation Successful status.

    A screen capture of the migration summary window, indicating that Policy rules are valid

  4. Click Next.

    PingOne performs a review of the user accounts in PingID and PingOne and provides a list of actions required before migration. It also provides a summary of the user distribution indicating the number of accounts that are unique to PingID or PingOne and the number that they have in common (Identical Users).

    The Review User Accounts window displays only the actions required that are relevant to your integration.

    A screen capture of the Review User Accounts window, showing three sections that might require action. The first to identify and delete any users accounts that should not be migrated, the second to select which attribute source to use for user accounts that appear in both PingID and PingOne but have mismatching attributes, and the third to select the PingOne population to which to add PingID users

  5. Perform the actions listed for the user accounts you want to integrate, and then click Next.

    • If you have user accounts that only appear in either PingID or PingOne, or have mismatching attributes within the same user account, you’ll need to fix them. Click Download next to the relevant section to download a report to help you.

    • For user accounts that are unique to PingID, select the population in which you want to create those user accounts in PingOne.

    You’ll see the Migrate PingID Account to PingOne window.

    Screen capture that informs the admin that Migration can take several hours,depending on the number of users and paired authentication methods in the PingID and PingOne tenants, and that it’s not possible to perform user or admin-related administrative actions relating to authentication methods including pairing, unpairing, updating, or modify any configurations. Users can continue to authenticate with authentication methods that are already paired. The window includes a checkbox to indicate the admin understands this and wants to continue, and a Finish button.

    • Migration can take several hours, depending on the number of users and paired authentication methods in the PingID and PingOne tenants. During migration, you can’t perform user or admin administrative actions relating to authentication methods including pairing, unpairing, updating, or modify any configurations.

    • Users can continue to authenticate with authentication methods that are already paired.

  6. Click I understand and want to continue, and then click Finish.

    You can check progress in the Services area of the Overview tab.

    A screen capture of the Services area of the Overview tab, showing the PingID service, with a grey progress icon and a tooltip indicating Connection is in progress, check back later. This icon changes to green when connection is complete

    When integration is complete, the PingID services status icon turns green.

    If the migration fails, a message shows indicating when you can retry migration (usually after 24 hours) and includes a link to the PingID migration report. View the report and fix any issues before you restart this procedure. If you require further help, contact your Ping Identity support representative.

Result

You can now manage your users through PingOne. Although most of the PingID APIs are still supported, you should use the PingOne APIs when working out of PingOne. Learn more in What you need to know before integrating or migrating a PingID account into a PingOne environment.

Consider any post-requisites that might be required for your environment. Learn more in Considerations after integrating or migrating a PingID account into a PingOne environment.

Learn more about allowing your users to manage their devices using MyAccount in Self service.

Learn more about creating and managing FIDO policies in FIDO policies.

Learn more about BYO Telephony in Using a custom provider account with PingOne.

Learn more about implementing a Windows login passwordless flow in Creating and configuring a passwordless Windows login application in PingOne.