PingOne Advanced Identity Cloud

Configure federated access for tenant administrators

Federated access lets tenant administrators use your company’s single sign-on (SSO) to sign on to your PingOne Advanced Identity Cloud tenant environments.

By using federation to authenticate your tenant administrators to Advanced Identity Cloud, you can quickly and easily provision and deprovision users from your centralized identity provider (IdP) instead of managing them separately in each Advanced Identity Cloud tenant environment.

The groups feature allows you to add and remove tenant administrators depending on their group membership in your IdP. You can also specify the level of administrator access (super administrator[1] or tenant administrator) for groups of users.

Advanced Identity Cloud lets you configure federated access in two main ways:

Configure federated access using PingOne

You can configure PingOne as a federation IdP for PingOne Advanced Identity Cloud. To do this, configure it in PingOne itself. Learn more in Set up SSO to PingOne Advanced Identity Cloud.

After you configure PingOne as a federation IdP, each configured tenant environment in Advanced Identity Cloud automatically displays PingOne in its list of federation IdPs:

  1. Sign on to the Advanced Identity Cloud admin UI for any of the environments you configured for federated access using PingOne.

  2. Go to Tenant settings.

  3. Click Federation.

  4. If configured correctly in PingOne, the list contains a PingOne federation IdP:

    [Image: federation PingOne list item]

  5. Click the PingOne list item to view its configuration settings page. For PingOne, this is a basic page containing the Status and the Well-Known Endpoint of the PingOne federation IdP:

    [Image: federation PingOne configuration settings page]

If you configure a federation IdP in PingOne, the corresponding Advanced Identity Cloud tenant environments are configured automatically. You do not need to promote configuration changes.

Configure federated access using PingOne Advanced Identity Cloud

You can configure the following federation IdPs using the Advanced Identity Cloud admin UI:

  • Entra ID[2] using OIDC.

  • AD FS using OIDC.

  • Any other federation IdP that’s OIDC compliant.

If you configure a federation IdP using the Advanced Identity Cloud admin UI, you must do so in your development environment and promote the configuration changes. You must also store the federation IdP secrets for each of your environments in ESV secrets and set corresponding placeholders in your configuration. Learn more in Configure federated access across your tenant environments.

Configure federated access across your tenant environments

The high-level process to set up federated access across your tenant environments is as follows:

  1. Set up a federation IdP for each of your tenant environments and note the client secrets.

  2. In your development environment:

    1. Follow the instructions in Configure a mutable environment to use a federation IdP, entering the federation IdP values for your development environment. These values will be replaced by ESVs in the following steps.

    2. Create the following ESVs to substitute into configuration:

      • Federation IdP fields:

        Field                    ESV type
        Client ID                Variable
        Well-known endpoint      Variable
        Authorization endpoint   Variable
        Client secret            Secret
        Issuer                   Variable
        Redirect URI             Variable
        Token endpoint           Variable

      • (Optional) Federation IdP groups fields:

        Field                              ESV type
        Super administrators[1] group ID   Variable
        Tenant administrators group ID     Variable

    3. Restart Advanced Identity Cloud services.

    4. Use the following instructions to update the federation IdP configuration:

  3. (Optional) If you have a UAT[3] environment, adapt the next step to suit the revised promotion order. Learn more in Additional UAT environments.

  4. In your staging environment:

    1. Repeat step 2b for your staging environment. Ensure the ESV names are the same as you set up in the development environment.

    2. Run a promotion to move the configuration change from your development environment to your staging environment. Learn more in:

  5. In your production environment:

    1. Repeat step 2b for your production environment. Ensure the ESV names are the same as you set up in the development environment.

    2. Run a further promotion to move the configuration change from your staging environment to your production environment.

  6. (Optional) If you have a sandbox[4] environment:

    1. Repeat step 2a for your sandbox environment.

    2. (Optional) Repeat steps 2b to 2d for your sandbox environment.

  7. Configure federation sign-on requirements in each environment.

Ensure that the federation IdP for each environment is configured with a redirect URL. If you are using the same federation IdP for your sandbox[4], development, UAT[3], staging, and production environments, ensure that it is configured with redirect URLs for each environment.

Set up a federation IdP

You can find instructions for setting up a federation IdP in the following guides:

Configure a mutable environment to use a federation IdP

After you’ve set up a federation IdP, you can configure it in a mutable environment (development or sandbox[4]) to provide federated access to tenant administrators.

To understand how the instructions in this section fit into the process of configuring federated access across your tenant environments, refer to step 2a in the high-level process.

  1. Sign on to the Advanced Identity Cloud admin UI of your mutable environment (development or sandbox[4]) as a super administrator[1].

  2. Go to Tenant settings.

  3. Click Federation.

  4. Click + Identity Provider.

  5. Select the federation provider to use:

    • Microsoft Azure

    • ADFS

    • OIDC

  6. Click Next.

  7. Follow the steps on the Configure Application page and click Next.

  8. On the Identity Provider Details page:

    1. Complete the following fields:

      • Name: The name of the provider.

      • Application ID: The ID for the application.

      • Application Secret: The client secret for the application.

      • Well-known Endpoint:

        • For Entra ID, this is the URL from the OpenID Connect metadata document field. In the URL, make sure to replace organization with the actual tenant ID for your tenant.

        • For AD FS, this is the endpoint from the OpenID Connect section.

        • For OIDC, refer to your IdP vendor’s documentation on locating a client’s well-known endpoint.

        When you populate the Well-known Endpoint field with a valid URL, the following fields are automatically populated:

        • Authorization Endpoint: The endpoint for authentication and authorization. The endpoint returns an authorization code to the client.

        • Token Endpoint: The endpoint that receives an authorization code. The endpoint returns an access token.

        • User Info Endpoint: The endpoint that receives an access token. The endpoint returns user attributes.

      • (For OIDC only): OAuth Scopes: The scopes the application uses for user authentication. The default scopes are openid, profile, and email.

      • (For OIDC only): Client Authentication Method: Options are client_secret_post and client_secret_basic. The default option is client_secret_post.

      • Button Text: The text for the application button.

    2. Click Save. By default all users are given the tenant administrator level of access when they access the tenant using your IdP. To give some or all users the super administrator[1] level of access, configure groups in the next step.

  9. (Optional) Configure group membership to determine administrator access level (super administrator[1] or tenant administrator).

    1. Set up groups in your IdP:

    2. On the Identity Provider Details page:

      1. Select one of the following options:

        • For Entra ID: Enable Use group membership to allow federated login to Ping Identity.

        • For AD FS: Enable Use ADFS group membership to allow federated login to Ping Identity.

        • For OIDC: Enable Use OIDC group membership to allow federated login to Ping Identity.

      2. Enter the name of the group claim in the Group Claim Name field. For example, groups.

        By default, Entra ID sends the ID of the group. You might need to configure it to send the name of the group.
      3. To apply an access level to specific IdP groups:

        • To apply the super administrator[1] access level:

          1. Locate the Group Identifiers field to the left of Super Admins.

          2. Enter one or more group identifiers. For example, 8c578f67-cac4-49eb-8f28-8e4f2c22945e.

        • (Optional) To apply the tenant administrator access level:

          1. Locate the Group Identifiers field to the left of Tenant Admins.

          2. Enter one or more group identifiers. For example, 3623050d-3604-45a2-942e-f6be9ec9f9ed.

      4. Click Save.
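The following Python is an added illustration, not part of the Ping Identity documentation or product. It models the two parts of the Identity Provider Details page that the procedure above leaves to the product: deriving the authorization, token and user info endpoints from a well-known document (rejecting a document whose issuer does not match the location it was fetched from, the usual symptom of a tenant placeholder left unreplaced in the metadata URL), and mapping the group claim in an ID token to an access level using the Group Identifiers rules of step 9. The discovery documents, hosts and claim shapes are constructed sample data; the two group identifiers are the example values used on this page; treating a user who matches none of the configured groups as having no federated access is an assumption made for the example.

```python
"""Added example, not Ping Identity's code: it models the two automated parts of
the Identity Provider Details page, deriving endpoints from an OIDC well-known
document and mapping the IdP group claim to an administrator access level. The
discovery documents, hosts and claims below are constructed sample data."""
import json
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint")
SUPER_ADMIN = "super administrator"
TENANT_ADMIN = "tenant administrator"


def discover_endpoints(well_known_url: str, document: str) -> dict:
    """Return the issuer and the three endpoints the Well-known Endpoint field
    auto-populates, refusing what a careful operator should not accept: a
    non-HTTPS URL, a missing endpoint, or an issuer that does not match the
    document's location (OIDC Discovery places the document at
    <issuer>/.well-known/openid-configuration)."""
    parsed = urlparse(well_known_url)
    if parsed.scheme != "https" or not parsed.path.endswith(DISCOVERY_SUFFIX):
        raise ValueError("well-known endpoint must be https and end in " + DISCOVERY_SUFFIX)
    meta = json.loads(document)
    missing = [key for key in REQUIRED if key not in meta]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    issuer_path = parsed.path[: -len(DISCOVERY_SUFFIX)].rstrip("/")
    expected_issuer = f"{parsed.scheme}://{parsed.netloc}{issuer_path}"
    if meta["issuer"].rstrip("/") != expected_issuer:
        # Typical cause: the tenant placeholder in an Entra ID metadata URL was
        # left unreplaced, so the document describes a templated issuer.
        raise ValueError(f"issuer {meta['issuer']!r} does not match {expected_issuer!r}")
    for key in REQUIRED[1:]:
        if urlparse(meta[key]).scheme != "https":
            raise ValueError(f"{key} is not an https URL")
    return {key: meta[key] for key in REQUIRED}


def discovery_problem(well_known_url: str, document: str):
    """Convenience wrapper: the validation error message, or None if accepted."""
    try:
        discover_endpoints(well_known_url, document)
    except ValueError as err:
        return str(err)
    return None


def resolve_access_level(claims: dict, group_claim: str,
                         super_admin_groups: set, tenant_admin_groups: set):
    """Apply the Group Identifiers rules: a Super Admins group wins; a Tenant
    Admins group gives tenant administrator; with no Tenant Admins groups
    configured, every other federated user is a tenant administrator (the page's
    default). A user matching none of the configured groups gets None, which this
    example treats as no federated access (an assumption, not page text)."""
    groups = claims.get(group_claim, [])
    if isinstance(groups, str):  # some IdPs emit a lone group as a bare string
        groups = [groups]
    groups = set(groups)
    if groups & super_admin_groups:
        return SUPER_ADMIN
    if not tenant_admin_groups or groups & tenant_admin_groups:
        return TENANT_ADMIN
    return None


# Constructed sample data (not real tenants). The group IDs are the page's examples.
GOOD_URL = "https://idp.example.test/adfs" + DISCOVERY_SUFFIX
GOOD_DOC = json.dumps({
    "issuer": "https://idp.example.test/adfs",
    "authorization_endpoint": "https://idp.example.test/adfs/oauth2/authorize/",
    "token_endpoint": "https://idp.example.test/adfs/oauth2/token/",
    "userinfo_endpoint": "https://idp.example.test/adfs/userinfo",
})
# Same shape as an Entra ID metadata URL whose tenant placeholder was not replaced.
BAD_URL = "https://login.example.test/organizations/v2.0" + DISCOVERY_SUFFIX
BAD_DOC = json.dumps({
    "issuer": "https://login.example.test/{tenantid}/v2.0",
    "authorization_endpoint": "https://login.example.test/organizations/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.example.test/organizations/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.example.test/oidc/userinfo",
})
SUPER_GROUPS = {"8c578f67-cac4-49eb-8f28-8e4f2c22945e"}
TENANT_GROUPS = {"3623050d-3604-45a2-942e-f6be9ec9f9ed"}

if __name__ == "__main__":
    print(discover_endpoints(GOOD_URL, GOOD_DOC)["token_endpoint"])
    print(discovery_problem(BAD_URL, BAD_DOC))
    token_claims = {"sub": "alice", "groups": list(TENANT_GROUPS)}
    print(resolve_access_level(token_claims, "groups", SUPER_GROUPS, TENANT_GROUPS))
```

The issuer check is the one worth keeping in mind when you paste a metadata URL: an endpoint that resolves and returns valid JSON can still describe the wrong issuer, and the auto-populated Authorization and Token Endpoint fields will then point at the wrong authority.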

Configure federation sign-on requirements

After you have enabled federated access to your tenant environments, you can choose how strictly to enforce it. It can be enforced for just tenant administrators or for both tenant administrators and super administrators[1]. These settings are stored in dynamic configuration, so they need to be configured separately in each environment.

To understand how the instructions in this section fit into the process of configuring federated access across your tenant environments, refer to step 5 in the high-level process.

  1. Sign on to the Advanced Identity Cloud admin UI as a super administrator[1].

  2. Go to Tenant settings, then click the Federation tab.

  3. In the Enforcement section, click Edit.

  4. On the Edit Tenant Federation Enforcement page, select one of the following items:

    • Optional for All Admins: Allow all administrators to use either their Advanced Identity Cloud credentials or federated access to sign on.

    • Required for All Admins Except Super Admins: Require all administrators that are not super administrators to use federated access to sign on. Super administrators can use their Advanced Identity Cloud credentials or federated access to sign on.

    • Required for All Admins: Require all administrators to use federated access to sign on. If you choose this option and subsequently need to switch to a lower enforcement level, you must create a support case in the Ping Identity Support Portal.

  5. Click Update. It can take about 10 minutes for the changes to take effect.

  6. On the Change Federation Enforcement? modal:

    • To confirm your changes, click Confirm.

    • To cancel your changes, click Cancel.

Deactivate a federation IdP

You can deactivate a federation IdP and reactivate it later. For example, you might want to deactivate a federation IdP if the provider is experiencing technical issues. If you deactivate all federation IdPs for a tenant, tenant administrators can no longer use federation to sign on to the tenant.

You can only deactivate a federation IdP if one of the following is true:

  • Optional for All Admins is selected as the federation enforcement level (learn more in Configure federation sign-on requirements).

  • More than one federation IdP is enabled in the Advanced Identity Cloud tenant.

To deactivate a federation IdP:

  1. Sign on to the Advanced Identity Cloud admin UI of your development environment as a super administrator[1].

  2. Go to Tenant settings, then click Federation.

  3. Perform one of the following actions:

    • To deactivate a federation IdP, click the ellipsis icon to the right of an active federation IdP, then click Deactivate.

    • To activate a federation IdP, click the ellipsis icon to the right of a deactivated federation IdP, then click Activate.

  4. Run a series of promotions to move the updated configuration to your UAT[3], staging, and production environments.

Rotate a federation IdP client secret

Most IdPs force you to rotate the client secrets they generate by setting an expiry on the secret. To ensure that federated access continues uninterrupted, you must create and configure a new client secret before the old one expires. If the client secret is stored in an ESV, you can rotate it by creating a new secret version.

For your development, UAT[3], staging, or production environment:

  1. In the IdP’s UI:

    1. Locate the client configured for the Advanced Identity Cloud environment.

    2. Create a new secret and make a note of it:

      • For Azure AD, add a new client secret to the application.

      • For AD FS, reset the client secret for the application group.

      • For OIDC, refer to your IdP vendor’s documentation on creating a new client secret.

  2. In Advanced Identity Cloud admin UI:

    1. Add a new secret version to the ESV secret using the value of the new federation IdP secret from the previous step. Learn more in Update an ESV referenced by a configuration placeholder.

    2. Restart Advanced Identity Cloud services.
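As an added illustration (not Ping Identity's code), the following Python models two pieces of the workflow on this page: the per-environment ESVs that resolve placeholders in the single federation IdP configuration promoted from development (step 2b of the high-level process and its repeats in staging and production), and the rotation just described, where a new secret version is added and becomes the value the placeholder resolves to. The &{esv.<name>} placeholder syntax, the ESV names, hosts, secret values and expiry dates are assumptions constructed for the example; the staging environment deliberately misnames one ESV to show why the names must match those created in development.

```python
"""Added example, not Ping Identity's code: a small model of how one promoted
federation IdP configuration is resolved from environment-specific ESVs, plus
the secret-version rotation described under "Rotate a federation IdP client
secret". The &{esv.<name>} placeholder syntax, ESV names, hosts, secrets and
dates are all constructed for this illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
import re

PLACEHOLDER = re.compile(r"&\{esv\.([a-z0-9.-]+)\}")


@dataclass
class Esv:
    """One ESV: a 'variable' holds a single value, a 'secret' holds versions,
    the latest being active. `expires` tracks the secret's expiry at the IdP."""
    kind: str
    versions: list = field(default_factory=list)
    expires: Optional[date] = None

    @property
    def value(self) -> str:
        return self.versions[-1]


# The configuration promoted from development is identical in every environment:
# it names ESVs, so the client secret never rides along in promoted config.
FEDERATION_CONFIG = {
    "clientId": "&{esv.federation.client.id}",
    "clientSecret": "&{esv.federation.client.secret}",
    "wellKnownEndpoint": "&{esv.federation.well-known}",
    "redirectUri": "&{esv.federation.redirect-uri}",
}


def missing_esvs(config: dict, esvs: dict) -> list:
    """ESV names the config references but this environment does not define;
    a non-empty result means step 2b was not repeated with identical names."""
    wanted = {m.group(1) for raw in config.values() for m in PLACEHOLDER.finditer(raw)}
    return sorted(wanted - set(esvs))


def resolve(config: dict, esvs: dict) -> dict:
    """Substitute every placeholder from the environment's ESVs."""
    gaps = missing_esvs(config, esvs)
    if gaps:
        raise KeyError(f"ESVs not defined in this environment: {gaps}")
    return {key: PLACEHOLDER.sub(lambda m: esvs[m.group(1)].value, raw)
            for key, raw in config.items()}


def secret_in_plain(config: dict) -> bool:
    """Promotion hygiene: True if clientSecret is a literal instead of a placeholder."""
    return PLACEHOLDER.fullmatch(config["clientSecret"]) is None


def needs_rotation(esv: Esv, today: date, lead: timedelta = timedelta(days=30)) -> bool:
    """A secret is due for rotation when its IdP expiry falls within the lead time."""
    return esv.kind == "secret" and esv.expires is not None and esv.expires - today <= lead


def rotate(esv: Esv, new_value: str, new_expiry: date) -> Esv:
    """Add a new secret version; the old one stays in history, and the placeholder
    resolves to the new one after the service restart the page requires."""
    esv.versions.append(new_value)
    esv.expires = new_expiry
    return esv


def sample_environments() -> dict:
    """Constructed ESV sets. Staging deliberately misnames one ESV to show the failure."""
    def env(prefix: str, secret: str, expiry: date) -> dict:
        return {
            "federation.client.id": Esv("variable", [f"{prefix}-client-id"]),
            "federation.client.secret": Esv("secret", [secret], expiry),
            "federation.well-known": Esv("variable",
                [f"https://idp.example.test/{prefix}/.well-known/openid-configuration"]),
            "federation.redirect-uri": Esv("variable", [f"https://{prefix}.example.test/callback"]),
        }
    envs = {
        "development": env("dev", "dev-secret-v1", date(2025, 3, 1)),
        "staging": env("stg", "stg-secret-v1", date(2025, 9, 1)),
        "production": env("prod", "prod-secret-v1", date(2025, 9, 1)),
    }
    envs["staging"]["federation.redirect-url"] = envs["staging"].pop("federation.redirect-uri")
    return envs


if __name__ == "__main__":
    envs = sample_environments()
    print(resolve(FEDERATION_CONFIG, envs["development"]))
    print("staging gaps:", missing_esvs(FEDERATION_CONFIG, envs["staging"]))
    secret = envs["development"]["federation.client.secret"]
    if needs_rotation(secret, date(2025, 2, 10)):
        rotate(secret, "dev-secret-v2", date(2026, 2, 10))
    print(resolve(FEDERATION_CONFIG, envs["development"])["clientSecret"])
```

The missing_esvs check is the one to run before each promotion: the promoted configuration only carries names, so a name that differs between development and staging surfaces only when the placeholder fails to resolve in the target environment.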


1. A super administrator is a tenant administrator with elevated permissions for configuring tenant administrators and federated tenant access. Learn more in Types of administrators.
2. Microsoft Entra ID used to be known by the name Microsoft Azure AD. Learn more in New name for Azure Active Directory.