PingFederate Single Sign-On
Ping Identity·AE_PingFederate_SSO_ConfigurationGuide
Overview
The PingFederate SSO connector configures AlertEnterprise Guardian to federate authentication to Ping Identity PingFederate via SAML 2.0. AE Guardian acts as the SAML Service Provider; PingFederate acts as the Identity Provider. PingFederate is the second-most-common enterprise IdP in financial services after Okta, particularly in customer-managed federation deployments where the customer wants on-prem / private-cloud-hosted IdP infrastructure rather than a SaaS IdP.
The pattern mirrors the adfs-sso, okta-sso and microsoft-entra-id-sso connectors: AE provides metadata XML, and the PingFederate admin imports it as an SP Connection with appropriate attribute contracts (email → Name ID).
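As an added example (not AlertEnterprise or Ping Identity code), the script below checks the SP metadata XML before it is handed to the PingFederate admin for import. The sample metadata, its entityID and ACS URL, and the expectation that `WantAssertionsSigned` is set are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample metadata: entityID, ACS URL and certificate are placeholders.
SAMPLE = f"""<EntityDescriptor xmlns="{MD}" entityID="https://guardian.example.com/sp">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
                   AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>
      <X509Certificate>PLACEHOLDER-NOT-A-REAL-CERT</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <NameIDFormat>{EMAIL}</NameIDFormat>
    <AssertionConsumerService index="0" Binding="{POST}"
        Location="https://guardian.example.com/saml/acs"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

def check_sp_metadata(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor" or not root.get("entityID"):
        return ["root is not an EntityDescriptor with an entityID"]
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return ["no SPSSODescriptor: this is not SP metadata"]
    # Assumption: the deployment wants the IdP to sign assertions.
    if sp.get("WantAssertionsSigned") != "true":
        findings.append("WantAssertionsSigned is not true")
    formats = [e.text.strip() for e in sp.findall(f"{{{MD}}}NameIDFormat") if e.text]
    if EMAIL not in formats:
        findings.append("emailAddress NameIDFormat not declared")
    acs = [e for e in sp.findall(f"{{{MD}}}AssertionConsumerService")
           if e.get("Binding") == POST]
    if not acs:
        findings.append("no HTTP-POST AssertionConsumerService")
    for e in acs:
        if not e.get("Location", "").startswith("https://"):
            findings.append(f"ACS is not HTTPS: {e.get('Location')}")
    cert_path = f"{{{MD}}}KeyDescriptor/{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate"
    certs = sp.findall(cert_path)
    if not any((c.text or "").strip() for c in certs):
        findings.append("no X509 certificate in any KeyDescriptor")
    return findings
```

An empty list from `check_sp_metadata` means the file declares an HTTPS HTTP-POST ACS endpoint, the emailAddress Name ID format and a certificate, which is what the email → Name ID attribute contract on the PingFederate side relies on.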
Architecture
[Diagram: composed from this connector's actors and edges. Trust zones are color-coded; trust crossings render as thicker lines.]
Authentication
1 method supported
AE Guardian SP federates to PingFederate IdP. PingFederate posts a SAML response to AE's ACS endpoint with Name ID set to the user's email.
Prerequisites
Everything that must be in place for this connector to work, with the owner who's responsible.
PingFederate deployment with SP Connection for AE
Owner: customer. An operational PingFederate deployment. The PingFederate admin creates an SP Connection for AE Guardian, imports AE metadata XML, and configures attribute contracts and policy.
User records pre-synced into AE Guardian database
Owner: ae. Same constraint as other SSO connectors: users authenticated by PingFederate must already exist in AE Guardian's database.
Known limitations
Documented constraints to set customer expectations before deployment.
Authentication only — no provisioning or reconciliation
Informational. For Ping-side identity data, use a separate provisioning connector targeting Ping's authoritative source (typically AD / Entra ID / a directory PingFederate fronts).
IAM specifics
- OIDC: yes
- SAML: yes
- SCIM: yes
- JIT provisioning: configurable
- Group sync mode: not-supported
- Source of record: No
MFA enforced by PingFederate authentication policy / Selector. AE Guardian inherits MFA enforcement from the PingFederate policy chain.
- src/connectors/ping-federate-sso/source.pdf — Full configuration guide — 21 pages, updated 2026-02-19