---
title: Ping Identity DevOps Docker Image - <code>pingfederate</code>
description: This docker image includes the Ping Identity PingFederate product binaries and associated hook scripts to create and run both PingFederate Admin and Engine nodes.
component: devops
page_id: devops::docker-images/pingfederate/README
canonical_url: https://developer.pingidentity.com/devops/docker-images/pingfederate/README.html
section_ids:
  devops-ping-identity-devops-docker-image: Ping Identity DevOps Docker Image - pingfederate
  devops-related-docker-images: Related Docker Images
  devops-environment-variables: Environment Variables
  devops-ports-exposed: Ports Exposed
  devops-running-a-pingfederate-container: Running a PingFederate container
  devops-docker-container-hook-scripts: Docker Container Hook Scripts
---

# Ping Identity DevOps Docker Image - `pingfederate`

This Docker image includes the Ping Identity PingFederate product binaries and associated hook scripts to create and run both PingFederate Admin and Engine nodes.

### Related Docker Images

* `pingidentity/pingbase` - Parent Image

  > This image inherits, and can use, Environment Variables from [pingidentity/pingbase](https://devops.pingidentity.com/docker-images/pingbase/)

* `pingidentity/pingcommon` - Common Ping files (i.e. hook scripts)

### Environment Variables

In addition to environment variables inherited from **[pingidentity/pingbase](https://devops.pingidentity.com/docker-images/pingbase/)**, the following `ENV` variables can be used with this image.

| ENV Variable                        | Default                                                    | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| ----------------------------------- | ---------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| BASE                                | ${BASE:-/opt}                                              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| ROOT\_USER                          | administrator                                              | the default administrative user for PingData                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| JAVA\_HOME                          | /opt/java                                                  |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| STAGING\_DIR                        | ${BASE}/staging                                            | Path to the staging area where the remote and local server profiles can be merged                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| OUT\_DIR                            | ${BASE}/out                                                | Path to the runtime volume                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| SERVER\_ROOT\_DIR                   | ${OUT\_DIR}/instance                                       | Path from which the runtime executes                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| IN\_DIR                             | ${BASE}/in                                                 | Location of a local server-profile volume                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| SERVER\_BITS\_DIR                   | ${BASE}/server                                             | Path to the server bits                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| BAK\_DIR                            | ${BASE}/backup                                             | Path to a volume generically used to export or backup data                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| LOGS\_DIR                           | ${BASE}/logs                                               | Path to a volume generically used for logging                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| PING\_IDENTITY\_ACCEPT\_EULA        | NO                                                         | Must be set to 'YES' for the container to start                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| PING\_IDENTITY\_DEVOPS\_FILE        | devops-secret                                              | File name for devops-creds passed as a Docker secret                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| STAGING\_MANIFEST                   | ${BASE}/staging-manifest.txt                               | Path to a manifest of files expected in the staging dir on first image startup                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| CLEAN\_STAGING\_DIR                 | false                                                      | Whether to clean the staging dir when the image starts                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| SECRETS\_DIR                        | /run/secrets                                               | Default path to the secrets                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| TOPOLOGY\_FILE                      | ${STAGING\_DIR}/topology.json                              | Path to the topology file                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| HOOKS\_DIR                          | ${STAGING\_DIR}/hooks                                      | Path where all the hooks scripts are stored                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| CONTAINER\_ENV                      | ${STAGING\_DIR}/.env                                       | Environment property file used to share variables between scripts in the container |
| SERVER\_PROFILE\_DIR                | /tmp/server-profile                                        | Path where the remote server profile is checked out or cloned before being staged prior to being applied on the runtime                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| SERVER\_PROFILE\_URL                |                                                            | A valid git HTTPS URL (not ssh)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| SERVER\_PROFILE\_URL\_REDACT        | true                                                       | When set to "true", the server profile git URL will not be printed to container output.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| SERVER\_PROFILE\_BRANCH             |                                                            | A valid git branch (optional)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| SERVER\_PROFILE\_PATH               |                                                            | The subdirectory in the git repo                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| SERVER\_PROFILE\_UPDATE             | false                                                      | Whether to update the server profile upon container restart                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| SECURITY\_CHECKS\_STRICT            | false                                                      | Requires strict checks on security                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| SECURITY\_CHECKS\_FILENAME          | .jwk .pin                                                  | Perform a check for filenames that may violate security (i.e. secret material)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| UNSAFE\_CONTINUE\_ON\_ERROR         |                                                            | If this is set to true, then the container will provide a hard warning and continue.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| LICENSE\_DIR                        | ${SERVER\_ROOT\_DIR}                                       | License directory                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| PD\_LICENSE\_DIR                    | ${STAGING\_DIR}/pd.profile/server-root/pre-setup           | PD License directory. Separating from above LICENSE\_DIR to differentiate for different products                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| STARTUP\_FOREGROUND\_OPTS           |                                                            | The command-line options to provide to the startup command when the container starts with the server in the foreground. This is the normal start flow for the container. |
| STARTUP\_BACKGROUND\_OPTS           |                                                            | The command-line options to provide to the startup command when the container starts with the server in the background. This is the debug start flow for the container. |
| PING\_IDENTITY\_DEVOPS\_KEY\_REDACT | true                                                       |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| TAIL\_LOG\_FILES                    |                                                            | A whitespace-separated list of log files to tail to the container standard output. DO NOT USE WILDCARDS like /path/to/logs/\*.log |
| COLORIZE\_LOGS                      | true                                                       | If 'true', the output logs will be colorized with GREENs and REDs; otherwise, no colorization will be done. Disabling colorization is useful when tools monitor the logs and colorization gets in the way. |
| LOCATION                            | Docker                                                     | Location default value. If PingDirectory is deployed in multi-cluster mode, that is, K8S\_CLUSTER, K8S\_CLUSTERS and K8S\_SEED\_CLUSTER are defined, LOCATION is ignored and K8S\_CLUSTER is used as the location. |
| LOCATION\_VALIDATION                | true                                                       | Any string denoting a logical/physical location                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| MAX\_HEAP\_SIZE                     | 384m                                                       | Heap size (for java products)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| JVM\_TUNING                         | AGGRESSIVE                                                 |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| JAVA\_RAM\_PERCENTAGE               | 75.0                                                       | Percentage of the container memory to allocate to the PingFederate JVM. DO NOT set to 100% or your JVM will exit with OutOfMemory errors and the container will terminate. |
| VERBOSE                             | false                                                      | Triggers verbose messages in scripts using the set -x option.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| PING\_DEBUG                         | false                                                      | Set the server in debug mode, with increased output                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| PING\_PRODUCT                       |                                                            | The name of Ping product, i.e. PingFederate, PingDirectory - must be a valid Ping product type. This variable should be overridden by child images.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| PING\_PRODUCT\_VALIDATION           | true                                                       | i.e. PingFederate,PingDirectory                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| ADDITIONAL\_SETUP\_ARGS             |                                                            | List of setup arguments passed to Ping Data setup-arguments.txt file                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| LDAP\_PORT                          | 1389                                                       | Port over which to communicate for LDAP                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| LDAPS\_PORT                         | 1636                                                       | Port over which to communicate for LDAPS                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| HTTPS\_PORT                         | 1443                                                       | Port over which to communicate for HTTPS                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| JMX\_PORT                           | 1689                                                       | Port for monitoring over JMX protocol                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| ORCHESTRATION\_TYPE                 |                                                            | The type of orchestration tool used to run the container, normally set in the deployment (.yaml) file. Expected values include: compose, swarm, kubernetes. Defaults to blank (i.e. no type is set). |
| USER\_BASE\_DN                      | dc=example,dc=com                                          | Base DN for user data                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| DOLLAR                              | '$'                                                        | Variable with a literal value of '$', to avoid unwanted variable substitution                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| PD\_ENGINE\_PUBLIC\_HOSTNAME        | localhost                                                  | PD (PingDirectory) public hostname that may be used in redirects                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| PD\_ENGINE\_PRIVATE\_HOSTNAME       | pingdirectory                                              | PD (PingDirectory) private hostname                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| PDP\_ENGINE\_PUBLIC\_HOSTNAME       | localhost                                                  | PDP (PingDirectoryProxy) public hostname that may be used in redirects                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| PDP\_ENGINE\_PRIVATE\_HOSTNAME      | pingdirectoryproxy                                         | PDP (PingDirectoryProxy) private hostname                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| PDS\_ENGINE\_PUBLIC\_HOSTNAME       | localhost                                                  | PDS (PingDataSync) public hostname that may be used in redirects                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| PDS\_ENGINE\_PRIVATE\_HOSTNAME      | pingdatasync                                               | PDS (PingDataSync) private hostname                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| PAZ\_ENGINE\_PUBLIC\_HOSTNAME       | localhost                                                  | PAZ (PingAuthorize) public hostname that may be used in redirects                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| PAZ\_ENGINE\_PRIVATE\_HOSTNAME      | pingauthorize                                              | PAZ (PingAuthorize) private hostname                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| PAZP\_ENGINE\_PUBLIC\_HOSTNAME      | localhost                                                  | PAZP (PingAuthorize-PAP) public hostname that may be used in redirects                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| PAZP\_ENGINE\_PRIVATE\_HOSTNAME     | pingauthorizepap                                           | PAZP (PingAuthorize-PAP) private hostname                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| PF\_ENGINE\_PUBLIC\_HOSTNAME        | localhost                                                  | PF (PingFederate) engine public hostname that may be used in redirects                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| PF\_ENGINE\_PRIVATE\_HOSTNAME       | pingfederate                                               | PF (PingFederate) engine private hostname                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| PF\_ADMIN\_PUBLIC\_BASEURL          | https\://localhost:9999                                    | PF (PingFederate) admin public baseurl that may be used in redirects. PF\_RUN\_PF\_ADMIN\_BASEURL will override this value for PingFederate 11.3 and later.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| PF\_ADMIN\_PUBLIC\_HOSTNAME         | localhost                                                  | PF (PingFederate) admin public hostname that may be used in redirects. PF\_RUN\_PF\_ADMIN\_HOSTNAME will override this value for PingFederate 11.3 and later.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| PF\_ADMIN\_PRIVATE\_HOSTNAME        | pingfederate-admin                                         | PF (PingFederate) admin private hostname                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| PA\_ENGINE\_PUBLIC\_HOSTNAME        | localhost                                                  | PA (PingAccess) engine public hostname that may be used in redirects                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| PA\_ENGINE\_PRIVATE\_HOSTNAME       | pingaccess                                                 | PA (PingAccess) engine private hostname                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| PA\_ADMIN\_PUBLIC\_HOSTNAME         | localhost                                                  | PA (PingAccess) admin public hostname that may be used in redirects                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| PA\_ADMIN\_PRIVATE\_HOSTNAME        | pingaccess-admin                                           | PA (PingAccess) admin private hostname                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| ROOT\_USER\_DN                      | cn=${ROOT\_USER}                                           | DN of the server root user                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| ENV                                 | ${BASE}/.profile                                           |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| PS1                                 | \\${PING\_PRODUCT}:\h:\w\n>                                | Default shell prompt (i.e. productName:hostname:workingDir)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| PATH                                | ${JAVA\_HOME}/bin:${BASE}:${SERVER\_ROOT\_DIR}/bin:${PATH} | PATH used by the container                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| SHIM                                | ${SHIM}                                                    |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| IMAGE\_VERSION                      | ${IMAGE\_VERSION}                                          |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| IMAGE\_GIT\_REV                     | ${IMAGE\_GIT\_REV}                                         |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| DATE                                | ${DATE}                                                    |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| PING\_PRODUCT\_VERSION              | ${VERSION}                                                 |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| PING\_PRODUCT                       | PingFederate                                               | Ping product name                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| LICENSE\_DIR                        | ${SERVER\_ROOT\_DIR}/server/default/conf                   | License directory                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| LICENSE\_FILE\_NAME                 | pingfederate.lic                                           | Name of license file                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| LICENSE\_SHORT\_NAME                | PF                                                         | Short name used when retrieving license from License Server                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| LICENSE\_VERSION                    | ${LICENSE\_VERSION}                                        | Version used when retrieving license from License Server                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| STARTUP\_COMMAND                    | ${SERVER\_ROOT\_DIR}/bin/run.sh                            | The command that the entrypoint will execute in the foreground to instantiate the container                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| PING\_IDENTITY\_PASSWORD            | 2FederateM0re                                              | Password for the administrator user, used for interaction with the admin API |
| TAIL\_LOG\_FILES                    | ${SERVER\_ROOT\_DIR}/log/server.log                        | Files tailed once container has started                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| PF\_LOG\_SIZE\_MAX                  | 10000 KB                                                   | Defines the maximum log file size for ALL appenders |
| PF\_LOG\_NUMBER                     | 2                                                          | Defines the maximum number of log files to retain upon rotation |
| PF\_ADMIN\_PORT                     | 9999                                                       | Defines the port on which the PingFederate administrative console and API run. PF\_RUN\_PF\_ADMIN\_HTTPS\_PORT will override this for PingFederate 11.3 and later. |
| PF\_ENGINE\_PORT                    | 9031                                                       | Defines the port on which PingFederate listens for encrypted HTTPS (SSL/TLS) traffic. PF\_RUN\_PF\_HTTPS\_PORT will override this for PingFederate 11.3 and later.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| PF\_ENGINE\_SECONDARY\_PORT         | -1                                                         | Defines a secondary HTTPS port that can be used for mutual SSL/TLS (client X.509 certificate) authentication for both end users and protocol requests. PF\_RUN\_PF\_SECONDARY\_HTTPS\_PORT (default 9032) will override this value. The default value of -1 disables the port in the product.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| PF\_ENGINE\_DEBUG                   | false                                                      | Flag to turn on PingFederate Engine debugging. Used in run.sh. |
| PF\_ADMIN\_DEBUG                    | false                                                      | Flag to turn on PingFederate Admin debugging. Used in run.sh. |
| PF\_DEBUG\_PORT                     | 9030                                                       | Defines the port on which PingFederate opens up a Java debugging port. Used in run.sh. |
| SHOW\_LIBS\_VER                     | true                                                       | Defines a variable to allow showing library versions in the output at startup. Defaults to true. |
| SHOW\_LIBS\_VER\_PRE\_PATCH         | false                                                      | Defines a variable to allow showing library versions prior to patches being applied. Defaults to false. This is helpful to ensure that the patch process updates all libraries affected. |
| OPERATIONAL\_MODE                   | STANDALONE                                                 | Operational Mode. Indicates the operational mode of the runtime server in run.properties. Options include STANDALONE, CLUSTERED\_CONSOLE, CLUSTERED\_ENGINE. PF\_RUN\_PF\_OPERATIONAL\_MODE will override this for PingFederate 11.3 and later. |
| PF\_CONSOLE\_AUTHENTICATION         |                                                            | Defines mechanism for console authentication in run.properties. Options include none, native, LDAP, cert, RADIUS, OIDC. If not set, default is native. PF\_RUN\_PF\_CONSOLE\_AUTHENTICATION will override this for PingFederate 11.3 and later.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| PF\_ADMIN\_API\_AUTHENTICATION      |                                                            | Defines mechanism for admin api authentication in run.properties. Options include none, native, LDAP, cert, RADIUS, OIDC. If not set, default is native. PF\_RUN\_PF\_ADMIN\_API\_AUTHENTICATION will override this for PingFederate 11.3 and later.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| HSM\_MODE                           | OFF                                                        | Hardware Security Module Mode in run.properties. Options include OFF, AWSCLOUDHSM, NCIPHER, LUNA, BCFIPS. PF\_RUN\_PF\_HSM\_MODE will override this for PingFederate 11.3 and later. |
| PF\_BC\_FIPS\_APPROVED\_ONLY        | false                                                      | Defines a variable that allows instantiating non-FIPS crypto/random                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| PF\_HSM\_HYBRID                     | false                                                      | Hardware Security Module Hybrid Mode. When PF is in Hybrid mode, certs/keys can be created either on the local trust store or on the HSM. This can be used as a migration strategy towards an HSM setup. PF\_RUN\_PF\_HSM\_HYBRID will override this for PingFederate 11.3 and later. |
| PF\_LDAP\_TYPE                      | PingDirectory                                              | This is the type of the LDAP directory server. This property is needed by PingFederate to determine how to handle different implementations between the available LDAP directory server types. Valid options include: ActiveDirectory, SunDirectoryServer, OracleUnifiedDirectory, PingDirectory, and Generic.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| PF\_LDAP\_USERNAME                  |                                                            | This is the username for an account within the LDAP Directory Server that can be used to perform user lookups for authentication and other user level search operations. Set if PF\_CONSOLE\_AUTHENTICATION or PF\_ADMIN\_API\_AUTHENTICATION=LDAP. PF\_LDAP\_LDAP\_USERNAME will override this for PingFederate 11.3 and later. |
| PF\_LDAP\_PASSWORD                  |                                                            | This is the password for the Username specified above. This property should be obfuscated using the 'obfuscate.sh' utility. Set if PF\_CONSOLE\_AUTHENTICATION or PF\_ADMIN\_API\_AUTHENTICATION=LDAP. PF\_LDAP\_LDAP\_PASSWORD will override this for PingFederate 11.3 and later. |
| CLUSTER\_BIND\_ADDRESS              | NON\_LOOPBACK                                              | IP address for cluster communication. Set to NON\_LOOPBACK to allow the system to choose an available non-loopback IP address. PF\_RUN\_PF\_CLUSTER\_BIND\_ADDRESS will override this for PingFederate 11.3 and later.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| PF\_PROVISIONER\_MODE               | OFF                                                        | Provisioner Mode in run.properties. Options include OFF, STANDALONE, FAILOVER. PF\_RUN\_PF\_PROVISIONER\_MODE will override this for PingFederate 11.3 and later. |
| PF\_PROVISIONER\_NODE\_ID           | 1                                                          | Provisioner Node ID in run.properties. Initial active provisioning server node ID is 1. PF\_RUN\_PROVISIONER\_NODE\_ID will override this for PingFederate 11.3 and later. |
| PF\_PROVISIONER\_GRACE\_PERIOD      | 600                                                        | Node group ID in cluster-adaptive.conf file. Does not require a .subst file. Provisioner Failover Grace Period in run.properties. Grace period, in seconds. Default 600 seconds. PF\_RUN\_PROVISIONER\_FAILOVER\_GRACE\_PERIOD will override this for PingFederate 11.3 and later. |
| PF\_JETTY\_THREADS\_MIN             |                                                            | Override the default value for the minimum size of the Jetty thread pool. Leave unset to let the container automatically tune the value according to available resources. PF\_RUN\_PF\_RUNTIME\_THREADS\_MIN will override this for PingFederate 11.3 and later. |
| PF\_JETTY\_THREADS\_MAX             |                                                            | Override the default value for the maximum size of the Jetty thread pool. Leave unset to let the container automatically tune the value according to available resources. PF\_RUN\_PF\_RUNTIME\_THREADS\_MAX will override this for PingFederate 11.3 and later. |
| PF\_ACCEPT\_QUEUE\_SIZE             | 512                                                        | The size of the accept queue. There is generally no reason to tune this but please refer to the performance tuning guide for further tuning guidance. PF\_RUN\_PF\_RUNTIME\_ACCEPTQUEUESIZE will override this for PingFederate 11.3 and later.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| PF\_PINGONE\_REGION                 |                                                            | The region of the PingOne tenant PingFederate should connect with. Valid values are "com", "eu" and "asia". PF\_RUN\_PF\_PINGONE\_ADMIN\_URL\_REGION will override this for PingFederate 11.3 and later. |
| PF\_PINGONE\_ENV\_ID                |                                                            | The PingOne environment ID to use. PF\_RUN\_PF\_PINGONE\_ADMIN\_URL\_ENVIRONMENT\_ID will override this for PingFederate 11.3 and later. |
| PF\_CONSOLE\_TITLE                  | Docker PingFederate                                        | The title featured in the administration console. This is generally used to easily distinguish between environments. PF\_RUN\_PF\_CONSOLE\_TITLE will override this for PingFederate 11.3 and later. |
| PF\_NODE\_TAGS                      |                                                            | This property defines the tags associated with this PingFederate node. Configuration is optional. When configured, PingFederate takes this property into consideration when processing requests. For example, tags may be used to determine the data store location that this PingFederate node communicates with. Administrators may also use tags in conjunction with authentication selectors and policies to define authentication requirements. Administrators may define one tag or a list of space-separated tags. Each tag cannot contain any spaces. Other characters are allowed. Example 1: `PF_NODE_TAGS=north` defines one tag: 'north'. Example 2: `PF_NODE_TAGS=1 123 test` defines three tags: '1', '123' and 'test'. Example 3: `PF_NODE_TAGS=` is also valid because the PF\_NODE\_TAGS property is optional. PF\_RUN\_NODE\_TAGS will override this for PingFederate 11.3 and later. |
| PF\_CONSOLE\_ENV                    |                                                            | This property defines the name of the PingFederate environment that will be displayed in the administrative console, used to make separate environments easily identifiable. PF\_RUN\_PF\_CONSOLE\_ENVIRONMENT will override this for PingFederate 11.3 and later.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| JAVA\_RAM\_PERCENTAGE               | 75.0                                                       | Percentage of the container memory to allocate to the PingFederate JVM. DO NOT set to 100% or your JVM will exit with OutOfMemory errors and the container will terminate. |
| BULK\_CONFIG\_DIR                   | ${OUT\_DIR}/instance/bulk-config                           |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| BULK\_CONFIG\_FILE                  | data.json                                                  |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| ADMIN\_WAITFOR\_TIMEOUT             | 300                                                        | wait-for timeout for the 80-post-start.sh hook script. How long to wait for the PF Admin console to be available. |
| CREATE\_INITIAL\_ADMIN\_USER        | false                                                      | Set to true to create the initial admin user after PingFederate starts up. The initial admin user will only be created on the first startup of the server after the license is accepted.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| ENABLE\_AUTOMATIC\_HEAP\_DUMP       | true                                                       | Set to true to add the following Java flags and enable memory dumps: -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=$PF\_HOME\_ESC/log |

### Ports Exposed

The following ports are exposed from the container. If a variable is used, then it may come from a parent container.

* 9031

* 9999

### Running a PingFederate container

To run a PingFederate container:

```shell
  docker run \
           --name pingfederate \
           --publish 9999:9999 \
           --detach \
           --env SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git \
           --env SERVER_PROFILE_PATH=getting-started/pingfederate \
           --env PING_IDENTITY_ACCEPT_EULA=YES \
           --env PING_IDENTITY_DEVOPS_USER \
           --env PING_IDENTITY_DEVOPS_KEY \
           --tmpfs /run/secrets \
           pingidentity/pingfederate:edge
```

Follow Docker logs with:

```shell
 docker logs -f pingfederate
```

If using the command above with the embedded [server profile](https://devops.pingidentity.com/reference/config/), log in with:

* https://localhost:9999/pingfederate/app

* Username: Administrator

* Password: 2FederateM0re
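
A preflight check for the variables in the Environment Variables table, as an added example that is not part of the image or its hook scripts: it validates an env file against the documented options and applies the `PF_RUN_*` / `PF_LDAP_LDAP_*` override precedence, assuming PingFederate 11.3 or later. The function names, the sample file contents and the WARN/ERROR wording are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not part of the image: preflight check for an env file that
# will be passed to the pingfederate container. Allowed values come from the
# Environment Variables table; override precedence assumes PingFederate 11.3+.

# env_get FILE KEY: print KEY's value (last assignment wins), else nothing.
env_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# effective FILE KEY OVERRIDE: OVERRIDE's value if set, otherwise KEY's.
effective() (
    value=$(env_get "$1" "$3")
    if [ -z "$value" ]; then value=$(env_get "$1" "$2"); fi
    printf '%s' "$value"
)

# check_enum LABEL VALUE CHOICE...: report a set value outside the options.
# An empty VALUE is accepted because the image default then applies.
check_enum() (
    label=$1; value=$2; shift 2
    if [ -z "$value" ]; then exit 0; fi
    for choice in "$@"; do
        if [ "$value" = "$choice" ]; then exit 0; fi
    done
    echo "ERROR: $label=$value is not one of: $*"
)

# pf_findings FILE: print one ERROR or WARN line per problem found.
pf_findings() (
    file=$1
    check_enum OPERATIONAL_MODE \
        "$(effective "$file" OPERATIONAL_MODE PF_RUN_PF_OPERATIONAL_MODE)" \
        STANDALONE CLUSTERED_CONSOLE CLUSTERED_ENGINE
    check_enum HSM_MODE "$(effective "$file" HSM_MODE PF_RUN_PF_HSM_MODE)" \
        OFF AWSCLOUDHSM NCIPHER LUNA BCFIPS

    # Console and admin API authentication share the same option list.
    ldap=no
    for key in PF_CONSOLE_AUTHENTICATION PF_ADMIN_API_AUTHENTICATION; do
        mode=$(effective "$file" "$key" "PF_RUN_$key")
        check_enum "$key" "$mode" none native LDAP cert RADIUS OIDC
        case $mode in
            none) echo "WARN: $key=none selects no authentication mechanism" ;;
            LDAP) ldap=yes ;;
        esac
    done
    if [ "$ldap" = yes ]; then
        for field in USERNAME PASSWORD; do
            if [ -z "$(effective "$file" "PF_LDAP_$field" "PF_LDAP_LDAP_$field")" ]; then
                echo "ERROR: PF_LDAP_$field must be set for LDAP authentication"
            fi
        done
    fi

    # Debug flags: PF_DEBUG_PORT defaults to 9030 per the table.
    port=$(env_get "$file" PF_DEBUG_PORT)
    for key in PF_ENGINE_DEBUG PF_ADMIN_DEBUG; do
        if [ "$(env_get "$file" "$key")" = true ]; then
            echo "WARN: $key=true; keep debug port ${port:-9030} unpublished"
        fi
    done

    # The table warns against giving the JVM 100% of container memory.
    ram=$(env_get "$file" JAVA_RAM_PERCENTAGE)
    if [ -n "$ram" ] && awk -v v="$ram" 'BEGIN { exit !(v + 0 >= 100) }'; then
        echo "ERROR: JAVA_RAM_PERCENTAGE=$ram must stay below 100"
    fi
)

# pf_preflight FILE: print findings; status 1 if any ERROR was reported.
pf_preflight() (
    findings=$(pf_findings "$1")
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; fi
    case $findings in *ERROR:*) exit 1 ;; esac
    exit 0
)

# write_sample_env FILE: constructed input containing deliberate mistakes.
write_sample_env() {
    cat > "$1" <<'EOF'
OPERATIONAL_MODE=CLUSTERED_CONSOLE
PF_CONSOLE_AUTHENTICATION=native
PF_RUN_PF_CONSOLE_AUTHENTICATION=LDAP
PF_ADMIN_API_AUTHENTICATION=none
PF_LDAP_USERNAME=cn=pf-lookup,ou=svc,dc=example,dc=com
HSM_MODE=SOFTHSM
PF_ADMIN_DEBUG=true
JAVA_RAM_PERCENTAGE=100
EOF
}

# Demo on the constructed sample.
sample=$(mktemp)
write_sample_env "$sample"
pf_preflight "$sample" || echo "preflight failed; fix the ERROR lines first"
rm -f "$sample"
```

Run it against the same file that is later given to `docker run --env-file`, and treat WARN lines as items to review rather than hard failures.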

### Docker Container Hook Scripts

Please go [here](https://github.com/pingidentity/pingidentity-devops-getting-started/tree/master/docs/docker-images/pingfederate/hooks/README.md) for details on all pingfederate hook scripts.

***

This document is auto-generated from *[pingfederate/Dockerfile](https://github.com/pingidentity/pingidentity-docker-builds/blob/master/pingfederate/Dockerfile)*

Copyright © 2026 Ping Identity Corporation
