PingOne Platform APIs

Administrator Security

Use the administrator security endpoints to read and update environment administrator sign-on settings. By default, MFA is enforced for administrators. You can use the PUT operation to:

  • Use an external identity provider or a hybrid configuration by making a request to PUT {{apiPath}}/environments/{{envID}}/adminConfig and setting the authenticationMethod property.

  • Require MFA for all admin sign-ons. In this case, use PingOne as the value of authenticationMethod, set the mfaStatus value to ENFORCE, and the allowedMethods to the MFA methods you want to enable.

Refer to Configuring Administrator Security in the PingOne administrator documentation for more information.

Misconfiguring an external IdP can result in a lockout.

Administrator security data model

| Property | Type | Required? | Mutable? | Description |
|---|---|---|---|---|
| allowedMethods | Object | Optional | Mutable | Indicates the methods to enable or disable for admin sign-on. Required properties are TOTP (temporary one-time password), FIDO2, and EMAIL. |
| allowedMethods.EMAIL | String | Required | Mutable | Indicates whether to enable email for sign-on. Must be set to either {\"enabled\":true} or {\"enabled\":false}. |
| allowedMethods.FIDO2 | String | Required | Mutable | Indicates whether to enable FIDO2 for sign-on. Must be set to either {\"enabled\":true} or {\"enabled\":false}. |
| allowedMethods.TOTP | String | Required | Mutable | Indicates whether to enable TOTP for sign-on. Must be set to either {\"enabled\":true} or {\"enabled\":false}. |
| authenticationMethod | String | Required | Mutable | Indicates whether to use PingOne MFA, an external IdP, or a combination of both for admin sign-on. Possible values are PINGONE, EXTERNAL, or HYBRID. The default is PINGONE. |
| createdAt | Date | N/A | Read-only | The timestamp the resource was created. |
| environment.id | UUID | N/A | Read-only | The ID of the environment. |
| hasFido2Capabilities | Boolean | N/A | Read-only | Indicates whether the environment supports FIDO2 passkeys for MFA. |
| isPingIDInBOM | Boolean | N/A | Read-only | Indicates whether the environment supports PingID for MFA. |
| mfaStatus | String | Required | Immutable | This property must be set to ENFORCE as MFA is required for administrator sign-ons. This property applies only to the specified environment. |
| provider.id | UUID | Optional | Mutable | The UUID of the external IdP, if applicable. |
| recovery | Boolean | Required | Mutable | Indicates whether to allow account recovery within the admin policy. |
| updatedAt | Date | N/A | Read-only | The timestamp the resource was last updated. |
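
A pre-flight check for a PUT {{apiPath}}/environments/{{envID}}/adminConfig body, built from the data model above, so that a malformed or lockout-prone configuration is caught before it is sent. This is an added example, not code from the PingOne documentation; the function names check_admin_config and toggle are hypothetical. It assumes that dotted names such as provider.id denote nested JSON objects, that each allowedMethods value is sent as the string shown in the table, and that provider.id is needed whenever authenticationMethod is EXTERNAL or HYBRID.

```python
import json

# Names and allowed values below are taken from the data model table.
READ_ONLY = {"createdAt", "updatedAt", "environment",
             "hasFido2Capabilities", "isPingIDInBOM"}
AUTH_METHODS = ("PINGONE", "EXTERNAL", "HYBRID")
MFA_METHODS = ("TOTP", "FIDO2", "EMAIL")


def toggle(enabled):
    """Build the string value the table requires, e.g. '{"enabled":true}'."""
    return json.dumps({"enabled": bool(enabled)}, separators=(",", ":"))


def check_admin_config(body):
    """Return a list of problems in a PUT adminConfig body; empty means OK."""
    problems = [f"{k}: read-only, remove before PUT"
                for k in sorted(READ_ONLY & body.keys())]
    method = body.get("authenticationMethod")
    if method not in AUTH_METHODS:
        problems.append("authenticationMethod: must be PINGONE, EXTERNAL or HYBRID")
    if body.get("mfaStatus") != "ENFORCE":
        problems.append("mfaStatus: must be ENFORCE")
    if not isinstance(body.get("recovery"), bool):
        problems.append("recovery: required Boolean")
    allowed = body.get("allowedMethods")  # optional as a whole
    if allowed is not None:
        for name in MFA_METHODS:  # all three are required once it is present
            if allowed.get(name) not in (toggle(True), toggle(False)):
                problems.append(f"allowedMethods.{name}: missing or malformed")
    # Assumption: provider.id is "applicable" whenever an external IdP is used.
    if method in ("EXTERNAL", "HYBRID") and not (body.get("provider") or {}).get("id"):
        problems.append("provider.id: missing for external IdP (lockout risk)")
    return problems


# Constructed sample bodies (not from the PingOne documentation).
GOOD = {"authenticationMethod": "PINGONE", "mfaStatus": "ENFORCE", "recovery": True,
        "allowedMethods": {m: toggle(m != "EMAIL") for m in MFA_METHODS}}
BAD = {"authenticationMethod": "EXTERNAL", "mfaStatus": "ENFORCE", "recovery": True,
       "createdAt": "2024-01-01T00:00:00Z",
       "allowedMethods": {"TOTP": toggle(True), "FIDO2": {"enabled": True}}}

if __name__ == "__main__":
    for label, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_admin_config(body) or "ok")
```
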

Response codes

| Code | Message |
|---|---|
| 200 | Successful operation. |
| 201 | Successfully created. |
| 400 | The request could not be completed. |
| 401 | You do not have access to this resource. |
| 403 | You do not have permissions or are not licensed to make this request. |
| 404 | The requested resource was not found. |