PingOne Advanced Identity Cloud Licensing Guide (CIAM)
The PingOne Advanced Identity Cloud licensing guide is designed to help MAEs and SAs understand the ID Cloud annual subscription model. We offer 5 Identity Cloud packages to meet the wide range of our customers’ requirements. Pricing is based on the specific cloud packages purchased. All customers purchase the Identity Cloud Core package and can then add on additional packages like Access Plus, Identity Plus, Edge, and Sync.
About the PingOne Advanced Identity Cloud
The PingOne Advanced Identity Cloud is the market’s first comprehensive identity platform as a service. Built for organizations looking for a comprehensive, enterprise-grade identity platform that delivers usability, customizability, and operational cost savings, Advanced Identity Cloud is packaged to meet your needs and align with your unique consumption model of the Ping Identity technologies.
Advanced Identity Cloud Licensing Subscription Model
PingOne Advanced Identity Cloud is licensed on an annual subscription model based on the number of internal workforce or external consumer identities per year. For each identity purchased, customers have unlimited interaction, making the model simpler and easier to budget for than other monthly active user models available.
We offer 5 Advanced Identity Cloud packages to meet the wide range of our customers’ requirements. Pricing is based on the specific cloud packages purchased. All customers purchase the Advanced Identity Cloud Core package and can then add on additional simple packages designed to meet the specific needs of individual customers. There are discounts available based on the number of identities purchased.
This subscription entitles you to one production instance and two pre-production instances which could be used for development and testing. In addition, customers can deploy the equivalent functionality on-premise if desired. This allows the customer to leverage all benefits of the PingOne Advanced Identity Cloud offering while maintaining corresponding capabilities in their own environments. This is particularly useful for our customers who are running a Hybrid Cloud model or want a gradual transition to the cloud.
Advanced Identity Cloud - Core
The PingOne Advanced Identity Cloud Core package provides industry-leading technology essential to meet the demand for superior digital experiences. The Core package is designed to solve the majority of customer use cases with a single offering. This includes identity management, access management, single sign-on (SSO) and federated SSO, adaptive and multi-factor authentication (MFA), as well as strong authentication factors, including one-time passcode (OTP), email confirmation, Mobile Push, and Magic Link. Additionally, Core includes access to third-party solutions via the Ping Trust Network. Core also integrates seamlessly with Ping Identity’s software development kits (SDK) for ease of implementation with customer applications.
Advanced Identity Cloud Core Features:
Intelligent Access Capabilities
| Feature | Description | Documentation Link |
| --- | --- | --- |
| Authentication Journeys and Nodes | Authentication trees provide fine-grained authentication, social authentication, and multifactor authentication. Trees are made up of authentication nodes. Authentication nodes allow multiple paths and decision points throughout the authentication flow, enabling AM to handle different modes of authenticating users. | |
| Session High Availability | Persistent access management sessions, authenticating the user until the session expires. | Session high availability is enabled by default with no setup required. |
| Multi-Factor and Strong Authentication | Capability to challenge for additional credentials when authentication takes place under centrally-defined risky or suspicious conditions. Does Not Include ForgeRock Go | |
| Web and Java Agents for SSO | Intercept requests to access protected resources and redirect for appropriate authentication. | |
| User Login Analytics | Measure authentication flows using counters and start/stop timers to monitor performance. | Monitor journeys, Timer Start Node, Timer Stop Node, Meter Node |
| Federation Capabilities | | |
| SAML 2.0 IDP and SP | Identity federation with SaaS applications, such as Salesforce.com, Google Apps, WebEx, and many more. | |
| SAML 2.0 SSO and SLO | Web Single Sign-On and Single Logout profile support. | |
| ADFS | Federation with Active Directory Federation Services. | |
| SAML 2.0 Attribute and Advanced Profiles | Support for transmitting only attributes used by targeted applications. | |
| OpenID Connect | OpenID Connect 1.0 compliance for running an OpenID Provider, including advanced profiles, such as Mobile Connect. | |
| OAuth 2.0 | OAuth 2.0 compliance for running an authorization server. | |
| Authorization Capabilities | | |
| Feature | Description | Documentation |
| Entitlement Policies - Coarse Grained | Modern web-based policy editor for building policies, making it possible to add and update policies based on static attributes such as group membership as needed without touching the underlying applications. | Authorization and policy decisions - limited to “subject conditions” |
| Transactional Authorization - Coarse Grained | Requires a user to perform additional actions such as reauthenticating to a module or node, or responding to a push notification, to gain access to a protected resource based on static attributes such as group membership | Authorize one-time access with transactional authz - limited to “subject conditions” |
| Identity Lifecycle and Relationship Capabilities | | |
| Inbound Provisioning Engine | Provisioning engine to import data from an external resource into IDM. | |
| Identity Lifecycle Management | An extensible object model that enables you to manage the complete lifecycle of identity objects. | |
| Identity Relationship Lifecycle Management | Ability to create and track relationship references between objects. | |
| Role Lifecycle Management | Provisioning roles to control how objects are exported to external systems and authorization roles to control authorization within IDM. | |
| Entitlement Lifecycle Management | Entitlements to provision attributes or sets of attributes, based on role membership. | |
| Identity Self Service Capabilities | | |
| User Self-Registration | End-user self-service UI that lets users create their own accounts with customizable criteria. | |
| Password Reset | End-user self-service UI for changing and resetting passwords based on predefined policies and security questions. | |
| Knowledge-Based Authentication | Verification for user identities based on predefined and end user-created security questions. | |
| Forgotten Username | Mechanisms to allow users to recover their usernames with predefined policies. | |
| Progressive Profile Completion | Short forms used to simplify registration and incrementally collect profile data over time. | |
| Terms and Conditions (or Terms of Service) Versioning | Manage multiple terms and conditions. | |
| Social Identity Capabilities | | |
| Authentication | Social login for identity management. | |
| Account Linking | Users can select specific social identity providers for logins. | |
| Registration | User registration with social identity accounts. | |
| Directory Services Capabilities (Available to deploy and leverage outside of Identity Cloud) | | |
| LDAPv3 | Compliance with the latest LDAP protocol standards. | |
| REST APIs | HTTP-based RESTful access to user data and server configuration. | |
| DSMLv2 Gateway | HTTP-based SOAP access to LDAP operations for web services. | |
| High-Availability Multi-Master Replication | Data replication for always-on services, enabling failover and disaster recovery. | |
| User/Object Store | Flexible key-value data model for storing users, devices, and things. | |
| Passwords and Data Security | Password digests, encryption schemes, and customizable rules for password policy compliance to help protect data on disk and shared infrastructure. | |
Advanced Identity Cloud — Access Plus
The Advanced Identity Cloud Access Plus package provides increased security while improving user experience with capabilities such as passwordless and usernameless authentication and support for Zero Trust and CARTA strategies. Additionally, organizations requiring more contextual and fine-grained authorization enforcement components can leverage Access Plus to enforce continuous and contextual authorization for transactions. Access Plus also includes dynamic scopes and continuous risk monitoring capabilities.
Advanced Identity Cloud Access Plus Features:
Authorization Capabilities
| Feature | Description | Documentation |
| --- | --- | --- |
| Entitlement Policies - Fine Grained | Modern web-based policy editor for building policies, making it possible to add and update policies based on environmental and contextual attributes as needed without touching the underlying applications. | |
| Transactional Authorization - Fine Grained | Requires a user to perform additional actions such as reauthenticating to a module or node, or responding to a push notification, to gain access to a protected resource based on environmental and contextual attributes | |
| OAuth 2.0 Dynamic Scopes | A single OAuth 2.0 client configured for a comprehensive list of scopes can serve different scope subsets to resource owners based on policy conditions. | |
Advanced Identity Cloud — Personalization
The Personalization package manages user identity data and provides users with a privacy and consent dashboard that allows them to download, update, or delete personal information, as well as give consent to use their data. It also contains the ability to create custom relationships between identity objects to drive authentication and authorization policies.
Identity Cloud Personalization Features:
| Profile and Privacy Management Dashboard | Dashboard for managing personal user information. | |
| Consent and Preference Management | Configurable user preferences. | |
| Relationships | Relate identities to other identities, organizations or family groups | |
Advanced Identity Cloud — Organizations
The Organizations package facilitates the hierarchical structuring and management of users. It allows for the grouping of identities based on business requirements, enabling granular administrative privileges within the organizational hierarchy. Organization owners possess substantial control over the organizations, members, and administrators within their designated domain.
Identity Cloud Organizations Features:
| Managed Organizations | Organizations let you give users fine-grained administrative privileges based on hierarchical groups. | |
| Delegated Administration | Grant role-based, limited access to perform fine-grained administrative tasks on managed objects. | |
Identity Cloud — Edge
The Edge package extends the security capabilities of PingOne Advanced Identity Cloud to legacy applications on premises and to modern microservices running in the cloud. Edge enables Identity Cloud to coexist with other legacy IAM solutions and lets you augment legacy or home-grown applications with modern IAM capabilities, giving you the time you need to execute on your cloud migration and security strategy. Edge also includes Ping Identity Gateway capabilities to create a secure perimeter for legacy applications and modern API traffic.
Identity Cloud Edge Features:
Identity Gateway Capabilities
| Studio | User interface for rapid development and prototyping. | |
| Single Sign-On | Single sign-on in a single domain and across domains. | Single sign-on with OpenID Connect and Cross-domain single sign-on |
| Password Replay | Secure replay of credentials to legacy applications or APIs. | Password replay from AM, Password replay from a database and Password replay from a file |
| Policy Enforcement | Enforcement of centralized authorization policies for applications requiring Access Management. | |
| Federation | OpenID Connect 1.0. | |
| | OAuth 2.0. | |
| | SAML 2.0. | |
| | SAML resources for mobile applications. | |
| Finance APIs | Support for OAuth 2.0 Mutual TLS and Financial-Grade APIs. | Validate certificate-bound access tokens and FapiInteractionIdFilter |
| WebSocket Protocol | Detection of requests to upgrade from HTTPS to the WebSocket protocol, and creation of a secure, dedicated tunnel to send and receive WebSocket traffic. | |
| Throttling | Throttling to limit access to protected applications. | |
Identity Cloud — Sync
The Sync package includes a full-featured outbound provisioning engine with complete bi-directional and translatable synchronization to various systems and applications. Sync discovers new, changed, deleted, or orphaned accounts to determine user access privileges, and reconciles them seamlessly to ensure that user identity data, including passwords, is always accurate. It ensures that you have a stable hybrid environment where all identity data is consistent across all systems.
Identity Cloud Sync Features:
| Discovery and Synchronization | Synchronization of identity data across managed data stores. | |
| Reconciliation | Alignment between accounts across managed data stores. | |
| Password Synchronization | Near real-time password synchronization across managed data stores. | |
| Directory Services and Active Directory Plugins | Native password synchronization plugins for Ping Directory Services and Microsoft Active Directory. | Synchronize passwords with DS, Synchronize passwords with Active Directory |
| All Connectors | Extensible interoperability for identity, compliance, and risk management across a variety of specific applications and services. | |
| Pass-through Authentication / Just In Time Migration | Authenticate and/or migrate identities from external data stores (directories, databases, etc.) | |