The PingOne integration enables teams to synchronize personnel identities from PingOne into Drata. This integration connects Drata to your PingOne identity provider.
Prerequisites & Data Access
The email domain of the account that connects the IdP must match the email domain of every person you want to sync. Personnel with a different domain, or with multiple domains, are not synced.
If you need to sync multiple email domains, please reach out to our Technical Support team.
For individuals who have SSO configured:
If your Drata tenant has previously connected to PingOne using our Enterprise Single Sign-On (SSO) connection, you can maintain that connection.
For individuals who are using Privileged Access Manager:
Drata can monitor who has enabled Multi-Factor Authentication (MFA) and also automate Test 86 (MFA on Identity Provider test).
Role requirements: To connect, you must be assigned one of the following Drata roles: Admin, Workspace Managers, DevOps Engineer.
If you have the Access Reviewer role, you can only view the Connections page.
Step-by-Step Setup
Note: There may be a delay between the initial connection and the first import of accounts. This should take no more than one hour for individuals who are syncing hundreds of accounts.
There are three parts to the PingOne integration:
Connect PingOne as an Identity Provider: Sync personnel into Drata by opening the Drata connection drawer and entering the required connection details.
Connect PingOne as an Enterprise SSO Provider: Allow personnel to use single sign-on (SSO) to access Drata.
Limit the Scope for Drata (Optional): Limit the synchronization to a specific subset of personnel.
Step 1: Connect PingOne as an Identity Provider
In Drata, select Connections from the left navigation menu.
Click the Available Connections tab, search for PingOne, and select Connect.
Follow the instructions in the connection drawer.
When prompted, enable the “Read all users” permission level.
Paste the required PingOne connection values into each field as indicated.
Step 2: Connect PingOne as an Enterprise SSO Provider
If you have not yet connected the Enterprise Single Sign-On (SSO) integration, Drata will display a banner after the IdP is connected.
If SSO is not configured, only administrators will be able to log in using magic link authentication.
To configure SSO, go to the Connections page and select the Enterprise Single Sign-On filter.
Step 3: (Optional) Limit Scope to a Specific PingOne Group
Note: Drata does not support nested groups. We will sync members in the top level of the specified group, but not individual members in second-level or further groups.
After establishing the connection, you can optionally limit the synchronization to a specific group of individuals by following these steps:
