PTC customers use a variety of different methods to authenticate and manage users authorized to access deployments of PTC products (“Identity and Access Management” or “IAM”). One such method is through Single Sign-On (“SSO”), which can facilitate use of a customer’s existing Identity Provider (“IdP”). To unify and standardize IAM implementation, PTC has developed this policy, which is applicable to all SSO-enabled products, except for PTC SaaS Applications.
PingFederate License Policy
Beginning April 1st, 2025, PTC will no longer provide PingFederate licenses to on-prem customers for any PTC SSO-enabled application. This includes no longer providing renewals for customers when their existing PTC-provided PingFederate licenses expire (all existing licenses are set to expire March 31st, 2025). Previously, PTC had provided PingFederate licenses as a convenience to its customers. These PingFederate licenses were for use in customer on-premises configurations of PTC SSO-enabled applications only. Therefore, this licensing change is not expected to impact any other customer applications or solutions.
This license policy update will provide PTC on-premises customers more flexibility to integrate PTC applications into their own existing SSO technology stack for their on-premises deployments. Use of PingFederate for PTC SSO-enabled products will no longer be required. Customers can choose to shift to their own technology, which they are more familiar with and which may be more desirable to maintain. Functionality of the PTC SSO-enabled products will not be impacted.
With this change, on-premises customers will need to select one of two options for their PTC SSO-enabled on-premises configurations:
1) Customers may plan and contract with Ping Identity to obtain their own PingFederate licenses if they choose to continue using PingFederate in their on-prem SSO deployments.
2) Alternatively, customers may choose to shift their on-premises configurations to use their own SSO technology stack.
NOTE: The updated support model is described further down on this page (refer to PTC Support Policy section below).
PTC Cloud Hosted IAM (SaaS and Hosted Systems)
Identity and Access Management (IAM) is a key component of PTC SaaS and cloud hosted systems. Customers will continue to contract with PTC to select defined cloud offerings that meet their requirements. Each cloud offering will identify the specific configuration and considerations associated with IAM. PTC Cloud customers will continue to be provided a PingFederate license if it is required as part of their contracted PTC Cloud offering. Any future change to an existing cloud offering would be clearly communicated to customers as part of a planned update. Any PingFederate license needed for a PTC Cloud hosted SSO configuration will be owned and managed internally by PTC, and customers will not receive a license directly.
PingFederate Reference Architecture
The PingFederate architectures validated to support the SSO solution for PTC SSO-enabled products are identified below and are covered by this policy (see “Standard” IAM architectures). Each PTC SSO-enabled product will continue to provide a support matrix that will identify the PingFederate version(s) currently validated.
PTC will test its SSO-enabled products against specific PingFederate builds (e.g. 8.4.4 Patch 3) and support that build as well as all subsequent maintenance (third digit) and patch (fourth digit) releases of PingFederate within that minor version (e.g. 8.4.x). PTC will identify supported PingFederate builds in the system requirements page for each respective product.
On-premises (not PTC Cloud hosted) customers are responsible for deploying and maintaining PingFederate software when choosing to use PingFederate in their SSO configuration.
Ping Identity regularly releases updates to PingFederate that include both security improvements and functional bug fixes. To this end, PTC strongly recommends that customers continuously update to the latest build of PingFederate within a supported minor version.
PTC Support Policy
The updated IAM support policy will align with the existing third-party support expectations. PTC will continue to validate the standard protocols (SAML, OAuth and, for some products, OIDC – refer to product-specific documentation for future updates) on reference architectures using PingFederate and, where supported, Azure AD or ADFS. PTC cannot provide guidance on advanced or atypical configurations of third-party components other than those configurations that are currently documented in the PTC software help centers (related to SSO-enabled applications). Technical Support can provide assistance with setting the necessary configuration of the standard SSO protocols to interface with the PTC SSO-enabled application(s). Issues outside of specific PTC application configurations for SSO will be up to the customer to address.
Due to the wide range of available IdPs and the varying levels of technical expertise and time needed to ensure their compatibility and interoperability with PingFederate or another authorization server, PTC will only assist in configuring and supporting a limited range of “Standard” IAM architectures. In no case will PTC process technical support tickets related solely to the functionality, installation or setup of the IdP itself (i.e. not directly involved with its interaction with SSO-enabled PTC products).
For “Standard” IAM architectures, PTC will:
For “Non-Standard” IAM architectures, PTC will:
Standard architectures include the use of: