Navigating the Move from Heritage Ping to AIS/AIC: Realities, Challenges, and Strategic Benefits

  • Writer: Paul McKeown
  • Apr 8
  • 7 min read

Introduction

Digital identity is the backbone of modern enterprises. It’s the mechanism through which users interact with applications and services – often across distributed, multi-cloud environments.

Many organizations that rely on heritage Ping (e.g., PingFederate, PingAccess) are now examining a transition to Ping AIS (previously ForgeRock’s self-managed platform) or PingOne AIC (previously ForgeRock’s SaaS offering).

Many are also looking to leverage additional advanced capabilities, either by including PingAM in their strategy for MFA or Intelligent Access, or by using PingOne AIC to orchestrate PingOne Verify, PingOne Protect, etc.

While a migration brings its share of challenges – compatibility, complexity, organizational change – it also offers a wealth of strategic and technical advantages. This paper covers:

  1. The real challenges of moving from heritage Ping to PingOne AIC

  2. What can (and cannot) be automated

  3. Strategies to limit changes for downstream services

  4. Why you might consider the move or adding extra Ping products to your toolkit

  5. How Midships can help ensure a smooth transition

It is important to mention at this point that Ping remains committed to supporting and enhancing its heritage products, including PingFederate and PingAccess. Customers can confidently continue leveraging these proven solutions, while also benefiting from the option to integrate newer capabilities offered by Ping AIS and PingOne AIC, enabling a flexible, phased approach to modernizing their IAM strategies.


1. The Real Challenges of Moving from Heritage Ping

1.1 Legacy Customizations and Integrations

Over time, organizations build custom plug-ins, specialized user flows, or layered integration logic within heritage Ping deployments. These may rely on Ping-specific classes or proprietary APIs. Such customizations rarely migrate with a simple “lift and shift,” creating friction when moving to PingOne AIC.

1.2 Downstream Services Dependence

Downstream applications or microservices that consume Ping tokens, rely on Ping SDKs, or integrate via legacy endpoints can break if token structures or endpoints change. Even small variances in claims or token lifetimes may ripple through your ecosystem.

1.3 Knowledge Gaps and Skill Sets

Teams used to PingFederate or PingAccess might need training to administer Ping AIS/AIC components or to leverage the PingOne AIC SaaS console and configuration APIs effectively.

Adapting to new architecture patterns, different configuration models, and new DevOps processes can be a significant hurdle.

1.4 Organizational Resistance

Beyond technology, migration often entails changes to process and culture. Stakeholders may worry about business disruptions, retraining costs, or question ROI. Proactive communication and realistic planning can help address these concerns.


2. What Can (and Cannot) Be Automated

2.1 What Can Be Automated

  1. Configuration Extraction and Transformation: Both Heritage Ping and Ping AIS/AIC store many configurations (realms, authentication flows, policies) in exportable formats. Scripts can parse these, apply mapping rules, and generate configuration artifacts for Ping AIS/AIC.

  2. User and Group Data Migration: If user identities reside in an external directory or database, migrating them can be streamlined via ETL (Extract-Transform-Load) scripts. These scripts handle attribute transformations and help maintain user/group relationships.

  3. Automated Testing and Validation: Continuous testing frameworks – API tests, integration tests, or security checks – quickly flag discrepancies in token issuance, claims, or user flows, allowing you to fix issues before production cutover.

2.2 What Cannot Be Automated

  1. Custom Code and Specialized Integrations: Plug-ins, advanced policy logic, or code compiled against Ping-specific libraries require manual analysis and refactoring. These pieces may need to be rebuilt to align with Ping AIS/AIC APIs and architectural patterns.

  2. Downstream Application Refactoring: If downstream apps use proprietary Ping SDKs, you must re-architect or replace them with standard OAuth 2.0, OIDC, or SAML integrations supported by Ping AIS/AIC.

  3. Governance and Organizational Processes: While scripts can migrate data, they don’t solve governance or operational changes. Introducing new approval flows, identity governance models, or DevOps pipelines demands stakeholder buy-in and structured rollouts.


3. Limiting Changes for Downstream Services

Minimizing disruptions to dependent applications is often the top concern during an IAM migration. Key strategies include:

  1. Standards-Based Protocols: Rely on widely adopted standards (OIDC, OAuth 2.0, SAML) rather than proprietary APIs. This ensures minimal breakage when transitioning from heritage Ping to PingOne AIC.

  2. Compatibility or ‘Bridge’ Layers: A bridging service can translate heritage Ping endpoints to new PingOne AIC endpoints. This approach allows a gradual migration of downstream apps without forcing an all-or-nothing cutover.

  3. API Versioning and Endpoint Stability: If you must introduce new endpoints or token formats, consider versioning them. Legacy services can continue using the old version until they’re ready to be updated, reducing immediate disruption.

  4. Consistent Token Claims: Downstream services often parse specific user attributes or session details. Configuring Ping AIS/AIC to replicate or closely match these claims greatly reduces the effort in updating every downstream consumer.
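
The token-contract check behind "Automated Testing and Validation" (2.1) and "Consistent Token Claims" can be sketched as a claim diff between a token from the heritage issuer and one from the migrated issuer. This is an added example, not Midships or Ping tooling; the issuer URLs, claim names and values are constructed samples, and signature validation is out of scope here.

```python
import base64
import json

# Claims expected to differ between issuers; lifetime is compared separately.
IGNORED = {"iss", "iat", "exp", "jti"}

def _b64url(data: dict) -> str:
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_jwt(payload: dict) -> str:
    """Build a constructed token for the demo; the signature part is a dummy."""
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(payload), "c2ln"])

def decode_payload(token: str) -> dict:
    """Decode the payload only. This is contract diffing, not token validation."""
    segment = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def diff_claims(legacy: dict, migrated: dict) -> list:
    """Report claims a downstream consumer would see change after cutover."""
    findings = []
    for name, old in legacy.items():
        if name in IGNORED:
            continue
        if name not in migrated:
            findings.append(("missing", name))
        elif type(old) is not type(migrated[name]):
            findings.append(("type", name))      # e.g. string became array
        elif old != migrated[name]:
            findings.append(("value", name))
    for name in migrated.keys() - legacy.keys() - IGNORED:
        findings.append(("added", name))
    old_ttl, new_ttl = (t["exp"] - t["iat"] for t in (legacy, migrated))
    if old_ttl != new_ttl:
        findings.append(("lifetime", f"{old_ttl}s->{new_ttl}s"))
    return sorted(findings)

# Constructed sample tokens (hypothetical issuers and claims).
LEGACY_TOKEN = make_sample_jwt({
    "iss": "https://legacy-idp.example", "sub": "user-1001", "aud": "orders-api",
    "scope": "orders.read orders.write", "groups": ["ops", "billing"],
    "iat": 1700000000, "exp": 1700003600})
MIGRATED_TOKEN = make_sample_jwt({
    "iss": "https://new-idp.example", "sub": "user-1001", "aud": "orders-api",
    "scope": ["orders.read", "orders.write"], "amr": ["pwd"],
    "iat": 1700000000, "exp": 1700000900})

if __name__ == "__main__":
    for kind, detail in diff_claims(decode_payload(LEGACY_TOKEN), decode_payload(MIGRATED_TOKEN)):
        print(f"{kind:9}{detail}")
```

Run against tokens captured from both environments for the same test user and client, each finding maps to a downstream consumer that needs either a claim-mapping fix on the new platform or a code change before cutover.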


4. Why You Might Consider Moving to PingOne AIC

4.1 Advanced Authentication & Authorization

Expanding beyond heritage Ping products by adding AIS or PingOne AIC provides additional advanced capabilities while preserving your existing investment:

  • Adaptive Authentication: Leverage risk-based factors (e.g., device reputation, IP intelligence) to elevate the security of each login session.

  • Fine-Grained Authorization: Define detailed access controls with context-specific policies (time of day, device type, geolocation).

  • Built-In MFA and FIDO Compliance: Support for multi-factor authentication methods and FIDO2/WebAuthn protocols help future-proof your organization against evolving security threats.

4.2 Operational Advantages – Especially with PingOne AIC

  • Reduced Maintenance: AIS, as a self-managed solution, offers control but also has high operational overhead – deployments, patches, scaling, and upgrading. PingOne AIC, on the other hand, is Ping’s SaaS offering, offloading much of that burden. You can focus on value-adding business functionality instead of infrastructure management.

  • Always Up-to-Date: PingOne AIC’s SaaS model ensures you automatically receive the latest patches, enhancements, and security updates, sparing you complex upgrade cycles.

4.3 Enhanced Developer and User Experience

  • Modern APIs & SDKs: Developer-friendly documentation and tooling help integrate identity features more rapidly.

  • User-Centric Flows: PingOne AIC (and AIS) supports sophisticated orchestration of login journeys, including social login, passwordless approaches, and step-up authentication (like MFA prompts only for high-risk transactions).

4.4 Future-Readiness and Innovation

By leveraging a platform with robust extensibility and community support, you can quickly adopt emerging security standards, such as Verifiable Credentials, Decentralized Identity, or advanced device biometrics. With PingOne AIC, your IAM strategy evolves seamlessly alongside industry trends.

4.5 Choosing To Leverage Additional Products

Some clients are looking to add PingAM as part of a self-managed Ping AIS deployment to provide additional MFA capabilities and out-of-the-box FIDO2 support. This greatly enhances your customer security and authentication options without the burden of a full-scale migration to a new platform.

Similarly, PingFederate can be used to invoke PingOne products, like AIC, Verify, Protect, etc., to gain additional capabilities without the need for a migration. These could be good options for customers who are heavily invested in the heritage Ping suite.


5. How Midships Can Help

In any identity migration project – especially one as substantial as moving from heritage Ping to PingOne AIC – choosing the right partner is crucial. Midships brings:

  1. Years of IAM Expertise and AIS/AIC Delivery Experience

    • Midships has worked with a broad spectrum of identity solutions in both the Customer and Staff IAM spaces, and can help map your existing Ping environment to Ping AIS or PingOne AIC, identifying complex customizations and edge cases along the way.

  2. Experience in Site-to-Site or Site-to-Cloud User Data Migrations

    • Midships has a proven track record of seamlessly migrating user data (identity records, attributes, and group memberships) between on-premises data centers or from on-premises to cloud environments.

    • Their expertise mitigates the risks associated with large-scale data moves – such as downtime, data integrity issues, and network complexities – ensuring a smooth transition with minimal disruption to user access.

  3. Accelerators for Self-Managed AIS on Kubernetes & PingOne AIC 

    • Running AIS on any Kubernetes distribution can be challenging if you’re starting from scratch. Midships has pre-built accelerators that streamline deployments, ensuring best practices for scalability, resiliency, and security.

    • These accelerators have helped clients the world over perform no-impact, zero downtime migrations and releases of AIS for the last 7 years.

  4. Mature Automation Tooling for Deploying to PingOne AIC

    • For organizations opting for the SaaS route, Midships offers automation scripts and frameworks that enhance developer productivity while ensuring repeatability and consistency when setting up or updating PingOne AIC environments.

  5. Local Development for Self-managed and SaaS

    • Midships has curated Ping-focused development environments to help your teams get immediate feedback on AIS and AIC configuration changes, whether that configuration is to be deployed to a self-managed AIS or a PingOne AIC SaaS environment.

  6. Ready-to-Adapt Test Suites

    • Midships maintains standards-based test suites that can be tailored to your environment. These ensure your OIDC, SAML, or other authentication journeys work consistently post-migration, reducing the risk of downtime or integration failures.

  7. Free Cloud Assessment

    • Not sure whether SaaS or Self-Managed is the right fit? Midships provides a free cloud assessment to evaluate your infrastructure, business requirements, and security posture. This helps you make an informed decision on your ideal deployment model.

  8. Awarded and Globally Recognized Ping Partner

    • As a trusted Ping Partner, Midships has access to the latest Ping resources, best practices, and partner support channels – making them the perfect organization to guide you through evaluation, planning, and execution of your IAM journey.


Conclusion: Embrace a Modern Identity Future

Migrating from heritage Ping to AIS (on-premise) or PingOne AIC (SaaS) can feel daunting, but the long-term gains often outweigh the short-term challenges:

  • Automation can handle repetitive tasks like configuration transformation and user data migration.

  • Custom logic and downstream integrations demand a careful, phased approach.

  • Advanced authentication, FIDO compliance, and fine-grained authorization are built into PingOne AIC – capabilities that heritage Ping may not offer or will de-emphasize moving forward.

  • Test suites help validate that interface contracts remain consistent before and after the migration.

  • Midships offers a unique combination of IAM expertise, deployment accelerators, free assessments, and test suites, positioning them perfectly to help you evaluate and execute your next steps.

Ultimately, the choice between Ping AIS (self-managed) and PingOne AIC (SaaS) depends on your team’s expertise, compliance requirements, and appetite for managing infrastructure. Regardless, both options offer enhanced security and flexibility that help you stay ahead of evolving market and regulatory demands. With a clear migration plan, thoughtful automation, and well-defined governance, you can transform your IAM strategy – and future-proof your enterprise’s digital identity for years to come.

For more information about how we help clients move into the Cloud for their IAM solutions, please email sales@midships.io for our white paper.


Writer’s Overview

Paul McKeown – Chief Technology Officer, Midships

Paul is a seasoned engineering leader with 19 years in IAM, DevOps, and continuous delivery, with a specialty in ForgeRock and secure banking platforms. He’s delivered CIAM on Kubernetes for major banks in New Zealand and Australia.

Short bio: Paul blends engineering rigor with coaching excellence, driving Midships' technical strategy and delivery risk reduction practices across markets.

 
 
 
