Ping Identity
Thoma Bravo (private equity) · Thoma Bravo (acquisition closed October 2022, $2.8B)
Last verified 2026-05-30 · Reviewed by guptadeepak
Editorial verdict
Ping Identity remains the right CIAM choice for large enterprise and public-sector workloads with complex federation, on-prem requirements, or regulated-industry compliance baselines that hyperscaler CIAM cannot meet. DaVinci flow orchestration is genuinely capable for complex auth journeys. The trade-offs, opaque pricing, fragmented post-ForgeRock product family, heavy professional services, make Ping the wrong answer for everything below the enterprise-quote threshold. After the 2023 ForgeRock acquisition the combined product surface is broader but more confusing.
Last verified by @guptadeepak on 2026-05-30.
At a glance
- Best for
- Large enterprise and public-sector workloads with complex federation and on-prem requirements
- Pricing
- enterprise-quote
- Free tier
- None
- Deployment
- cloud-saas, on-prem, hybrid
- SOC 2 Type II
- Yes
- Passkeys
- Native
- Self-host
- Yes
- Open source
- No
Funding & business
- Funding model
- Private-equity owned
- Total raised
- Undisclosed
- Latest round
- Acquired · $2.8B · 2022
- Years in business
- 24 yrs
- Round led by
- Thoma Bravo
- Profitable
- Yes
Investors
Vista Equity bought it in 2016, IPO'd it (NYSE: PING) in 2019; Thoma Bravo took it private for $2.8B in 2022 and merged ForgeRock into it.
Funding data from primary source. See also the CIAM investor landscape.
Strengths
- DaVinci visual flow orchestration is among the most capable in the market for complex enterprise auth journeys.
- FedRAMP High, PCI Level 1, HIPAA, full enterprise compliance footprint with on-prem deployment options.
- Deep enterprise federation breadth, supports the long tail of legacy IdPs, custom SAML edge cases, and federation chaining that hyperscaler CIAM struggles with.
- Strong governance, lifecycle, and consent capabilities suitable for regulated industries (banking, insurance, healthcare).
Limitations
- Pricing opacity is real, no public pricing, five-figure annual minimums, professional-services-heavy onboarding.
- DX trails the developer-first tier substantially, slower iteration loops, heavier admin tooling, longer time-to-first-login.
- Product family is fragmented post-ForgeRock acquisition: PingOne, PingFederate, PingAccess, DaVinci, ForgeRock Identity Cloud.
- Vendor lock-in via DaVinci flows is significant once production journeys are deployed.
Capability matrix
Every vendor scored on the same axes. See the methodology for criteria.
| Password authentication | Yes |
|---|---|
| Social login | Yes |
| Magic links | Yes |
| SMS OTP | Yes |
| Email OTP | Yes |
| TOTP (authenticator app) | Yes |
| Push MFA | Yes |
| WebAuthn / passkeys | Yes |
| Biometric | Yes |
| Hardware security keys | Yes |
| SAML SSO | Yes |
| OIDC SSO | Yes |
| OAuth 2.0 SSO | Yes |
| Enterprise federation | Yes |
| Passwordless-only flows | Yes |
| Adaptive MFA | Yes |
| Step-up auth | Yes |
| RBAC | Yes |
|---|---|
| ABAC | Yes |
| ReBAC | Partial |
| FGA engine | Yes |
| API authorization | Yes |
| Fine-grained permissions | Yes |
| Self-service registration | Yes |
|---|---|
| Progressive profiling | Yes |
| Self-service account | Yes |
| Bulk user import | Yes |
| Admin user search | Yes |
| Custom user metadata | Yes |
| Organizations / tenants | Yes |
| Multi-tenancy | Yes |
| REST API | Yes |
|---|---|
| GraphQL API | No |
| SDKs | js, node, java, dotnet, python, go, ios, swift, android, kotlin |
| CLI | Yes |
| Terraform provider | Yes |
| Local emulator | No |
| Extension model | DaVinci flow orchestration + custom node SDK |
| Bot detection | Yes |
|---|---|
| Breached password detection | Yes |
| Brute-force protection | Yes |
| Anomaly detection | Yes |
| Log streams | Yes |
| Audit logs | Yes |
| GDPR data export | Yes |
| PII minimization | Yes |
| Post-quantum roadmap | Partial |
| MCP support | Partial |
|---|---|
| OAuth 2.1 | Yes |
| Dynamic client registration | Yes |
| Agent vs human token separation | Partial |
| Web Bot Auth | No |
| SOC 2 Type II | Yes |
|---|---|
| ISO 27001 | Yes |
| ISO 27018 | Yes |
| HIPAA | Yes |
| PCI DSS | Level 1 |
| GDPR | Yes |
| CCPA | Yes |
| FedRAMP | High |
| EU data residency | Yes |
| Consent management | Yes |
|---|---|
| Preference center | Yes |
| Purpose-specific consent | Yes |
| Integrates with CMPs | OneTrust, TrustArc |
Pricing
| 10,000 MAU | Quote required |
|---|---|
| 100,000 MAU | $6,000/mo |
| 500,000 MAU | $18,000/mo |
| 1,000,000 MAU | $30,000/mo |
- PingOne SaaS, PingFederate (on-prem), and DaVinci orchestration are commercially separate products
- Per-user / per-MAU / per-feature pricing varies by deal; expect five-figure annual minimums
- Professional services often required for complex enterprise federation deployments
Estimates use the standard assumptions in our methodology. Always confirm with the vendor.
Best for
- Large enterprise and public-sector workloads with complex federation and on-prem requirements
- Regulated industries requiring deep governance, consent, and lifecycle management
- Organizations with existing Ping or ForgeRock footprint
Not for
- Mid-market SaaS or startups prioritizing developer velocity
- Cost-sensitive consumer apps below the enterprise-quote threshold
- Teams that prefer transparent SaaS pricing
FAQ
- What is the relationship between Ping Identity and ForgeRock?
- Ping acquired ForgeRock in August 2023 (announced October 2022, closed 2023). Both companies were taken private by Thoma Bravo. The combined company sells both product families under the Ping brand; ForgeRock Identity Cloud and PingOne are still distinct platforms in 2026, with cross-product integration still in progress. New customers should evaluate which platform fits their workload rather than assuming convergence.
- Does Ping have a free tier?
- No. All Ping deployments are enterprise quote-based, with five-figure annual minimums typical. For teams below that threshold, look at Auth0, WorkOS, or open-source alternatives.
- What is DaVinci?
- DaVinci is Ping's visual flow orchestration product, a no-code editor for designing complex enterprise auth journeys with conditional logic, risk decisioning, and integration nodes. Among full-platform CIAM, DaVinci is the most mature visual orchestrator for enterprise scenarios; the trade-off is vendor lock-in once production flows are deployed.
Sources
- Ping Identity Documentationaccessed 2026-04-22
- Ping Identity Pricingaccessed 2026-04-22
- Thoma Bravo Ping Identity acquisition (2022)accessed 2026-04-22
What Ping Identity is
Ping Identity is one of the longest-running enterprise CIAM platforms, founded in 2002, public from 2019 to 2022, taken private by Thoma Bravo in October 2022 for $2.8B, and merged with ForgeRock in 2023. The product family covers PingOne (cloud), PingFederate (on-prem), PingAccess (web access management), and DaVinci (visual flow orchestration), plus the ForgeRock Identity Cloud platform that joined the portfolio post-acquisition. The buyer is typically a large enterprise or public-sector organization that needs deep federation, on-prem deployment, or a compliance baseline that hyperscaler CIAM cannot meet.
Where Ping Identity wins
The federation depth is the structural advantage. Twenty-plus years of enterprise SAML / OIDC / WS-Federation work shows up as edge-case coverage that hyperscaler CIAM lacks, older PingFederate connections, custom XACML policies, federation chaining across legacy IdPs, and the kind of healthcare-and-banking federation patterns that took decades to standardize.
DaVinci flow orchestration is genuinely capable. Among visual auth-journey builders, it sits at the top of the enterprise tier, handling conditional logic, risk decisioning, third-party integration nodes, and complex MFA step-up scenarios that smaller orchestrators cannot express. For regulated industries with multi-step KYC / consent / verification journeys, DaVinci's expressiveness justifies the platform on its own.
Compliance is full-stack: FedRAMP High, PCI DSS Level 1, HIPAA, ISO 27001/27018, with on-prem deployment options for jurisdictions or workloads that require it. Combined with consent management, preference center, and purpose-specific consent capabilities, uncommon in this index, Ping is appropriate for the most regulated buyer profiles.
Where Ping Identity hurts
Pricing opacity is the lasting friction. No public pricing, five-figure annual minimums typical, professional-services-heavy onboarding. For mid-market or startup buyers, the vendor selection process alone consumes weeks before pricing is even visible.
DX trails the developer-first tier substantially. The admin tooling reflects a generation of enterprise IAM design rather than a developer-product mindset; SDK ergonomics are functional but not modern; iteration loops are slower than Auth0 / Stytch / Clerk by a noticeable margin.
The product family is fragmented post-ForgeRock acquisition. PingOne, PingFederate, PingAccess, DaVinci, and ForgeRock Identity Cloud are still distinct platforms in 2026, with naming overlap that confuses new buyers. Cross-product integration is in progress but not yet seamless.
Migration in or out of Ping is a multi-quarter project in either direction. DaVinci flows in particular do not port cleanly to other vendors' orchestration models.
How Ping Identity compares
The closest comparisons are Auth0 vs Ping Identity for the modernization-vs-enterprise call and Ping Identity vs ForgeRock for the within-Ping-portfolio decision. For modern visual orchestration at lower cost, Descope covers a similar use case for mid-market buyers. For deep federation at lower cost, Auth0 and WorkOS are the developer-first alternatives.