Ping Identity TSA separation is the work of standing up a dedicated Newco identity tenant, rebuilding the federation and single sign on connections to every Newco application, recreating the multi factor and access policies, and exiting the seller deployment before Newco logins keep flowing through the seller identity provider. The work sits inside the broader carve-out advisory program because federation is the front door to every application the workforce touches. Treated casually, it leaves Newco authentication dependent on the seller and the seller able to control Newco access.
Ping separation starts with an inventory of the seller deployment across the Ping estate, whether PingOne in the cloud, PingFederate for federation, or PingAccess for web access. The buyer needs the federated applications and which serve Newco, the connection protocols whether SAML or OIDC, the identity stores behind the deployment, the multi factor configuration, the access policies, and the administrators. Federation is the authentication layer the whole workforce passes through, so the inventory maps every login path rather than an application list.
The seller runs Newco authentication inside a shared Ping deployment alongside the rest of the seller workforce. The clean end state is a dedicated Newco tenant, often PingOne for a standalone business, contracted and administered by Newco. A shared seller deployment is acceptable only as a bridge during the TSA, because the seller controls the identity provider that authenticates Newco users and can see and govern Newco access.
Target tenant strategy favors the cloud platform for most carve-outs because a standalone business rarely wants to operate PingFederate infrastructure. Where the seller ran self hosted PingFederate and PingAccess, the separation is often a move to PingOne, settled early because it changes the federation model and how applications reconnect.
A clean inventory drives the sequence: the tenant build, the identity store connection, the application federation rebuild, the policy and multi factor recreation, and the cutover. Because every application federates to the identity provider, the inventory is the master list that the application reconnection works through.
Ping is licensed by identity or by monthly active user across its cloud and software products, often inside a broader seller agreement. That agreement does not transfer in a carve-out. Newco signs a direct subscription sized to its real user population and the capabilities it needs, whether single sign on, multi factor, or risk based authentication. The risk is that Newco inherits a capability set and identity tier scaled for the seller enterprise.
Ping reads a carve-out as a buyer that must authenticate a defined workforce. Negotiating leverage comes from the user commitment and from a credible alternative identity platform. The buyer scopes the Newco subscription from the inventory before negotiating, and writes implementation support into the contract so the tenant and its federation are validated before cutover.
Where the seller continues to authenticate Newco users through a TSA period, the pricing is cost-plus or fixed-fee with a defined exit ramp, and the TSA defines who administers Newco federation, how directory data is returned, and what the seller retains. Authentication is a Day-One service, so the TSA keeps the seller identity provider available until the Newco tenant is proven.
Implementation, where a partner is engaged, is fixed fee for defined deliverables under disciplined change control. A federation rebuild has a finite scope, contracted against named applications, connections, and policies rather than open ended consulting time. The engagement model is Fixed Fee plus Portfolio Retainer.
The Newco tenant connects to the Newco identity store before any application can federate to it. Ping authenticates against a directory, so the connection to the Newco directory is established first, which is why Ping separation depends on the underlying directory separation finishing first. With the store connected, the tenant has a population to authenticate.
Application federation is the bulk of the work. Every application that trusted the seller identity provider through SAML or OIDC must be reconfigured to trust the Newco tenant. This is a two sided change: the connection is built in the Newco tenant, and the application itself is updated with the new identity provider metadata, certificates, and endpoints. An application updated on only one side cannot complete a login.
The applications are reconnected in priority order so the systems the workforce needs on Day One federate first. Email, collaboration, and the core business applications lead, with lower use applications following. The buyer tests each reconnection with a real login before relying on it, because a federation that looks configured but fails the assertion locks users out of the application.
Where the seller used PingAccess to protect web applications, the access rules are rebuilt in the Newco deployment so the same authorization governs Newco web resources. The discipline parallels the broader Okta identity separation work where the same application by application federation rebuild applies.
Multi factor authentication is rebuilt in the Newco tenant. The factors users rely on, whether an authenticator application, a passkey, or a hardware key, are re enrolled against the Newco identity provider, and the buyer plans the re enrollment so users are not locked out when authentication moves. A factor enrolled only in the seller tenant does not carry across, so the enrollment campaign is part of the cutover.
Access policies are recreated so Newco enforces the same authentication controls. The rules that require multi factor for sensitive applications, restrict access by location or device, and step up authentication for risky logins are rebuilt against Newco applications and the Newco directory. A policy gap at cutover either locks legitimate users out or lets risky logins through.
Risk and adaptive authentication, where the seller used it, is reconfigured so Newco keeps the same protection against credential abuse. The signals that drive a step up challenge are rebuilt in the Newco tenant, and the buyer confirms the policies behave correctly before relying on them.
Administrator access to the Newco tenant itself is locked down with strong multi factor and a small set of Newco administrators, so control of the identity provider sits with Newco from the first day rather than depending on seller administrators.
Cutover moves authentication from the seller identity provider to the Newco tenant. Because every login depends on it, the cutover is sequenced application by application where possible and coordinated tightly where a single switch is required, and the runbook covers the directory connection, the application reconnections, the multi factor re enrollment, the policy activation, and a communication plan that tells users how their login changes.
Validation confirms authentication works for real users. Users can sign in once and reach their applications, multi factor challenges correctly, access policies enforce, and the applications accept the Newco assertions. The buyer tests a real login to every priority application before declaring the move complete, because a federation that fails on a single critical application keeps the workforce locked out of it.
Stabilization runs while enrollment settles and any missed applications surface. Failed logins, broken federations, and enrollment gaps are triaged within agreed service-level commitments because an authentication failure blocks all work in the affected application. The buyer confirms every Newco application federates to the Newco tenant before certifying identity for TSA exit.
Decommissioning the seller federation is explicit. Once the Newco tenant authenticates every Newco application and the TSA tail closes, the seller removes the Newco connections and the Newco directory data so Newco logins no longer flow through the seller identity provider.
Ping separation cost is driven by the user count, the capability set, and the effort of reconnecting every federated application. The discipline is to size the subscription and capabilities to Newco real needs, prioritize the applications the workforce needs on Day One, and use the move to retire federations for applications the standalone business no longer uses rather than rebuild every one.
The common failure mode is underestimating the application reconnection. Federation is a two sided change per application, so a separation that builds the Newco connections but does not coordinate the application side updates leaves logins failing across the estate. Buyers that inventory every federated application and plan both sides avoid the discovery that users cannot reach their tools.
The common access mistake is mishandling multi factor enrollment. The fix is to plan the re enrollment so users move their factors before the seller identity provider goes away, not after. A PMO maintains the dependency map across federation, the directory, and every federated application, escalating blocks inside forty eight hours.
A clean Ping separation produces a Newco that authenticates its own workforce, with its own tenant, federations, and policies, and a seller that no longer controls Newco logins. The discipline runs through the TSA exit acceleration program under a Fixed Fee plus Portfolio Retainer engagement model.
Yes. The clean end state is a dedicated Newco tenant, often PingOne, contracted and administered by Newco, federating its own applications with its own policies. A shared seller deployment is acceptable only as a bridge during the TSA, because the seller otherwise controls the identity provider that authenticates Newco users and can govern Newco access.
Because each application federation is a two sided change. The connection is built in the Newco tenant and the application itself is updated with the new identity provider metadata, certificates, and endpoints. An application updated on only one side cannot complete a login, so every federated application needs coordinated changes on both sides.
Factors enrolled in the seller tenant do not carry across, so users re enroll their authenticator, passkey, or hardware key against the Newco identity provider. The buyer plans the enrollment campaign as part of the cutover so users move their factors before the seller identity provider goes away rather than getting locked out.
Federation follows the directory separation and touches every application, so the timeline depends on reconnecting the estate without locking users out. Most buyers plan three to five months so applications can be federated and tested in priority order and multi factor can be re enrolled before TSA exit.
Tenant strategy, the connector rebuild, and the certification restart for Newco.
Read the article →Vault strategy, the credential and safe move, and the privileged access cutover.
Read the article →Tenant strategy, the user and app move, and the federation rebuild for Newco.
Read the article →The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.
No spam. Unsubscribe in one click. · Read the overview first →

Fixed-fee proposal in 48 hours. Senior team on day one. The first conversation is always free.
Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.
Stand up a clean identity tenant first — every application cutover and every security control depends on it, and the seller holds the keys until you do.
One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.
Subscribe to The Day One Letter →