---
title: Set Up Single Sign-On
description: Ping Autonomous Identity supports single sign-on (SSO) using OpenID Connect (OIDC) JWT tokens. SSO lets you log in once and access multiple applications without the need to re-authenticate yourself. You can use any third-party identity provider (IdP) to connect to Ping Autonomous Identity. In this example, we use PingOne Access Management (AM) as an OpenID Connect (OIDC) IdP for Ping Autonomous Identity.
component: autonomous-identity
version: 2022.11.12
page_id: autonomous-identity:admin-guide:chap-setup-sso
canonical_url: https://docs.pingidentity.com/autonomous-identity/2022.11.12/admin-guide/chap-setup-sso.html
---

# Set Up Single Sign-On

Ping Autonomous Identity supports single sign-on (SSO) using OpenID Connect (OIDC) JWT tokens. SSO lets you log in once and access multiple applications without the need to re-authenticate yourself. You can use any third-party identity provider (IdP) to connect to Ping Autonomous Identity. In this example, we use PingOne Access Management (AM) as an OpenID Connect (OIDC) IdP for Ping Autonomous Identity.

Note: If you set up SSO-only, be aware that the following Ping Autonomous Identity services are not deployed with this setting (these services are supported by your SSO provider):

- Self Service
- Manage Identities

If you want to use these services and SSO, set up the authentication as `"LocalAndSSO"`. With this setting, the Login page provides two authentication links: "Sign in using OpenID" and "Or sign in via email."

The following procedure requires a running instance of AM. For more information, refer to [PingOne Access Management Quick Start Guide](https://docs.pingidentity.com/pingam/quick-start-guide/index.html).

Set up SSO:

1. First, set up your hostnames locally in `/etc/hosts`.

   ```
   35.189.75.99  autoid-ui.forgerock.com autoid-selfservice.forgerock.com
   35.246.65.234 openam.example.com
   ```

2. Open a browser and point to `http://openam.example.com:8080/openam`. Log in with username: `amadmin`, password: `cangetinam`.

3. On AM, go to Identities > Groups, and add the following groups:

   * AutoIdAdmin

   * AutoIdEntitlementOwner

   * AutoIdExecutive

   * AutoIdSupervisor

   * AutoIdUser

4. Add the `demo` user to each group.

5. Go back to the main AM Admin UI page. Click Configure OAuth Provider.

6. Click Configure OpenID Connect, and then Create.

7. Go to Applications > OAuth 2.0, and then click Add Client. Enter the following properties, specific to your deployment:

   ```
   Client ID:         <autoid>
   Client secret:     <password>
   Redirection URIs:  https://<autoi-ui>.<domain>/api/sso/finish
   Scope(s):          openid profile
   ```

   For example:

   ```
   Client ID:         autoid
   Client secret:     Welcome123
   Redirection URIs:  https://autoid-ui.forgerock.com/api/sso/finish
   Scope(s):          openid profile
   ```

8. On the New Client page, go to the Advanced tab, and enable Implied Consent. Next, change the `Token Endpoint Authentication Method` to `client_secret_post`.

9. Edit the OIDC claims script so that the `id_token` returns the user's group memberships in a `groups` claim (the roles), which Ping Autonomous Identity matches against its own groups:

   ```
   "groups": { claim, identity -> [ "groups" : identity.getMemberships(IdType.GROUP).collect { group -> group.name }]}
   ```

   For more information about the OIDC claims script, refer to the [ForgeRock Knowledge Base](https://backstage.forgerock.com/knowledge/kb/article/a15751293).

10. The `id_token` now includes the group names, for example:

    ```
    {
      "at_hash": "QJRGiQgr1c1sOE4Q8BNyyg",
      "sub": "demo",
      "auditTrackingId": "59b6524d-8971-46da-9102-704694cae9bc-48738",
      "iss": "http://openam.example.com:8080/openam/oauth2",
      "tokenName": "id_token",
      "groups": [
        "AutoIdAdmin",
        "AutoIdSupervisor",
        "AutoIdUser",
        "AutoIdExecutive",
        "AutoIdEntitlementOwner"
      ],
      "given_name": "demo",
      "aud": "autoid",
      "c_hash": "SoLsfc3zjGq9xF5mJG_C9w",
      "acr": "0",
      "org.forgerock.openidconnect.ops": "B15A_wXm581fO8INtYHHcwSQtJI",
      "s_hash": "bOhtX8F73IMjSPeVAqxyTQ",
      "azp": "autoid",
      "auth_time": 1592390726,
      "name": "demo",
      "realm": "/",
      "exp": 1592394729,
      "tokenType": "JWTToken",
      "family_name": "demo",
      "iat": 1592391129,
      "email": "demo@example.com"
    }
    ```

11. You have successfully configured AM as an OIDC provider. Next, we set up Ping Autonomous Identity.

12. Change to the Ping Autonomous Identity install directory on the deployer machine.

    ```
    $ cd ~/autoid-config/
    ```

13. Open a text editor, and set the SSO parameters in the `/autoid-config/vars.yml` file. Make sure to change `authentication_option` from `LDAP` to `SSO`.

    ```
    authentication_option: "SSO"

    oidc_issuer: "http://openam.example.com:8080/openam/oauth2"
    oidc_auth_url: "http://openam.example.com:8080/openam/oauth2/authorize"
    oidc_token_url: "http://openam.example.com:8080/openam/oauth2/access_token"
    oidc_user_info_url: "http://openam.example.com:8080/openam/oauth2/userinfo"
    oidc_callback_url: "https://autoid-ui.forgerock.com/api/sso/finish"
    oidc_jwks_url: "http://openam.example.com:8080/openam/oauth2/connect/jwk_uri"
    oidc_client_scope: 'openid profile'
    oidc_groups_attribute: groups
    oidc_uid_attribute: sub
    oidc_client_id: autoid
    oidc_client_secret: Welcome1
    admin_object_id: AutoIdAdmin
    entitlement_owner_object_id: AutoIdEntitlementOwner
    executive_object_id: AutoIdExecutive
    supervisor_object_id: AutoIdSupervisor
    user_object_id: AutoIdUser
    application_owner_object_id: AutoIDAppOwner
    role_owner_object_id:
    role_engineer_object_id:
    oidc_end_session_endpoint: "http://openam.example.com:8080/openam/oauth2/logout"
    oidc_logout_redirect_url: "http://openam.example.com:8088/openman/logout"
    ```

14. On the Target machine, edit the `/etc/hosts` file, and add an entry for `openam.example.com`.

    ```
    35.134.60.234  openam.example.com
    ```

15. On the Deployer machine, run `deployer.sh` to push the new configuration.

    ```
    $ deployer.sh run
    ```

16. Test the connection now. Access `https://autoid-ui.forgerock.com`. You should be redirected to the AM login page with a URL like the following:

    ```
    http://openam.example.com:8080/openam/XUI/?realm=%2F&goto=http%3A%2F%2Fopenam.example.com%3A8080%2Fopenam%2Foauth2%2Fauthorize%3Fresponse_type%3Dcode%26client_id%3Dautoid
    ```
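The following Python example is added here to illustrate the trust boundary behind steps 10 and 13: the `groups` claim in the `id_token` must only be mapped to Ping Autonomous Identity roles after the token's signature, `alg`, `iss`, `aud` and `exp` have been checked against the `vars.yml` values. It is not part of the product or this guide, and it assumes a constructed HS256 shared key as a stand-in for AM's RS256 signing via `oidc_jwks_url`.

```python
import base64, hashlib, hmac, json

# Role mapping taken from the page's vars.yml: each *_object_id parameter
# names the AM group that grants that Autonomous Identity role.
ROLE_GROUPS = {
    "admin_object_id": "AutoIdAdmin",
    "entitlement_owner_object_id": "AutoIdEntitlementOwner",
    "executive_object_id": "AutoIdExecutive",
    "supervisor_object_id": "AutoIdSupervisor",
    "user_object_id": "AutoIdUser",
    "application_owner_object_id": "AutoIDAppOwner",
}
ISSUER = "http://openam.example.com:8080/openam/oauth2"   # oidc_issuer
CLIENT_ID = "autoid"                                       # oidc_client_id

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Constructed HS256 signer standing in for AM's RS256/JWKS signing."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_id_token(token: str, key: bytes, now: int) -> dict:
    """Verify signature, alg, iss, aud and exp before any claim is trusted."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims

def roles_from_groups(claims: dict, groups_attribute: str = "groups") -> set:
    """Map the oidc_groups_attribute claim to the *_object_id roles it grants."""
    groups = set(claims.get(groups_attribute, []))
    return {role for role, group in ROLE_GROUPS.items() if group in groups}
```

A user whose token carries only `AutoIdUser` gets the `user_object_id` role and nothing else, while a token signed with the wrong key, an unexpected issuer or audience, or a past `exp` is rejected before its `groups` are read.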
