---
title: Configuring PingFederate for PingAccess SSO
description: Configure PingFederate to enable administrator single sign-on (SSO) for PingAccess.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_pf_for_pa_sso_configuration
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_pf_for_pa_sso_configuration.html
revdate: August 24, 2023
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
  next-steps: Next steps
---

# Configuring PingFederate for PingAccess SSO

Configure PingFederate to enable administrator single sign-on (SSO) for PingAccess.

## Before you begin

You must do one of the following:

* [Configure a PingFederate runtime](pa_pf_runtime.html).

* [Configure an admin token provider](pa_configuring_an_admin_token_provider.html).

## About this task

To enable administrator SSO to PingAccess, configure the following settings within the PingFederate OAuth authorization server (OAuth AS).

This document doesn't cover all the required steps for each PingFederate OAuth settings page, only the fields that are necessary for successful SSO to the PingAccess administrative console. For more detailed configuration information on the PingFederate OAuth settings pages, see [Using OAuth Menu Selections](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_oauth_config.html).

## Steps

1. In PingFederate, go to **System → Server → Protocol Settings → Roles and Protocols** and configure the following roles and protocols:

   1. Select the **OAuth 2.0 AS** federation role and the OpenID Connect (OIDC) protocol as described in step 2 of [Choosing roles and protocols](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-100.pdf#page=138).

   2. Select the **IdP Provider** federation role and a corresponding protocol as described in step 2 of [Choosing roles and protocols](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-100.pdf#page=138).

2. Create a **Password Credential Validator (PCV)** to authenticate administrative users.

   For more information, see [Configuring the Simple Username Password Credential Validator](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_configure_simple_username_pcv.html).

3. On the **IdP Adapters** page, create an HTML Form IdP Adapter and specify the PCV that you configured in step 2 of this procedure.

   For more information, see [Configuring an HTML Form Adapter instance](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_config_html_form_adapt_instance.html).

4. On the **Authorization Server Settings** page, select the **Implicit** check box in the **Reuse Existing Persistent Access Grants for Grant Types** section.

   For more information, see [Configuring authorization server settings](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_authorizationserversettingstasklet_oauthauthorizationserversettingsstate.html).

5. Configure access token management:

   1. Go to **Access Token Management → Type** and in the **Type** list, select **Internally Managed Reference Tokens**.

   2. On the **Access Token Attribute Contract** page, add the `Username` attribute to extend the contract.

   For more information, see [Access token management](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_access_token_management.html).

6. Configure **OpenID Connect Policy Management**.

   Create an OIDC policy to use specifically for PingAccess administrative console authentication.

   For more information, see [Configuring OpenID Connect policies](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_configuring_oidc_policies.html).

   1. On the **Attribute Contract** tab, delete all of the attributes that appear in the **Extend the Contract** section.

      The only required attribute is `sub`.

   2. On the **Contract Fulfillment** tab, in the **Source** list, select **Access Token**, and in the **Value** list, select **Username**.

7. Configure **Client Management**.

   Create a client to use specifically for PingAccess administrative console authentication.

   For more information, see [Managing OAuth Clients](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_oauthclientsmanagementtasklet_oauthclientsmanagementstate.html).

   1. In the **Client Authentication** list, select an option other than **None**.

   2. Add the location of the PingAccess host as a **Redirection URI**.

      For example, `https://<PA_Admin_Host>:<PA_Admin_Port>/<reserved application context root>/oidc/cb`.

   3. In the **Allowed Grant Type** list, select **Authorization Code**.

   4. In the **ID Token Signing Algorithm** list, select one of the elliptic curve (**ECDSA**) algorithms, and in the **Policy** list, select the OIDC policy to use for PingAccess administrative console authentication.

8. To configure **IdP Adapter Mapping**, map the **HTML Form IdP Adapter Username** value to the `USER_KEY` and the `USER_NAME` contract attributes for the persistent grant and the user's display name on the authorization page, respectively.

   For more information, see [Managing IdP adapter grant mapping](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_oauthsource2targetmappingtasklet_oauthidpadapter2targetmappingsstate.html).

9. To configure **Access Token Mapping**, on the **Contract Fulfillment** tab, map values into the token attribute contract for the `Username` attribute:

   1. In the **Source** list, select **Persistent Grant**.

   2. In the **Value** list, select **USER\_KEY**.

      These are the attributes included or referenced in the access token.

   For more information, see [Managing access token mappings](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_accesstokenmappingtasklet_oauthuserkey2accesstokenmappingstate.html).
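
The settings from steps 4 through 9 can be checked as a unit before moving on. The following is an added example, not Ping Identity code: it audits a constructed description of the configuration and reports each deviation from the procedure. The dictionary key names, the `audit_admin_sso` function, and the sample values (host, port, policy ID) are assumptions made for this example, not the PingFederate admin API schema.

```python
import re
# Key names and sample values are constructed for this example; they are not
# the PingFederate admin API schema.
ECDSA_ALGS = {"ES256", "ES384", "ES512"}  # JWS ECDSA identifiers (RFC 7518)
REDIRECT_RE = re.compile(r"https://[^/\s:]+:\d+/[^/\s]+/oidc/cb")

def audit_admin_sso(cfg):
    """Return deviations from the settings that steps 4-9 call for."""
    atm, pol, cli = cfg["access_token_manager"], cfg["oidc_policy"], cfg["client"]
    checks = [
        ("step 4: Implicit not selected for persistent grant reuse",
         "Implicit" in cfg["reuse_grants_for"]),
        ("step 5: token type is not Internally Managed Reference Tokens",
         atm["type"] == "Internally Managed Reference Tokens"),
        ("step 5: Username missing from the access token contract",
         "Username" in atm["contract"]),
        ("step 6: OIDC policy still extends the contract beyond sub",
         pol["extended_attributes"] == []),
        ("step 6: sub not fulfilled from Access Token / Username",
         pol["fulfillment"].get("sub") == ("Access Token", "Username")),
        ("step 7: client authentication is None",
         cli["authentication"] != "None"),
        ("step 7: no redirection URI of the form https://host:port/<root>/oidc/cb",
         any(REDIRECT_RE.fullmatch(u) for u in cli["redirect_uris"])),
        ("step 7: Authorization Code grant type not allowed",
         "Authorization Code" in cli["grant_types"]),
        ("step 7: ID token signing algorithm is not ECDSA",
         cli["id_token_alg"] in ECDSA_ALGS),
        ("step 7: client does not use the dedicated OIDC policy",
         cli["policy"] == pol["id"]),
        ("step 8: USER_KEY and USER_NAME not both mapped from adapter Username",
         all(cfg["adapter_mapping"].get(k) == "Username" for k in ("USER_KEY", "USER_NAME"))),
        ("step 9: Username not mapped from Persistent Grant USER_KEY",
         cfg["token_mapping"].get("Username") == ("Persistent Grant", "USER_KEY")),
    ]
    return [msg for msg, ok in checks if not ok]

GOOD = {  # constructed sample that follows the procedure
    "reuse_grants_for": ["Implicit"],
    "access_token_manager": {"type": "Internally Managed Reference Tokens", "contract": ["Username"]},
    "oidc_policy": {"id": "pa-admin-policy", "extended_attributes": [],
                    "fulfillment": {"sub": ("Access Token", "Username")}},
    "client": {"authentication": "Client Secret", "grant_types": ["Authorization Code"],
               "redirect_uris": ["https://pa-admin.example.com:9000/pa/oidc/cb"],
               "id_token_alg": "ES256", "policy": "pa-admin-policy"},
    "adapter_mapping": {"USER_KEY": "Username", "USER_NAME": "Username"},
    "token_mapping": {"Username": ("Persistent Grant", "USER_KEY")},
}
print(audit_admin_sso(GOOD) or "matches the procedure")
```

An empty list means the description matches the procedure; each string in a non-empty list names the step that drifted.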

## Next steps

To finish configuring administrator SSO, see [Configuring admin UI SSO authentication](pa_configuring_admin_ui_sso_authn_task.html).
