--- title: Setting up PingOne SSO for the admin console description: Set up SSO access from PingOne to PingAuthorize. component: pingauthorize version: 11.0 page_id: pingauthorize:pingauthorize_server_administration_guide:paz_config_p1_sso_admin_console canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/pingauthorize_server_administration_guide/paz_config_p1_sso_admin_console.html revdate: April 28, 2026 section_ids: before-you-begin: Before you begin connecting-pingone-to-pingauthorize: Connecting PingOne to PingAuthorize steps: Steps adding-administrator-accounts: Adding administrator accounts steps-2: Steps result: Result adding-an-oidc-application: Adding an OIDC application steps-3: Steps configuring-pingauthorize-for-sso: Configuring PingAuthorize for SSO steps-4: Steps testing-sso-to-pingauthorize: Testing SSO to PingAuthorize steps-5: Steps result-2: Result next-steps: Next steps --- # Setting up PingOne SSO for the admin console To set up single sign-on (SSO) *(tooltip: \
\

The process of authenticating an identity (signing on) at one website (usually with a user ID and password) and then accessing resources secured by other domains without reauthenticating.\

\
)* access from PingOne to the PingAuthorize admin console, configure PingOne and PingAuthorize and test the sign-on experience. ## Before you begin Ensure that you have: * A licensed version of PingAuthorize. * The host name and port for the PingAuthorize Server. * A PingOne organization. Learn more in [Starting a PingOne trial](https://docs.pingidentity.com/pingone/getting_started_with_pingone/p1_start_a_p1_trial.html) in the PingOne documentation. * A PingOne environment with the PingOne SSO and PingAuthorize services added. Learn more in [Adding a service to an environment](https://docs.pingidentity.com/pingone/settings/p1_add_a_service.html) in the PingOne documentation. ## Connecting PingOne to PingAuthorize Make the PingAuthorize admin console accessible from PingOne. ### Steps 1. In the PingOne admin console, go to **Overview**. 2. Under **Services**, locate the PingAuthorize tile and click **Add Admin UI Link**. 3. Enter the URL for the PingAuthorize admin console. For example: https\://\:\/console. ![Screen capture of the Add Admin UI Link field with an example PingAuthorize admin console URL.](_images/p1-sso-paz-admin-console-link.png) | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can specify the LDAP server to bind to by using the `ldap-hostname` and `ldaps-port` query parameters.By binding to the LDAP server, you can use a single admin console instance to administer multiple PingAuthorize Servers. The connection always uses LDAPS because SSO requires traffic between the console and LDAP server to be encrypted. Using these query parameters, provide the URL as follows:``` https://:/console?ldap-hostname=&ldaps-port= ``` | 4. Click **Save**. ## Adding administrator accounts For each admin user you want to have SSO access to PingAuthorize, create a corresponding root distinguished name (DN) user in the PingAuthorize Server. Root DN users are privileged server accounts required to perform administrative operations, such as managing server configuration. Each root DN user must have a unique username. Learn more in [Managing root user accounts](https://docs.pingidentity.com/pingdirectory/latest/pingdirectory_server_administration_guide/pd_ds_manage_root_user_accts.html) in the PingDirectory documentation. ### Steps 1. In the PingOne admin console, go to **Directory > Users** and browse or search for the user for which you want to enable SSO access. 2. Click the user entry to open the details panel. 3. On the **Profile** tab, copy the following values to a secure location: * **Username** * **Given Name** * **Family Name** 4. In a terminal instance, run the following command using the values you copied in the previous step: ```shell ~//bin/dsconfig create-root-dn-user \ --user-name \ --set first-name: \ --set last-name: \ ``` 5. In the `Root DN User` configuration menu, enter `f` to create the new root DN user: ``` >>>> Configure the properties of the Root DN User >>>> via creating 'demoUser' Root DN User Property Value(s) -------------------------------------------------------------------- User Information 1) alternate-bind-dn This root user is allowed to bind only using the DN of the associated configuration entry. 2) description - 3) password - 4) first-name firstName 5) last-name lastName 6) user-id - 7) email-address - 8) work-telephone-number - 9) home-telephone-number - 10) mobile-telephone-number - 11) pager-telephone-number - [...] /) search objects and properties by name ?) help f) finish - create the new Root DN User a) show advanced properties of the Root DN User s) sort properties alphabetically d) display the equivalent dsconfig arguments that would create this object r) display the equivalent Configuration API arguments that would create this object q) quit Enter option [q]: f ``` 6. (Optional) Specify a reason for adding the user and press Enter. ### Result You'll see: ``` The Root DN User was created successfully ``` ## Adding an OIDC application Add an OpenID Connect (OIDC) *(tooltip: \
\

An authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management.\

\
)* application in PingOne to represent the PingAuthorize admin console as a relying party (RP) *(tooltip: \
\

An OAuth 2.0 client that requires end-user's authenticity and claims (attributes) from an OpenID provider.\

\
)*. You'll use the application's client credentials and issuer URL in the next section to configure PingAuthorize to verify PingOne-issued ID tokens. ### Steps 1. In the PingOne admin console, go to **Applications > Applications** and click the **[icon: plus, set=fa]**icon. 2. Enter the following: * **Application Name**: A unique identifier for the application. * **Description** (optional): A brief description of the application. 3. For the **Application Type**, click **OIDC Web App**. 4. Click **Save**. 5. On the **Configuration** tab, click the **Pencil** icon ([icon: pencil, set=fa]). 6. Enter or edit the following: * **Response Type**: Select the **Code** checkbox. * **Grant Type**: Select the **Authorization Code** checkbox. * **Redirect URIs**: Enter `https://:/console/oidc/cb`. * **Token Endpoint Authentication Method**: Select **Client Secret Basic** in the list. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Learn more about configuring OIDC applications in [Editing an OIDC application](https://docs.pingidentity.com/pingone/applications/p1_edit_application_oidc.html) in the PingOne documentation. | 7. Click **Save**. 8. On the **Attribute Mappings** tab, click [icon: pencil, set=fa]. 9. For the default **sub** attribute, select **Username** in the **PingOne Mappings** list. ![Screen capture of the Attribute Mappings tab of the OIDC application configuration with the Username attribute highlighted in the PingOne Mappings list.](_images/p1-sso-paz-attr-mappings.png) 10. Click **Save**. 11. To enable the application, click the toggle at the top of the details panel. ## Configuring PingAuthorize for SSO Configure PingAuthorize with the OIDC credentials from PingOne so that the server can verify PingOne-issued ID tokens and grant admin users SSO access to the console. ### Steps 1. In the PingOne admin console, go to **Applications > Applications** and click the newly created OIDC application to open the details panel. 2. On the **Overview** tab, under **Connection Details**, copy the **Issuer ID** to a secure location. 3. On the **Configuration** tab, copy the following values to a secure location: * **Client ID** * **Client Secret** 4. In your PingAuthorize Server directory, make a copy of the `config/sample-dsconfig-batch-files/enable-pingone-admin-console-sso.dsconfig` file. 5. Open the copy of the `config` file in a text editor. 6. Update the placeholders with the values you copied in steps 2 and 3: ``` # Create an ID token validator suitable for verifying ID tokens generated # by the PingOne service. The "All Admin Users" identity mapper will be used # to match users that authenticate with PingOne to either root DN users or # topology admin users defined in the server configuration. dsconfig create-id-token-validator \ --validator-name "PingOne ID Token Validator" \ --type ping-one \ --set enabled:true \ --set "identity-mapper:All Admin Users" \ --set evaluation-order-index:1 \ --set issuer-url:[PING_ONE_APPLICATION_ISSUER_URL] [...] # Configure the Administrative Console with your application's client # credentials and issuer URI. dsconfig set-web-application-extension-prop \ --extension-name Console \ --set sso-enabled:true \ --set oidc-client-id:[PING_ONE_APPLICATION_CLIENT_ID] \ --set oidc-client-secret:[PING_ONE_APPLICATION_CLIENT_SECRET] \ --set oidc-issuer-url:[PING_ONE_APPLICATION_ISSUER_URL] ``` 7. Save the file changes. 8. Run the following command to apply the configuration changes: ```shell ~//bin/dsconfig \ --batch-file config/sample-dsconfig-batch-files/enable-pingone-admin-console-sso-copy.dsconfig \ --no-prompt ``` ## Testing SSO to PingAuthorize Test the SSO connection to PingAuthorize from the PingOne admin console. ### Steps 1. In the PingOne admin console, go to **Overview**. 2. Under **Services**, locate the PingAuthorize tile and click the **PingAuthorize** link. 3. Sign on using the credentials for the user account you configured previously. ### Result You're signed on to the PingAuthorize admin console with your PingOne credentials. You can now manage your PingAuthorize Server and its resources based on the permissions of the user account you used to sign on. ### Next steps Learn more about [using the PingAuthorize admin console](paz_using_admin_console.html).