Setting up SSO for PingCentral
The single sign-on (SSO) method is significantly more secure than the password authentication method. At this time, OpenID Connect (OIDC) is used for SSO.
To set up SSO:
When SSO access to PingCentral is configured, administrators cannot assign applications to application owners before they access PingCentral. After application owners sign on to PingCentral, administrators can access their account information and assign applications to them.
Auto-provisioned users
For each SSO user, a local PingCentral user is auto-provisioned the first time they sign on, using information obtained from the subject (sub) claim provided by the OpenID provider.
The user’s first name, last name, and role are also recorded. PingCentral derives the user’s name from the given_name and family_name claims defined by the profile scope.
If first-time access to PingCentral is with API access using a bearer token, auto-provisioning occurs if the user’s name and role are available. For performance reasons, subsequent bearer token access doesn’t update the local user information, such as first name and last name.
Although PingCentral administrators can modify or delete auto-provisioned users, doing so results in the SSO user being auto-provisioned again. Because the provisioning process generates a new PingCentral user ID, any application associations with the previous user ID will be lost.
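A pre-flight check for the claims named above, as an added example rather than PingCentral code: it decodes a token's payload for inspection only and lists which of sub, given_name, family_name and the role claim are missing. The role claim name "role", the helper names and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json

# Claims the page says are read at auto-provisioning: sub, plus the
# profile-scope name claims. The role claim name is an assumption.
NAME_CLAIMS = ("given_name", "family_name")


def decode_payload(jwt):
    """Decode a compact JWT's payload for inspection only (no signature check)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    segment = parts[1]
    padded = segment + "=" * (-len(segment) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def provisioning_gaps(claims, role_claim="role"):
    """List claims that are absent or empty; an empty list means none are missing."""
    required = ("sub",) + NAME_CLAIMS + (role_claim,)
    return [name for name in required if not claims.get(name)]


def make_sample_token(claims):
    """Build a constructed sample token with a placeholder signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


# Constructed sample data: one token issued with the profile scope, one without.
WITH_PROFILE = make_sample_token({"sub": "user-0001", "given_name": "Ana",
                                  "family_name": "Lopez", "role": "example-role"})
WITHOUT_PROFILE = make_sample_token({"sub": "user-0002", "role": "example-role"})

if __name__ == "__main__":
    for label, token in (("with profile", WITH_PROFILE),
                         ("without profile", WITHOUT_PROFILE)):
        print(label, "->", provisioning_gaps(decode_payload(token)) or "complete")
```

Run it against a token from a test sign-on before relying on bearer-token access, and pass the claim your OpenID provider actually uses for the role as role_claim.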