---
title: PingOne Advanced Identity Cloud cross-domain single sign-on
description: Configure cross-domain single sign-on (CDSSO) using PingOne Advanced Identity Cloud as the authentication server for PingGateway
component: pinggateway
version: 2026
page_id: pinggateway:aic:cdsso
canonical_url: https://docs.pingidentity.com/pinggateway/2026/aic/cdsso.html
revdate: 2026-01-19T12:00:00Z
keywords: ["Single sign-on (SSO)", "Security", "Authenticate", "OAuth 2.0", "OpenID Connect (OIDC)", "Cross Domain SSO (CDSSO)"]
page_aliases: ["identity-cloud-guide:cdsso.adoc"]
---

# PingOne Advanced Identity Cloud cross-domain single sign-on

For organizations relying on AM's session and policy services with SSO, consider Cross-Domain Single Sign-On (CDSSO) as an alternative to SSO through OpenID Connect.

This example sets up PingOne Advanced Identity Cloud as an SSO authentication server for requests processed by PingGateway. Learn about PingGateway and CDSSO in [Cross-domain single sign-on for PingAM](../gateway-guide/cdsso.html).

Before you start, prepare PingOne Advanced Identity Cloud, PingGateway, and the sample application as described in [Example installation for this guide](preface.html#preface-examples).

1. Set up PingOne Advanced Identity Cloud:

   1. Log in to the Advanced Identity Cloud admin UI as an administrator.

   2. Make sure you are managing the `alpha` realm. If not, click the current realm at the top of the screen, and switch realm.

   3. Go to Identities > Manage > Alpha realm - Users, and add a user with the following values:

      * Username: `demo`

      * First name: `demo`

      * Last name: `user`

      * Email Address: `demo@example.com`

      * Password: `Ch4ng3!t`

   4. Register a PingGateway agent with the following values, as described in [Register a PingGateway agent in PingOne Advanced Identity Cloud](preface.html#register-agent-idc):

      * ID: `ig_agent`

      * Password: `password`

      * Redirect URLs: `https://ig.ext.com:8443/home/cdsso/redirect`

   5. Add a Validation Service:

      1. In PingOne Advanced Identity Cloud, select Native Consoles > Access Management. The AM admin UI is displayed.

      2. Select Services, and add a validation service with the following Valid goto URL Resources:

         * `https://ig.ext.com:8443/*`

         * `https://ig.ext.com:8443/*?*`

2. Set up PingGateway:

   1. Set up PingGateway for HTTPS, as described in [Configure PingGateway for TLS (server-side)](../installation-guide/securing-connections.html#server-side-tls).

   2. Make sure PingGateway connects to the sample application over HTTPS with a route to access static resources.

      Learn more in [Using the sample application](../getting-started/start-sampleapp.html).

   3. Add the following `session` configuration to `admin.json`.

      This ensures the browser passes the session cookie in the form-POST to the redirect endpoint (step 6 of [Information flow during CDSSO](../gateway-guide/cdsso.html#figure-cdsso-auth)):

      ```
      {
        "connectors": […​],
        "session": {
          "type": "InMemorySessionManager",
          "config": {
            "cookie": {
              "sameSite": "none",
              "secure": true
            }
          }
        },
        "heap": […​]
      }
      ```

      This step is required for the following reasons:

      * When `sameSite` is `strict` or `lax`, the browser doesn't send the session cookie, which contains the nonce used in validation. If PingGateway doesn't find the nonce, it assumes that the authentication failed.

      * When `secure` is `false`, the browser is likely to reject the session cookie.

        Learn more in [AdminHttpApplication (`admin.json`)](../reference/AdminHttpApplication.html).

   4. Set an environment variable for the PingGateway agent password, and then restart PingGateway:

      ```console
      $ export AGENT_SECRET_ID='cGFzc3dvcmQ='
      ```

      The password is retrieved by a SystemAndEnvSecretStore, and must be base64-encoded.

   5. Add the following route to PingGateway and correct the value for the property `amInstanceUrl`:

      * Linux

        `$HOME/.openig/config/routes/cdsso-idc.json`

      * Windows

        `%appdata%\OpenIG\config\routes\cdsso-idc.json`

      ```json
      {
        "name": "cdsso-idc",
        "baseURI": "https://app.example.com:8444",
        "condition": "${find(request.uri.path, '^/home/cdsso')}",
        "properties": {
          "amInstanceUrl": "https://myTenant.forgeblocks.com/am"
        },
        "heap": [
          {
            "name": "SystemAndEnvSecretStore-1",
            "type": "SystemAndEnvSecretStore"
          },
          {
            "name": "AmService-1",
            "type": "AmService",
            "config": {
              "url": "&{amInstanceUrl}",
              "realm": "/alpha",
              "agent": {
                "username": "ig_agent",
                "passwordSecretId": "agent.secret.id"
              },
              "secretsProvider": "SystemAndEnvSecretStore-1",
              "sessionCache": {
                "enabled": false
              }
            }
          }
        ],
        "handler": {
          "type": "Chain",
          "config": {
            "filters": [
              {
                "name": "CrossDomainSingleSignOnFilter-1",
                "type": "CrossDomainSingleSignOnFilter",
                "config": {
                  "redirectEndpoint": "/home/cdsso/redirect",
                  "authCookie": {
                    "path": "/home",
                    "name": "ig-token-cookie"
                  },
                  "amService": "AmService-1"
                }
              }
            ],
            "handler": "ReverseProxyHandler"
          }
        }
      }
      ```

      Source: [cdsso-idc.json](../_attachments/config/routes/cdsso-idc.json)

      Notice the following features of the route, compared to a route where PingAM is running locally:

      * The AmService `url` points to PingAM in PingOne Advanced Identity Cloud.

      * The AmService `realm` points to the realm where you configure your PingGateway agent.

   6. Restart PingGateway.

3. Test the setup:

   1. In your browser's privacy or incognito mode, go to <https://ig.ext.com:8443/home/cdsso> and accept the server certificate.

      The PingOne Advanced Identity Cloud login page is displayed.

   2. Sign on to PingOne Advanced Identity Cloud as user `demo`, password `Ch4ng3!t`.

      PingAM calls `/home/cdsso/redirect` and includes the CDSSO token. The CrossDomainSingleSignOnFilter passes the request to the sample application.
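
The settings from steps 2.3 to 2.5 have to agree with each other and with the agent registration, or the form-POST to the redirect endpoint fails validation. The following pre-flight check is an added example, not part of the PingGateway documentation or product; `check_cdsso` and the constants are hypothetical names, and the environment variable name is derived from the `agent.secret.id` / `AGENT_SECRET_ID` pair shown above.

```python
import base64
import re
from urllib.parse import urlsplit


def check_cdsso(admin, route, redirect_urls, env):
    """Return findings for the CDSSO setup; an empty list means every check passed."""
    findings = []
    cookie = admin.get("session", {}).get("config", {}).get("cookie", {})
    if str(cookie.get("sameSite", "")).lower() != "none":
        findings.append("sameSite is not 'none': the cookie holding the nonce is not sent")
    if cookie.get("secure") is not True:
        findings.append("secure is not true: the browser is likely to reject the cookie")
    cdsso = next(f["config"] for f in route["handler"]["config"]["filters"]
                 if f["type"] == "CrossDomainSingleSignOnFilter")
    endpoint = cdsso["redirectEndpoint"]
    if endpoint not in {urlsplit(u).path for u in redirect_urls}:
        findings.append("redirectEndpoint is not a registered agent redirect URL")
    # Assumption: the condition has the find(request.uri.path, '<regex>') form used above.
    cond = re.search(r"find\(request\.uri\.path,\s*'([^']+)'\)", route["condition"])
    if cond and not re.search(cond.group(1), endpoint):
        findings.append("route condition does not match redirectEndpoint")
    for obj in (o for o in route["heap"] if o["type"] == "AmService"):
        # Name mapping inferred from the page: agent.secret.id -> AGENT_SECRET_ID.
        var = obj["config"]["agent"]["passwordSecretId"].upper().replace(".", "_")
        try:
            secret = base64.b64decode(env.get(var, ""), validate=True)
        except ValueError:
            secret = b""
        if not secret:
            findings.append(f"{var} is unset or not valid base64")
        elif secret != secret.strip():
            findings.append(f"{var} decodes with surrounding whitespace")
    return findings


# Constructed sample input, reduced from the admin.json and cdsso-idc.json shown in the steps.
ADMIN = {"session": {"config": {"cookie": {"sameSite": "none", "secure": True}}}}
ROUTE = {
    "condition": "${find(request.uri.path, '^/home/cdsso')}",
    "heap": [{"type": "AmService", "config": {
        "agent": {"username": "ig_agent", "passwordSecretId": "agent.secret.id"}}}],
    "handler": {"config": {"filters": [{
        "type": "CrossDomainSingleSignOnFilter",
        "config": {"redirectEndpoint": "/home/cdsso/redirect"}}]}},
}
REDIRECTS = ["https://ig.ext.com:8443/home/cdsso/redirect"]
if __name__ == "__main__":
    print(check_cdsso(ADMIN, ROUTE, REDIRECTS, {"AGENT_SECRET_ID": "cGFzc3dvcmQ="}))
```

The whitespace finding catches a secret encoded with `echo password | base64`, which yields `cGFzc3dvcmQK` (a trailing newline inside the decoded password); `printf '%s' password | base64` produces the value used in step 2.4.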
