---
title: Using a specific PingAM journey
description: This page shows how to authenticate with SSO and the example AM authentication journey (tree) instead of the default authentication journey.
component: pinggateway
version: 2026
page_id: pinggateway:gateway-guide:proc-sso-authservice
canonical_url: https://docs.pingidentity.com/pinggateway/2026/gateway-guide/proc-sso-authservice.html
revdate: 2025-11-17T14:08:08Z
---

# Using a specific PingAM journey

This page shows how to authenticate with SSO and the example AM authentication journey (tree) instead of the default authentication journey.

1. Set up the example in [Using the default PingAM journey](proc-sso.html).

2. Add the following route to PingGateway:

   * Linux

     `$HOME/.openig/config/routes/sso-authservice.json`

   * Windows

     `%appdata%\OpenIG\config\routes\sso-authservice.json`

   ```json
   {
     "name": "sso-authservice",
     "baseURI": "https://app.example.com:8444",
     "condition": "${find(request.uri.path, '^/home/sso-authservice')}",
     "heap": [
       {
         "name": "SystemAndEnvSecretStore-1",
         "type": "SystemAndEnvSecretStore"
       },
       {
         "name": "AmService-1",
         "type": "AmService",
         "config": {
           "agent": {
             "username": "ig_agent",
             "passwordSecretId": "agent.secret.id"
           },
           "secretsProvider": "SystemAndEnvSecretStore-1",
           "url": "http://am.example.com:8088/openam/"
         }
       }
     ],
     "handler": {
       "type": "Chain",
       "config": {
         "filters": [
           {
             "name": "SingleSignOnFilter-1",
             "type": "SingleSignOnFilter",
             "config": {
               "amService": "AmService-1",
               "authenticationService": "Example"
             }
           }
         ],
         "handler": "ReverseProxyHandler"
       }
     }
   }
   ```

   Source: [sso-authservice.json](../_attachments/config/routes/sso-authservice.json)

   Notice the features of the route compared to `sso.json`:

   * The route matches requests to `/home/sso-authservice`.

   * The `authenticationService` property of SingleSignOnFilter points to an `Example` tree. PingGateway uses this authentication tree instead of the AM admin UI.

3. Create the `Example` authentication tree.

   1. Sign on to the AM admin UI as administrator.

   2. Go to Top Level Realm > Authentication > Trees and click Create Tree.

   3. Name the new tree `Example` and click Create.

   4. Arrange the nodes in the `Example` tree and click Save when done.

      ![Example authentication tree](_images/example-tree.png)

      * The Start node begins processing authentication.

      * The Zero Page Login Collector node lets the tree gather credentials without presenting a page.

      * The User Name Collector node gets the username.

      * The Password Collector node gets the password.

      * The Data Store Decision node validates the username and password against the stored credentials.

      * The Success node completes authentication.

      * The Failure node returns an authentication error.

4. Test the setup:

   1. In your browser's privacy or incognito mode, go to <https://ig.example.com:8443/home/sso-authservice>.

   2. If you see warnings that the site isn't secure, respond to the warnings to access the site.

   3. Note that the login page is different from the one in [Using the default PingAM journey](proc-sso.html).
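
Before deploying a route like the one in step 2, you can check that each SingleSignOnFilter names the journey you intend and that its AmService `url` uses HTTPS (the example route uses `http://`). The following Python script is an added example, not part of PingGateway or its documentation; `walk`, `audit_route` and the embedded sample route are constructed for illustration, and the script assumes that a missing `authenticationService` means the default journey applies.

```python
import json
from urllib.parse import urlparse

# Constructed sample: the route from step 2, trimmed to the fields the check reads.
SAMPLE_ROUTE = json.loads("""{
  "name": "sso-authservice",
  "heap": [{"name": "AmService-1", "type": "AmService",
            "config": {"url": "http://am.example.com:8088/openam/"}}],
  "handler": {"type": "Chain", "config": {
    "filters": [{"name": "SingleSignOnFilter-1", "type": "SingleSignOnFilter",
                 "config": {"amService": "AmService-1",
                            "authenticationService": "Example"}}],
    "handler": "ReverseProxyHandler"}}
}""")

def walk(node):
    """Yield every JSON object in the route, at any depth."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item)

def audit_route(route, expected_journey):
    """Return a list of findings for every SingleSignOnFilter in a parsed route."""
    objects = list(walk(route))
    named = {o["name"]: o for o in objects if "name" in o and "type" in o}
    findings = []
    for obj in objects:
        if obj.get("type") != "SingleSignOnFilter":
            continue
        label = obj.get("name", "<unnamed>")
        config = obj.get("config", {})
        # Assumption: no authenticationService means the default journey applies.
        journey = config.get("authenticationService")
        if journey != expected_journey:
            findings.append(f"{label}: journey is {journey!r}, expected {expected_journey!r}")
        # amService is a heap object name on this page; an inline object also works.
        am = config.get("amService")
        am = named.get(am, {}) if isinstance(am, str) else (am or {})
        url = am.get("config", {}).get("url", "")
        if urlparse(url).scheme != "https":
            findings.append(f"{label}: AmService url {url!r} is not https")
    return findings

if __name__ == "__main__":
    for finding in audit_route(SAMPLE_ROUTE, "Example"):
        print(finding)
```

To check a deployed route, load `sso-authservice.json` with `json.load` and pass the result to `audit_route` in place of the sample.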
