---
title: Setting up SSO to PingDirectory
description: Set up SSO access from PingOne to PingDirectory.
component: pingone
page_id: pingone:getting_started_with_pingone:p1_set_up_sso_pd
canonical_url: https://docs.pingidentity.com/pingone/getting_started_with_pingone/p1_set_up_sso_pd.html
revdate: February 10, 2025
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  linking-pingone-to-pingdirectory: Linking PingOne to PingDirectory
  before-you-begin-2: Before you begin
  steps: Steps
  configuring-matching-administrator-accounts: Configuring matching administrator accounts
  steps-2: Steps
  adding-the-oidc-application-to-pingone: Adding the OIDC application to PingOne
  steps-3: Steps
  configuring-the-application-in-pingdirectory: Configuring the application in PingDirectory
  steps-4: Steps
  testing-sso-to-pingdirectory: Testing SSO to PingDirectory
  steps-5: Steps
  result: Result:
  result-2: Result
---

# Setting up SSO to PingDirectory

To set up single sign-on (SSO) *(tooltip: The process of authenticating an identity (signing on) at one website (usually with a user ID and password) and then accessing resources secured by other domains without reauthenticating.)* access from the PingOne admin console to PingDirectory, configure PingOne and PingDirectory and test the sign-on experience.

## Before you begin

Ensure that you have:

* A PingDirectory server that accepts LDAPS connections

  This server will host the admin console that is being configured for SSO.

* The host name and port for the PingDirectory server

* A PingOne account

  Learn more in [Getting started with PingOne SSO](p1_gettingstarted.html).

* A PingOne environment that includes PingDirectory

  Learn more in [Adding an environment](../pingone_tutorials/p1_tutorial_passwordless_create_environment.html) and [Adding a service to an environment](../settings/p1_add_a_service.html).

  |   |                                                                                                 |
  | - | ----------------------------------------------------------------------------------------------- |
  |   | When creating a new PingOne environment, select **Customer solution** for the environment type. |

## About this task

During this process, you'll:

* Set up matching users between PingOne and the PingDirectory environments to allow the server's `All Admin Users` identity mapper to map the PingOne ID token to a Directory Server LDAP user.

* Add and configure the OpenID Connect (OIDC) *(tooltip: An authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management.)* application in PingOne.

* Configure the PingOne admin console and PingDirectory server.

## Linking PingOne to PingDirectory

Configure a link to connect PingOne and PingDirectory.

### Before you begin

Ensure that you have the values for host name and port for the PingDirectory server. Contact the PingDirectory administrator for these values.

### Steps

1. In the PingOne admin console, go to **Overview**.

2. Locate the **PingDirectory** tile and click **Add Admin UI Link**.

3. For **Admin URL**, enter `https://<hostname>:<port>/console`.

   Replace `<hostname>` and `<port>` with the values for the PingDirectory server.

   |   |   |
   | - | - |
   |   | You can specify the LDAP server to bind to by using the query parameters `ldap-hostname` and `ldaps-port` when the administrative console is configured for SSO. By binding to the LDAP server, you can use a single console instance to administer multiple PingDirectory servers. An LDAPS scheme is always assumed because an encrypted connection is always required for SSO. Using these parameters, you can specify the URL as follows: `https://<hostname>:<port>/console?ldap-hostname=<my-ldap-host>&ldaps-port=<my-ldaps-port>` |

4. Click **Save**.

## Configuring matching administrator accounts

Set up user accounts for the users you want to have SSO access to PingDirectory. You can repeat this procedure for multiple user accounts.

### Steps

1. In the PingOne admin console, go to **Directory > Users**.

2. Locate the user you want to configure and click the user entry to open the details panel.

3. On the **Profile** tab, copy the following values to a secure location:

   * **Username**

   * **Given name**

   * **Family name**

4. Open a terminal window.

5. Run the following `dsconfig` command.

   1. Replace `<pd_install>` with the PingDirectory installation directory.

   2. Replace the `<Username>`, `<GivenName>`, and `<FamilyName>` variables with the values you copied from the PingOne user details panel.

      ```
      ~/<pd_install>/bin/dsconfig create-root-dn-user --user-name <Username> \
        --set first-name:<GivenName> \
        --set last-name:<FamilyName>
      ```

## Adding the OIDC application to PingOne

In PingOne, add an OIDC application that connects to PingDirectory.

### Steps

1. In the PingOne admin console, go to **Applications > Applications** and click the **Plus** icon (**+**).

   1. Enter the following:

      * **Application Name**: Enter a name that helps you recognize this connection, such as `PingDirectory Administrative Console`.

      * **Description** (optional): Enter a brief description of this application that distinguishes it from others, such as `Application for the PingDirectory Administrative Console`.

   2. For **Application Type**, select **OIDC Web App**.

   3. Click **Save**.

2. Click the application entry to open the details panel.

3. On the **Configuration** tab, click the **Pencil** icon.

   1. Enter or edit the following values:

      | Field | Description |
      | ----- | ----------- |
      | **Response Type** | Select the **Code** checkbox. |
      | **Grant Type** | Select the **Authorization Code** checkbox. |
      | **Redirect URIs** | Enter `https://<hostname>:<port>/console/oidc/cb` and replace the variables with the values for the PingDirectory server hostname and port. To find the port, run the `status` command from the `bin` directory and look for the HTTPS connection handler line, for example `0.0.0.0:11443 : HTTPS : Enabled : HTTPS Connection Handler`. |
      | **Token Endpoint Authentication Method** | Select **Client Secret Basic** in the list. |

      |   |                                                                                                                                   |
      | - | --------------------------------------------------------------------------------------------------------------------------------- |
      |   | Learn more about configuring OIDC applications in [Editing an application - OIDC](../applications/p1_edit_application_oidc.html). |

   2. Click **Save**.

4. On the **Attribute Mappings** tab, click the **Pencil** icon.

   1. For the default `sub` attribute, select `UserName` in the **PingOne Mappings** list.

   2. Click **Save**.

5. To enable the application, click the toggle at the top of the details panel to the right (blue).

   You can disable the application by clicking the toggle to the left (gray).

## Configuring the application in PingDirectory

Modify a copy of the sample `dsconfig` batch file in PingDirectory to add the PingOne application's issuer URL and client credentials.

### Steps

1. In the PingOne admin console, go to **Applications > Applications** and click the application you created to open the details panel.

2. On the **Configuration** tab, copy the following values to a secure location:

   * **Issuer**

   * **Client ID**

   * **Client Secret**

3. Locate the PingDirectory `config` file at:

   ```
   PingDirectory/config/sample-dsconfig-batch-files/enable-pingone-admin-console-sso.dsconfig
   ```

4. Make a copy of the `config` file and leave the original file intact.

5. Open the copy of the `config` file in a text editor.

6. Replace the variables with the values you copied from PingOne.

   ```
   # Create an ID token validator suitable for verifying ID tokens generated
   # by the PingOne service. The "All Admin Users" identity mapper will be used
   # to match users that authenticate with PingOne to either root DN users or
   # topology admin users defined in the server configuration.
   dsconfig create-id-token-validator \
   --validator-name "PingOne ID Token Validator" \
   --type ping-one \
   --set enabled:true \
   --set "identity-mapper:All Admin Users" \
   --set evaluation-order-index:1 \
   --set issuer-url:<PING_ONE_APPLICATION_ISSUER_URL>

   [...]

   # Configure the Administrative Console with your application's client
   # credentials and issuer URI.
   dsconfig set-web-application-extension-prop \
   --extension-name Console \
   --set sso-enabled:true \
   --set oidc-client-id:<PING_ONE_APPLICATION_CLIENT_ID>  \
   --set oidc-client-secret:<PING_ONE_APPLICATION_CLIENT_SECRET>  \
   --set oidc-issuer-url:<PING_ONE_APPLICATION_ISSUER_URL>
   ```

7. Run the following `dsconfig` command.

   ```
   dsconfig --batch-file \
       enable-pingone-admin-console-sso-copy.dsconfig \
       --no-prompt
   ```
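Steps 4 to 7 as one script, added here as an example that is not part of the PingDirectory documentation or product. It fills the placeholders of the sample batch file with the values copied from PingOne and refuses to continue if the issuer URL is not HTTPS or if any placeholder is left unreplaced, so a half-edited file is never handed to `dsconfig`. The placeholder names are the ones in the sample file; the function names, the `PINGONE_CLIENT_SECRET` environment variable and the demo values are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the PingDirectory documentation or product: render the
# sample batch file with the values copied from PingOne, then apply it with the
# dsconfig command from the docs. Placeholder names come from the sample file;
# the function names, PINGONE_CLIENT_SECRET and the demo values are this
# script's own assumptions.
set -eu

# Literal (non-regex) substitution in awk, so a client secret containing '&' or
# '\' is copied verbatim (awk's gsub() gives those characters special meaning).
# Values are read from the environment rather than awk -v, which decodes escapes.
AWK_RENDER='
function rep(s, from, to,    i, out) {
  out = ""
  while ((i = index(s, from)) > 0) {
    out = out substr(s, 1, i - 1) to
    s = substr(s, i + length(from))
  }
  return out s
}
{
  $0 = rep($0, "<PING_ONE_APPLICATION_ISSUER_URL>", ENVIRON["PD_ISSUER"])
  $0 = rep($0, "<PING_ONE_APPLICATION_CLIENT_ID>", ENVIRON["PD_CLIENT_ID"])
  $0 = rep($0, "<PING_ONE_APPLICATION_CLIENT_SECRET>", ENVIRON["PINGONE_CLIENT_SECRET"])
  print
}'

# render_sso_batch TEMPLATE OUTPUT ISSUER_URL CLIENT_ID
# The client secret is taken from $PINGONE_CLIENT_SECRET instead of an argument,
# so it does not end up in shell history or in the process list.
# Runs in a subshell so the umask change does not leak into the caller.
render_sso_batch() (
  template=$1 output=$2 issuer=$3 client_id=$4
  : "${PINGONE_CLIENT_SECRET:?export PINGONE_CLIENT_SECRET before rendering}"
  case $issuer in
    https://*) ;;
    *) echo "issuer URL must use https, got: $issuer" >&2; exit 1 ;;
  esac
  umask 077            # the rendered file holds the client secret: owner-only
  PD_ISSUER=$issuer PD_CLIENT_ID=$client_id PINGONE_CLIENT_SECRET=$PINGONE_CLIENT_SECRET \
    awk "$AWK_RENDER" "$template" > "$output"
  # Refuse to hand dsconfig a file that still contains a placeholder.
  if grep -q '<PING_ONE_APPLICATION_' "$output"; then
    echo "unreplaced placeholder remains in $output" >&2
    exit 1
  fi
)

# apply_sso_batch OUTPUT: step 7 from the docs, run only where dsconfig exists.
apply_sso_batch() {
  if command -v dsconfig >/dev/null 2>&1; then
    dsconfig --batch-file "$1" --no-prompt
  else
    echo "dsconfig not on PATH; on the server run: dsconfig --batch-file $1 --no-prompt" >&2
  fi
}

# --- Constructed demo (placeholder values, not real PingOne identifiers) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/template.dsconfig" <<'EOF'
dsconfig create-id-token-validator \
  --validator-name "PingOne ID Token Validator" \
  --set issuer-url:<PING_ONE_APPLICATION_ISSUER_URL>
dsconfig set-web-application-extension-prop \
  --extension-name Console \
  --set sso-enabled:true \
  --set oidc-client-id:<PING_ONE_APPLICATION_CLIENT_ID> \
  --set oidc-client-secret:<PING_ONE_APPLICATION_CLIENT_SECRET> \
  --set oidc-issuer-url:<PING_ONE_APPLICATION_ISSUER_URL>
EOF
PINGONE_CLIENT_SECRET=${PINGONE_CLIENT_SECRET:-'demo-secret&with\specials'}
export PINGONE_CLIENT_SECRET
render_sso_batch "$demo_dir/template.dsconfig" \
  "$demo_dir/enable-pingone-admin-console-sso-copy.dsconfig" \
  "https://auth.pingone.example/ENV-ID-PLACEHOLDER/as" "CLIENT-ID-PLACEHOLDER"
echo "rendered $demo_dir/enable-pingone-admin-console-sso-copy.dsconfig (mode 0600)"
```

The rendered copy contains the client secret in clear text, which is why it is written with `umask 077`; delete it once `apply_sso_batch` has run, and keep the untouched sample file as the docs instruct. Rejecting a non-HTTPS issuer matters because the ID token validator fetches the issuer's signing keys from that URL.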

## Testing SSO to PingDirectory

Test the SSO experience from the PingOne admin console.

### Steps

1. In the PingOne admin console, go to **Overview**.

2. In the **Services** section, locate the **PingDirectory** tile.

3. Click **PingDirectory**.

   #### Result:

   A PingOne sign-on page opens.

4. Sign on using the credentials for a PingDirectory admin user.

### Result

The PingDirectory server administrative console opens.
