---
title: Setting up SSO to PingAccess
description: To set up single sign-on (SSO) access from the PingOne admin console to PingAccess, configure PingOne and PingAccess, and then test the sign-on experience.
component: pingone
page_id: pingone:getting_started_with_pingone:p1_set_up_sso_to_pa
canonical_url: https://docs.pingidentity.com/pingone/getting_started_with_pingone/p1_set_up_sso_to_pa.html
revdate: March 14, 2025
section_ids:
  before-you-begin: Before you begin
  configuring-pingone-for-sso-in-pingaccess: Configuring PingOne for SSO in PingAccess
  about-this-task: About this task
  steps: Steps
  example: Example:
  configuring-pingaccess: Configuring PingAccess
  steps-2: Steps
  testing-sso-to-pingaccess: Testing SSO to PingAccess
  steps-3: Steps
  result: Result:
  result-2: Result:
  troubleshooting: Troubleshooting:
---

# Setting up SSO to PingAccess

To set up single sign-on (SSO) access from the PingOne admin console to PingAccess, configure PingOne and PingAccess, and then test the sign-on experience.

## Before you begin

Ensure that you have:

* A licensed version of PingAccess

* A PingOne account

## Configuring PingOne for SSO in PingAccess

### About this task

To configure PingOne for SSO in PingAccess:

### Steps

1. In the PingOne admin console, add a new attribute for PingAccess administrator roles:

   1. Go to **Directory > User Attributes** and click the **+** icon.

   2. In the **Add Attribute** panel, select **Declared** and click **Next**.

      Declared attributes maintain the values of the claims that authorize access to other products.

   3. Enter the following information:

      * **Name**: `PingAccess-Role` (this value is case sensitive)

      * **Display Name**: `PingAccess Role`

      * **Description** (optional): Enter a brief description of this attribute that distinguishes it from others.

   4. Click **Save**.

2. Create a new connection:

   1. Go to **Applications > Applications** and click the **+** icon.

   2. In the **Add Application** panel, enter the following information:

      * **Application Name**: A name that helps you recognize this connection, such as `The PingOne Admin Console SSO PingAccess`.

      * **Description** (optional): A brief description of this application that distinguishes it from others.

   3. For **Application Type**, select **OIDC Web App** and click **Save**.

   4. In the application details panel, on the **Configuration** tab, click the **Pencil** icon.

   5. Locate the **Redirect URIs** field and enter the appropriate URL.

      #### Example:

      For example, `https://<FQDNofPAServer>:9000/pa/oidc/cb`, where `<FQDNofPAServer>` is the machine name or fully qualified domain name of your PingAccess server, such as `https://localhost:9000/pa/oidc/cb`.

   6. Click **Save**.

   7. On the **Resources** tab, click the **Pencil** icon.

   8. In the **Scopes** list, locate the **profile** scope and select the checkbox to add it to the **Selected Scopes** section.

      ![A screen capture of the Edit Resources page displaying the email and profile scopes in the list of allowed scopes.](_images/zwg1668727197349.png)

   9. Click **Save**.

   10. On the **Attribute Mappings** tab, click the **Pencil** icon.

   11. Click **+ Add** and add the following attribute mapping:

       | Attributes        | PingOne Mappings    |
       | ----------------- | ------------------- |
       | `PingAccess Role` | **PingAccess Role** |

   12. Click **Advanced Configurations**.

   13. For the attributes you just mapped, select the **Required** checkbox.

   14. Click **Save**.

3. To enable the application, click the toggle at the top of the details panel to the right (blue).

   You can disable the application by clicking the toggle to the left (gray).

4. Add a new PingAccess administrator and define their role and responsibilities.

   1. Go to **Directory > Users** and click the **+** icon.

   2. On the **Add User** panel, enter a username for a PingAccess administrator with the Administrator role assigned in PingAccess and select a population to which the administrator should belong.

      Learn more in [Admin UI SSO authentication](https://docs.pingidentity.com/pingaccess/latest/pingaccess_user_interface_reference_guide/pa_configuring_admin_ui_sso_authn_lp.html) in the PingAccess documentation.

   3. Click **Save**.

   4. In the **Profile** tab, click the **Pencil** icon and, in the **Custom Attributes** section, click **+ Add**.

   5. In the **New Attribute** list, select **PingAccess Role** and enter `fullAdmin`.

   6. Click **Save**.

   7. In the user details panel, go to the **Roles** > **Administrator Roles** tab, and click **Grant Roles**.

   8. In **Available Responsibilities**, click **Environment Admin** and select the checkboxes for the organizations and environments where the administrator should have this role.

   9. Click **Save**.

   10. Click the **More Options** (⋮) icon and select **Reset Password**.

   11. Select **Force password reset on next sign on**.

   12. Click **Save**.

5. Go to **Applications > Applications** and locate the application you created earlier.

6. Click the application entry to open the details panel.

7. On the **Configuration** tab, review the configuration information.

   You need this configuration information to configure PingAccess for SSO, so keep this browser window open.

   ![A screen capture of the Configurations page, which displays configuration information for an application.](_images/ezi1668790714977.png)

## Configuring PingAccess

After configuring PingOne for SSO, configure PingAccess.

### Steps

1. In the PingAccess administrative console, go to **Settings > System > Token Provider**.

2. On the **Token Provider** page, select **PingOne SSO** as the token provider.

3. In the **Issuer** field, enter the **Issuer ID** for the connection you created in PingOne.

   You can find this URL on the **Overview** tab of the application in PingOne.

   ![A screen capture of the Token Provider page.](_images/pingaccess_pingone_token_provider.png)

   Learn more in [Configuring PingOne](https://docs.pingidentity.com/pingaccess/latest/pingaccess_user_interface_reference_guide/pa_configuring_p1.html) in the PingAccess documentation.

4. Go to **Settings > Admin Authentication > UI Authentication**.

5. On the **Authentication Method** page, select **Single Sign-On** and enter or edit the following:

   1. For **OpenID Connect Login Type**, select **Code**.

   2. In the **Client ID** field, enter the **Client ID** for the connection you created in PingOne.

      You can find **Client ID** on the **Overview** tab of the application in PingOne.

   3. For **Client Credentials Type**, select **Secret** and enter the **Client Secret** for the connection you created in PingOne.

      You can find **Client Secret** on the **Overview** tab of the application in PingOne.

   4. Click **Save**.

      ![A screen capture of the Authentication Method page.](_images/hra1669058409339.png)

      Learn more in [Admin UI SSO authentication](https://docs.pingidentity.com/pingaccess/latest/pingaccess_user_interface_reference_guide/pa_configuring_admin_ui_sso_authn_lp.html) in the PingAccess documentation.
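
The values entered in the steps above (Issuer, login type **Code**, credentials type **Secret**, the **profile** scope, and the redirect URI registered in PingOne) can be checked for consistency against the provider's OpenID Connect discovery document before you test sign-on. The following Python code is an added example, not part of the PingOne or PingAccess documentation or products; `check_sso_settings` is a hypothetical helper, the discovery document is constructed sample data, and the environment ID in the issuer is a placeholder.

```python
from urllib.parse import urlsplit

# Constructed sample discovery document (field names from OpenID Connect
# Discovery 1.0); the environment ID in the issuer is a placeholder.
SAMPLE_ISSUER = "https://auth.pingone.com/00000000-0000-0000-0000-000000000000/as"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": SAMPLE_ISSUER + "/jwks",
    "response_types_supported": ["code", "id_token", "token id_token"],
    "scopes_supported": ["openid", "profile", "email"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
}


def check_sso_settings(issuer, redirect_uri, discovery):
    """Hypothetical helper: return a list of problems (empty list = consistent)."""
    problems = []
    # The Issuer entered in PingAccess is compared as an exact string, so a
    # trailing slash or a pasted endpoint URL counts as a mismatch.
    if discovery.get("issuer") != issuer:
        problems.append(f"issuer mismatch: configured {issuer!r}, "
                        f"advertised {discovery.get('issuer')!r}")
    # OpenID Connect Login Type "Code" needs the authorization code flow.
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("response type 'code' not advertised")
    # The profile scope is selected on the application's Resources tab.
    scopes = discovery.get("scopes_supported")
    if scopes is not None and "profile" not in scopes:
        problems.append("scope 'profile' not advertised")
    # Client Credentials Type "Secret" needs a client_secret_* method; when the
    # field is absent, Discovery defines the default as client_secret_basic.
    methods = discovery.get("token_endpoint_auth_methods_supported",
                            ["client_secret_basic"])
    if not {"client_secret_basic", "client_secret_post"} & set(methods):
        problems.append("no client_secret_* token endpoint auth method")
    # The client secret and tokens must only travel over TLS.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(discovery.get(key, "")).scheme != "https":
            problems.append(f"{key} is missing or not https")
    # Redirect URI: https, the /pa/oidc/cb callback path, no query or fragment.
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.path != "/pa/oidc/cb":
        problems.append("redirect URI must be https://<host>:<port>/pa/oidc/cb")
    if parts.query or parts.fragment:
        problems.append("redirect URI must not carry a query or fragment")
    return problems
```

To check a real environment, pass the JSON document served at the issuer's `/.well-known/openid-configuration` path as `discovery`.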

## Testing SSO to PingAccess

After configuring PingOne and PingAccess, test SSO to PingAccess.

### Steps

1. In the PingOne admin console, click the **Ping Identity** logo.

   #### Result:

   The admin console displays the environments to which you have access.

   ![A screen capture of the environment dashboard.](_images/vxj1676308916876.png)

2. On the **Environments** page, click the environment to open the details panel.

3. Click **Manage Environment** to go to the **Overview** page for the environment.

4. In the **Services** section, click the **PingAccess** icon.

   #### Result:

   The PingAccess administrative console opens.

   #### Troubleshooting:

   If the OpenID Connect (OIDC) token provider is unreachable:

   1. Review the reason for the failure in the `pingaccess.log` file.

   2. Enable the default administrator authentication by setting the `admin.auth` property in the `<PA_HOME>/conf/run.properties` file.

      Learn more in [Editing `run.properties` to disable SSO](https://docs.pingidentity.com/pingaccess/latest/troubleshooting/pa_editing_run_properties_to_disable_sso.html) in the PingAccess documentation.

   3. In the PingAccess administrative console, edit the admin UI SSO or token provider settings to address the issue.

   4. In the `run.properties` file, set `admin.auth` back to `default`.

      ![A screen capture of the PingAccess run.properties file with the authentication method parameter highlighted.](_images/p1_pingaccess_troubleshooting.png)

   5. Restart PingAccess to test.
