---
title: Setting up SSO to PingCentral
description: To set up single sign-on (SSO) access from the PingOne admin console to PingCentral, configure PingOne and PingCentral and test the sign-on experience.
component: pingone
page_id: pingone:getting_started_with_pingone:p1_set_up_sso_to_pingcentral
canonical_url: https://docs.pingidentity.com/pingone/getting_started_with_pingone/p1_set_up_sso_to_pingcentral.html
revdate: February 10, 2025
section_ids:
  before-you-begin: Before you begin
  configuring-pingone-for-sso-in-pingcentral: Configuring PingOne for SSO in PingCentral
  steps: Steps
  result: Result:
  result-2: Result:
  example: Example:
  configuring-pingcentral: Configuring PingCentral
  steps-2: Steps
  testing-sso-to-pingcentral: Testing SSO to PingCentral
  steps-3: Steps
  result-3: Result:
---

# Setting up SSO to PingCentral

To set up single sign-on (SSO) access from the PingOne admin console to PingCentral, configure PingOne and PingCentral and test the sign-on experience.

## Before you begin

Ensure that you have:

* A licensed version of PingCentral

* A PingOne account

* A text editor or terminal

|   |                                                                                                                                                                                                                 |
| - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | When SSO is enabled for PingCentral, auto-provisioning is also enabled, which currently causes sign-on issues. New users are created during this process even if those users already have PingCentral accounts. |

## Configuring PingOne for SSO in PingCentral

### Steps

1. In the PingOne admin console, add a new attribute to PingCentral administrator roles:

   1. Go to **Directory > User Attributes** and click the **+** icon.

      #### Result:

      The **Add Attribute** panel opens.

   2. In the **Add Attribute** panel, select **Declared** and click **Next**.

      Declared attributes maintain the values of the claims that authorize access to other products.

   3. Enter the following information:

      * **Name**: `PingCentral-Role` (this value is case sensitive)

      * **Display Name**: `PingCentral Role`

      * **Description** (optional): Enter a brief description of this attribute that distinguishes it from others.

   4. Click **Save**.

2. Create a new connection:

   1. Go to **Applications > Applications** and click the **+** icon.

      #### Result:

      The **Add Application** panel opens.

   2. Enter the following information:

      * **Application Name**: Enter a name that helps you recognize this connection, such as `PingOne administrator console SSO PingCentral`.

      * **Description** (optional): Enter a brief description of this application that distinguishes it from others.

   3. For **Application Type**, select **OIDC Web App** and click **Save**.

      ![A screen capture of the Add applications panel showing the application types, including the option for OIDC Web App.](_images/nrb1699296033346.png)

   4. In the application details panel, on the **Configuration** tab, click the **Pencil** icon.

   5. Locate the **Redirect URIs** field and enter the appropriate URL.

      #### Example:

      For example, `https://<FQDNofServer>:9022/login/oauth2/code/pingcentral`, where `<FQDNofServer>` is either the machine name or fully qualified domain name of your PingCentral server, such as `https://localhost:9022/login/oauth2/code/pingcentral`.

   6. Click **Save**.

   7. On the **Resources** tab, click the **Pencil** icon.

   8. In the **Scopes** list, locate the **Profile** scope and select the checkbox to add it to the **Allowed Scopes** section.

      |   |                                            |
      | - | ------------------------------------------ |
      |   | The `openid` scope is included by default. |

      ![A screen capture of the edit resources panel showing the profile scopes in the list of allowed scopes.](_images/wpg1699296194180.png)

   9. Click **Save**.

   10. On the **Attribute Mappings** tab, click the **Pencil** icon.

   11. Click **+ Add** and add the following attribute mapping:

       | Attributes         | PingOne Mapping      |
       | ------------------ | -------------------- |
       | `PingCentral Role` | **PingCentral Role** |

   12. Click the **Advanced Configurations** button.

   13. For the **PingCentral Role** attribute, select the **Required** checkbox.

   14. Click **Save**.

3. To enable the application, click the toggle at the top of the details panel to the right (blue).

   You can disable the application by clicking the toggle to the left (gray).

4. Add a new PingCentral administrator in PingOne and define their role and responsibilities.

   1. In the PingOne admin console, go to **Directory > Users** and click the **+** icon.

   2. On the **Add User** panel, enter the following information:

      * **Given Name** and **Family Name** (optional): Enter the user's name in these fields.

      * **Username**: Enter a username for the PingCentral administrator who has the **IAM Admin** role.

   3. Click **Save**.

   4. In the user details panel, on the **Roles** tab, click **Grant Roles**.

   5. In **Available Responsibilities**, click **Client Application Developer** and select the checkboxes for the organizations and environments where the administrator should have this role.

      ![A screen capture of the roles tab in the user details panel, which shows available and granted responsibilities.](_images/gio1699296385842.png)

   6. Click **Identity Data Admin** and select the checkboxes for the organizations and environments where the administrator should have this role.

   7. Click the **More Options** (⋮) icon and select **Reset Password**.

   8. Select **Force Password reset on next sign on**.

   9. Click **Save**.

5. Go to **Applications > Applications**, and locate the application you created earlier.

6. Click the application entry to open the details panel.

7. On the **Configuration** tab, review the configuration information.

   |   |                                                                                                                      |
   | - | -------------------------------------------------------------------------------------------------------------------- |
   |   | You need this configuration property information to configure PingCentral for SSO, so keep this browser window open. |

   ![A screen capture of the Applications page, which shows configuration information for the new connection.](_images/lxr1699296538963.png)

## Configuring PingCentral

After configuring PingOne for SSO, configure PingCentral.

### Steps

1. In a text editor, open the `<pc-path>conf/application.properties` file.

2. Use the configuration information on the **Applications** page in the PingOne admin console to update the following values in the `application.properties` file.

   |   |                                                                    |
   | - | ------------------------------------------------------------------ |
   |   | Watch for unwanted line breaks when pasting values into this file. |

   | PingOne attribute | `application.properties` file attribute | Value         | Example                                                                                               |
   | ----------------- | --------------------------------------- | ------------- | ----------------------------------------------------------------------------------------------------- |
   |                   | `pingcentral.sso.oidc.enabled`          | true          | `pingcentral.sso.oidc.enabled=true`                                                                   |
   | Issuer            | `pingcentral.sso.oidc.issuer-uri`       | Issuer        | `pingcentral.sso.oidc.issuer-uri=https://auth.pingone.com/3c2f30a3-7a92-406e-b8f2-6a181e56f46b/as`    |
   | Client ID         | `pingcentral.sso.oidc.client-id`        | Client ID     | `pingcentral.sso.oidc.client-id=5be9323a-e953-4aa6-8db3-5f4113a73f83`                                 |
   | Client Secret     | `pingcentral.sso.oidc.client-secret`    | Client Secret | `pingcentral.sso.oidc.client-secret=cigVeh5py8IC2~ViGMmM3sslpYyMLCWr5SnmjXwvHUG-r4CYjtoOMAlNSPqZ4bc9` |

3. Save and close the file.

4. Restart PingCentral.
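
Before the restart in step 4, the four SSO properties can be checked for the pasting problem called out above. The following Python check is an added example, not part of the Ping Identity documentation or product; it assumes plain `key=value` lines as shown in the table, and the function name and sample values are constructed for illustration.

```python
import re
from urllib.parse import urlparse

PREFIX = "pingcentral.sso.oidc."
REQUIRED = ("enabled", "issuer-uri", "client-id", "client-secret")
# Assumption: client IDs have the UUID form shown in the page's example.
UUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def check_sso_properties(text):
    """Return a list of problems in the SSO settings of application.properties."""
    props, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":          # blank line or comment
            continue
        if "=" not in line:
            # Typical result of a pasted value that wrapped onto a new line.
            problems.append(f"line {n}: not key=value (stray line break?)")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith(PREFIX):
            props[key[len(PREFIX):]] = value
    for name in REQUIRED:
        if not props.get(name):
            problems.append(f"{PREFIX}{name}: missing or empty")
    if props.get("enabled") and props["enabled"] != "true":
        problems.append(f"{PREFIX}enabled: must be true")
    issuer = urlparse(props.get("issuer-uri", ""))
    if props.get("issuer-uri") and (issuer.scheme != "https" or not issuer.hostname):
        problems.append(f"{PREFIX}issuer-uri: not an https URL")
    if props.get("client-id") and not UUID.fullmatch(props["client-id"]):
        problems.append(f"{PREFIX}client-id: not a UUID")
    if re.search(r"\s", props.get("client-secret", "")):
        problems.append(f"{PREFIX}client-secret: contains whitespace")
    return problems

# Constructed sample: placeholder values, secret broken in two by a bad paste.
BROKEN = """\
pingcentral.sso.oidc.enabled=true
pingcentral.sso.oidc.issuer-uri=https://auth.example.com/00000000-0000-4000-8000-000000000000/as
pingcentral.sso.oidc.client-id=11111111-1111-4111-8111-111111111111
pingcentral.sso.oidc.client-secret=PLACEHOLDER-FIRST-HALF
PLACEHOLDER-SECOND-HALF
"""

if __name__ == "__main__":
    for problem in check_sso_properties(BROKEN):
        print(problem)
```

A wrapped secret is reported as a stray line rather than as a bad secret, because the truncated first half still looks like a valid value; the messages never echo the secret itself.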

## Testing SSO to PingCentral

After configuring PingOne and PingCentral, test the sign-on experience to PingCentral.

### Steps

1. In the PingOne admin console sidebar, click the Ping Identity logo to open the **Environments** page and browse or search for the applicable environment.

2. On the **Environments** page, click the environment to open the details panel.

3. Click **Manage Environment** to go to the **Overview** page for the environment.

4. In the **Services** section, click the **PingCentral** icon.

   #### Result:

   The PingCentral admin console opens.
