---
title: Setting up SSO to PingFederate
description: To set up single sign-on (SSO) access for administrators from the PingOne admin console to the PingFederate administrative console, configure PingOne and PingFederate and test the sign-on experience.
component: pingone
page_id: pingone:getting_started_with_pingone:p1_setup_sso_pf
canonical_url: https://docs.pingidentity.com/pingone/getting_started_with_pingone/p1_setup_sso_pf.html
revdate: February 10, 2025
section_ids:
  before-you-begin: Before you begin
  steps: Steps
  example: Example:
  testing-sso-to-pingfederate: Testing SSO to PingFederate
  before-you-begin-2: Before you begin
  steps-2: Steps
  result: Result:
---

# Setting up SSO to PingFederate

To set up single sign-on (SSO) *(tooltip: \<div class="paragraph">
\<p>The process of authenticating an identity (signing on) at one website (usually with a user ID and password) and then accessing resources secured by other domains without reauthenticating.\</p>
\</div>)* access for administrators from the PingOne admin console to the PingFederate administrative console, configure PingOne and PingFederate and test the sign-on experience.

## Before you begin

Ensure that you have:

* A licensed version of PingFederate 10.1.2 or later

* A PingOne account

* A text editor or terminal

* The Environment Admin role assigned in PingOne

|   |                                                                                                                                                                                                                                                                                                       |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | For PingOne users to use SSO to PingFederate, they must have one or more PingFederate-related roles in PingOne. You can assign roles in the PingOne admin console. Learn more in [Administrator Roles](../directory/p1_roles.html) and [Managing user roles](../directory/p1_manage_user_roles.html). |

## Steps

1. In the PingOne admin console, go to the **Overview** page.

2. Locate the **PingFederate** tile and click **Configure Administrator SSO**.

   ![A screen capture of the Configure PingFederate SSO tile.](_images/knu1642444387407.png)

3. Enter the URL for the PingFederate administrative console.

   ### Example:

   `https://<pf_host>:<pf_port>/pingfederate/app`

   ![A screen capture of PingFederate SSO step 1.](_images/qkb1642444387877.png)

4. Click **Save and Continue**.

5. Copy the provided OpenID Connect (OIDC) *(tooltip: \<div class="paragraph">
   \<p>An authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management.\</p>
   \</div>)* settings to the `oidc.properties` file on the PingFederate administrative server.

   ![A screen capture of the PingFederate SSO step 2.](_images/zhx1696265854006.png)

   The following three unique parameters allow administrators to use SSO into PingFederate 11.2 or later from any PingOne environment if they have the proper administrator roles assigned for the environment. Learn more in [Administrator Roles](../directory/p1_roles.html).

   |   |                                                                                                                                                                         |
   | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | For PingFederate 11.1 or earlier, the administrator's identity must exist in the same PingOne environment as the SSO configuration, and these parameters can't be used. |

   | Request Parameter                   | Value                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
   | ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | `request.parameter.name.1`          | The request parameter's name. The value is `iss`.This field is required. Do not use URL encoding for the name.                                                                                                                                                                                                                                                                                                                                                                                                                      |
   | `request.parameter.default.value.1` | The default value of the request parameter. The value is the authorization endpoint of the current environment if the administrator identity resides in the current environment.- If this parameter isn't included in the request, the default value is included in the authorization request.

   - If this parameter isn't included in the request, and no default value is specified, the parameter isn't included in the authorization request.

   - This field is optional when `request.parameter.overridable.1` is set to `true`. |
   | `request.parameter.overridable.1`   | Specifies whether the request parameter can be overridden at runtime. The value is set to `true`, which allows the administrator identity's home environment to override the value.This field is optional. Possible values are `true` or `false`. If not specified, the default is `false`.If this property is set to `false`, the `request.parameter.default.value.1` is always included in the authorization request and can't be overridden.                                                                                     |

6. Click **Next**.

7. Copy the provided `run.properties` file attribute value to the `run.properties` file on the PingFederate administrative server.

   ![A screen capture of PingFederate SSO step 3.](_images/vxm1642444382153.png)

8. Click **Next**.

9. Click **Close**.

   ![A screen capture of PingFederate SSO step 4.](_images/esh1642444389359.png)

10. Restart the PingFederate server.

## Testing SSO to PingFederate

After configuring PingOne and PingFederate, test the sign-on experience to PingFederate.

### Before you begin

You must have a PingFederate-related role to perform this task. Learn more in [Administrator Roles](../directory/p1_roles.html).

### Steps

* In the PingOne admin console, on the **Overview** page, locate the **PingFederate** tile and click the **PingFederate** icon.

  ![Launch PingFederate admin console](_images/zob1642446746661.png)

  #### Result:

  The PingFederate administrative console opens.