--- title: Configure SSO to the admin portal description: Grant administrative users single sign-on (SSO) access to the PingOne SSO for SaaS Apps admin portal. component: pingoneforenterprise page_id: pingoneforenterprise:pingone_sso_for_saas_apps:p14saas_configure_sso_admin_portal canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_sso_for_saas_apps/p14saas_configure_sso_admin_portal.html revdate: March 30, 2023 section_ids: about-this-task: About this task steps: Steps choose-from: Choose from: result: Result next-steps: Next steps --- # Configure SSO to the admin portal Grant administrative users single sign-on (SSO) access to the PingOne SSO for SaaS Apps admin portal. ## About this task To permit service-provider (SP)-initiated SSO to the admin portal, you must configure the connection between the portal and your identity provider (IdP). ## Steps 1. In the admin portal, go to **Setup > Admin Portal SSO > IdP Configuration**. 2. **Optional:** Import the IdP metadata. ### Choose from: * To upload the metadata file, click **Select File**. * To enter the metadata URL, click **Or use URL**. 3. In the **Entity ID** field, enter the entity ID provided by the IdP. 4. In the **SSO Endpoint** field, enter the endpoint at the IdP to which PingOne sends AuthnRequests. 5. On the **Verification Certificate** line, click **Select File** to browse and upload the IdP's public signing certificate that PingOne will use to sign SAML assertions. 6. In the **Single Logout Endpoint** field, enter the IdP endpoint to which PingOne will send single logout (SLO) requests. 7. In the **Single Logout Response Endpoint** field, enter the IdP endpoint to which PingOne will send SLO responses. 8. On the **Single Logout Binding Type** line, click either the **Redirect** or **Post** button to determine which binding type PingOne will use to send SLO requests. 9. Select the **Sign the AuthnRequest** box to make PingOne sign AuthnRequests to the IdP. 10. To download the PingOne signing certificate for upload to your IdP, click **Download**. 11. From the **Signing Algorithm** list, select the algorithm PingOne will use to sign AuthnRequests to the IdP. 12. To download the PingOne metadata for upload to your IdP, click **Download PingOne Metadata**. 13. Click **Save Settings**. 14. Go to **Setup > Admin Portal SSO > Group Permissions**. 15. For each admin group you want to authorize to SSO, click **Add Group**. If you're using LDAP groups, this needs to be the full distinguished name (FDN) for the administrator group (`CN=admins,OU=example,…​`). | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can assign groups to a read-only administrative role, which grants the administrator access to the areas of the admin portal normally allowed by that role, but not the ability to change settings. | 16. Click **Save**. ## Result Your administrative users can sign on from the **Initiate Single Sign-On (SSO) URL** displayed at **Setup > Admin Portal SSO > IdP Configuration** after you complete the form. ## Next steps If you also intend to initiate SSO from your IdP, you must configure your IdP to append one of the following parameters to PingOne's ACS URL: * `RelayState=https://pingone.com/1.0/8bfe0aeb-79ca-4fd4-a116-c3f7c7dbe6ca` * `saasid=8bfe0aeb-79ca-4fd4-a116-c3f7c7dbe6ca`