To set up SSO:

  1. Configure SSO for PingCentral
  2. Configure the resource server
  3. Configure the OpenID provider
Note: When SSO access to PingCentral is configured, administrators cannot assign applications to application owners before they access PingCentral. After application owners sign on to PingCentral, administrators can access their account information and assign applications to them.

Auto-provisioned users

For each SSO user, a local PingCentral user is auto-provisioned the first time they sign on with information obtained from the subject (sub) claim provided by the OpenID provider.

The user’s first name, last name, and role are also recorded. PingCentral derives the user's name from the given_name and family_name claims defined by the profile scope.

If first-time access to PingCentral is with API access using a bearer token, auto-provisioning occurs if the user's name and role are available. For performance reasons, subsequent bearer token access doesn't update the local user information, such as first name and last name.

Although PingCentral administrators can modify or delete auto-provisioned users, doing so results in the SSO user being auto-provisioned again. Because the provisioning process generates a new PingCentral user ID, any application associations with the previous user ID will be lost.