1. In PingOne, add a new attribute to PingFederate administrative roles:
    1. Go to Directory > User Attributes, and click the Add Attribute button.

      The Select Attribute Type page opens.

    2. On the Select Attribute Type page, select Declared, and then click Next.

      Declared attributes maintain the values of the claims that authorize access to other products.

    3. On the Set Attribute Properties page, enter the following information:
      • Name: PingCentral-Role (this value is case sensitive)
      • Display name: PingCentral Role
      • Description (Optional): Enter a brief description of this attribute that distinguishes it from others.
    4. Click Save and Close.
  2. Create a new connection:
    1. Go to Applications > Applications, and click the + icon.

      The Add Application panel opens.

    2. In the Name and Describe Application section, enter the following information:
      • Application name: the PingOne administration console SSO PingCentral (or another name that helps you recognize this connection).
      • Description (Optional): Enter a brief description of this application that distinguishes it from others.
    3. In the Choose Application Type section, select OIDC Web App, and then click Save.
      A screen capture of the Add applications panel showing the application types, including the option for OIDC Web App.
    4. In the application details panel, click the Configuration tab, and then click the pencil icon.
    5. Locate the Redirect URIs field and enter the appropriate URL .

      For example, https://<FQDNofServer>:9022/login/oauth2/code/pingcentral, where <FQDNofServer> is either the machine name or fully qualified domain name of your PingCentral server, such as https://localhost:9022/login/oauth2/code/pingcentral.

    6. Click Save.
    7. Click the Resources tab, and then click the pencil icon.
    8. In the Scopes list, locate Profile scope. Click the + icon to add it to the Allowed Scopes section .
      Note:

      The openid scope is included by default.

      A screen capture of the edit resources panel showing the profile scopes in the list of allowed scopes.
    9. Click Save.
    10. Click the Attribute Mapping tab, and then click the pencil icon.
    11. Click the + Add button and add the following attribute mappings.
      Attributes PingOne Mapping

      PingCentral Role

      PingCentral-Role(this option is case sensitive)

    12. Click the Advanced Configurations button.
    13. For the PingCentral Role attribute, select the Required check box.
    14. Click Save.
  3. To enable the application, click the toggle switch to the on (blue) position.
  4. Add a new PingCentral administrator and define their role and responsibilities.
    1. Go to Directory > Users, and click the + icon.
    2. On the Add User panel, enter the following information:
      • Given Name and Family Name: Enter the user's name in these fields.
      • Username: Enter a username for the PingCentral administrator who has the IAM-Admin role.
      Note:

      Username is the only required field.

    3. Click Save.
    4. In the user details panel, click the Roles tab and click the Grant Roles button.
    5. In the Available Responsibilities list, select Identity Data Admin and Client Application Developer
      A screen capture of the roles tab in the user details panel, which shows available and granted responsibilities.
    6. In the More Options menu (three dots), click Reset Password.
    7. Select Force Password reset on next sign on.
    8. Click Save.
  5. Select Applications > Applications, and locate the application you created earlier.
  6. Click the application entry to open the details panel.
  7. Click the Configuration tab and review the configuration information.

    You need this configuration property information to configure PingCentral for SSO, so keep this browser window open.

    A screen capture of the Applications page, which shows configuration information for the new connection.

To continue the configuration, see Configuring PingCentral.