Setting up SSO to PingFederate - PingOne SSO - PingOne Cloud Platform - PingOne Services - PingOne

PingOne Cloud Platform

PingOne Cloud Platform
PingOne Cloud Platform
Product documentation
Guide > Administrator Guide

To set up single sign-on (SSO)single sign-on (SSO)sso The process of authenticating an identity (signing on) at one website (usually with a user ID and password) and then accessing resources secured by other domains without re-authenticating. access for administrators from the admin console home page to the PingFederate administrative console, configure PingOne and PingFederate, and then test the sign-on experience.

Ensure that you have:

  • A licensed version of PingFederate 10.1.2 or later
  • A licensed version of PingOne
  • A text editor or terminal
  • The Environment Admin role in PingOne to set up SSO to PingFederate

For PingOne users to SSO to PingFederate, they must have one or more PingFederate-related roles in PingOne. You can assign roles in the PingOne admin console. For more information, see Roles and Assigning a user role.

  1. On the Overview page, locate the PingFederate tile and click Configure Administrator SSO.

    A screen capture of the Configure PingFederate SSO tile.
  2. Enter the URL for the PingFederate administrative console.


    A screen capture of PingFederate SSO step 1.
  3. Click Save and Continue.
  4. Copy the provided OpenID Connect (OIDC)OpenID Connect (OIDC)OIDC An authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management. settings to the file on the PingFederate administrative server.
    A screen capture of the PingFederate SSO step 2.

    The following three unique parameters allow administrators to use SSO into PingFederate 11.2 or later from any PingOne environment if they have the proper admin roles assigned for the environment. For more information, see Roles.

    Request Parameter Value

    The request parameter's name. The value is iss.

    This field is required. Do not use URLURLURL (Uniform Resource Locator) Identifies a resource according to its Internet location. encoding for the name.


    The default value of the request parameter. The value is the authorization endpoint of the current environment if the admin identity resides in the current environment.

    • If this parameter is not included in the request, the default value will be included in the authorization request.
    • If this parameter is not included in the request, and no default value is specified, the parameter will not be included in the authorization request.
    • This field is optional when request.parameter.overridable.1 is set to true.


    Specifies whether the request parameter can be overridden at runtime. The value is set to true, which allows the admin identity’s home environment to override the value.

    This field is optional. Possible values are true or false. If not specified, the default is false.

    If this property is set to false, the request.parameter.default.value.1 will always be included in the authorization request and cannot be overridden.

  5. Click Next.
  6. Copy the provided file attribute value to the file on the PingFederate administrative server.

    A screen capture of PingFederate SSO step 3.
  7. Click Next.
  8. Click Close.

    A screen capture of PingFederate SSO step 4.
  9. Restart the PingFederate server.