Basic SSO (password vaulting) uses the PingOne for Enterprise browser extension to relay credentials to the target cloud application. User credentials are encrypted (128 bit AES) with a user-specified privacy key and are stored in PingOne for Enterprise. The privacy key is stored in the local file system and is never sent to PingOne for Enterprise. PingOne for Enterprise uses stored encrypted credentials for single sign-on (SSO) to your cloud applications. The browser extension can access the encrypted credentials only after a user is authenticated to the identity repository.

To use Basic SSO, you must first enable it on the Setup > Dock > Configurations page. For more information, see Configuring the dock when using an identity bridge or Configure the dock when using PingOne for Enterprise Directory.


If you're using Basic SSO applications, there might be circumstances where you want to remove a prior version of the browser extension. You can remove the browser extension using the browser's standard extension or add-on removal process.

How Basic SSO works

Diagram of basic SSO with PingOne for Enterprise

What we log for every Basic SSO transaction

Whenever a Basic SSO user signs on with SSO to PingOne for Enterprise, we log the information in the following table. You can see the logging details displayed on your Reports page.

Parameter Description


The date and time of the SSO transaction.


The user ID we send to the service provider (SP).


The user ID returned by the identity bridge.


The user's IP address for this SSO transaction.


A unique ID for the connection we establish between the identity bridge and the application.


The ID assigned to the user application.


The PingOne for Enterprise account ID for the SP.


The name assigned to the SP account in PingOne for Enterprise.


The URL used for the SSO transaction.


Information about the client or agent used for SSO.


The name of the application used for SSO.


The identity bridge ID used by the SP to identify the identity bridge.


The unique account ID for the identity bridge in PingOne for Enterprise.


The name of the identity bridge in PingOne for Enterprise.


The user's first name as assigned by the identity provider (IdP).


The user's last name as assigned by the IdP.


The user's email address as assigned by the IdP.


The status of the SSO transaction.


Contains the error information if an error occurs.