How to Configure SSO via PingFederate
Written by Andy Kostenko
Updated over a week ago

supports Okta, AWS SSO, PingFederate, OneLogin, ADFS, and other SAML-compatible providers to configure SSO.

Note: SSO is available on the Enterprise Plan.

Follow the instructions on how to configure SSO via SSOCircle.

Before configuring your integration, you need to create a new connection in PingFederate. To do so, follow these steps:

  1. Access your Ping Federate instance.

  2. Choose the Identity Provider tab from the left-hand menu.

  3. On the "Identity Provider" page, select the Create New icon.

You are then brought to the Connection Configuration UI. Follow these steps to properly configure and create your new connection:

  1. Select the Browser SSO Profiles connection template on the Connection Type tab and click Next.

  2. Select Browser SSO on the Connection Options tab and click Next.

  3. Review the information on the Metadata Summary tab and click Next.

  4. In the General Info tab, ensure that the Service Provider's Entity ID, Connection Name, and Base URL fields are pre-populated from the metadata. Click Next.

  5. Navigate to the Browser SSO tab and click Configure Browser SSO. You will be redirected to the Browser SSO Setup wizard.

  6. Select the IdP-Initiated SSO and SP-Initiated SSO options on the SAML Profiles tab and click Next.

  7. Enter your desired assertion validity time on the Assertion Lifetime tab and click Next. By default, it is set to 5 minutes for both.

  8. Navigate to Assertion Creation and click Configure Assertion Creation. You will be redirected to the assertion creation setup wizard.

     I. In the Identity Mapping tab select STANDARD and click Next.

     II. Select a Subject Name Format for the SAML_SUBJECT on the Attribute Contract tab and click Next.

     III. Click Map New Adapter Instance on the Authentication Source Mapping.

     IV. Select an Adapter Instance and click Next. The adapter must include the user's email address.

     V. Select the Use only the adapter contract values in the SAML assertion option on the Mapping Method tab and click Next.

     VI. Select your adapter instance as the Source and the email as the Value on the Attribute Contract Fulfilment tab and click Next.

     VII. Skip the Issuance Criteria by selecting Next.

     VIII. Click Done on the Summary.

     IX. Click Next on the Authentication Source Mapping tab.

     X. Click Done on the Summary tab.

     XI. Click Next on the Assertion Creation.

Configure Protocol Settings

You will then have to configure your Protocol Settings. Follow these steps:

  1. Review your Protocol Settings. Select Next.

  2. Navigate to the Protocol Settings tab of the Browser SSO wizard and click Configure Protocol Settings.

  3. Select POST for Binding and specify the single sign-on endpoint URL in the Endpoint URL field on the Assertion Consumer Service URL. Click Next.

  4. Select POST on the Allowable SAML Bindings tab and click Next.

  5. Select your desired signature policies for assertions on the Signature Policy tab and click Next.

  6. Select your desired encryption policy for assertions on the Encryption Policy tab and click Next.

  7. Click Done on the Protocol Settings Summary tab.

  8. Click Done on the Browser SSO Summary.

Define your Credentials

Next, you will need to define your Credentials. Follow the steps as outlined below:

  1. In the Credentials tab, choose the Configure Credentials icon.

  2. Select the Signing Certificate to use with the Single Sign-On service and select Include the certificate in the signature element in the Digital Signature Settings tab. Click Done.

  3. Click Done on the Summary.

  4. Click Next on the Credentials.

Metadata Export

Now that you have configured your integration, you can export your Metadata to To do so, follow the steps as outlined below:

  1. Access your System Settings and choose Metadata Export.

  2. Within the Metadata Role tab, select I am the IDP. Select Next.

  3. Select Use a connection for Metadata Generation. Select Next.

  4. In the Connection Metadata tab, select the SP connection you create with Select Next.

  5. Select Signing Certificate. Select Next.

  6. Review and export the metadata file from Ping.

Adding data to

  1. Go to

  2. Open User Menu > Teams.

  3. Click Setup SSO.

  4. Choose PingFederate as the SSO provider, then click Create integration.

  5. Edit your SSO connection.

Now you need to get SSO data: Connection Identifier, Identity Provider URL, Identity Provider Issuer, and X509 Certificate. For this:

  6. Open the downloaded SAML metadata file, copy the URL located in the EntityDescriptor node > entityID attribute, and paste it into the "Identity Provider Issuer" field.

  7. Next, copy the URL from the SingleSignOnService node > Location attribute and paste it into the "Identity Provider SSO URL" field.

  8. Finally, copy the content of the X509Certificate node and paste it into the "X509 Signing Certificate" field.

  9. When all the fields are filled on in > Create integration.

  10. Within the next 24 hours, the SSO integration will be active. If not, contact support.
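
Steps 6 to 8 can be scripted instead of copied by hand. The following is an added example, not part of the original article or of PingFederate: it reads the three fields from the exported metadata with Python's standard library and also returns a SHA-256 fingerprint, so the pasted certificate can be compared with the signing certificate chosen in the Credentials steps. The sample metadata, host name and certificate bytes are constructed placeholders, and `extract_sso_fields` is a hypothetical name.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Constructed sample: entityID, host and certificate bytes are placeholders.
CERT_B64 = base64.b64encode(b"placeholder DER bytes, not a real certificate").decode()
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    {CERT_B64}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/idp/SSO.saml2"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def extract_sso_fields(metadata_xml):
    """Return the values for steps 6-8 plus a SHA-256 certificate fingerprint."""
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("refusing metadata that carries a DTD")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{MD}}}EntityDescriptor" or idp is None:
        raise ValueError("not IdP metadata: EntityDescriptor/IDPSSODescriptor missing")
    # Take the POST endpoint, the binding selected in the Protocol Settings steps.
    urls = [e.get("Location") or "" for e in idp.findall("md:SingleSignOnService", NS)
            if e.get("Binding") == POST]
    if not urls or not urls[0].startswith("https://"):
        raise ValueError("no HTTPS SingleSignOnService endpoint with POST binding")
    # A KeyDescriptor without a 'use' attribute serves signing and encryption.
    certs = [c.text or "" for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")
             for c in k.findall(".//ds:X509Certificate", NS)]
    if len(certs) != 1 or not certs[0].strip():
        raise ValueError(f"expected one signing certificate, found {len(certs)}")
    cert_b64 = "".join(certs[0].split())  # drop line breaks and indentation
    der = base64.b64decode(cert_b64, validate=True)
    return {
        "Identity Provider Issuer": root.get("entityID"),
        "Identity Provider SSO URL": urls[0],
        "X509 Signing Certificate": cert_b64,
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
    }

if __name__ == "__main__":
    for field, value in extract_sso_fields(SAMPLE).items():
        print(f"{field}: {value}")
```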
