# Ping Identity {% hint style="info" %} This feature is available in the **Premium plan and higher**. {% endhint %} {% hint style="danger" %} **Remember to** [**grant your Ping Identity users access permissions**](#step-3-managing-user-access) **to GoodAccess. Users without them won't be able to log in.** {% endhint %} ## Step 1 - Adding a new identity provider [Log in to the GoodAccess **Control Panel**, and go to **Settings** > **SSO & Identity**.](https://app.goodaccess.com/sso-and-identity/) Click **+ Add provider**, enter the **Provider name**, choose your **Identity Provider**, and click **Continue**. ## Step 2 - Setting up Single Sign-On with SAML Log in to the Ping Identity Admin console, go to **Applications** > **Applications**, and click **(+)**. Give the application a name, select **SAML Application**, and click **Configure**. Select **Manually Enter**, and copy the details from GoodAccess - **(2) GoodAccess links**. * **ACS URLs** - Assertion Consumer Service URL * **Entity ID** - Entity ID Return to GoodAccess, and click **Continue**. Return to Ping Identity, and click **Save**.

Ping Identity Admin console with key steps to creating a new SAML application. — Creating a new SAML application

### 1. Attribute Mappings Go to **Attribute Mappings**, click the **Edit icon**, and add the following attributes: | Attributes | PingOne Mappings | | ------------------------ | ---------------- | | "email" (without quotes) | Email Address | | "name" (without quotes) | Username | Check the **Required** boxes, and click **Save**.

Ping Identity Admin console with key steps to setting up the "Attribute Mappings". — Setting up the Attribute Mappings

### 2. Configuration Go to **Configuration**, click **Download Metadata**, and open the file in a text editor (e.g. Notepad). Copy the details to GoodAccess - **(3) Identity Provider links**, and click **Continue**. * **Sign in URL** - Single Signon Service * **Entity ID** - Issuer ID * **X509 signing certificate** - Copy the certificate from the text editor Don't forget to **Enable** the application.

Ping Identity Admin console with key steps to setting up GoodAccess. — Setting up GoodAccess

Notepad with highlighted X509 signing certificate. — Copying the certificate from the Notepad

{% hint style="info" %} If you don't want to setup SCIM, skip the next step in GoodAccess, and click **Submit** to finish the configuration. {% endhint %} You have now successfully set up your Ping Identity SSO with GoodAccess. ## Step 3 - Managing user access {% hint style="danger" %} **Please note:** If no groups are selected, **all users will have access**. To prevent unauthorized access, ensure you add at least one group, even when setting up SCIM. {% endhint %} {% hint style="warning" %} If you are setting up SCIM, skip this section. User access for SCIM is managed separately—please refer to [#user-filter](#user-filter "mention") for details. {% endhint %} In the application, go to **Access**, and click the **Edit icon**. Choose who should have access, and click **Save**.

Ping Identity Admin console with key steps to managing user access. — Managing user access

## Step 4 (optional) - Setting up SCIM ### 1. Provisioning Connection Go to **Integrations** > **Provisioning**, click **(+)** to create a new connection, and select **Identity Store**. Select **SCIM Outbound**, and click **Next**. Give the connection a name, and click **Next**.

Ping Identity Admin console with key steps to creating a new provisioning connection. — Creating a new provisioning connection

#### Authentication Copy the **URL** and **Token** from GoodAccess - **(4) User provisioning (SCIM)**. * **SCIM BASE URL** - URL * **SCIM Version** - 2.0 * **Authentication Method** - OAuth 2 Bearer Token * **Oauth Access Token** - Token * **Auth Type Header** - Bearer Return to GoodAccess, and click **Submit**. Return to Ping Identity, click **Test Connection**, and **Next**.

Ping Identity Admin console with key steps to setting up the "Authentication". — Setting up the Authentication

#### Preferences Select actions to allow, and click **Save**. Don't forget to **Enable** the connection.

Ping Identity Admin console with key steps to setting up the "Preferences". — Setting up the Preferences

### 2. Provisioning Rule Go to **Integrations** > **Provisioning**, and click **(+)** to create a new rule. Give the rule a name, and click **Create Rule**. Click **(+)** to add your new connection as **Target**, and click **Save**.

Ping Identity Admin console with key steps to creating a new provisioning rule. — Creating a new provisioning rule

#### User Filter Click the **Edit icon** to modify the user provisioning criteria. For instance, you can use the **Group Names** attribute to provision users based on their membership in a specific group. | Attribute | Operator | Value | | ----------- | -------- | ------- | | Group Names | Contains | Group 1 | | Group Names | Contains | Group 2 | Click **Save**.

Ping Identity Admin console with key steps to setting up the "User Filter". — Setting up the User Filter

#### Attribute Mapping Click the **Edit icon**, and edit the existing mapping and add a new one as follows: | Identity Provider Directory | GoodAccess | | --------------------------- | ----------- | | Email Address | userName | | Username | displayName | Click **Save**.

Ping Identity Admin console with key steps to setting up the "Attribute Mapping". — Setting up the Attribute Mapping

#### (optional) Group Provisioning Click the **Edit icon**, and select groups you want to provision. Group memberships in GoodAccess are updated according to [#user-filter](#user-filter "mention") criteria. Click **Save**. Don't forget to **Enable** the rule.

Ping Identity Admin console with key steps to setting up the "Group Provisioning". — Setting up the Group Provisioning

{% hint style="info" %} The whole provisioning process will take around **20 minutes** to complete depending on the number of members and groups being added. {% endhint %} You have now successfully set up your Ping Identity SCIM with GoodAccess. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://support.goodaccess.com/configuration-guides/features/sso-scim/ping-identity.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.