# Ping Identity {% hint style="info" %} This feature is available in the **Premium plan and higher**. {% endhint %} {% hint style="danger" %} **Remember to** [**grant your Ping Identity users access permissions**](#step-3-managing-user-access) **to GoodAccess. Users without them won't be able to log in.** {% endhint %} ## Step 1 - Adding a new identity provider [Log in to the GoodAccess **Control Panel**, and go to **Settings** > **SSO & Identity**.](https://app.goodaccess.com/sso-and-identity/) Click **+ Add provider**, enter the **Provider name**, choose your **Identity Provider**, and click **Continue**. ## Step 2 - Setting up Single Sign-On with SAML Log in to the Ping Identity Admin console, go to **Applications** > **Applications**, and click **(+)**. Give the application a name, select **SAML Application**, and click **Configure**. Select **Manually Enter**, and copy the details from GoodAccess - **(2) GoodAccess links**. * **ACS URLs** - Assertion Consumer Service URL * **Entity ID** - Entity ID Return to GoodAccess, and click **Continue**. Return to Ping Identity, and click **Save**.

Ping Identity Admin console with key steps to creating a new SAML application. — Creating a new SAML application

### 1. Attribute Mappings Go to **Attribute Mappings**, click the **Edit icon**, and add the following attributes: | Attributes | PingOne Mappings | | ------------------------ | ---------------- | | "email" (without quotes) | Email Address | | "name" (without quotes) | Username | Check the **Required** boxes, and click **Save**.

Ping Identity Admin console with key steps to setting up the "Attribute Mappings". — Setting up the Attribute Mappings

### 2. Configuration Go to **Configuration**, click **Download Metadata**, and open the file in a text editor (e.g. Notepad). Copy the details to GoodAccess - **(3) Identity Provider links**, and click **Continue**. * **Sign in URL** - Single Signon Service * **Entity ID** - Issuer ID * **X509 signing certificate** - Copy the certificate from the text editor Don't forget to **Enable** the application.

Ping Identity Admin console with key steps to setting up GoodAccess. — Setting up GoodAccess

Notepad with highlighted X509 signing certificate. — Copying the certificate from the Notepad

{% hint style="info" %} If you don't want to setup SCIM, skip the next step in GoodAccess, and click **Submit** to finish the configuration. {% endhint %} You have now successfully set up your Ping Identity SSO with GoodAccess. ## Step 3 - Managing user access {% hint style="danger" %} **Please note:** If no groups are selected, **all users will have access**. To prevent unauthorized access, ensure you add at least one group, even when setting up SCIM. {% endhint %} {% hint style="warning" %} If you are setting up SCIM, skip this section. User access for SCIM is managed separately—please refer to [#user-filter](#user-filter "mention") for details. {% endhint %} In the application, go to **Access**, and click the **Edit icon**. Choose who should have access, and click **Save**.

Ping Identity Admin console with key steps to managing user access. — Managing user access

## Step 4 (optional) - Setting up SCIM ### 1. Provisioning Connection Go to **Integrations** > **Provisioning**, click **(+)** to create a new connection, and select **Identity Store**. Select **SCIM Outbound**, and click **Next**. Give the connection a name, and click **Next**.

Ping Identity Admin console with key steps to creating a new provisioning connection. — Creating a new provisioning connection

#### Authentication Copy the **URL** and **Token** from GoodAccess - **(4) User provisioning (SCIM)**. * **SCIM BASE URL** - URL * **SCIM Version** - 2.0 * **Authentication Method** - OAuth 2 Bearer Token * **Oauth Access Token** - Token * **Auth Type Header** - Bearer Return to GoodAccess, and click **Submit**. Return to Ping Identity, click **Test Connection**, and **Next**.

Ping Identity Admin console with key steps to setting up the "Authentication". — Setting up the Authentication

#### Preferences Select actions to allow, and click **Save**. Don't forget to **Enable** the connection.

Ping Identity Admin console with key steps to setting up the "Preferences". — Setting up the Preferences

### 2. Provisioning Rule Go to **Integrations** > **Provisioning**, and click **(+)** to create a new rule. Give the rule a name, and click **Create Rule**. Click **(+)** to add your new connection as **Target**, and click **Save**.

Ping Identity Admin console with key steps to creating a new provisioning rule. — Creating a new provisioning rule

#### User Filter Click the **Edit icon** to modify the user provisioning criteria. For instance, you can use the **Group Names** attribute to provision users based on their membership in a specific group. | Attribute | Operator | Value | | ----------- | -------- | ------- | | Group Names | Contains | Group 1 | | Group Names | Contains | Group 2 | Click **Save**.

Ping Identity Admin console with key steps to setting up the "User Filter". — Setting up the User Filter

#### Attribute Mapping Click the **Edit icon**, and edit the existing mapping and add a new one as follows: | Identity Provider Directory | GoodAccess | | --------------------------- | ----------- | | Email Address | userName | | Username | displayName | Click **Save**.

Ping Identity Admin console with key steps to setting up the "Attribute Mapping". — Setting up the Attribute Mapping

#### (optional) Group Provisioning Click the **Edit icon**, and select groups you want to provision. Group memberships in GoodAccess are updated according to [#user-filter](#user-filter "mention") criteria. Click **Save**. Don't forget to **Enable** the rule.

Ping Identity Admin console with key steps to setting up the "Group Provisioning". — Setting up the Group Provisioning

{% hint style="info" %} The whole provisioning process will take around **20 minutes** to complete depending on the number of members and groups being added. {% endhint %} You have now successfully set up your Ping Identity SCIM with GoodAccess.