> Learn how to configure PingFederate as your identity provider to work with SSO authentication for Firebolt.

# PingFederate

PingFederate is an identity and access management solution that enables secure single sign-on, identity federation, and authentication across multiple applications and platforms, supporting protocols like SAML, OAuth, and OpenID Connect. You can use PingFederate to enable secure single sign-on (SSO) and federated identity management for authentication across Firebolt.

To integrate PingFederate with Firebolt's platform, you need to configure both a [PingFederate application for Firebolt](#configure-pingfederate-application) and [Firebolt's SSO for PingFederate](#configure-firebolt-for-pingfederate). Detailed instructions can be found in the following sections:

#### Configure PingFederate application

1. Select **Applications** in the administration menu. Then on the **Applications** page, select **+** to create a new application.

2. Type in the application name (for instance, Firebolt) and description. Then select **SAML Application**, and select **Configure**.

3. Choose **Manually Enter** to provide application metadata.

   * Fill the **ACS URLs** field with a URL in the following format:
     `https://idp.app.firebolt.io/login/callback?connection=<organization_name>-<provider>&organization=<organization_identifier>`
     For example: `https://idp.app.firebolt.io/login/callback?connection=acmeorg-pingfederate&organization=org_82u3nzTNQPA8RyoM`

   > **`<organization_name>`** represents the organization name used to create your Firebolt account. The organization name is referenced in your vanity URL.\
   > **`<provider>`** represents the provider being configured as the IdP.\
   > **`<organization_identifier>`** is the unique identifier for your organization. To retrieve your **`<organization_identifier>`**, navigate to **Configure > SSO** in the Firebolt UI and select **Copy organization SSO identifier**.

   * Fill in **Entity ID** with the value `urn:auth0:app-firebolt-v2:<organization_name>-<provider>`, where:
     * `<organization_name>` is the name of the organization in Firebolt, and
     * `<provider>` is the provider value set in the Firebolt configuration step.

     For example: `urn:auth0:app-firebolt-v2:acmeorg-pingfederate`

4. Select **Save**.

5. From the **Configuration** tab:
   * Download the signing certificate in X509 PEM format
   * Save the value of Single SignOn Service

6. Open the **Attribute Mappings** tab, and edit the saml\_subject PingOne Mapping to map to Email Address. Then **Save**.
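
The **ACS URLs** and **Entity ID** values from step 3 must carry the same `<organization_name>-<provider>` pair, and a mismatch or a leftover placeholder is easy to miss when both are typed by hand. The following is an added example, not part of the Firebolt documentation or product: the function names `build_saml_values` and `check_saml_values` are hypothetical, and the sample inputs are the example values shown on this page.

```python
"""Added example: consistency check for the SAML values entered in step 3."""
from urllib.parse import urlsplit, parse_qs

ACS_HOST = "idp.app.firebolt.io"              # from the ACS URL format on this page
ACS_PATH = "/login/callback"
ENTITY_PREFIX = "urn:auth0:app-firebolt-v2:"  # from the Entity ID format on this page


def build_saml_values(org_name, provider, org_identifier):
    """Return (acs_url, entity_id) in the formats given in step 3."""
    connection = f"{org_name}-{provider}"
    acs_url = (f"https://{ACS_HOST}{ACS_PATH}"
               f"?connection={connection}&organization={org_identifier}")
    return acs_url, ENTITY_PREFIX + connection


def check_saml_values(acs_url, entity_id):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    url = urlsplit(acs_url)
    query = parse_qs(url.query)
    if url.scheme != "https" or url.hostname != ACS_HOST or url.path != ACS_PATH:
        problems.append("ACS URL does not point at https://idp.app.firebolt.io/login/callback")
    connection = query.get("connection", [""])[0]
    organization = query.get("organization", [""])[0]
    if not connection:
        problems.append("ACS URL has no connection parameter")
    if not organization:
        problems.append("ACS URL has no organization parameter")
    if "<" in acs_url or "<" in entity_id:
        problems.append("a <placeholder> was left unreplaced")
    if not entity_id.startswith(ENTITY_PREFIX):
        problems.append("Entity ID does not start with " + ENTITY_PREFIX)
    elif entity_id[len(ENTITY_PREFIX):] != connection:
        problems.append("Entity ID suffix and connection parameter differ")
    return problems


if __name__ == "__main__":
    acs, entity = build_saml_values("acmeorg", "pingfederate", "org_82u3nzTNQPA8RyoM")
    print(acs, entity, check_saml_values(acs, entity), sep="\n")
    # Constructed misconfiguration: Entity ID typed with a different provider value.
    print(check_saml_values(acs, "urn:auth0:app-firebolt-v2:acmeorg-ping"))
```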

#### Configure Firebolt for PingFederate

Once your identity provider (IdP) is configured, you can configure Firebolt to integrate with it. This can be done using either the Firebolt UI or SQL.

##### UI

1. To configure the Firebolt SSO integration with PingFederate using the UI, navigate to **Configure > SSO** in Firebolt.

2. Once there, enter your Sign-on URL, Issuer, Provider, Label, Certificate, and field-mappings, where

* `signOnUrl`: The sign-on URL, provided by the SAML identity provider, to which Firebolt sends the SAML requests. The URL is IdP-specific and is determined by the identity provider during configuration.
* `signoutUrl` (optional): The sign-out URL, provided by the application owner, to be used when the user signs out of the application. In PingFederate, you can retrieve this value by copying the `Single Logout Service` URL found in **Application > Configuration**.
* `issuer`: A unique value generated by the SAML identity provider specifying the issuer value.
* `provider`: The provider's name - for example: `PingFederate`.
* `label`: The label to use for the SSO login button. If not provided, the Provider field value is used.
* `certificate`: The certificate to verify the communication between the identity provider and Firebolt. The certificate needs to be in PEM or CER format, and can be uploaded from your computer by choosing **Import certificate** or entered in the text box.
* `field mapping`: Mapping to your identity provider's first and last name in key-value pairs. If additional fields are required, choose **Add another key-value pair**. Mapping is required for Firebolt to fill in the login’s given and last names the first time the user logs in using SSO.
  Here’s an example of how to set up field mapping:

  ```json
  {
      "given_name": "name",
      "family_name": "surname"
  }
  ```

  In the previous code example, `given_name` is your first name, and is mapped from the "name" field of the IdP. The `family_name` is your last name, and is mapped from the "surname" field.

3. Choose **Update changes**.

##### SQL

Values for SQL to create the SSO connection are as follows:

```sql
ALTER ORGANIZATION acmeorg SET SSO = '{
  "signOnUrl": "https://auth.pingone.eu/74d536da-4d98-4fdd-83ae-63af461eb826/saml20/idp/sso",
  "issuer": "pingfederate",
  "provider": "pingfederate",
  "label": "PingFederate Company App",
  "certificate": "<certificate>"
}';
```

where

* `signOnUrl` is the Single Sign On Service URL obtained during PingFederate configuration,
* `issuer` is the name of the issuer, `pingfederate` in this case,
* `provider` is the IdP name, `pingfederate` in this case,
* `label` is the text that will appear on the **Sign in** form (this defaults to `<organization_name>-<provider>` if a value is not provided, for instance `acme-pingfederate`),
* `certificate` is the X.509 certificate in PEM format downloaded in setup.
