# PingOne Authentication

:::note
The following steps are valid for PingOne SAML setup. Please note that the procedure is a broad description of a sample configuration. For a fully detailed how-to, visit the official [PingOne Documentation](https://docs.pingidentity.com/r/en-us/pingone/pingone_p1tutorial_add_a_saml_app).
:::

## Configure PingOne to Recognize a New Orchestrator Machine

1. Log in to the PingOne Administrator Console.
2. On the **Applications** tab, select **+ Add Application**. A new window opens.

   !['PingOne Applications tab' image](https://dev-assets.cms.uipath.com/assets/images/orchestrator/orchestrator-pingone-applications-tab-image-232011-1c1ad96b.webp)
3. Select **WEB APP**, and select the **Configure** button in the **SAML** box.

   !['PingOne WEBAPP' image](https://dev-assets.cms.uipath.com/assets/images/orchestrator/orchestrator-pingone-webapp-image-226695-6e1c4b35.webp)
4. On the **Create App Profile** page, enter an application name in the dedicated field, and select the **Next** button.

   !['PingOne Create App Profile page' image](https://dev-assets.cms.uipath.com/assets/images/orchestrator/orchestrator-pingone-create-app-profile-page-image-227003-46b5092c.webp)
5. On the **Configure SAML** page, specify the ACS URL by entering the URL of the Orchestrator instance followed by the suffix `identity/Saml2/Acs`. For instance: `https://orchestratorURL/identity/Saml2/Acs`. Keep in mind that the ACS URL is case-sensitive.
6. Scroll down the **Configure SAML** page, and set the **Entity ID** to `https://orchestratorURL`.
7. On the same page, select **HTTP Redirect** as your SLO binding.
8. In the **Assertion Validity Duration** field, enter the desired validity period in seconds, and press **Next**.

   !['Assertion Validity Duration field' image](https://dev-assets.cms.uipath.com/assets/images/orchestrator/orchestrator-assertion-validity-duration-field-image-226523-b11df4cf.webp)
9. On the **Map Attributes** page, map the following attribute: **Email Address** = `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`

   !['Map attributes page' image](https://dev-assets.cms.uipath.com/assets/images/orchestrator/orchestrator-map-attributes-page-image-227075-fb52d77b.webp)
10. Select **Save** and open the app from the **Applications** tab.

    !['Applications tab' image](https://dev-assets.cms.uipath.com/assets/images/orchestrator/orchestrator-applications-tab-image-226763-0cf0c619.webp)
11. In the newly opened window, copy the Single SignOn URL.

    !['Expanded app with details' image](https://dev-assets.cms.uipath.com/assets/images/orchestrator/orchestrator-expanded-app-with-details-image-231218-e173f00e.webp)

## Set Orchestrator/Identity Server to Use PingOne Authentication

1. Define a user in Orchestrator and set a valid email address for that user on the **Users** page.
2. [Import the signing certificate](https://docs.uipath.com/orchestrator/standalone/2025.10/user-guide/setting-orchestrator-to-use-a-private-key-certificate#private-key-certificates) provided by the Identity Provider to the Windows certificate store using Microsoft Management Console.
3. Log in to the [Management portal](https://docs.uipath.com/orchestrator/standalone/2025.10/user-guide/about-the-host-level#host-management-portal) as a system administrator.
4. Select **Security**.
5. Select **Configure** under **SAML SSO**.

   The **SAML SSO configuration** page opens.

6. Set it up as follows:
   * Optionally select the **Force automatic login using this provider** checkbox if, after the integration is enabled, you want your users to only sign in through the SAML integration.
   * Set the **Service Provider Entity ID** parameter to `https://orchestratorURL`.
   * Set the **Identity Provider Entity ID** parameter to the value obtained by configuring PingOne authentication.
   * Set the **Single Sign-On Service URL** parameter to the value obtained by configuring PingOne authentication.
   * Select the **Allow unsolicited authentication response** checkbox.
   * Set the **Return URL** parameter to `https://orchestratorURL/identity/externalidentity/saml2redirectcallback`.
   * Set the **External user mapping strategy** parameter to `By user email`.
   * Set the **SAML binding type** parameter to `HTTP redirect`.
   * In the **Signing Certificate** section, from the **Store name** list, select **My**.
   * From the **Store location** list, select `LocalMachine`.
   * In the **Thumbprint** field, enter the thumbprint of the signing certificate as shown in the Windows certificate store. [Details](https://docs.uipath.com/orchestrator/standalone/2025.10/user-guide/setting-orchestrator-to-use-a-private-key-certificate#private-key-certificates).
     :::note
     Replace all occurrences of `https://orchestratorURL` with the URL of your Orchestrator instance. Make sure that the URL of the Orchestrator instance does not contain a trailing slash. Always fill it in as `https://orchestratorURL`, not `https://orchestratorURL/`.
     :::
7. Select **Save** to save the changes to the external identity provider settings.

   The page closes and you return to the **Security Settings** page.

8. Select the toggle to the left of **SAML SSO** to enable the integration.
9. Restart the IIS server.
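
The following PowerShell script is an added example, not UiPath or Ping Identity code. It derives the URL values used in both procedures from one base URL, rejects a trailing slash, and confirms that the signing certificate is present in `LocalMachine\My` and within its validity period. The function names `Get-SamlSettings` and `Get-SigningCertificate` are hypothetical.

```powershell
# Added example: pre-flight check for the SAML values used on this page.
param(
    [Parameter(Mandatory)][string]$OrchestratorUrl,  # for example https://orchestratorURL
    [Parameter(Mandatory)][string]$Thumbprint        # as copied from the certificate store
)

function Get-SamlSettings {
    param([Parameter(Mandatory)][string]$BaseUrl)

    # The Orchestrator URL must not end with a slash.
    if ($BaseUrl.EndsWith('/')) { throw "Remove the trailing slash from '$BaseUrl'." }
    $uri = $null
    if (-not [Uri]::TryCreate($BaseUrl, [UriKind]::Absolute, [ref]$uri)) {
        throw "'$BaseUrl' is not an absolute URL."
    }

    # Suffixes are taken verbatim from the procedure; the ACS path is case-sensitive.
    [ordered]@{
        'PingOne: ACS URL'                         = "$BaseUrl/identity/Saml2/Acs"
        'PingOne: Entity ID'                       = $BaseUrl
        'Orchestrator: Service Provider Entity ID' = $BaseUrl
        'Orchestrator: Return URL'                 = "$BaseUrl/identity/externalidentity/saml2redirectcallback"
    }
}

function Get-SigningCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # A thumbprint copied from the certificate dialog can contain spaces or
    # invisible characters, so keep the hex digits only.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) { throw "Expected 40 hex digits, got $($clean.Length)." }

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$clean" -ErrorAction SilentlyContinue
    if (-not $cert) { throw "No certificate with thumbprint $clean in LocalMachine\My." }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        Write-Warning "Certificate $clean is outside its validity period."
    }
    $cert
}

Get-SamlSettings -BaseUrl $OrchestratorUrl | Format-Table -AutoSize
Get-SigningCertificate -Thumbprint $Thumbprint |
    Format-List Subject, Thumbprint, NotBefore, NotAfter
```

Paste the cleaned thumbprint printed by the script into the **Thumbprint** field rather than the raw value copied from the certificate dialog.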
