Ping Identity SSO
In this guide, you’ll learn how to set up Ping Identity authentication in Coalesce.
You must be a Ping Administrator to complete this process.
Before You Begin
Check Your Subdomain
Your subdomain is the subdomain of your Coalesce instance. For example, if you login at https://testapp.app.coalescesoftware.io/. Your subdomain is testapp.
To check if already have a subdomain, go your organizations single sign-on settings.
If you don't have a subdomain, you can add one to the subdomain box. Coalesce will automatically configure your subdomain based on the name entered. Check with your IT team before adding it to your organizations settings.
Create a Ping Identity Application
-
In Ping go to the Applications page, and create a new application.
-
Give the application a name.
-
Select Single-Page as the Application Type.
-
Click Save.
-
After saving, you’ll be taken to the Application overview screen.
-
Click on Configuration, then edit.
-
Set the following confirmation options:
- Select all options under Response Type:
- Code
- Token
- ID
- Grant Type:
- Click Authorization Code
- PKCE Enforcement is Optional
- Click Implicit
- Under Redirect URIs enter your Coalesce instance URL with login/callback added.
https://<your Coalesce app domain>/login/callback- For example:
https://testapp.app.coalescesoftware.io/login/callback
- The other configuration options can be left as default.
- Select all options under Response Type:
-
Click Save.
-
After saving, you’ll be taken to the Application overview screen.
-
Next, you’ll make sure your allowed scopes are set. Click on Resources, then edit.
-
Make sure the following scopes are set:
openidemailprofile
-
Make sure your application is turned on by toggling the switch near the X.
Gather Your Ping SSO Information
You are gathering your subdomain, Authorization Server, and OIDC clientID.
-
On the Application overview screen, click URLs to open a drop-down.
-
Copy the Authorization URL. You only need up to the
/as. Leave off the trailing slash.- For example:
https://auth.pingone.com/8d472703-1eaf-491b-a425-91aff175d01f/as.
- For example:
Get your OIDC Client ID
- On the Application overview screen, copy the Client ID.
Configure Coalesce Ping Settings
-
Open a new window.
-
Sign in to your Coalesce application using username and password.
-
Go to Organization Settings > Single Sign-On.
-
Enter in the following information:
Field Description Authority The system being used for Single Sign On. Choose Other. Subdomain This will be the same as Subdomain. Not the entire URL. Authorization Server https://auth.pingone.com/8d472703-1eaf-491b-a425-91aff175d01f/asServer-Side Authorization (Optional) Toggle on to add an authorization URL. Use this when the authorization server blocks access to the OpenID configuration or token endpoints. Authorization Endpoint (Available with Server-Side Authorization ) The authorization URL to redirect to. 
-
Go to your SSO URL, which will be formatted like -
https://mySubdomain.<app_domain>- and click on the Use Single Sign-On button to log in using SSO.
If instead of a button you see an error message, check to make sure you correctly entered all the fields in your Coalesce SSO settings. If the problem persists please reach out to our Support Team.
Duplicate Accounts After SSO Setup
The creation of a separate SSO account is expected behavior and does not affect your existing basic auth account's permissions.
When you first authenticate using SSO in Coalesce, the system creates a new SSO account separate from your existing basic authentication account. This new SSO account is automatically assigned Org Member permissions by default.
If you previously had admin permissions through your basic auth account, you'll need to update the permissions for your new SSO account. To do this:
- Log in using your basic authentication credentials.
- Update the permissions for your SSO account.
- If you don't have admin access, contact your organization's admin to update the permissions.