Single Sign-On
PingOne
How to set up PingOne with Unblocked
Centralize your team’s access to Unblocked by connecting it to PingOne.
Once the domain is verified, any user who enters an email address matching that domain on the Unblocked sign-in page will see the SSO login option for your SAML provider.
Verifying a domain only controls the visibility of the SSO login option and does not automatically grant access to
your Unblocked team. Access to Unblocked is still managed through user and group assignments in your identity provider (IdP).
Configure Single Sign-On
Follow the steps below to configure single sign-on for PingOne.1
Go to the Unblocked SSO Settings
Navigate to the Settings section of the Unblocked web app.
Under Team Settings, select Security.
Locate the Single Sign-On section and click Configure.
2
Create a SAML Application
From your PingOne console, navigate to the Applications tab.
Click the plus (+) button to add an Application.Enter Unblocked as the application name, enter a description, and upload the Unblocked icon.Select SAML Application as the application type.Click Configure.
3
SAML Configuration
Copy the following two values provided from your Unblocked web app into the SAML Configuration section:
ACS URLEntity ID
4
Copy SAML metadata into Unblocked
From the Overview tab of your SAML application,
copy the following three values from your new PingOne application into the Configure PingOne form in Unblocked:
Issuer IDInitiate Single Sign-On URLSigning Certificate(X509 PEM)
5
Configure Attribute Mappings
From the Attribute Mappings tab of your SAML application,
ensure that the following three attribute mappings are configured:
| Attributes | PingOne Mappings |
|---|---|
saml_subject | Email Address |
firstName | Given Name |
lastName | Family Name |
6
Click Save
Click Next to proceed to the final step,
then click the toggle to enable the application.
User and Group Provisioning
Once you’ve configured SSO, you can enable user and group provisioning to automatically manage user access to Unblocked. This feature allows you to automatically create, update, and deactivate users in Unblocked based on changes in PingOne. To configure SCIM provisioning from PingOne to Unblocked, you’ll need to create a new SCIM connection and a new provisioning rule in PingOne.1
Generate SCIM API Token
In the Unblocked web app, navigate to the Settings section.
Under Team Settings, select Security.
Locate the SCIM User and Group Provisioning section and click Configure.
Click Add Token to generate a new API token for SCIM provisioning. Copy both the new API token and the Base URL.
Click Add Token to generate a new API token for SCIM provisioning. Copy both the new API token and the Base URL.2
Create a new Provisioning Connection
From your PingOne console, navigate to the Provisioning tab.
Click New Connection.
Select the Identity Store connection type.
Select the SCIM Outbound identity store and click Next.
Enter Unblocked SCIM as the connection name,
optionally enter a description,
and upload the Unblocked icon icon.
To configure authentication, enter the following values:
To configure preferences, ensure that the following values are set:
Finally, toggle the switch for the Unblocked SCIM connection to On.
Select the Identity Store connection type.Select the SCIM Outbound identity store and click Next.Enter Unblocked SCIM as the connection name,
optionally enter a description,
and upload the Unblocked icon icon.To configure authentication, enter the following values:- SCIM Base URL: enter the Base URL that you copied earlier from Unblocked.
- Authentication Method: select the
OAuth 2 Bearer Tokenoption - OAuth Access Token: enter the API Token that you copied earlier from Unblocked.
- Auth Type Header: enter
Bearer
To configure preferences, ensure that the following values are set:- User Filter Expression:
username Eq "%s" - User Identifier:
workEmailThen click Save.
Finally, toggle the switch for the Unblocked SCIM connection to On.3
Create a new Provisioning Rule
From your PingOne console, navigate to the Provisioning tab.
Click New Rule.
Enter “Sync to Unblocked” as the rule name, and optionally enter a description.
Choose the Unblocked SCIM connection that you created earlier as the Target.
On the User Filter tab, click the edit icon to select the users you want to sync to Unblocked.
In this example, we’re syncing all users in the default population in the PingOne directory.
On the Attribute Mapping tab, click the edit icon and ensure that the following mappings are configured:
On the Group Provisioning tab, click the edit icon and select the groups you want to sync to Unblocked.
Click Save to complete the setup for SCIM provisioning from PingOne to Unblocked.
Finally, toggle the switch for the Sync to Unblocked rule to On.
Users and groups will now begin to sync from PingOne to Unblocked.
Enter “Sync to Unblocked” as the rule name, and optionally enter a description.Choose the Unblocked SCIM connection that you created earlier as the Target.On the User Filter tab, click the edit icon to select the users you want to sync to Unblocked.In this example, we’re syncing all users in the default population in the PingOne directory.On the Attribute Mapping tab, click the edit icon and ensure that the following mappings are configured:| PingOne Directory | Unblocked SCIM |
|---|---|
Enabled | active |
User ID | externalId |
Family Name | familyName |
Given Name | givenName |
Email Address | userName |
Email Address | workEmail |
On the Group Provisioning tab, click the edit icon and select the groups you want to sync to Unblocked.Click Save to complete the setup for SCIM provisioning from PingOne to Unblocked.
Finally, toggle the switch for the Sync to Unblocked rule to On.
Users and groups will now begin to sync from PingOne to Unblocked.Enforce SSO
Once SSO is configured, you can enforce its use for your team. This means all team members will be required to sign in using your SSO provider. There are two enforcement options:- SSO Only: Users will be required to sign in to Unblocked using SSO. You may need to sign in with SSO before enabling this option.
- SSO, a Source Code System, or Slack: Users can sign in using either SSO, their source code system (e.g., GitHub, Bitbucket, or GitLab), or Slack.
Allowed Email Domains
Verifying a domain ensures that users who enter an email address from that domain on the Unblocked sign-in page are automatically directed to your SSO login. This creates a seamless login experience and routes users through the correct authentication flow. You can add multiple domains to enable SSO login detection for users with different email addresses. To verify a domain:1
Add Domain
Click Add Domain and enter the domain name you want to verify.
2
Verify Domain
Unblocked will prompt you to add a TXT record to your DNS settings to complete the verification.
Download Unblocked Logo
To help your users easily recognize Unblocked in their identity provider dashboard, download the Unblocked logo for use in your SSO application.