Centralize your team’s access to Unblocked by connecting it to PingOne.

Configure Single Sign-On

Follow the steps below to configure single sign-on for PingOne.

1

Go to the Unblocked SSO Settings

Navigate to the Settings section of the Unblocked web app. Under Team Settings, select Security. Locate the Single Sign-On section and click Configure.

SSO Configuration
2

Create a SAML Application

From your PingOne console, navigate to the Applications tab. Click the plus (+) button to add an Application.

Enter Unblocked as the application name, enter a description, and upload the Unblocked icon.

Select SAML Application as the application type.

Click Configure.

Create PingOne App
3

SAML Configuration

Copy the following two values provided from your Unblocked web app into the SAML Configuration section:

  • ACS URL
  • Entity ID
SAML Configuration
4

Copy SAML metadata into Unblocked

From the Overview tab of your SAML application, copy the following three values from your new PingOne application into the Configure PingOne form in Unblocked:

  • Issuer ID
  • Initiate Single Sign-On URL
  • Signing Certificate (X509 PEM)
Copy SAML metadata
5

Configure Attribute Mappings

From the Attribute Mappings tab of your SAML application, ensure that the following three attribute mappings are configured:

AttributesPingOne Mappings
saml_subjectEmail Address
firstNameGiven Name
lastNameFamily Name
Attribute Mappings
6

Click Save

Click Next to proceed to the final step, then click the toggle to enable the application.

User and Group Provisioning

Once you’ve configured SSO, you can enable user and group provisioning to automatically manage user access to Unblocked. This feature allows you to automatically create, update, and deactivate users in Unblocked based on changes in PingOne.

To configure SCIM provisioning from PingOne to Unblocked, you’ll need to create a new SCIM connection and a new provisioning rule in PingOne.

1

Generate SCIM API Token

In the Unblocked web app, navigate to the Settings section. Under Team Settings, select Security. Locate the SCIM User and Group Provisioning section and click Configure.

SCIM Configure

Click Add Token to generate a new API token for SCIM provisioning. Copy both the new API token and the Base URL.

Generate API Token
2

Create a new Provisioning Connection

From your PingOne console, navigate to the Provisioning tab. Click New Connection.

New Connection

Select the Identity Store connection type.

Select Identity Store

Select the SCIM Outbound identity store and click Next.

Select SCIM Outbound

Enter Unblocked SCIM as the connection name, optionally enter a description, and upload the Unblocked icon icon.

Connection Name

To configure authentication, enter the following values:

  • SCIM Base URL: enter the Base URL that you copied earlier from Unblocked.
  • Authentication Method: select the OAuth 2 Bearer Token option
  • OAuth Access Token: enter the API Token that you copied earlier from Unblocked.
  • Auth Type Header: enter Bearer

Click Test Connection to verify the connection, and then click Next.

Configure Authentication

To configure preferences, ensure that the following values are set:

  • User Filter Expression: username Eq "%s"
  • User Identifier: workEmail Then click Save.
Configure Preferences

Finally, toggle the switch for the Unblocked SCIM connection to On.

Enable Connection
3

Create a new Provisioning Rule

From your PingOne console, navigate to the Provisioning tab. Click New Rule.

New Rule

Enter “Sync to Unblocked” as the rule name, and optionally enter a description.

Rule Name

Choose the Unblocked SCIM connection that you created earlier as the Target.

Connection Target

On the User Filter tab, click the edit icon to select the users you want to sync to Unblocked.

User Filter Edit

In this example, we’re syncing all users in the default population in the PingOne directory.

User Filter Selection

On the Attribute Mapping tab, click the edit icon and ensure that the following mappings are configured:

PingOne DirectoryUnblocked SCIM
Enabledactive
User IDexternalId
Family NamefamilyName
Given NamegivenName
Email AddressuserName
Email AddressworkEmail
Attribute Mapping

On the Group Provisioning tab, click the edit icon and select the groups you want to sync to Unblocked.

Group Provisioning

Click Save to complete the setup for SCIM provisioning from PingOne to Unblocked. Finally, toggle the switch for the Sync to Unblocked rule to On. Users and groups will now begin to sync from PingOne to Unblocked.

Enable Rule

Enforce SSO

Once SSO is configured, you can enforce its use for your team. This means all team members will be required to sign in using your SSO provider.

There are two enforcement options:

  • SSO Only: Users will be required to sign in to Unblocked using SSO. You may need to sign in with SSO before enabling this option.

  • SSO, a Source Code System, or Slack: Users can sign in using either SSO, their source code system (e.g., GitHub, Bitbucket, or GitLab), or Slack.

SSO Enforcement Options

Allowed Email Domains

Verifying a domain ensures that users who enter an email address from that domain on the Unblocked sign-in page are automatically directed to your SSO login. This creates a seamless login experience and routes users through the correct authentication flow.

You can add multiple domains to enable SSO login detection for users with different email addresses. To verify a domain:

1

Add Domain

Click Add Domain and enter the domain name you want to verify.

2

Verify Domain

Unblocked will prompt you to add a TXT record to your DNS settings to complete the verification.

Once the domain is verified, any user who enters an email address matching that domain on the Unblocked sign-in page will see the SSO login option for your SAML provider.

Verifying a domain only controls the visibility of the SSO login option and does not automatically grant access to your Unblocked team. Access to Unblocked is still managed through user and group assignments in your identity provider (IdP).

To help your users easily recognize Unblocked in their identity provider dashboard, download the Unblocked logo for use in your SSO application.

Unblocked Logo