> ## Documentation Index > Fetch the complete documentation index at: https://docs.getunblocked.com/llms.txt > Use this file to discover all available pages before exploring further. # PingOne > How to set up PingOne with Unblocked Centralize your team's access to Unblocked by connecting it to PingOne. ## Configure Single Sign-On Follow the steps below to configure single sign-on for PingOne. Navigate to the **Settings** section of the Unblocked web app. Under Team Settings, select **Security**. Locate the Single Sign-On section and click **Configure**. SSO Configuration

From your PingOne console, navigate to the Applications tab. Click the plus (+) button to add an **Application**. Enter **Unblocked** as the application name, enter a description, and upload the [Unblocked icon](#download-unblocked-logo). Select **SAML Application** as the application type. Click **Configure**. Create PingOne App

Copy the following two values provided from your Unblocked web app into the **SAML Configuration** section: * `ACS URL` * `Entity ID`

From the **Overview** tab of your SAML application, copy the following three values from your new PingOne application into the **Configure PingOne** form in Unblocked: * `Issuer ID` * `Initiate Single Sign-On URL` * `Signing Certificate` (X509 PEM) Copy SAML metadata

Click **Next** to proceed to the final step, then click the toggle to enable the application. ## User and Group Provisioning Once you've configured SSO, you can enable user and group provisioning to automatically manage user access to Unblocked. This feature allows you to automatically create, update, and deactivate users in Unblocked based on changes in PingOne. To configure SCIM provisioning from PingOne to Unblocked, you'll need to create a new SCIM connection and a new provisioning rule in PingOne. In the Unblocked web app, navigate to the **Settings** section. Under Team Settings, select **Security**. Locate the SCIM User and Group Provisioning section and click **Configure**. SCIM Configure

Click **Add Token** to generate a new API token for SCIM provisioning. Copy both the new API token and the **Base URL**. Generate API Token

From your PingOne console, navigate to the **Provisioning** tab. Click **New Connection**.

Select the **Identity Store** connection type. Select Identity Store

Select the **SCIM Outbound** identity store and click **Next**. Select SCIM Outbound

Enter **Unblocked SCIM** as the connection name, optionally enter a description, and upload the [Unblocked icon icon](#download-unblocked-logo).

To configure authentication, enter the following values: * **SCIM Base URL**: enter the **Base URL** that you copied earlier from Unblocked. * **Authentication Method**: select the `OAuth 2 Bearer Token` option * **OAuth Access Token**: enter the API Token that you copied earlier from Unblocked. * **Auth Type Header**: enter `Bearer` Click **Test Connection** to verify the connection, and then click **Next**. Configure Authentication

To configure preferences, ensure that the following values are set: * User Filter Expression: `username Eq "%s"` * User Identifier: `workEmail` Then click **Save**.

Finally, toggle the switch for the **Unblocked SCIM** connection to **On**. Enable Connection

From your PingOne console, navigate to the **Provisioning** tab. Click **New Rule**.

Enter "Sync to Unblocked" as the rule name, and optionally enter a description.

Choose the **Unblocked SCIM** connection that you created earlier as the **Target**. Connection Target

On the **User Filter** tab, click the edit icon to select the users you want to sync to Unblocked. User Filter Edit

In this example, we're syncing all users in the default population in the PingOne directory. User Filter Selection

On the **Group Provisioning** tab, click the edit icon and select the groups you want to sync to Unblocked.

Click **Save** to complete the setup for SCIM provisioning from PingOne to Unblocked. Finally, toggle the switch for the **Sync to Unblocked** rule to **On**. Users and groups will now begin to sync from PingOne to Unblocked. Enable Rule

## Enforce SSO Once SSO is configured, you can enforce its use for your team. This means all team members will be required to sign in using your SSO provider. There are two enforcement options: * **SSO Only**: Users will be required to sign in to Unblocked using SSO. You may need to sign in with SSO before enabling this option. * **SSO, a Source Code System, or Slack**: Users can sign in using either SSO, their source code system (e.g., GitHub, Bitbucket, or GitLab), or Slack. SSO Enforcement Options

## Allowed Email Domains Verifying a domain ensures that users who enter an email address from that domain on the Unblocked sign-in page are automatically directed to your SSO login. This creates a seamless login experience and routes users through the correct authentication flow. You can add multiple domains to enable SSO login detection for users with different email addresses. To verify a domain: Click **Add Domain** and enter the domain name you want to verify. Unblocked will prompt you to add a TXT record to your DNS settings to complete the verification. Once the domain is verified, any user who enters an email address matching that domain on the Unblocked sign-in page will see the SSO login option for your SAML provider. Verifying a domain only controls the visibility of the SSO login option and does not automatically grant access to your Unblocked team. Access to Unblocked is still managed through user and group assignments in your identity provider (IdP). ## Download Unblocked Logo To help your users easily recognize Unblocked in their identity provider dashboard, download the Unblocked logo for use in your SSO application.