# Ping Identity (PingOne)
{% hint style="success" %}
Please complete the steps in the [Admin Console Configuration](https://docs.keeper.io/en/sso-connect-cloud/admin-console-configuration) section first.
{% endhint %}
### Ping Identity Configuration
Login to the Ping Identity portal.
In your existing Environment click **Manage Environment.**
On the left, click **Applications** > **Application Catalog** > Search "**Keeper**" and select "**Keeper Password Manager**"
On the Application Details page, add the following data:
* Keeper Security Domain: **keepersecurity.com**
* Keeper Security Identifier: Can be found in the admin console under Entity ID ****
* Log in to the **Keeper Admin Console** at .
* In the **left panel**, go to **Admin** and select a **sub-node** (not the root).
* Navigate to **Provisioning → Add Method → Single Sign-On with SSO Connect® Cloud**.
* Enter a configuration name, add your domain, and click **Save**.
* After the SSO configuration is created, click the **three-dot menu (⋮)** next to it and select **View** to display the **Entity ID**.
* Once that is complete we can save and move on to the next steps.
Next, we can add the **Groups** who will be accessing the Keeper Application and click **Save.**
Click **Download Metadata** as we will upload this to Keeper in the next step.
* In attribute 1, type “**First**” in the Application Attribute column, select **First Name** in the Identity Bridge Attribute or Literal Value column, and check the Required button. Select the **Add new attribute** button.
* In attribute 2, type "**Last"** in the Application Attribute column, select **Last Name** in the Identity Bridge Attribute or Literal Value column, and check the Required button. Select the **Add new attribute** button.
* In attribute 3, type "**Email"** in the Application Attribute column, select **Email** in the Identity Bridge Attribute or Literal Value column, and check the Required button. Application Attributes: First, Last, Email must begin with a capital letter.
{% hint style="warning" %}
Application attribute names are case-sensitive. Ensure all attribute names use uppercase as shown in the examples. Using lowercase values may cause parsing errors during SSO setup.
{% endhint %}
\
\
On the Edit screen of the Keeper SSO Connect Cloud provisioning select "Generic" as the IDP Type and upload the saml2-metadata-idp xml file into the Keeper SSO Connect interface by browsing to or dragging and dropping the file into the Setup screen:
The Keeper Application should be added and enabled.
Your Keeper SSO Connect setup is now complete!
#### Move existing users/initial admin to SSO authentication
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
{% hint style="warning" %}
An admin can not move themselves to the SSO enabled node. It requires another admin to perform this action.
{% endhint %}
After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and inputting in the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering in the master password.
Initially select 'Enterprise SSO Login'
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation [can be found here](https://docs.keeper.io/enterprise-guide/domain-reservation).
