# PingOne
{% hint style="success" %}
Please complete the steps in the [Admin Console Configuration](https://docs.keeper.io/en/sso-connect-cloud/admin-console-configuration) section first. Legacy Ping Identity users who are not on PingOne should view our [Ping Identity documentation](https://docs.keeper.io/en/sso-connect-cloud/identity-provider-setup/ping-identity-keeper).
{% endhint %}
### PingOne
Login to the PingOne portal at .
From the **PingOne** console menu, select **Applications >** **Application Catalog**
Search "**Keeper**" and click on the **"Keeper Password Manager - Cloud SSO"** link to add the **Keeper Password Manager** application
Click **Setup** to proceed to the next step
Click **"Continue to Next Step"**
From the **Keeper Admin Console**, view the PingOne SSO Connect Cloud entry and click **Export Metadata** and save it in a safe location for future use. Also click **Export SP Cert** and save it in a safe location for future use.
From the PingOne Admin Console, click **Select File** next to "Upload Metadata" and browse to the saved metadata file from the **Keeper Admin Console**. This should populate the "ACS URL" and "Entity ID" fields with the proper datapoints.
Click on **Choose File** next to "Primary Verification Certificate" and browse to the saved `.crt` file from the **Keeper Admin Console.** Click on the checkbox next to "Encrypt Assertion" and then click **Choose File** next to "Encryption Certificate". Browse to the same saved `.crt` file from the **Keeper Admin Console.**
Validate the certificate and click **"Continue to Next Step".**
Enter the appropriate values associated with each attribute (see below image) and click **Continue to Next Step**
Modify the **Name** to appropriately match the Configuration Name of the SSO node from the **Keeper Admin Console**. Click **Continue to Next Step**
You may choose to add PingOne user groups to your application. Click **Add** next to the group or groups you would like to add and click **Continue to Next Step**.
{% hint style="info" %}
PingOne users will have access to Keeper Password Manager by default. Assigning groups to Keeper Password Manager restricts access to only those groups.
{% endhint %}
Click **Download** next to "SAML Metadata" and save the `.xml` file to a safe location.
Click **Finish** to complete the application setup wizard.
On the **Edit Configuration** screen of the Keeper SSO Connect Cloud provisioning in the **Keeper Admin Console,** select **PingOne** as the **IDP Type.**
Upload the SAML Metadata file downloaded in the previous step into the Keeper SSO Connect interface by browsing to or dragging and dropping the file into the **SAML Metadata** section.
Upload PingOne Metadata to Keeper
The PingOne Keeper SSO Connect Cloud™ entry will now show as **Active**. \\
View Active Keeper SSO Connect Entry
Your PingOne Keeper SSO Connect Cloud™ setup is complete!
#### Move existing users/initial admin to SSO authentication
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
{% hint style="warning" %}
An admin can not move themselves to the SSO enabled node. It requires another admin to perform this action.
{% endhint %}
After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and inputting in the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering in the master password.
Initially select 'Enterprise SSO Login'
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation [can be found here](https://app.gitbook.com/s/-LO5CAzpxoaEquZJBpYz/domain-reservation).
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.keeper.io/en/sso-connect-cloud/identity-provider-setup/pingone.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
