Important: These instructions apply only to Flow on-premises.
Overview
Below is a step-by-step guide for connecting your PingOne account to Flow with SSO.
Configuring Your PingOne Integration
Step 1: Sign into your PingOne Admin Account.
Step 2: In your Dashboard go to Applications.
Step 3: On the Applications page go to Add Application, then select New SAML Application.
Step 4: On this page you fill out the following fields then click Continue to Next Step.
- Application Name: Pluralsight Flow
- Application Description: Flow
- Category: Engineering
Step 5: After clicking Continue to Next Step leave this tab open and open Flow in a new tab. Navigate to Settings > SSO.

Step 6: Select New SAML Integration.

Step 7: In the Configure SAML integration modal, fill out these four field:
- Metadata ADFS has a metadata URL (generally formatted as: https://<base_url>/FederationMetadata/2007-06/FederationMetadata.xml). Copy/paste the URL or the raw XML into this field. We will get the metadata in the following step.
- Login URL this is the entity ID which also doubles as your login URL, you can use your company name or division or team of the company in the field, whatever is most relevant. Make note of this URL as it will be re-used in PingOne.
- Attributes we can map the various details of a user from PingOne into these field templates. They can be anything you'd like, but the capitalization/format must match perfectly.

Step 8: Navigate back to your PingOne tab, you should still be on Configure SAML Connection page. You will be using the Login URL you just created in Flow in three different fields:
- Assertion Consumer Service (ACS URLs)
- Entity ID
- Target Application URL
Depending on the version you are using of PingOne there may be some additional settings:
- If the option to select SAML v 2.0 is available make this is enabled.
- You may be required to input the Assertion Validity Duration (in seconds)
Everything else on this page can remain as is. Go to bottom of page and hit Save and continue.
Step 9: On this page you will need to add Attributes. FirstName, LastName, Email and Roles (if you are planning on handling Roles in PingOne).
Step 10: Roles: Hit Advanced and select GetLocalPartFromEmail then Save (this may not be available in every version of PingOne)
Step 11: Make sure you select the "Required" checkboxes for all the attributes except for Roles. Click Save and Continue.
Step 12: On the next page you will find the SAML Metadata. Download and Copy.
Step 13: Return to your Flow SSO tab you have open and paste that Metadata in the top box.

Optional Settings
- Embed Link: This setting should only be used if the main Entity ID does not work directly.
- Role Key: User roles will be mapped from the attribute value assertion via this key.
- Manage Roles within Flow: Check this box if you want Flow to manage your user’s role. New users will be give a default role upon logging in.
- Merge New Users on Email: Check this box if you already have Users invited into your Flow account using non-SSO logins. This will automatically delete the previous logins and force all existing Users to login via your SSO platform.

Step 14: Users should now be able to successfully login. If users see nothing upon initial login, then it is likely none of the users roles mapped properly to a role in Flow.
If you need help, please contact Pluralsight Support.