Configure Access Tokens for Authorization and Public Access
If you’re configuring SSO to use application keys, ignore this section.
This section describes how to configure the OAuth access tokens that the Experience Service uses to synchronize group memberships with ThingWorx and to allow public Experiences to access ThingWorx data.
Configure Access Token for Group Synchronization
The es-authorization user account is used to synchronize group memberships. Use the following steps to configure the access token for group synchronization:
1. From a standard web browser, navigate to the following URL, where <es-base-url> is the value defined in SSO Configuration Parameters:
<es-base-url>/ExperienceService/username
2. When prompted, enter your OpenID provider credentials for the es-authorization user account.
In Step 1, you may need to start a new browser session to ensure that you are prompted to log in.
3. When prompted to authorize scopes, authorize all requested scopes.
4. Once complete, the es-authorization username appears in the browser window.
Configure Access Token for Public Access
The es-public-access user account is used to enable public access to ThingWorx data. Use the following steps to configure the access token for public access:
1. From a standard web browser, navigate to the following URL, where <es-base-url> is the value defined in SSO Configuration Parameters:
<es-base-url>/ExperienceService/username
2. When prompted, enter your OpenID provider credentials for the es-public-access user account.
In Step 1, you may need to start a new browser session to ensure that you are prompted to log in.
3. When prompted, authorize all requested scopes.
4. Once complete, the es-public-access username appears in the browser window.