SSO Configuration Parameters
After installing PingFederate, identify values for configuration parameters that will be used to configure PingFederate and the Experience Service. The following values must be provided to complete configuration.
Parameter
Value
<es-base-url>
The URL used to access your Experience Service.
This should be in the following format:
<es-protocol>://<es-host>:<es-port>
For example:
https://es.example.com:8443
If your Experience Service is using the protocol's default port (port 80 for HTTP or port 443 for HTTPS), do not specify the default port for your Experience Service base URL. In some cases, including the default port can cause PingFederate to consider the Vuforia Studio redirect URI invalid.
For example, if the server in the previous example used port 443 instead of port 8443, then the base URL would be:
https://es.example.com
<es-scope>
If your company does not support creating custom or new scopes, you’ll need to set this parameter to a predefined scope. Typically, you can check your OpenID configuration for supported scopes, or check with your PingFederate administrator.
If nothing is defined, es-scope will be set to: studio-es-<es-host>:<es-port>.
For example:
studio-es-es.example.com:8443
<es-client-id>
Choose a unique value to use as the client ID for the Experience Service. For example: studio-es.
Note: This value must match the value that will be entered during Experience Service installation. If it does not match, SSO will not be configured properly.
<es-client-secret>
When configuring the Experience Service client, PingFederate gives you the option to generate a secret for the client. If you choose to generate a secret for the client, capture the value generated, as it will be required to complete other installation and configuration steps. Alternatively, you can choose your own client secret. In this case, ensure that the secret you choose is a strong password and cannot be easily guessed.
<es-redirect-uri>
<es-base-url>/ExperienceService/auth/oidc/callback
For example:
https://es.example.com:8443/ExperienceService/auth/oidc/callback
<studio-redirect-uri>
http://localhost:3000/authorization_code_redirect?audience=<es-base-url>
For example:
http://localhost:3000/authorization_code_redirect?audience=https://es.example.com:8443
<as-base-url>
The base URL for your PingFederate runtime engine service. For example:
https://pingfed.example.com:9031
<as-auth-endpoint>
The authorization endpoint URL of your PingFederate authorization server. This URL is used to initiate the authorization code flow that is used to authenticate users and obtain delegated authorization. Complete the following steps to obtain the value for this parameter:
1. In a web browser, navigate to the following URL:
<as-base-url>/.well-known/openid-configuration
This displays a JSON file containing OpenID and OAuth configuration information for your PingFederate server.
2. The value of the authorization_endpoint property is the authorization endpoint URL. For example:
https://pingfed.example.com/as/authorization.oauth2
Note: Remove any backslashes ("\") from the URL returned by PingFederate.
<as-token-endpoint>
The token endpoint URL for your PingFederate authorization server. Clients use this endpoint to retrieve access and refresh tokens. Complete the following steps to obtain the value for this parameter:
1. In a web browser, navigate to the following URL:
<as-base-url>/.well-known/openid-configuration
This displays a JSON file containing OpenID and OAuth configuration information for your PingFederate server.
2. The value of the token_endpoint property is the token endpoint URL. For example:
https://pingfed.example.com/as/token.oauth2
Note: Remove any backslashes ("\") from the URL returned by PingFederate.
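The following Python sketch is an added example, not part of the PTC or PingFederate documentation. It derives the Experience Service values from the protocol, host and port, applying the default-port rule, and reads the two endpoints from an openid-configuration document. The function names, the constructed sample JSON, the assumption that the backslashes are JSON-escaped slashes ("\/"), and the HTTPS and host checks are all assumptions of this example.

```python
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample of the discovery JSON with forward slashes escaped
# as "\/" (values follow the page's examples).
SAMPLE_DISCOVERY = r'''{
  "authorization_endpoint": "https:\/\/pingfed.example.com\/as\/authorization.oauth2",
  "token_endpoint": "https:\/\/pingfed.example.com\/as\/token.oauth2"
}'''

def es_base_url(protocol, host, port):
    """Build <es-base-url>, leaving out the port when it is the protocol default."""
    if DEFAULT_PORTS.get(protocol) == port:
        return f"{protocol}://{host}"
    return f"{protocol}://{host}:{port}"

def derive_es_params(protocol, host, port):
    """Derive the Experience Service values that depend on <es-base-url>."""
    base = es_base_url(protocol, host, port)
    return {
        "es-base-url": base,
        # Default scope format from the page, used when no scope is defined.
        "es-scope": f"studio-es-{host}:{port}",
        "es-redirect-uri": f"{base}/ExperienceService/auth/oidc/callback",
        "studio-redirect-uri":
            f"http://localhost:3000/authorization_code_redirect?audience={base}",
    }

def as_endpoints(discovery_text, as_base):
    """Read <as-auth-endpoint> and <as-token-endpoint> from discovery JSON."""
    doc = json.loads(discovery_text)  # decoding turns each "\/" into "/"
    expected_host = urlsplit(as_base).hostname
    found = {}
    for param, key in (("as-auth-endpoint", "authorization_endpoint"),
                       ("as-token-endpoint", "token_endpoint")):
        url = doc[key]
        parts = urlsplit(url)
        # Added sanity checks (assumptions, not PingFederate requirements).
        if "\\" in url or parts.scheme != "https" or parts.hostname != expected_host:
            raise ValueError(f"unexpected {key}: {url!r}")
        found[param] = url
    return found

if __name__ == "__main__":
    print(derive_es_params("https", "es.example.com", 8443))
    print(as_endpoints(SAMPLE_DISCOVERY, "https://pingfed.example.com:9031"))
```

Parsing the document as JSON, rather than copying the URL from the browser view, yields the endpoint values without backslashes.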
Next, enable OpenID Connect.