SSO Configuration for Vendor Access
How-to Guide
Authors:
Yulia Andreyanova, Alexey Kaminskiy
Changed on:
7 Oct 2025
Key Points
- Enables single sign-on access to Fluent OMS for multiple organizations.
- PingOne automatically routes users to the correct IdP by email domain.
- Requires connecting all relevant IdPs (e.g., Google Workspace, Azure AD).
- Uses an Authentication Policy in PingOne to define domain-based rules.
- Each user is linked to an Authoritative IdP that manages authentication.
- Provides a unified, secure, and streamlined login experience for all users.
Prerequisites
Steps
Create an Authentication Policy
- In the PingOne Admin Console, navigate to Authentication → Authentication Policies.
- Click + Add Policy.
- Enter a descriptive Policy Name (e.g., Fluent SSO Routing Policy).
- On the Create Policy screen, select Identifier First as the Step Type.
Add Discovery Rules
- Within your newly created policy, click + Add Rule under the Discovery Rules section.
- A Discovery Rules dialog opens. Click + Add Rule again to start adding your first rule.
- In the rule configuration:
- Username contains: Enter the domain pattern (for example,
`@vendor.com`or`@google.com`). Users who do not match any rule will authenticate directly against PingOne.
- Username contains: Enter the domain pattern (for example,
- Identity Provider: Select the IdP responsible for authenticating users matching this domain pattern.
- Repeat these steps for all vendor or external domains that require separate IdPs.
- When all rules are defined, click Save to finalize the policy.
- Finally, review the policy overview page and click Save again to apply the configuration to the policy.
Don’t Forget
- After saving, go to Applications → [Fluent App] → Authentication Policy.
- Select your new Authentication Policy from the list.
- Click Save to apply changes.
