Overview
This integration allows your users to sign in to Fiddler using their existing PingOne account, without needing a separate Fiddler password. Users are automatically provisioned on their first successful login — no manual invitations required.Prerequisites
Before starting, ensure you have:- PingOne Administrator Access: Permissions to create and configure applications in your PingOne environment.
- Fiddler AuthN Administrator Access: Org Owner role in Fiddler’s AuthN management console.
- Deployment Information: The hostname of your Fiddler deployment, e.g.
idpexample.dev.fiddler.ai.
Configuring PingOne and Fiddler for Integration
Fiddler AuthN Console Sign-in
The URL to the Fiddler AuthN management console is your Fiddler instance base URL prepended with
authn-. For example, if your Fiddler base URL is https://idpexample.dev.fiddler.ai then you will access the AuthN management console at https://authn-idpexample.dev.fiddler.ai.
Select Your Organization
Ensure your organization is selected in the dropdown. You may see the fiddler organization, but this is reserved for system use and should not be edited. Here we are using the idpexample organization.

Navigate to Identity Providers in Settings
Select Settings tab from the top menu and then select Identity Providers from the left navigation menu.

Add and Configure New SAML Provider
- Select the SAML option in the Add provider section, which brings up the Sign in with SAML form.
- Enter a name for the integration. This name is displayed on the SSO login button on the Fiddler sign-in page, so choose one your users will recognize.
- Paste the following placeholder value into the Metadata XML text area. AuthN needs it to generate the URLs used when you create the PingOne app integration; you will replace it in a later step.
Placeholder Metadata XML value
Save the SAML Provider
Select the Create button and then select the Save button. You will be returned to the Organization Settings page.

Copy the SAML URLs
Select your IdP from the list. Four URLs are displayed — copy the following three for the PingOne app integration steps:
- ZITADEL Metadata URL
- ZITADEL ACS Login Form URL
-
ZITADEL ACS Intent API URL

Create the PingOne App
- In the PingOne admin console, navigate to Applications and select the + icon.
-
Enter a name for your application, e.g.
Fiddler IdP Example, select SAML Application, then select Configure.
Configure the PingOne App
- Under Provide Application Metadata, select Manually Enter.
- Enter the ZITADEL ACS Login Form URL into the ACS URL text box.
- Add the ZITADEL ACS Intent API URL as a second ACS URL.
- Enter the ZITADEL Metadata URL into the Entity ID text box.
-
Select Save.

Configure the Application Settings
-
Open the created application and go to the Configuration section. Select the edit icon and ensure Sign Assertion and Response is selected, then select Save.

-
Go to the Attribute Mappings section. Select the edit icon and add the following mappings, then select Save:
- Name=
email, Value=Email Address - Name=
firstName, Value=Given Name - Name=
lastName, Value=Family Name - Name=
groups, Value=Group Names

- Name=
- At the top of the application, toggle it to Active.
-
Go to the Overview section, then under Connection Details, copy the IDP Metadata URL.

Replace the Placeholder Metadata XML
- Return to the identity provider form in the Fiddler AuthN console (where you left off in step 4 — Add and Configure New SAML Provider).
- Clear the Metadata XML text area.
-
Paste the IDP Metadata URL copied from PingOne into the Metadata URL text box.

Configure Additional Parameters
- Expand the optional section.
- Ensure the Automatic create and Automatic update checkboxes are selected.
-
Set the Determines whether an identity will be prompted to be linked to an existing account dropdown to Check for existing Username.

Save the Configuration Changes
Select the Save button. You will be returned to the Organization Settings page.

Activate the PingOne SAML IdP
-
Select your IdP from the list and select the Activate button on the identity provider page.

-
Close the settings and then select Login Behavior and Security from the left nav menu and ensure the External login allowed checkbox is selected.

-
Select the Save button.

Create a Custom Action
Select the Actions tab from the top menu.

- Select the New button in the Scripts section to create a new action script.
- Copy the PingOne SAML Action Script below and paste it into the script text area.
- Enter
setAttributesOnPingSAMLAuthin the Name text box. - Select the Add button.
PingOne SAML Action ScriptConfigure the Action Trigger
Scroll down to the Flows section.

- Select the External Authentication option for the Flow Type dropdown.
- Select the + Add trigger button.
- Select the Post Authentication option for the Trigger Type dropdown.
- Select the setAttributesOnPingSAMLAuth option for the Actions dropdown.
- Select the Save button.
Set the Organization SSO Authentication Type
Add an organization metadata key so Fiddler can correctly identify and process this SSO connection. Set this once during setup.
-
Go to the Metadata section and select Edit.

-
Select the Add button, then enter the key
fiddler_sso_authentication_typewith the valueSSO:PING:SAML.
- Select the Save button next to the new entry.
Validate the Integration
Before validating, ensure your PingOne user account is assigned to the new PingOne application you created.
-
Open your Fiddler URL (e.g.
https://idpexample.dev.fiddler.ai). -
Ensure you see the Fiddler sign-in page and that it displays an SSO login button labeled with the name you configured (e.g. PingOne SAML).

-
Select the button and confirm that the Fiddler application loads.

The first user to sign in to the Fiddler application is automatically assigned the Fiddler Org Admin role; subsequent members are Org Members by default.
Getting Help
If sign-in fails, check the PingOne Audit Log (Monitoring → Audit) for the failed attempt and its reason. For Fiddler-side issues, see the SSO Authentication Guide. If the issue persists, contact your Fiddler representative with the specific error message.Important Notes
- Data Storage: Fiddler stores the following profile attributes from PingOne: first name, last name, display name, email address, and group memberships (used to map users to Fiddler teams).
- API Access: For programmatic API access, users create an API key from the Credentials tab in Fiddler’s Settings page.
- Single Authentication Method: Users can only authenticate via either SSO or email authentication, not both.
Next Steps
After successful integration:- Train Users: Provide guidance on accessing Fiddler through PingOne SSO.
- Configure Teams: Map your identity provider groups to Fiddler teams — see Mapping AD Groups to Fiddler Teams.
- Test Group Sync: Verify automatic group synchronization is working as expected.
- Monitor Usage: Review authentication logs and user access patterns.