--- title: PingFederate SSO Admin Permissions description: Admins can SSO from PingOne into PingFederate with the following roles: component: pingone-api page_id: pingone-api:platform:reference/roles-and-permissions-in-pingone/pingfederate-sso-admin-permissions canonical_url: https://developer.pingidentity.com/pingone-api/platform/reference/roles-and-permissions-in-pingone/pingfederate-sso-admin-permissions.html section_ids: pingfederate-system-admin: PingFederate System Admin pingfederate-auditor: PingFederate Auditor pingfederate-crypto-admin: PingFederate Crypto Admin pingfederate-expression-admin: PingFederate Expression Admin pingfederate-user-admin: PingFederate User Admin --- # PingFederate SSO Admin Permissions Admins can SSO from PingOne into PingFederate with the following roles: ## PingFederate System Admin PingFederate System admins have the following permissions: * Configure partner connections and most system settings, except the management of local accounts and the handling of local keys and certificates. * Access to PingOne administrator console. ## PingFederate Auditor PingFederate Auditors have the following permissions: * View-only permissions for all administrative functions. * Access to PingOne administrator console. ## PingFederate Crypto Admin PingFederate Crypto admins have the following permissions: * Manage local keys and certificates. * Access to PingOne administrator console. ## PingFederate Expression Admin PingFederate Expression admins have the following permissions: * Configure partner connections and most system settings, except the management of local accounts and the handling of local keys and certificates. * Map user attributes by using the expression language, Object-Graph Navigation Language (OGNL). * Access to PingOne administrator console. ## PingFederate User Admin PingFederate User admins have the following permissions: * Create users, deactivate users, change or reset passwords, and install replacement license keys. * View-only permissions for all administrative functions. * Access to PingOne administrator console.