Create an OpenID Connect IdP connection

  1. If you have not already done so, enable the OpenID Connect protocol for IdP connections.

    1. Go to the Server Configuration > Server Settings > Roles & Protocols screen.

    2. Ensure the SP role is selected.

    3. Select the OpenID Connect check box to activate the protocol for IdP connections.

  2. On the SP Configuration menu, create a new IdP connection.

  3. On the Connection Type screen, select the Browser SSO Profiles check box and select OpenID Connect from the Protocol list.

    Note that when OpenID Connect is the chosen protocol, the other types become unavailable.

  4. On the Connection Options screen, you may enable JIT provisioning, OAuth attribute mapping (which requires the OAuth 2.0 Authorization Server role), or both.

    For simplicity, this topic focuses only on managing OpenID Connect IdP connection settings.

  5. On the General Info screen:

    1. Provide the required information, which includes

      Issuer: The Issuer Identifier of the OpenID Provider (OP).
      Connection Name: A plain-language identifier for the connection; for example, a company or department name. This name is displayed in the connection list on the administrative console.
      Client ID and Client Secret: The client ID and the client secret to communicate with the OP.

      This client represents PingFederate and is created and managed at the OP. For more information, please refer to the documentation provided by the OP.

    2. Click Load Metadata.

      Tip: Loading metadata from the OP expedites the connection setup. You may also update an existing connection by reloading metadata.

  6. On the Browser SSO screen, click Configure Browser SSO.

  7. On the User-Session Creation screen, click Configure User-Session Creation.

  8. On the Identity Mapping screen, you have three choices:

    • Select the No Mapping check box if you plan on passing end-user claims to the target application through an authentication policy contract in an SP authentication policy.
    • Select the Account Mapping check box if you plan on passing end-user claims to the target application through an SP adapter instance (or an authentication policy contract if your PingFederate server is a federation hub that bridges an OP to an SP).
    • Select the Account Linking check box if your target application requires account linking.

    Tip: End-user claims are basically user attributes found in ID tokens or obtained from the User Info endpoint at the OP.

    For illustration, this topic uses the Account Mapping configuration.

  9. On the Attribute Contract screen, extend the attribute contract.

    To mask the attribute values in the log, select the relevant check box for each applicable end-user claim.

    Note: If you have chosen to load the metadata from the OP on the General Info screen, the attribute contract is populated automatically.

  10. On the Target Session Mapping screen, click Map New Adapter Instance to map end-user claims to the target application through an SP adapter instance.

    (You may also map an authentication policy contract if your PingFederate server is a federation hub that bridges an OP to an SP.)

    Follow the administrative console to fulfill the SP adapter contract (or the authentication policy contract). Like other IdP connections, you have the options to query additional attributes from a data store, to specify issuance criteria, or to do both. When mapping an attribute, select Provider Claims from the Source list to map the attribute to an end-user claim. If your target application requires the associated access token, select Context as the source and Access Token as the value.

    Note that the Target Session Mapping configuration does not apply when the No Mapping option is chosen on the Identity Mapping screen.

  11. On the Protocol Settings screen, click Configure Protocol Settings.

  12. On the OpenID Provider Info screen, provide the scopes, the endpoints, and the authentication scheme.

    Scopes: The scopes to be included in the authorization and token requests to the OP. The default value is openid. Multiple space-separated values are allowed.
    Authorization Endpoint, Token Endpoint, User Info Endpoint, and JWKS URL: Various OAuth 2.0 and OpenID Connect 1.0 endpoints at the OP. For more information, see openid.net/connect.

    The User Info Endpoint field is optional. If omitted, PingFederate only has access to the end-user claims from the ID tokens.

    Note: If you have chosen to load the metadata from the OP on the General Info screen, the Scopes field and all endpoints are pre-populated (provided that the metadata contains the information).

    Authentication Scheme: The authentication method that PingFederate uses. PingFederate supports POST (the default) and HTTP basic authentication.

  13. On the Overrides screen, specify a default target URL and authentication context overrides.

  14. On the Activation & Summary screen, review your connection settings.

    When you finish setting up a connection, you may choose to activate it immediately.

    Important: Regardless of whether you choose to activate a new connection now or later, you must click Save on the Summary & Activation screen for a new connection if you want to keep the configuration.

    You can deactivate a connection at any time (for maintenance, for example). When a connection is inactive, all transactions to or from this partner are disabled.

    Tip: The SSO Application Endpoint near the top of the Summary & Activation screen is an example URL that the developers of the target application might use to invoke SSO for the connection. Additional query parameters might also be sent to the /sp/startSSO.ping endpoint.

    Note that SSO Application Endpoint does not apply when the No Mapping option is chosen on the Identity Mapping screen.

    In this use case, because PingFederate is essentially an OAuth client, you are likely required by the authorization server at the OP to register the Redirect URI. This registration should be associated with the client that represents PingFederate, the client that you have provided on the General Info screen. For more information, please refer to the documentation provided by the OP.
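As an added example, not part of this topic and not PingFederate's own code, the following Python mirrors what Load Metadata (step 5) and the OpenID Provider Info settings (step 12) amount to: read a constructed OP discovery document, check its issuer against the configured Issuer, derive the endpoints and the space-separated Scopes value, and build the code-for-token request under the POST and HTTP basic authentication schemes. The OP URLs, client credentials and redirect URI are constructed placeholders, not values from any real OP.

```python
import base64
import json
from urllib.parse import quote, urlencode

# Constructed sample OP discovery document (not a real OP), using the OpenID Connect Discovery 1.0 field names.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://op.example.com",
    "authorization_endpoint": "https://op.example.com/authorize",
    "token_endpoint": "https://op.example.com/token",
    "userinfo_endpoint": "https://op.example.com/userinfo",
    "jwks_uri": "https://op.example.com/jwks",
    "scopes_supported": ["openid", "profile", "email", "address"],
})

def load_metadata(configured_issuer, metadata_json, wanted=("openid", "profile", "email")):
    """Fields Load Metadata pre-populates. The issuer must equal the configured
    Issuer, or a substituted document could redirect token/key retrieval elsewhere."""
    md = json.loads(metadata_json)
    if md.get("issuer") != configured_issuer:
        raise ValueError(f"issuer mismatch: {md.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(md.get(key, "")).startswith("https://"):
            raise ValueError(f"{key} missing or not https")
    supported = set(md.get("scopes_supported", ["openid"]))
    # openid is mandatory; other scopes are kept only if the OP advertises them
    scopes = ["openid"] + [s for s in wanted if s != "openid" and s in supported]
    return {
        "issuer": md["issuer"],
        "authorization_endpoint": md["authorization_endpoint"],
        "token_endpoint": md["token_endpoint"],
        "userinfo_endpoint": md.get("userinfo_endpoint"),  # optional field on the page
        "jwks_uri": md["jwks_uri"],
        "scopes": " ".join(scopes),  # space-separated, as the Scopes field expects
    }

def token_request(client_id, client_secret, code, redirect_uri, scheme="POST"):
    """Build the code-for-token request for the chosen Authentication Scheme:
    POST puts the client credentials in the form body; BASIC sends them as an
    Authorization header (RFC 6749 2.3.1: form-urlencode each, join with ':', base64)."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if scheme == "POST":
        form.update(client_id=client_id, client_secret=client_secret)
    elif scheme == "BASIC":
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    else:
        raise ValueError("scheme must be POST or BASIC")
    return headers, urlencode(form)
```

The redirect URI passed to token_request is the one the OP must have registered for the client that represents PingFederate, as the paragraph above describes.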

Tags Capability > Credential Validation; Hosting Environment > On-Premises; Product > PingFederate > PingFederate 8.2; Product > PingFederate; Task Type > Configuration