---
title: Configuring OpenID Connect token providers
description: Configure OpenID Connect (OIDC) token provider settings in PingAccess.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_configuring_oidc
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_configuring_oidc.html
revdate: June 1, 2023
section_ids:
  steps: Steps
  next-steps: Next steps
---

# Configuring OpenID Connect token providers

Configure OpenID Connect (OIDC) token provider settings in PingAccess.

OIDC is an authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management.

## Steps

1. Click **Settings**, then go to **System > Token Provider > Common > OpenID Connect**.

   1. Go to **Settings > System > Token Provider** and select **Common Token Provider**.

2. In the **Issuer** field, enter the OIDC provider's issuer identifier.

3. **Optional:** In the **Description** field, enter a description for the token provider.

4. To record requests to the OIDC provider to the audit store, select the **Audit** check box.

5. If required, click **+ Add Query Parameter** and enter custom query parameter name and value pairs used by the OIDC provider.

6. In the **Trusted Certificate Group** list, select the group of certificates to use when authenticating to the OIDC provider.

   PingAccess requires the certificate in use by the OIDC provider to anchor to a certificate in the associated Trusted Certificate Group.

7. To configure advanced settings, click **Show Advanced**.

   1. To use a configured proxy, select the **Use Proxy** check box.

      If the node is not configured with a proxy, requests are made directly to the token provider. See [Adding proxies](pa_adding_proxies.html) for more information about creating proxies.

   2. Select the **Use Single-Logout** check box to enable single logout (SLO) when the `/pa/oidc/logout/` endpoint receives a request to clear the cookie containing the PingAccess token. SLO is the process of signing a user out of multiple sites where the user has started an SSO session.

      If you select this option, PingAccess sends a logout request to the token provider after receiving a request at the `/pa/oidc/logout/` endpoint. The token provider then completes a full SLO flow.

      To use this feature, you must configure SLO on the OIDC provider.

   3. Select the **Track id\_token** check box to track the `id_token` that the authorization server provides after authentication within the PingAccess session cookie.

      Token providers can use the `id_token` attribute to identify and locate a user's session. Some token providers may require an `id_token_hint` parameter for SLO, but not all. For more information on this configuration, see the table entry **Include id\_token\_hint in SLO** in step 8 of [Configuring admin UI SSO authentication](pa_configuring_admin_ui_sso_authn_task.html).

      You must select **Track id\_token** to use the `id_token` attribute when [Creating header identity mappings](pa_creating_header_identity_mappings.html). You can then use this header to pass along the `id_token` to other [Identity mappings](pa_identity_mappings.html) or [Rules](pa_rules.html).

      Tracking the `id_token` attribute increases the PingAccess cookie's size. This could make the cookie exceed the browser's limit. For more information, see [Minimizing the PingAccess cookie size](../troubleshooting/pa_minimizing_the_pa_cookie_size.html).

   4. Select **Request Supported Scopes Only** to limit the requested scopes to those advertised in the OIDC metadata.

8. Click **Save**.

## Next steps

After you have successfully configured the token provider, click **View Metadata** to display the metadata provided by the token provider. To update the metadata, click **View Metadata → Refresh Metadata**.
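The metadata can also be checked against the settings chosen in the steps above before relying on them. The following is an added example, not PingAccess code: it compares a discovery document with the **Issuer** value, models the **Request Supported Scopes Only** filter, and flags **Use Single-Logout** when the provider advertises no logout endpoint. The function name `preflight`, the `idp.example.com` metadata, and the use of `end_session_endpoint` (from OIDC RP-Initiated Logout) as the indicator of SLO support are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a provider's /.well-known/openid-configuration document.
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/authorize",
  "token_endpoint": "https://idp.example.com/token",
  "jwks_uri": "https://idp.example.com/jwks",
  "end_session_endpoint": "https://idp.example.com/logout",
  "scopes_supported": ["openid", "profile", "email"]
}""")

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri",
                 "end_session_endpoint")

def preflight(issuer, wanted_scopes, use_slo, metadata):
    """Return (scopes_to_request, findings) for a planned configuration."""
    findings = []
    # OIDC Discovery: the metadata issuer must be identical to the configured
    # issuer, so compare the raw strings without normalising either side.
    if metadata.get("issuer") != issuer:
        findings.append(f"issuer mismatch: metadata has {metadata.get('issuer')!r}")
    # A plain-http endpoint has no certificate to check against the
    # Trusted Certificate Group.
    for key in ENDPOINT_KEYS:
        url = metadata.get(key)
        if url and urlsplit(url).scheme != "https":
            findings.append(f"{key} is not https: {url}")
    # Model of "Request Supported Scopes Only": keep advertised scopes only.
    advertised = metadata.get("scopes_supported")
    if advertised is None:  # the field is optional in discovery metadata
        scopes = list(wanted_scopes)
        findings.append("scopes_supported missing: nothing to filter against")
    else:
        scopes = [s for s in wanted_scopes if s in advertised]
        dropped = [s for s in wanted_scopes if s not in advertised]
        if dropped:
            findings.append(f"scopes not advertised, dropped: {dropped}")
    if "openid" not in scopes:
        findings.append("'openid' scope would not be requested")
    # Assumption: an SLO-capable provider advertises end_session_endpoint.
    if use_slo and not metadata.get("end_session_endpoint"):
        findings.append("Use Single-Logout set but no end_session_endpoint")
    return scopes, findings

if __name__ == "__main__":
    print(preflight("https://idp.example.com",
                    ["openid", "profile", "groups"], True, SAMPLE_METADATA))
```

A scope that is silently dropped by the filter usually shows up later as a missing claim in an identity mapping, so the `dropped` finding is the one to review first.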
