---
title: Configuring PingDirectory to use an OIDC identity provider
description: Learn how to configure PingDirectory to use the OIDC provider as the identity provider for Delegated Admin.
component: pingdirectory
version: 11.0
page_id: pingdirectory:delegated_admin_application_guide:pd_da_config_oidc_pd
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/delegated_admin_application_guide/pd_da_config_oidc_pd.html
section_ids:
  steps: Steps
---

# Configuring PingDirectory to use an OIDC identity provider

OpenID Connect (OIDC) is an authentication protocol built on top of OAuth 2.0 that lets clients (relying parties) request and receive information about authenticated users and sessions. To configure PingDirectory to use a non-PingFederate OIDC provider as the identity provider for Delegated Admin, you must do the following:

1. Add any new attributes to be mapped from the OIDC provider to the PingDirectory schema and the appropriate user entries.

2. Create an identity mapper that maps OIDC users to PingDirectory entries.

3. Create an access token validator that uses the identity mapper to match claims in the access token to PingDirectory entry attributes. Learn more in [Handling signed tokens](../managing_access_control/pd_ds_handle_signed_tokens.html).

The following steps provide a sample configuration for completing these tasks. The configuration assumes that:

* You create an `externalIDPID` attribute in the PingDirectory schema and add it to user entries.

  * The attribute contains the unique ID for the PingDirectory user in the OIDC provider.

* The OIDC provider issues a JSON Web Token (JWT, [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519)) access token that contains a `sub` claim.

* The `sub` claim gets mapped to the `externalIDPID` attribute in the PingDirectory user entry.

**Note:** Update any values to match your environment and OIDC provider configuration.

## Steps

1. Create a schema file containing the following LDIF, which defines an auxiliary object class named `externalIDPUser` with the `externalIDPID` attribute. Save it in the server's `config/schema` directory (for example as `config/schema/99-user.ldif`, the file named by the `X-SCHEMA-FILE` extension) and restart the server so that it loads the file. The attribute is declared single-valued with a case-exact matching rule because the OIDC `sub` claim is a case-sensitive string and each entry must map to exactly one user at the provider:

   ```ldif
   dn: cn=schema
   objectClass: top
   objectClass: ldapSubentry
   objectClass: subschema
   cn: schema
   # PingDirectory accepts the <name>-OID placeholder in place of a numeric OID.
   attributeTypes: ( externalIDPID-OID NAME 'externalIDPID' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE USAGE userApplications X-SCHEMA-FILE '99-user.ldif' )
   objectClasses: ( externalIDPUser-OID NAME 'externalIDPUser' AUXILIARY MUST externalIDPID X-SCHEMA-FILE '99-user.ldif' )
   ```

2. Add the `externalIDPUser` object class and `externalIDPID` attribute to each Delegated Admin user entry. The attribute value must be the value of the user's `sub` claim at the OIDC provider. Make sure that only administrators can write `externalIDPID`: the access token validator authenticates the bearer of a token as whichever entry carries the matching value, so a user who could set their own `externalIDPID` to another user's identifier could act as that user. The sample DN below is illustrative.

   ```
   bin/ldapmodify <<+
   dn: uid=externalIDPUser,ou=People,dc=example,dc=com
   changetype: modify
   add: objectClass
   objectClass: externalIDPUser
   -
   add: externalIDPID
   externalIDPID: 078ec98d-9dc2-4cc3-9a7e-db0e65d75fe6
   +
   ```

3. Create an identity mapper that matches users based on the `externalIDPID` attribute. An exact match identity mapper returns the single entry whose `externalIDPID` equals the identifier it is given; if more than one entry matches, the mapping fails, so the value must be unique across Delegated Admin users. To limit the search to the subtree that holds user entries, you can also set `match-base-dn`.

   ```
   dsconfig create-identity-mapper \
     --mapper-name "External IDP User Mapper" \
     --type exact-match \
     --set "description:Used to match the identifier to the externalIDPID attribute" \
     --set enabled:true \
     --set match-attribute:externalIDPID
   ```

4. Create an HTTP external server that points at the OIDC provider. Replace *\<OIDC-authority-URL>* with the provider's issuer (authority) URL, that is, the base URL under which the provider serves its discovery document at `/.well-known/openid-configuration`. Use an `https` URL: the access token validator fetches the provider's signing keys relative to this base URL, and a key set fetched over plain HTTP could be replaced by an attacker on the network path, which would let that attacker mint tokens the validator accepts.

   ```
   dsconfig create-external-server \
     --server-name "External IDP HTTP Server" \
     --type http \
     --set base-url:<OIDC-authority-URL>
   ```

5. Create a JWT access token validator that uses the identity mapper and external server created in the previous steps. Replace *\<IdP-JWKS-endpoint>* with the path of the provider's JSON Web Key Set (JWKS) endpoint relative to the base URL of the external server, that is, the `jwks_uri` value from the provider's discovery document with the base URL removed (for example, a `jwks_uri` of `https://idp.example.com/oauth2/keys` gives a base URL of `https://idp.example.com` and a path of `/oauth2/keys`). The validator fetches the key set from that endpoint, verifies the token signature, and then passes the `sub` claim to the identity mapper.

   ```
   dsconfig create-access-token-validator \
     --validator-name "External IDP Access Token Validator" \
     --type jwt \
     --set "identity-mapper:External IDP User Mapper" \
     --set enabled:true \
     --set "authorization-server:External IDP HTTP Server" \
     --set jwks-endpoint-path:<IdP-JWKS-endpoint>
   ```
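Before handing the validator to Delegated Admin, it is worth checking that the mapping really is one-to-one for a real token. The following POSIX shell script is an added example and is not part of the PingDirectory documentation or product. It takes an access token issued by the provider, extracts the `sub` claim from the token payload (decoding only, with no signature check, which is the validator's job), builds the filter that the exact match identity mapper effectively evaluates, escaped according to RFC 4515 so that a hostile claim value such as `*` cannot widen the search, and counts the matching entries with `bin/ldapsearch`. The host name, port, bind DN, password file and base DN in `check_mapping` are assumptions, the token produced by `sample_token` is constructed for illustration, and the JSON claim extraction is a deliberately simple `sed` pattern that is sufficient for string-valued top-level claims.

```shell
#!/bin/sh
# Added diagnostic script (not PingDirectory code). Mirrors what the
# "External IDP User Mapper" does: take the sub claim of an access token and
# look up the one entry whose externalIDPID equals it.

# Base64url-decode one JWT segment (RFC 7515: '-' and '_' alphabet, no padding).
b64url_decode() {
  seg=$(printf '%s' "$1" | tr -- '-_' '+/')
  # Restore the padding that base64(1) requires.
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Base64url-encode a string; only used here to build the constructed sample token.
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr -- '+/' '-_'
}

# Print one string-valued top-level claim from the payload of a compact JWT.
# No signature verification happens here: the server's JWT validator does that.
jwt_claim() {
  token=$1
  claim=$2
  payload=$(printf '%s' "$token" | cut -d. -f2)
  b64url_decode "$payload" |
    sed -n "s/.*\"$claim\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Escape a value for an LDAP search filter (RFC 4515 section 3), so that a
# claim such as 'x)(objectClass=*' stays a literal value in the filter.
ldap_filter_escape() {
  printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# The filter the exact match identity mapper effectively evaluates.
mapper_filter() {
  printf '(externalIDPID=%s)' "$(ldap_filter_escape "$1")"
}

# A constructed, unsigned sample token with the sub value used in step 2 above.
sample_token() {
  header=$(b64url_encode '{"alg":"RS256","typ":"JWT"}')
  payload=$(b64url_encode '{"sub":"078ec98d-9dc2-4cc3-9a7e-db0e65d75fe6","iss":"https://idp.example.com"}')
  printf '%s.%s.%s' "$header" "$payload" "$(b64url_encode 'not-a-real-signature')"
}

# Count the entries the mapper would find for the token's sub claim.
# Succeeds only when exactly one entry matches. Connection details are assumptions.
check_mapping() {
  token=$1
  sub=$(jwt_claim "$token" sub)
  if [ -z "$sub" ]; then
    echo "token has no sub claim" >&2
    return 1
  fi
  count=$(bin/ldapsearch --hostname localhost --port 1389 \
      --bindDN "cn=Directory Manager" --bindPasswordFile config/dm-password.txt \
      --baseDN "dc=example,dc=com" --scope sub \
      "$(mapper_filter "$sub")" 1.1 | grep -c '^dn:' || true)
  if [ "$count" -eq 1 ]; then
    echo "sub=$sub maps to exactly one entry"
  else
    echo "sub=$sub maps to $count entries; the identity mapper requires exactly one" >&2
    return 1
  fi
}

# Run from the server root: ./check_mapping.sh "$ACCESS_TOKEN"
if [ "$#" -eq 1 ]; then
  check_mapping "$1"
fi
```

Run the script from the server root with a token obtained from the provider for a Delegated Admin user; it exits non-zero when the `sub` claim is missing or when it matches zero or several entries, which are exactly the cases in which the identity mapper, and therefore the validator, will reject the token.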
