---
title: Setting up SSO to PingDirectory from a generic OpenID Connect provider
description: To set up single sign-on (SSO) access to the PingDirectory admin console from your OpenID Connect (OIDC) provider, configure the OIDC provider and PingDirectory and test the sign-on experience.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_sso_generic_oidc
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_sso_generic_oidc.html
revdate: September 13, 2023
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
  example: Example:
  example-2: Example:
  result: Result:
---

# Setting up SSO to PingDirectory from a generic OpenID Connect provider

To set up single sign-on (SSO) access to the PingDirectory admin console from your OpenID Connect (OIDC) provider, configure the OIDC provider and PingDirectory and test the sign-on experience.

## Before you begin

Ensure that you have:

* A PingDirectory server that accepts LDAPS connections

  This server will host the admin console that is being configured for SSO.

* An OIDC provider that supports OIDC discovery

## About this task

For more information on the configuration properties you are setting up with this task, see [Single sign-on with the admin console](pd_ds_sso_admin_console.html).

## Steps

1. Configure your OIDC provider to access the PingDirectory admin console:

   1. Set the redirect URL to `https://<hostname>:<port>/console/oidc/cb` where `<hostname>` and `<port>` are for the PingDirectory server.

   2. Set the JSON web token (JWT) signing algorithm for ID tokens. You will configure the same algorithm on the PingDirectory token validator in step 2.

   3. Record the client ID, client secret, and issuer URL. The issuer URL is used in steps 2 and 5; the client ID and client secret are used in step 5.

2. Create a token validator on the PingDirectory server by running a command similar to the following.

   ### Example:

   ```
   dsconfig create-id-token-validator \
        --validator-name "OpenID Token Validator" \
        --type openid-connect \
        --set enabled:true \
        --set "identity-mapper:All Admin Users" \
        --set evaluation-order-index:1 \
        --set issuer-url:<OIDC_Provider_Issuer_URL> \
        --set allowed-signing-algorithm:<JWT_signing_algorithm>
   ```

   Provide your own values for `<OIDC_Provider_Issuer_URL>` and `<JWT_signing_algorithm>`, where the algorithm is the one you set on the OIDC provider in the previous step.

   The example omits the key-source properties. The command must also set the properties from one of the rows in the following table, which tell the validator where to obtain the key that verifies the ID token signature.

   | Properties                                         | Descriptions                                                                                                     |
   | -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------- |
   | `openid-connect-provider` and `jwks-endpoint-path` | An OpenID Connect provider, which refers to an HTTP External Server, and a JWKS (JSON web key set) endpoint path |
   | `signing-certificate`                              | A signing certificate                                                                                            |

3. Create an LDAP user in `cn=Root DNs,cn=config` whose name matches the subject that the OIDC provider will send in the ID token.

   If you used the `All Admin Users` identity mapper in the previous step and left the ID token validator's `subject-claim-name` at its default of `sub`, the `sub` claim of the ID token that the OIDC provider sends must equal the `cn` of an admin user on the PingDirectory server: either a root DN user in `cn=Root DNs,cn=config` or a topology admin user in `cn=Topology Admin Users,cn=topology,cn=config`. For example, if the OIDC provider sends an ID token with the claim `sub=admin-user`, an admin user with `cn=admin-user` must exist. Because the mapping is by name alone, any account at the OIDC provider whose `sub` equals an admin `cn` receives that admin's access, so restrict the OIDC client to the accounts that should administer PingDirectory.

   The following `dsconfig` command creates such a root DN user:

   ```
   dsconfig create-root-dn-user --user-name admin-user
   ```

4. Create a SASL mechanism handler on the PingDirectory server to use the validator you just created by running a command similar to the following.

   ### Example:

   ```
   dsconfig create-sasl-mechanism-handler \
        --handler-name OAUTHBEARER \
        --type oauth-bearer \
        --set enabled:true \
        --set "id-token-validator:OpenID Token Validator" \
        --set require-both-access-token-and-id-token:false
   ```

5. Enable SSO on the admin console with the following command, substituting the client ID, client secret, and issuer URL you recorded in step 1.

   ```
   dsconfig set-web-application-extension-prop \
        --extension-name Console \
        --set sso-enabled:true \
        --set oidc-client-id:<OIDC_Client_ID> \
        --set oidc-client-secret:<OIDC_Client_Secret> \
        --set oidc-issuer-url:<OIDC_Provider_Issuer_URL>
   ```

6. To apply the change to the running console, disable and re-enable the HTTPS Connection Handler with the following commands.

   ```
   dsconfig set-connection-handler-prop \
        --handler-name "HTTPS Connection Handler" \
        --set enabled:false

   dsconfig set-connection-handler-prop \
        --handler-name "HTTPS Connection Handler" \
        --set enabled:true
   ```

7. Test the sign-on by opening the admin console, `https://<hostname>:<port>/console`, in a browser.

   ### Result:

   You are redirected to the OIDC provider to authenticate. After a successful sign-on, the browser returns to the redirect URL from step 1 and the admin console opens.
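Before running the `dsconfig` commands in steps 2 through 5, it helps to check that the OIDC provider's discovery metadata agrees with the values you are about to configure. The following Python script is an added example, not code from PingDirectory or its documentation. It checks a discovery document against the planned `issuer-url` and `allowed-signing-algorithm`, derives the `jwks-endpoint-path` and the base URL for the HTTP External Server from the provider's `jwks_uri` (the split between those two properties is this example's assumption), and mirrors the name-based subject mapping from step 3. The provider `idp.example.com`, its discovery document, and the helper names are constructed for illustration; a real discovery document is served at `<issuer-url>/.well-known/openid-configuration`.

```python
"""Pre-flight check of an OIDC provider's discovery metadata before configuring
the PingDirectory ID token validator.  Added example, not PingDirectory code."""
import json
from urllib.parse import urlsplit

# Constructed discovery document for a hypothetical provider idp.example.com.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
    "subject_types_supported": ["public"],
})


def discovery_problems(discovery_json, issuer_url, signing_alg):
    """Return the reasons the metadata does not fit the planned validator
    settings; an empty list means it fits."""
    doc = json.loads(discovery_json)
    problems = []
    # The validator compares the ID token's iss claim with issuer-url, and the
    # provider publishes that same string as "issuer".  Require an exact match:
    # even a trailing-slash difference would make every token fail validation.
    if doc.get("issuer") != issuer_url:
        problems.append(f"issuer mismatch: metadata says {doc.get('issuer')!r}, "
                        f"planned issuer-url is {issuer_url!r}")
    # Never allow unsigned tokens: alg "none" means there is no signature to verify.
    if signing_alg.lower() == "none":
        problems.append("allowed-signing-algorithm must not be 'none'")
    supported = doc.get("id_token_signing_alg_values_supported", [])
    if signing_alg not in supported:
        problems.append(f"provider does not sign ID tokens with {signing_alg}; "
                        f"it offers {supported}")
    jwks_uri = doc.get("jwks_uri")
    if not jwks_uri:
        problems.append("metadata has no jwks_uri; use signing-certificate instead")
    elif urlsplit(jwks_uri).scheme != "https":
        problems.append(f"jwks_uri is not https: {jwks_uri}")
    return problems


def validator_settings(discovery_json, issuer_url, signing_alg):
    """Derive the values for step 2, or raise if the metadata does not fit.

    Assumption of this example: the HTTP External Server gets the scheme and
    host of jwks_uri as its base URL, and jwks-endpoint-path gets the rest.
    "external-server-base-url" is a label for that value, not a dsconfig name."""
    problems = discovery_problems(discovery_json, issuer_url, signing_alg)
    if problems:
        raise ValueError("; ".join(problems))
    parts = urlsplit(json.loads(discovery_json)["jwks_uri"])
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return {
        "issuer-url": issuer_url,
        "allowed-signing-algorithm": signing_alg,
        "external-server-base-url": f"{parts.scheme}://{parts.netloc}",
        "jwks-endpoint-path": path,
    }


def admin_user_for_token(claims, admin_cns, subject_claim_name="sub"):
    """Mirror the name-based mapping from step 3 (hypothetical helper): the
    configured subject claim must equal the cn of an existing admin user, taken
    from cn=Root DNs,cn=config or cn=Topology Admin Users,cn=topology,cn=config.
    Any other subject maps to nobody and the sign-on is refused."""
    subject = claims.get(subject_claim_name)
    return subject if subject in admin_cns else None


if __name__ == "__main__":
    settings = validator_settings(SAMPLE_DISCOVERY, "https://idp.example.com", "RS256")
    for prop, value in settings.items():
        print(f"{prop}: {value}")
    print("maps to:", admin_user_for_token({"sub": "admin-user"}, {"admin-user"}))
```

Run it against the real discovery document (fetched over HTTPS) with the issuer URL and algorithm you intend to pass to `dsconfig`; a non-empty problem list points at a setting that would make the validator reject every ID token, and the derived path is what goes into `jwks-endpoint-path` when you choose the JWKS row of the table in step 2.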
