---
title: Configuring OpenID Provider information
description: You must configure OpenID Provider (OP) settings and information when configuring service provider (SP) browser single sign-on (SSO).
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:help_idpprotocolsettingstasklet_openidprovidermetadatastate
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_idpprotocolsettingstasklet_openidprovidermetadatastate.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: May 15, 2025
section_ids:
  steps: Steps
---

# Configuring OpenID Provider information

You must configure OpenID Provider (OP) settings and information when configuring service provider (SP) browser single sign-on (SSO).

## Steps

On the **OpenID Provider Info** tab, provide the scopes, the endpoints, and the authentication scheme.

![Screen capture of the OpenID Provider Info tab. There are fields for Scopes, Authorization Endpoint, OpenID Connect Login Type, Authentication Scheme, Authentication Signing Algorithm, and Enable Proof Key for Code Exchange. OpenID Connect Login Type has Code selected. Authentication Scheme has Client Secret JWT selected. The text field for Authentication Signing Algorithm is filled in with the value HMAC using SHA-256. The Enable Proof Key for Code Exchange checkbox is selected.](_images/jil1678988834376.png)

> **Note:** If you clicked **Load Metadata** from the OpenID Provider (OP) on the **General Info** tab, the **Scopes** field and all endpoints are pre-populated, provided that the metadata contains the information.

| Field                                                       | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                             |
| ----------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Scopes**                                                  | The scopes to be included in the OpenID Connect (OIDC) authentication and OAuth *(tooltip: \<div class="paragraph">&#xA;\<p>A standard framework that enables an application (OAuth client) to obtain access tokens from an OAuth authorization server for the purpose of retrieving protected resources on a resource server.\</p>&#xA;\</div>)* token requests to the OP. Multiple space-separated values are allowed.The default value, without loading metadata from the OP, is `openid`.&#xA;&#xA;You can find a list of OIDC defined scopes in Requesting Claims using Scope Values in the OpenID Connect specification.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  
                                                                                                                                                                             |
| **Authorization Endpoint**                                  | The authorization endpoint at the OP.You can enter a relative path, starting with a forward slash, if you provide base URL on the **General Info** tab.There is no default value without loading metadata from the OP.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
                                                                                                                                                                             |
| **OpenID Connect Login Type**                               | The OIDC client profile of the client. This client represents PingFederate and is created and managed at the OP.- If the client is configured to support the Basic Client profile, select **Code**.The resulting value of the `response_type` parameter is `code`. \* If the client is configured to support the Implicit Client profile, select **Form POST**.The resulting value of the `response_type` parameter is `id_token`. \* If the client is configured to support the Implicit Client profile and the target application requires the associated access token, select **Form POST with access token**.The resulting values of the `response_type` parameter are `id_token token`.The default selection, without loading metadata from the OP, is **Code**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           
                                                                                                                                                                             |
| **JWT Secured Authorization Response Mode (JARM)**          | JARM is supported when sending authorization requests as a relying party to the OpenID Provider using IdP Connections.These values map to:- **Disabled**: Authorization responses will not be encoded using JARM. This is the default value.

- **Query JWT**: `query.jwt`

- **Form Post JWT**: `form_post.jwt`&#xA;&#xA;You should only use Query JWT with OIDC Login Type Code unless the response JWT is encrypted to prevent token leakage in the URL.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| **Authentication Scheme**                                   | The client authentication method that PingFederate uses. Applicable and visible only to clients supporting the Basic Client profile.- Select **Basic** to submit credentials with HTTP Basic authentication.

- Select **POST** to submit credentials with POST.

- Select **Private Key JWT** to authenticate with the `private_key_jwt` Client Authentication method. Learn more in [Client Authentication](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) in the OpenID Connect specification.

- Select **Client Secret JWT** to authenticate with the `client_secret_jwt` Client Authentication method. Learn more in [Client Authentication](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) in the OpenID Connect specification.The default selection, without loading metadata from the OP, is **Basic**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| **Authentication Signing Algorithm**                        | If **Private Key JWT** or **Client Secret JWT** is the chosen authentication scheme, select the algorithm that PingFederate uses to sign the JSON Web Token (JWT) *(tooltip: \<div class="paragraph">&#xA;\<p>An IETF standard container format for a JSON object used for the secure exchange of content, such as identity or entitlement information. You can find the industry standard in \<a href="https\://datatracker.ietf.org/doc/html/rfc7519">RFC 7519\</a>.\</p>&#xA;\</div>)*.&#xA;&#xA;RSASSA-PSS signing algorithms require a Java 8 or Java 11 runtime environment, or an integration with a hardware security module (HSM) and a static-key configuration for OAuth and OIDC. You can find more information on HSM integration and static keys in Supported hardware security modules and Keys for OAuth and OpenID Connect, respectively.	&#xA;&#xA;If static keys for OAuth and OpenID Connect are enabled, Elliptic-curve cryptography (EC) algorithms that have not been configured with an active static keys are hidden.&#xA;&#xA;Changes made in the static-key configuration might affect runtime transactions and require additional changes here. Learn more in Keys for OAuth and OpenID Connect.	&#xA;&#xA;Based on the chosen signing algorithm, PingFederate selects the signing JSON Web Key (JWK) from its JWK Set (JWKS) at runtime.&#xA;&#xA;For the OP to validate the signed JWT, ensure that the OP can access the PingFederate JWKS endpoint, which returns the current JWKS. The PingFederate JWKS endpoint is located at \<Base URL>/pf/JWKS, where Base URL is defined on System > Server > Protocol Settings > Federation Info.&#xA;&#xA;For example, if the Base URL field value is https\://www\.example.com, the PingFederate JWKS endpoint is https\://www\.example.com/pf/JWKS. 
You can pass the PingFederate JWKS endpoint directly to the OP or have the OP contact the PingFederate OP configuration endpoint to obtain the information.&#xA;&#xA;For more information, see OpenID Provider configuration endpoint.If **Client Secret JWT** is the chosen authentication scheme, the signing algorithms are `HS256`, `HS384`, and `HS512`. |
| **Type**                                                    | If **Private Key JWT** or **Client Secret JWT** is the chosen authentication scheme, specify the JWT type. The default is none, but it's recommended to use a preset value of `authorization-grant+jwt`. Learn more in [RFC 7523](https://www.ietf.org/archive/id/draft-ietf-oauth-rfc7523bis-00.html).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         
                                                                                                                                                                             |
| **Lifetime (Minutes)**                                      | If **Private Key JWT** or **Client Secret JWT** is the chosen authentication scheme, define the lifetime of the JWT in minutes. The default is 5 minutes and is modifiable.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                             |
| **Audience**                                                | If **Private Key JWT** or **Client Secret JWT** is the chosen authentication scheme, determine the audience of the JWT. The default is the IdP's token endpoint, but a suggested preset value is the issuer. Learn more in [RFC 7523](https://www.ietf.org/archive/id/draft-ietf-oauth-rfc7523bis-00.html).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                             |
| **Include Not Before (NBF) Claim**                          | If **Private Key JWT** or **Client Secret JWT** is the chosen authentication scheme, the produced assertion will include an `nbf` claim with a five seconds skew to allow for clock skew.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
                                                                                                                                                                             |
| **Enable Proof Key for Code Exchange (PKCE)**               | Select this checkbox to enable PingFederate to send a SHA256 code challenge and corresponding code verifier as a Proof Key for Code Exchange (PKCE) to the OP during the Code authentication flow\.This checkbox is applicable and visible only when the **OpenID Connect Login Type** is **Code**.&#xA;&#xA;When Load Metadata on the General Info tab is clicked, PingFederate displays the Enable PKCE checkbox if S256 is listed as a supported method in the code\_challenge\_methods\_supported by the OP.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                             |
| **Pushed Authorization Request Endpoint**                   | The Pushed Authorization Request (PAR) endpoint at the OP. When you configure a PAR endpoint, the IdP connection sends authorization requests directly to this endpoint. All parameters associated with an authorization request are transmitted to the PAR endpoint. You can find more information about the PAR protocol in [OAuth 2.0 Pushed Authorization Requests](https://datatracker.ietf.org/doc/html/rfc9126) on the IETF website. You can enter the relative path, `/par`, starting with a forward slash if you provide the base URL on the **General Info** tab.&#xA;&#xA;If you clicked **Load Metadata** from the OP on the **General Info** tab, the **Pushed Authorization Request Endpoint** field is pre-populated, provided that the metadata contains the information. As such, PAR requests are the new default behavior. |
| **Token Endpoint**, **UserInfo Endpoint**, and **JWKS URL** | OAuth 2.0 and OIDC 1.0 endpoints at the OP. Learn more in [OpenID Connect specifications](https://openid.net/developers/how-connect-works/).&#xA;&#xA;**Token Endpoint**: The **Token Endpoint** field is only visible and required for clients supporting the Basic Client profile, in other words, when the **OpenID Connect Login Type** field is set to **Code**.&#xA;&#xA;**UserInfo Endpoint**: The **UserInfo Endpoint** field is optional. If omitted, PingFederate only has access to the end-user claims from the ID tokens.&#xA;&#xA;**JWKS URL**: The **JWKS URL** is required for PingFederate to validate the inbound ID tokens from the OP. If the OP signs its JWTs using an RSASSA-PSS signing algorithm, PingFederate must be deployed to run in a Java 8 or Java 11 runtime environment, or integrated with a hardware security module (HSM) and a static-key configuration for OAuth and OpenID Connect. Learn more in [Supported hardware security modules](../getting_started_with_pingfederate/pf_supported_hardware_security_modules.html) and [Keys for OAuth and OpenID Connect](help_jwksendpointtasklet_jwksendpointkeysstate.html), respectively. The JWKS URL is also required to validate the JARM response.&#xA;&#xA;There are no default values without loading metadata from the OP. |
| **Sign Request**                                            | Select this checkbox to send request parameters as claims in a request object, a self-contained, signed JWT sent as one `request` query parameter to the OP. When this optional configuration is enabled, the OP can validate the integrity of the request parameters based on the digital signature found in the signed JWT. Learn more in [Passing a Request Object by Value](https://openid.net/specs/openid-connect-core-1_0.html) in the OpenID Connect specification. When this optional configuration is enabled, the signed JWT request object includes the `jti` (JWT ID) value. This checkbox is not selected by default, in which case PingFederate sends request parameters as multiple query parameters, unsigned. |
| **Request Signing Algorithm**                               | Select the algorithm that PingFederate uses to sign the request object. Applicable and visible only when the **Sign Request** checkbox is selected. If the client signs its JWTs using an RSASSA-PSS signing algorithm, PingFederate must be deployed to run in a Java 8 or Java 11 runtime environment or integrated with a hardware security module (HSM) and a static-key configuration for OAuth and OIDC. You can find more information on HSM integration and static keys in [Supported hardware security modules](../getting_started_with_pingfederate/pf_supported_hardware_security_modules.html) and [Keys for OAuth and OpenID Connect](help_jwksendpointtasklet_jwksendpointkeysstate.html), respectively.&#xA;&#xA;If static keys for OAuth and OIDC are enabled, Elliptic-curve cryptography (EC) algorithms that haven't been configured with an active static key are hidden.&#xA;&#xA;Changes made in the static-key configuration might affect runtime transactions and require additional changes here. Learn more in [Keys for OAuth and OpenID Connect](help_jwksendpointtasklet_jwksendpointkeysstate.html).&#xA;&#xA;PingFederate automatically selects the signing JSON web key (JWK) based on the selected signing algorithm from its JWK Set (JWKS).&#xA;&#xA;In order for the OP to validate the signed request object, ensure that the OP can access your PingFederate's JWKS URL, which returns the current set of JSON web keys. The PingFederate JWKS URL is located at `<Base URL>/pf/JWKS`, where **Base URL** is defined on **System > Server > Protocol Settings > Federation Info**.&#xA;&#xA;For example, if the **Base URL** field value is `https://www.example.com`, the PingFederate JWKS URL is `https://www.example.com/pf/JWKS`. You can pass the JWKS URL directly to the OP or have the OP contact the PingFederate OpenID Provider configuration endpoint for it. Learn more in OpenID Provider configuration endpoint. |
| **Track User Sessions for Logout**                          | When selected, PingFederate tracks logout entries in the user session so that PingFederate can handle and initiate logout requests. Also, when selected, the **Logout Endpoint** field is displayed, and the **IdP Connection** page's **Activation & Summary** tab displays the connection's **Front-Channel Logout URI** and **Back-Channel Logout URI**. The checkbox is cleared by default. |
| **Logout Endpoint**                                         | The endpoint to which PingFederate redirects the user in order to terminate their session at the OP. This field is only displayed if **Track User Sessions for Logout** is selected. When this field is populated, the **IdP Connection** page's **Activation & Summary** tab displays the connection's **Post-Logout Redirect URI**. |

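The **Pushed Authorization Request Endpoint** row above says that, once a PAR endpoint is configured, every authorization parameter is pushed to that endpoint instead of being placed on the front-channel redirect. The following Python is an added example, not PingFederate's code or an implementation of its API: it models both sides of the RFC 9126 exchange in memory so the shape of the two requests and the checks an OP applies to a `request_uri` (client binding, short lifetime, one-time use, no nested `request_uri`) can be read and run offline. The endpoint URLs, client identifier, lifetime and the "authenticated client" identity handed in by a hypothetical client-authentication layer are constructed assumptions.

```python
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values; none of these come from the page.
PAR_ENDPOINT = "https://op.example/par"            # what the tab's relative path /par resolves to (assumed base URL)
AUTHZ_ENDPOINT = "https://op.example/authorize"    # assumed OP authorization endpoint
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"  # URN prefix defined by RFC 9126
REQUEST_URI_TTL = 60                                # seconds; short-lived by design (assumed value)


class OpParServer:
    """OP side: the PAR endpoint and the authorization-endpoint lookup it feeds."""

    def __init__(self):
        self._pushed = {}   # request_uri -> (client_id, pushed params, expiry)

    def par_endpoint(self, authenticated_client: str, form: dict, now: Optional[int] = None) -> dict:
        """Handle the back-channel POST. `authenticated_client` is the identity the
        (hypothetical) client-authentication layer established for this request."""
        now = int(time.time()) if now is None else now
        if "request_uri" in form:                       # RFC 9126: PAR must reject a nested request_uri
            return {"error": "invalid_request", "error_description": "request_uri not allowed here"}
        if form.get("client_id") != authenticated_client:
            return {"error": "invalid_client"}
        ref = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)   # opaque, unguessable reference
        self._pushed[ref] = (authenticated_client, dict(form), now + REQUEST_URI_TTL)
        return {"request_uri": ref, "expires_in": REQUEST_URI_TTL}

    def resolve_at_authorization_endpoint(self, redirect_url: str, now: Optional[int] = None) -> dict:
        """Handle the front-channel redirect: look the reference up exactly once and
        confirm it is still valid and belongs to the client named in the query."""
        now = int(time.time()) if now is None else now
        query = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
        entry = self._pushed.pop(query.get("request_uri"), None)   # pop: one-time use
        if entry is None:
            raise ValueError("unknown or already used request_uri")
        client_id, params, expires_at = entry
        if now >= expires_at:
            raise ValueError("request_uri expired")
        if query.get("client_id") != client_id:
            raise ValueError("request_uri belongs to another client")
        return params


def client_push_then_redirect(op: OpParServer, params: dict) -> str:
    """RP side: push all authorization parameters over the back channel, then build
    the browser redirect that carries only client_id and the returned request_uri."""
    response = op.par_endpoint(params["client_id"], params)   # client auth assumed to have succeeded
    if "error" in response:
        raise RuntimeError(response["error"])
    return AUTHZ_ENDPOINT + "?" + urlencode(
        {"client_id": params["client_id"], "request_uri": response["request_uri"]})
```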
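The **Sign Request** row above describes request by value: the authorization parameters become claims in a signed JWT that carries a `jti`, and that JWT travels as a single `request` query parameter instead of several unsigned ones. The following Python is an added example, not PingFederate's code or any library's API: it builds both URL forms and shows the checks an OP performs on the signed form (signature, audience and issuer binding, lifetime, agreement between plain and signed copies, and one-time use of `jti`). The OP issuer, endpoints, client identifier and lifetime are constructed assumptions, and HMAC-SHA256 with a constructed shared secret stands in for the asymmetric JWK that PingFederate would select from its JWKS, so that the block runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values; none of these come from the page.
SHARED_SECRET = b"constructed-demo-secret"          # stands in for the signing JWK PingFederate picks from its JWKS
OP_ISSUER = "https://op.example"                    # assumed OP issuer (the request object's audience)
OP_AUTHZ_ENDPOINT = "https://op.example/authorize"  # assumed OP authorization endpoint
REQUEST_OBJECT_LIFETIME = 300                        # seconds; assumed


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(params: dict, now: Optional[int] = None) -> str:
    """RP side: wrap the authorization parameters as claims in one signed JWT.
    HS256 is used only so the block runs offline; the tab's Request Signing
    Algorithm would select an asymmetric key from the PingFederate JWKS instead."""
    now = int(time.time()) if now is None else now
    claims = dict(params)
    claims.update({
        "iss": params["client_id"],            # the client issues the request object
        "aud": OP_ISSUER,                       # bound to one OP
        "iat": now,
        "exp": now + REQUEST_OBJECT_LIFETIME,
        "jti": str(uuid.uuid4()),               # the JWT ID the page says is included
    })
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def unsigned_authorization_url(params: dict) -> str:
    """Checkbox cleared (the default): every parameter is its own unsigned query parameter."""
    return OP_AUTHZ_ENDPOINT + "?" + urlencode(params)


def signed_authorization_url(params: dict) -> str:
    """Checkbox selected: one `request` parameter carries the signed JWT.
    client_id and response_type are still sent as plain parameters, as OIDC Core requires."""
    query = {
        "client_id": params["client_id"],
        "response_type": params["response_type"],
        "request": sign_request_object(params),
    }
    return OP_AUTHZ_ENDPOINT + "?" + urlencode(query)


class OpRequestObjectVerifier:
    """OP side: what 'validate the integrity of the request parameters' involves."""

    def __init__(self):
        self.seen_jti = set()    # each JWT ID is accepted once (in-memory for the example)

    def verify(self, url: str, now: Optional[int] = None) -> dict:
        now = int(time.time()) if now is None else now
        query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        header_b64, claims_b64, sig_b64 = query["request"].split(".")
        if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
            raise ValueError("unexpected alg")            # pin the algorithm; never take it from the token
        expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(_unb64url(claims_b64))
        if claims.get("aud") != OP_ISSUER or claims.get("iss") != query.get("client_id"):
            raise ValueError("request object not bound to this OP and client")
        if not claims.get("iat", 0) <= now < claims.get("exp", 0):
            raise ValueError("request object expired")
        for name in ("client_id", "response_type"):      # plain copies must agree with signed claims
            if claims.get(name) != query.get(name):
                raise ValueError(f"{name} in query disagrees with signed claim")
        if claims["jti"] in self.seen_jti:
            raise ValueError("replayed request object")
        self.seen_jti.add(claims["jti"])
        return claims
```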
Remain on the **OpenID Provider Info** tab and specify the request parameters that are allowed to be included in the authentication requests to the OP under **Request Parameters**. Learn more in [Configuring request parameters and SSO URLs](pf_config_request_parameter_sso_url.html).
