PingGateway 2024.11

OpenID Connect

The following pages provide an overview of how PingGateway supports OpenID Connect 1.0 (OIDC), an authentication layer built on OAuth 2.0. The pages show how to set up PingGateway as an OIDC relying party in different deployment scenarios.

About PingGateway with OIDC

PingGateway supports OIDC deployments where the identity provider holds the protected resource third-party applications want to access.

OIDC specifications refer to the following entities:

  • End user: An OAuth 2.0 resource owner whose user information the application needs to access.

    The end user wants to use an application through an existing identity provider account without signing up and creating credentials for another web service.

  • Relying Party (RP): An OAuth 2.0 client that needs access to the end user’s protected user information.

    For example, an online mail application needs to know which end user is accessing the application to present the correct inbox.

    As another example, an online shopping site needs to know which end user is accessing the site to present the right offerings, account, and shopping cart.

  • OpenID Provider (OP): An OAuth 2.0 Authorization Server and resource server that holds the user information and grants access.

    The OP requires the end user to give the RP permission to access to some of its user information. Because OIDC defines unique identification for an account (subject identifier + issuer identifier), the RP can use that identification to bind its own user profile to a remote identity.

    For the online mail application, this key could be used to access the mailboxes and related account information. For the online shopping site, this key could be used to access the offerings, account, shopping cart and others. The key makes it possible to serve users as if they had local accounts.

  • UserInfo: The protected resource that the third-party application wants to access. The information about the authenticated end user is expressed in a standard format. The user-info endpoint is hosted on the Authorization Server and is protected with OAuth 2.0.

When PingGateway acts as an RP, its role is to retrieve user information from the OP and to inject the information into the context for use by later filters and handlers.