---
title: OpenID Connect and PingOne Advanced Identity Cloud
description: Configure PingOne Advanced Identity Cloud as an OpenID Connect provider with PingGateway as a relying party
component: pinggateway
version: 2026
page_id: pinggateway:aic:oidc
canonical_url: https://docs.pingidentity.com/pinggateway/2026/aic/oidc.html
revdate: 2025-10-15T18:45:22Z
keywords: ["Single sign-on (SSO)", "Security", "Authenticate", "OAuth 2.0", "OpenID Connect (OIDC)"]
page_aliases: ["identity-cloud-guide:oidc.adoc"]
---

# OpenID Connect and PingOne Advanced Identity Cloud

This example sets up PingOne Advanced Identity Cloud as an OpenID Connect (OIDC) provider with PingGateway as a relying party.

For more information about PingGateway and OIDC, refer to [OpenID Connect and PingAM](../gateway-guide/oidc.html).

Before you start, prepare PingOne Advanced Identity Cloud, PingGateway, and the sample application as described in [Example installation for this guide](preface.html#preface-examples).

1. Set up PingOne Advanced Identity Cloud:

   1. Log in to the Advanced Identity Cloud admin UI as an administrator.

   2. Make sure you are managing the `alpha` realm. If not, click the current realm at the top of the screen, and switch realm.

   3. Go to Identities > Manage > Alpha realm - Users, and add a user with the following values:

      * Username: `demo`

      * First name: `demo`

      * Last name: `user`

      * Email Address: `demo@example.com`

      * Password: `Ch4ng3!t`

   4. Go to Custom Application > + Custom Application > OIDC - OpenId Connect > Web and add a web application with the following values:

      * Name: `oidc_client`

      * Owners: `demo user`

      * Client Secret: `password`

      * (Optional) Use Secret Store for password: Select this to store the password in an ESV secret.

        If you select this option, enter a Secret Label Identifier. This value represents the `identifier` part of the secret label for the client. PingOne Advanced Identity Cloud uses the identifier to generate a secret label in the following format: `am.applications.oauth2.client.identifier.secret`.

        To complete the client profile, add an ESV secret for the password and map the ESV to the secret label. To learn more, read [Secret labels](https://docs.pingidentity.com/pingoneaic/tenants/esvs-signing-encryption.html#secret-labels) in the PingOne Advanced Identity Cloud documentation.

      * Sign On > Sign-in URLs: `https://ig.example.com:8443/home/id_token/callback`

      * Sign On > Grant Types: `Authorization Code`

      * Sign On > Scopes: `openid`, `profile`, `email`

      * Show advanced settings > Authentication > Implied Consent: `On`

   For more information, refer to PingOne Advanced Identity Cloud's [Application management](https://docs.pingidentity.com/pingoneaic/app-management/applications.html).

2. Set up PingGateway:

   1. Set an environment variable for the `oidc_client` password, and then restart PingGateway. The value is the base64 encoding of the client secret `password`; the `SystemAndEnvSecretStore` in the route resolves the secret ID `oidc.secret.id` to this variable:

      ```console
      $ export OIDC_SECRET_ID='cGFzc3dvcmQ='
      ```

   2. Make sure PingGateway connects to the sample application over HTTPS with a route to access static resources.

      Learn more in [Using the sample application](../getting-started/start-sampleapp.html).

   3. Add the following route to PingGateway, replacing the value for the property `amInstanceUrl`:

      * Linux

        `$HOME/.openig/config/routes/oidc-idc.json`

      * Windows

        `%appdata%\OpenIG\config\routes\oidc-idc.json`

      ```json
      {
        "name": "oidc-idc",
        "baseURI": "https://app.example.com:8444",
        "condition": "${find(request.uri.path, '^/home/id_token')}",
        "properties": {
          "amInstanceUrl": "https://myTenant.forgeblocks.com/am"
        },
        "heap": [
          {
            "name": "SystemAndEnvSecretStore-1",
            "type": "SystemAndEnvSecretStore"
          },
          {
            "name": "AuthenticatedRegistrationHandler-1",
            "type": "Chain",
            "config": {
              "filters": [
                {
                  "name": "ClientSecretBasicAuthenticationFilter-1",
                  "type": "ClientSecretBasicAuthenticationFilter",
                  "config": {
                    "clientId": "oidc_client",
                    "clientSecretId": "oidc.secret.id",
                    "secretsProvider": "SystemAndEnvSecretStore-1"
                  }
                }
              ],
              "handler": "ForgeRockClientHandler"
            }
          }
        ],
        "handler": {
          "type": "Chain",
          "config": {
            "filters": [
              {
                "name": "AuthorizationCodeOAuth2ClientFilter-1",
                "type": "AuthorizationCodeOAuth2ClientFilter",
                "config": {
                  "clientEndpoint": "/home/id_token",
                  "failureHandler": {
                    "type": "StaticResponseHandler",
                    "config": {
                      "status": 500,
                      "headers": {
                        "Content-Type": [
                          "text/plain"
                        ]
                      },
                      "entity": "Error in OAuth 2.0 setup."
                    }
                  },
                  "registrations": [
                    {
                      "name": "oauth2-client",
                      "type": "ClientRegistration",
                      "config": {
                        "clientId": "oidc_client",
                        "issuer": {
                          "name": "Issuer",
                          "type": "Issuer",
                          "config": {
                            "wellKnownEndpoint": "&{amInstanceUrl}/oauth2/realms/alpha/.well-known/openid-configuration"
                          }
                        },
                        "scopes": [
                          "openid",
                          "profile",
                          "email"
                        ],
                        "authenticatedRegistrationHandler": "AuthenticatedRegistrationHandler-1"
                      }
                    }
                  ],
                  "requireHttps": false,
                  "cacheExpiration": "disabled"
                }
              }
            ],
            "handler": "ReverseProxyHandler"
          }
        }
      }
      ```

      Source: [oidc-idc.json](../_attachments/config/routes/oidc-idc.json)

      Compared to `07-openid.json` in [AM as OIDC provider](../gateway-guide/oidc-am.html), where PingAM is running locally, the ClientRegistration `wellKnownEndpoint` points to PingOne Advanced Identity Cloud.

3. Test the setup:

   1. In your browser's privacy or incognito mode, go to <https://ig.example.com:8443/home/id_token>.

      The PingOne Advanced Identity Cloud login page is displayed.

   2. Log in to PingOne Advanced Identity Cloud as user `demo`, password `Ch4ng3!t`. The home page of the sample application is displayed.
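The following is an added check, not part of the PingGateway documentation or product, that verifies the three places where this setup is usually misconfigured: the environment variable name and base64 encoding that `SystemAndEnvSecretStore` expects for `oidc.secret.id`, the `&{amInstanceUrl}` substitution in the `wellKnownEndpoint`, and the match between `clientEndpoint` + `/callback` and the Sign-in URL registered in Advanced Identity Cloud. The route fields, environment and Sign-in URLs are constructed copies of the values above rather than read from the live files.

```python
import base64

# Constructed inputs copied from the route and AIC client settings above; they
# stand in for reading oidc-idc.json, the process environment and the AIC profile.
ROUTE = {
    "properties": {"amInstanceUrl": "https://myTenant.forgeblocks.com/am"},
    "clientEndpoint": "/home/id_token",
    "clientSecretId": "oidc.secret.id",
    "wellKnownEndpoint": "&{amInstanceUrl}/oauth2/realms/alpha/.well-known/openid-configuration",
}
GATEWAY_BASE = "https://ig.example.com:8443"
SIGN_IN_URLS = ["https://ig.example.com:8443/home/id_token/callback"]
GOOD_ENV = {"OIDC_SECRET_ID": "cGFzc3dvcmQ="}  # base64 of "password"

def env_var_for_secret_id(secret_id: str) -> str:
    # SystemAndEnvSecretStore: periods become underscores, name is upper-cased
    return secret_id.replace(".", "_").upper()

def resolve_secret(secret_id: str, env: dict) -> str:
    # The store expects a base64 value; fail loudly if it is missing or malformed
    name = env_var_for_secret_id(secret_id)
    if name not in env:
        raise KeyError(f"environment variable {name} is not set")
    return base64.b64decode(env[name], validate=True).decode()

def expand_properties(value: str, properties: dict) -> str:
    # Substitute &{name} references with the route's "properties" values
    for key, val in properties.items():
        value = value.replace("&{" + key + "}", val)
    return value

def expected_redirect_uri(gateway_base: str, client_endpoint: str) -> str:
    # The filter registers clientEndpoint + "/callback" as its redirect URI
    return gateway_base.rstrip("/") + client_endpoint + "/callback"

def check_route(route: dict, env: dict, gateway_base: str, sign_in_urls: list) -> list:
    # Returns a list of misconfigurations; an empty list means all checks passed
    findings = []
    try:
        resolve_secret(route["clientSecretId"], env)
    except (KeyError, ValueError) as exc:
        findings.append(f"client secret: {exc}")
    redirect = expected_redirect_uri(gateway_base, route["clientEndpoint"])
    if redirect not in sign_in_urls:
        findings.append(f"{redirect} is not a registered Sign-in URL")
    well_known = expand_properties(route["wellKnownEndpoint"], route["properties"])
    if "&{" in well_known:
        findings.append(f"unresolved property in well-known endpoint: {well_known}")
    return findings
```

Run `check_route(ROUTE, dict(os.environ), GATEWAY_BASE, SIGN_IN_URLS)` in the shell where PingGateway is started to test the real environment; a redirect URI mismatch shows up in AIC as a rejected authorization request rather than in the PingGateway route's failure handler.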
