---
title: Multiple OIDC providers using PingAM and PingOne Advanced Identity Cloud
description: Configure PingGateway to present an identity provider chooser (Nascar page) for multiple OIDC providers using PingAM and PingOne Advanced Identity Cloud
component: pinggateway
version: 2026
page_id: pinggateway:gateway-guide:oidc-nascar
canonical_url: https://docs.pingidentity.com/pinggateway/2026/gateway-guide/oidc-nascar.html
revdate: 2025-10-15T18:45:22Z
---

# Multiple OIDC providers using PingAM and PingOne Advanced Identity Cloud

This page shows how to configure PingGateway for OIDC with two identity providers.

Client registrations for an AM identity provider and a PingOne Advanced Identity Cloud identity provider are declared in the heap. The Nascar page lets the user choose an identity provider.

1. Set up AM as the first identity provider, as described in [AM as OIDC provider](oidc-am.html).

2. Set up PingOne Advanced Identity Cloud as a second identity provider, as described in [OpenID Connect and PingOne Advanced Identity Cloud](../aic/oidc.html).

3. Make sure PingGateway connects to the sample application over HTTPS with a route to access static resources.

   Learn more in [Using the sample application](../getting-started/start-sampleapp.html).

4. Add the following route to PingGateway, replacing the value for the property `amInstanceUrl`:

   * Linux

     `$HOME/.openig/config/routes/07-openid-nascar.json`

   * Windows

     `%appdata%\OpenIG\config\routes\07-openid-nascar.json`

   ```json
   {
     "heap": [
       {
         "name": "SystemAndEnvSecretStore-1",
         "type": "SystemAndEnvSecretStore"
       },
       {
         "name": "AuthenticatedRegistrationHandler-1",
         "type": "Chain",
         "config": {
           "filters": [
             {
               "name": "ClientSecretBasicAuthenticationFilter-1",
               "type": "ClientSecretBasicAuthenticationFilter",
               "config": {
                 "clientId": "oidc_client",
                 "clientSecretId": "oidc.secret.id",
                 "secretsProvider": "SystemAndEnvSecretStore-1"
               }
             }
           ],
           "handler": "ForgeRockClientHandler"
         }
       },
       {
         "name": "openam",
         "type": "ClientRegistration",
         "config": {
           "clientId": "oidc_client",
           "issuer": {
             "name": "am_issuer",
             "type": "Issuer",
             "config": {
               "wellKnownEndpoint": "http://am.example.com:8088/openam/oauth2/.well-known/openid-configuration"
             }
           },
           "scopes": [
             "openid",
             "profile",
             "email"
           ],
           "authenticatedRegistrationHandler": "AuthenticatedRegistrationHandler-1"
         }
       },
       {
         "name": "idcloud",
         "type": "ClientRegistration",
         "config": {
           "clientId": "oidc_client",
           "issuer": {
             "name": "idc_issuer",
             "type": "Issuer",
             "config": {
               "wellKnownEndpoint": "&{amInstanceUrl}/oauth2/realms/alpha/.well-known/openid-configuration"
             }
           },
           "scopes": [
             "openid",
             "profile",
             "email"
           ],
           "authenticatedRegistrationHandler": "AuthenticatedRegistrationHandler-1"
         }
       },
       {
         "name": "NascarPage",
         "type": "StaticResponseHandler",
         "config": {
           "status": 200,
           "headers": {
             "Content-Type": [ "text/html; charset=UTF-8" ]
           },
           "entity": [
             "<html>",
             "  <body>",
             "    <p><a href='/home/id_token/login?registration=oidc_client&issuer=am_issuer&goto=${urlEncodeQueryParameterNameOrValue('https://ig.example.com:8443/home/id_token')}'>Access Management login</a></p>",
             "    <p><a href='/home/id_token/login?registration=oidc_client&issuer=idc_issuer&goto=${urlEncodeQueryParameterNameOrValue('https://ig.example.com:8443/home/id_token')}'>Identity Cloud login</a></p>",
             "  </body>",
             "</html>"
           ]
         }
       }
     ],
     "name": "07-openid-nascar",
     "baseURI": "https://app.example.com:8444",
     "condition": "${find(request.uri.path, '^/home/id_token')}",
     "properties": {
       "amInstanceUrl": "https://myTenant.forgeblocks.com/am"
     },
     "handler": {
       "type": "Chain",
       "config": {
         "filters": [
           {
             "type": "AuthorizationCodeOAuth2ClientFilter",
             "config": {
               "clientEndpoint": "/home/id_token",
               "failureHandler": {
                 "type": "StaticResponseHandler",
                 "config": {
                   "comment": "Trivial failure handler for debugging only",
                   "status": 500,
                   "headers": {
                     "Content-Type": [ "text/plain; charset=UTF-8" ]
                   },
                   "entity": "${contexts.oauth2Failure.error}: ${contexts.oauth2Failure.description}"
                 }
               },
               "loginHandler": "NascarPage",
               "registrations": [ "openam", "idcloud" ],
               "requireHttps": false,
               "cacheExpiration": "disabled"
             }
           }
         ],
         "handler": "ReverseProxyHandler"
       }
     }
   }
   ```

   Source: [07-openid-nascar.json](../_attachments/config/routes/07-openid-nascar.json)

   Consider the differences with `07-openid.json`:

   * The heap objects `openam` and `idcloud` define client registrations.

   * The StaticResponseHandler provides links to the client registrations.

   * The AuthorizationCodeOAuth2ClientFilter uses a `loginHandler` to allow users to choose a client registration and therefore an identity provider.

5. Test the setup:

   1. In your browser's privacy or incognito mode, go to <https://ig.example.com:8443/home/id_token>.

      The Nascar page offers the choice of identity provider.

   2. Using the following credentials, select a provider, log in, and allow the application to access user information:

      * AM: user `demo`, password `Ch4ng31t`.

      * PingOne Advanced Identity Cloud: user `demo`, password `Ch4ng3!t`.

      The home page of the sample application is displayed.
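
A pre-deployment check for the route in step 4, added here as an example (it is not part of the PingGateway documentation or product): it flags discovery endpoints on plain HTTP, `requireHttps` set to `false`, and chooser links whose `registration` and `issuer` parameters match no declared `clientId` and issuer name. The helper `lint_route` and the `typo_issuer` value are hypothetical, and the code assumes `loginHandler` names a heap object, as on this page.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: trimmed copy of this page's route; the second link names an undeclared issuer.
ROUTE = json.loads(r"""
{"heap": [
  {"name": "openam", "type": "ClientRegistration", "config": {"clientId": "oidc_client",
    "issuer": {"name": "am_issuer", "type": "Issuer", "config": {"wellKnownEndpoint":
      "http://am.example.com:8088/openam/oauth2/.well-known/openid-configuration"}}}},
  {"name": "idcloud", "type": "ClientRegistration", "config": {"clientId": "oidc_client",
    "issuer": {"name": "idc_issuer", "type": "Issuer", "config": {"wellKnownEndpoint":
      "&{amInstanceUrl}/oauth2/realms/alpha/.well-known/openid-configuration"}}}},
  {"name": "NascarPage", "type": "StaticResponseHandler", "config": {"entity": [
    "<a href='/home/id_token/login?registration=oidc_client&issuer=am_issuer'>AM</a>",
    "<a href='/home/id_token/login?registration=oidc_client&issuer=typo_issuer'>IDC</a>"]}}],
 "handler": {"type": "Chain", "config": {"filters": [
   {"type": "AuthorizationCodeOAuth2ClientFilter", "config": {"loginHandler": "NascarPage",
     "registrations": ["openam", "idcloud"], "requireHttps": false}}]}}}
""")

def lint_route(route):
    """Return findings for the OIDC objects in a PingGateway route (hypothetical helper)."""
    findings = []
    heap = {obj["name"]: obj for obj in route.get("heap", [])}
    declared = set()  # (clientId, issuer name) pairs that chooser links may reference
    for obj in heap.values():
        if obj.get("type") != "ClientRegistration":
            continue
        issuer = obj["config"]["issuer"]
        declared.add((obj["config"]["clientId"], issuer["name"]))
        if issuer["config"]["wellKnownEndpoint"].startswith("http://"):
            findings.append(f"{obj['name']}: discovery document fetched over plain HTTP")
    for flt in route["handler"]["config"]["filters"]:
        if flt.get("type") != "AuthorizationCodeOAuth2ClientFilter":
            continue
        cfg = flt.get("config", {})
        if cfg.get("requireHttps") is False:
            findings.append("filter: requireHttps is false")
        # Assumption: loginHandler is the name of a heap object, as on this page.
        entity = heap.get(cfg.get("loginHandler"), {}).get("config", {}).get("entity", [])
        html = entity if isinstance(entity, str) else " ".join(entity)
        for href in re.findall(r"href='([^']*)'", html):
            query = parse_qs(urlsplit(href).query)
            pair = (query.get("registration", [""])[0], query.get("issuer", [""])[0])
            if pair not in declared:
                findings.append(f"chooser link {pair} matches no ClientRegistration")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_route(ROUTE)))
```

An endpoint built from an unresolved property such as `&{amInstanceUrl}` is not scheme-checked; check the property value separately.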
