---
title: PingGateway with PingOne as an OIDC provider
description: Configure PingGateway as a relying party using PingOne as an OpenID Connect provider, including application setup, route configuration, and validation
component: pinggateway
version: 2026
page_id: pinggateway:pingone:oidc-ping
canonical_url: https://docs.pingidentity.com/pinggateway/2026/pingone/oidc-ping.html
revdate: 2025-07-03T16:53:36Z
keywords: ["Single sign-on (SSO)", "Security", "Authenticate", "OAuth 2.0", "OpenID Connect (OIDC)"]
page_aliases: ["identity-cloud-guide:oidc-ping.adoc"]
section_ids:
  prepare_pingone: Prepare PingOne
  prepare_pinggateway: Prepare PingGateway
  validation: Validation
---

# PingGateway with PingOne as an OIDC provider

This example sets up PingOne as an OIDC provider with PingGateway as a relying party.

## Prepare PingOne

After you [prepare the PingOne environment and test user](preface.html), follow these steps to [create a PingOne OIDC web application](https://docs.pingidentity.com/pingone/applications/p1_mfa_creating_a_web_application.html):

1. In the environment, create a web application with the following values:

   * Application Name: `oidc_client`

   * Description: `OIDC client`

   * Application Type: `OIDC Web App`

2. In the application, select the Overview panel and click Protocol OpenID Connect.

3. In the Redirect URIs field, add `https://ig.example.com:8443/home/id_token/callback` and save the application.

4. In the Overview panel, click Resource Access, select the `email` and `profile` scopes in addition to the default `openid` scope, and click Save.

   Learn more from the PingOne documentation on [Editing an application - OIDC](https://docs.pingidentity.com/pingone/applications/p1_edit_application_oidc.html).

5. At the top-right of the page, click the slider to enable the application.

6. Go to the Configuration panel and make a note of the following values in the URLs drop-down list:

   * OIDC Discovery Endpoint

   * Client ID

   * Client Secret

   You need the values to set up PingGateway.

## Prepare PingGateway

1. Add the following basic PingGateway configuration if you have not already done so:

   1. Set up PingGateway for HTTPS, as described in [Configure PingGateway for TLS (server-side)](../installation-guide/securing-connections.html#server-side-tls).

   2. Add the following route to PingGateway to serve the sample application .css and other static resources:

      * Linux

        `$HOME/.openig/config/routes/00-static-resources.json`

      * Windows

        `%appdata%\OpenIG\config\routes\00-static-resources.json`

      ```json
      {
        "name" : "00-static-resources",
        "baseURI" : "https://app.example.com:8444",
        "condition": "${find(request.uri.path,'^/css') or matchesWithRegex(request.uri.path, '^/.*\\\\.ico$') or matchesWithRegex(request.uri.path, '^/.*\\\\.gif$')}",
        "handler": "ReverseProxyHandler"
      }
      ```

      Source: [00-static-resources.json](../_attachments/config/routes/00-static-resources.json)

2. Base64-encode the OIDC application's Client Secret and set the value as an environment variable:

   ```console
   $ export OIDC_SECRET_ID='<base64-encoded-client-secret>'
   ```

3. Add the following route to PingGateway, replacing the following property values with those of the OIDC application:

   * `OIDC_Discovery_Endpoint`: The OIDC discovery endpoint for the client application you registered.

   * `Client_ID`: The client ID of the application.

     * Linux

       `$HOME/.openig/config/routes/oidc-ping.json`

     * Windows

       `%appdata%\OpenIG\config\routes\oidc-ping.json`

     ```json
     {
       "name": "oidc-ping",
       "condition": "${find(request.uri.path, '^/home/id_token')}",
       "properties": {
         "OIDC_Discovery_Endpoint": "OIDC Discovery endpoint of the web app",
         "Client_ID": "Client ID of the web app"
       },
       "heap": [
         {
           "name": "SystemAndEnvSecretStore-1",
           "type": "SystemAndEnvSecretStore"
         },
         {
           "name": "AuthenticatedRegistrationHandler-1",
           "type": "Chain",
           "config": {
             "filters": [
               {
                 "name": "ClientSecretBasicAuthenticationFilter-1",
                 "type": "ClientSecretBasicAuthenticationFilter",
                 "config": {
                   "clientId": "&{Client_ID}",
                   "clientSecretId": "oidc.secret.id",
                   "secretsProvider": "SystemAndEnvSecretStore-1"
                 }
               }
             ],
             "handler": "ForgeRockClientHandler"
           }
         }
       ],
       "handler": {
         "type": "Chain",
         "config": {
           "filters": [
             {
               "name": "AuthorizationCodeOAuth2ClientFilter-1",
               "type": "AuthorizationCodeOAuth2ClientFilter",
               "config": {
                 "clientEndpoint": "/home/id_token",
                 "failureHandler": {
                   "type": "StaticResponseHandler",
                   "config": {
                     "status": 500,
                     "headers": {
                       "Content-Type": [
                         "text/html; charset=UTF-8"
                       ]
                     },
                     "entity": "<html><body>Error in OAuth 2.0 setup.<br> ${contexts.oauth2Failure.exception.message}</body></html>"
                   }
                 },
                 "registrations": [
                   {
                     "name": "oauth2-client",
                     "type": "ClientRegistration",
                     "config": {
                       "clientId": "&{Client_ID}",
                       "issuer": {
                         "name": "PingOne",
                         "type": "Issuer",
                         "config": {
                           "wellKnownEndpoint": "&{OIDC_Discovery_Endpoint}"
                         }
                       },
                       "scopes": [
                         "openid",
                         "profile",
                         "email"
                       ],
                       "authenticatedRegistrationHandler": "AuthenticatedRegistrationHandler-1"
                     }
                   }
                 ],
                 "requireHttps": false,
                 "cacheExpiration": "disabled"
               }
             }
           ],
           "handler": {
             "type": "StaticResponseHandler",
             "name": "HTMLResponse",
             "config": {
               "status": 200,
               "entity": "<!DOCTYPE html><html><head><title>Authentication Success</title></head><body><p>Welcome, ${contexts.oauth2Info.userInfo.preferred_username}!</p><code>${contexts.oauth2Info.userInfo}</code></body></html>",
               "headers": {
                 "Content-Type": [
                   "text/html"
                 ]
               }
             }
           }
         }
       }
     }
     ```

     Source: [oidc-ping.json](../_attachments/config/routes/oidc-ping.json)

4. Restart PingGateway.
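
For step 2 above, the following added example (not part of the PingGateway documentation) encodes the Client Secret without a stray trailing newline and checks that the exported variable matches what the route's `SystemAndEnvSecretStore` looks up for `oidc.secret.id`. The helper names and the sample secret are constructed, and GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example: helper names and the sample secret are constructed.
# Assumes GNU coreutils (base64 -d, printenv, od, tail).

# SystemAndEnvSecretStore looks up a secret ID in an environment variable
# named after it: upper-cased, with periods replaced by underscores.
secret_env_name() {
  printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr '.' '_'
}

# Encode the secret exactly as given. printf adds no trailing newline;
# `echo "$secret" | base64` would encode one into the value.
encode_secret() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Return 0 only if the variable for secret ID $1 is exported and non-empty,
# is valid base64, and does not decode to bytes ending in a newline.
check_secret_env() {
  name=$(secret_env_name "$1")
  value=$(printenv "$name") && [ -n "$value" ] ||
    { echo "$name is not exported or is empty" >&2; return 1; }
  printf '%s' "$value" | base64 -d >/dev/null 2>&1 ||
    { echo "$name is not valid base64" >&2; return 1; }
  last=$(printf '%s' "$value" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$last" != "0a" ] ||
    { echo "$name decodes to a value ending in a newline" >&2; return 1; }
}

# Constructed sample secret; use the Client Secret noted from PingOne instead.
OIDC_SECRET_ID=$(encode_secret 'constructed-sample-secret')
export OIDC_SECRET_ID
check_secret_env oidc.secret.id && echo "OIDC_SECRET_ID is set and well formed"
```

Run the check in the same shell session that starts PingGateway, because only exported variables reach the PingGateway process.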

## Validation

1. In your browser's privacy or incognito mode, go to <https://ig.example.com:8443/home/id_token>.

   PingOne displays the sign-on page.

2. Sign on to PingOne as the test user.

   The route displays a welcome page:

   ```none
   Welcome, wolkig!

   {sub=..., preferred_username=wolkig, given_name=Wilhelm, updated_at=..., family_name=Wolkig, email=wolkig@example.com, ...}
   ```
