Configuring an OpenID Connect policy (Windows login)
Create an OpenID Connect policy, and then map the policy to the specific OAuth client.
About this task
Steps
- In PingFederate, before creating a policy, make sure an OpenID Connect (OIDC) scope is defined:
  - In PingFederate, go to Scope Management:
    - PingFederate 10.1 or later: Go to System → OAuth Settings and then click Scope Management.
    - PingFederate 10 or earlier: On the OAuth Server tab, in the Authorization Server section, click Scope Management.
  - Create an OpenID Connect scope:
    - In the Scope Value field, type openid.
    - In the Scope Description field, type OpenID Connect login.
    - Click Add, and then click Save.
    Result: The new scope is added to the Common Scopes list, and the entry is saved.
- In PingFederate, create an OpenID Connect policy:
  - Go to OpenID Connect Policy Management:
    - PingFederate 10.1 or later: Go to Applications → OAuth and then click OpenID Connect Policy Management.
    - PingFederate 10 or earlier: On the OAuth Server tab, in the Token Mapping section, click OpenID Connect Policy Management.
  - Click Add Policy.
  - In the Manage Policy tab, enter the following:
    - Policy ID: Enter a unique ID for the policy.
    - Name: Enter a name for the policy.
    - Access Token Manager: Select the access token manager that you created earlier from the drop-down list.
    - Select the Include User Info in ID Token check box.
  - Click Next.
  - On the Attribute Contract tab, in the Extend the Contract section, for each attribute listed, click Delete in the relevant row, until all attributes are deleted.
  - In a new row, enter winlogin.auth.response, and click Add.
    Result: The new attribute is added to the Extend the Contract list.
  - Click Next.
  - In the Attribute Scopes tab, associate the OpenID scope with the winlogin.auth.response attribute:
    - In the Scope column, select Open ID from the drop-down list.
    - In the Attributes column, select the winlogin.auth.response check box and then click Add.
  - Click Next, and then on the Attribute Sources & User Lookup tab, click Next.
  - In the Contract Fulfillment tab:
    - sub attribute: From the Source list, select Access Token. From the Value list, select subject.
    - winlogin.auth.response attribute: From the Source list, select Access Token. From the Value list, select winlogin.auth.response.
  - Click Next, and on the Issuance Criteria tab, click Next.
  - On the Summary tab, click Save.
    Result: The new OpenID Connect policy is listed in the OpenID Connect Policy Management window.
- If more than one policy exists, click Default to make this policy your default policy.
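To confirm that a policy configured as above actually fulfils its contract, the following added example (not PingFederate code) inspects an ID token's payload and checks that the openid scope was granted and that both sub and winlogin.auth.response are present. It assumes the token's signature has already been verified by your OIDC client library; the sample token, subject jdoe and claim value are constructed for offline testing.

```python
import base64
import json

# Claims the policy above is expected to place in the ID token.
REQUIRED_CLAIMS = ("sub", "winlogin.auth.response")
REQUIRED_SCOPE = "openid"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(id_token: str) -> dict:
    # Compact JWS is header.payload.signature; only the payload is inspected.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 segments")
    return json.loads(_b64url_decode(parts[1]))


def check_contract(id_token: str, granted_scope: str, expected_sub: str) -> list:
    """Return a list of problems; an empty list means the contract was met.

    granted_scope is the space-separated scope string from the token response;
    expected_sub is the subject of the access token the ID token was issued with.
    """
    problems = []
    if REQUIRED_SCOPE not in granted_scope.split():
        problems.append("scope 'openid' was not granted")
    claims = decode_payload(id_token)
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            problems.append(f"missing claim {name}")
    if claims.get("sub") != expected_sub:
        problems.append("sub does not match the access token subject")
    return problems


def make_unsigned_token(claims: dict) -> str:
    # Constructed, unsigned sample token for offline inspection only; real ID
    # tokens are signed and must be signature-verified before this check.
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."
```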