PingOne

Adding an external identity provider sign-on step

If you configure an external identity provider as part of a sign-on policy, end users can access your applications by authenticating with the identity provider.

About this task

There are several ways an external IdP can be invoked to authenticate users. The external IdP sign-on step invokes the IdP because an administrator-declared policy requires it; the user is not offered a choice. Learn more in External IdPs.

Depending on the sign-on policy, end users might bypass the PingOne sign-on prompt entirely and be redirected to the external IdP to authenticate. Another policy might have end users complete the PingOne sign-on prompt and then be redirected to the external IdP for second-factor authentication. In either case the user must exist in PingOne, but the IdP performs the authentication.

Steps

  1. Go to Authentication → Authentication.

  2. Click Add policy to create a new policy, or click the Pencil icon to edit an existing one.

  3. Click Add step.

  4. In the Step type list, select External identity provider.

  5. In the External identity provider list, select the IdP that will handle user authentication. Learn more about adding an IdP in External IdPs.

  6. If you selected Microsoft as the External identity provider, for Policy Purpose, select how users will authenticate:

    • OIDC Authentication: Select this option if you want users to authenticate with Microsoft using the OIDC protocol.

    • Entra ID External Authentication Method: Select this option if you want users to authenticate first with Microsoft Entra ID and then with PingOne as the external provider for multi-factor authentication (MFA). If you choose this option, skip to step 10.

  7. Enter or edit the registration settings:

    • Enable registration: Users can register their own accounts if a user record does not already exist in PingOne.

    • Population: Specify which population will contain the newly registered users.

    • Require confirmation of user information: If enabled, this option requires end users to confirm the data that is linked with the third-party IdP. The end user will have an opportunity to edit the information that the third-party IdP shares with PingOne, such as user name, email address, first name, and last name. Any value the user edits here is user-supplied, not asserted by the IdP.

  8. Enter or edit the requirement condition: If this condition is met, the user will be required to sign on.

    • Last sign-on older than: Requires users to sign on again if their previous sign-on is older than the configured value.

  9. Enter or edit the IdP settings.

    These options are available only if you have an IdP sign-on step as a secondary step after a sign-on step that includes an IdP.

    • Required authentication level: For SAML and OIDC identity providers, PingOne sends the RequestedAuthnContext or acr_values parameter to the specified IdP to indicate how the IdP should authenticate the user. This is commonly used to tell the IdP to use MFA, for example, to ensure the right level of authentication depending on the sensitivity of the target application. The parameter is a request: the IdP decides whether to honor it, and the context it actually used is returned in the SAML AuthnContext of the response or the OIDC acr claim of the ID token.

    • Pass user context to provider: For SAML and OIDC identity providers, PingOne can be configured to include some user information in the authentication request. The information to include is determined as follows:

      • If the user is linked to the IdP, pass the external id for the user.

      • If the user is not linked to the IdP, and is identified in a previous sign-on step or existing session, pass the PingOne username for the user.

      • If the user does not have an existing session, either from a previous transaction, or from completing a sign-on step before the external IdP step in the sign-on policy, pass the loginHint if it was received from the downstream application.

  10. If the Entra ID External Authentication Method option is selected for Policy Purpose, click Add step and select PingID Authentication from the Step type list.

  11. Click Save.
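The following block is an added illustration of the step 9 options (Required authentication level and Pass user context to provider); it is example code written for this page, not PingOne's own code or API, and it does not describe PingOne's internals. It applies the three user-context rules listed above, builds the OIDC authorization request (acr_values, login_hint) and the SAML AuthnRequest (RequestedAuthnContext, Subject) a relying party would send, and then checks the level the IdP actually asserted, because those parameters are only requests. All endpoint URLs, client IDs, user records and the `urn:example:mfa` value are made-up placeholders.

```python
"""Added example for the external IdP step: not PingOne's code; all values are placeholders."""
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def user_context_hint(ctx):
    """Pick the identifier to pass to the IdP, following the page's three rules.

    ctx is a constructed dict describing the PingOne transaction (assumed shape):
      external_id - set only when the user is already linked to this IdP
      username    - set when a previous sign-on step or session identified the user
      login_hint  - the hint received from the downstream application, if any
    """
    if ctx.get("external_id"):      # linked to the IdP: pass the external id
        return ctx["external_id"]
    if ctx.get("username"):         # identified but not linked: pass the PingOne username
        return ctx["username"]
    return ctx.get("login_hint")    # no session: fall back to the application's hint (may be None)


def build_oidc_authz_request(authz_endpoint, client_id, redirect_uri, acr_values=None, login_hint=None):
    """Build the OIDC authorization request URL, adding acr_values and login_hint only when present."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": secrets.token_urlsafe(16),   # CSRF protection for the callback
        "nonce": secrets.token_urlsafe(16),   # binds the ID token to this request
    }
    if acr_values:
        params["acr_values"] = acr_values     # required authentication level (a request, not a guarantee)
    if login_hint:
        params["login_hint"] = login_hint     # user context passed to the provider
    return authz_endpoint + "?" + urllib.parse.urlencode(params)


def build_saml_authn_request(issuer, destination, acs_url, authn_context_class, subject_name_id=None):
    """Build a SAML 2.0 AuthnRequest with RequestedAuthnContext and, when a hint exists, a Subject."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + secrets.token_hex(16),
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    if subject_name_id:   # schema order is Issuer, Subject, ..., RequestedAuthnContext
        subject = ET.SubElement(req, f"{{{SAML}}}Subject")
        ET.SubElement(subject, f"{{{SAML}}}NameID").text = subject_name_id
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = authn_context_class
    return ET.tostring(req, encoding="unicode")


def acr_satisfied(id_token_claims, acr_values):
    """acr_values only asks; the acr claim in the returned ID token says what the IdP actually did."""
    acceptable = set(acr_values.split())   # acr_values is a space-separated list of acceptable classes
    return id_token_claims.get("acr") in acceptable


def saml_context_satisfied(response_xml, authn_context_class):
    """Check the AuthnContextClassRef the IdP asserted in its Response against what was requested."""
    root = ET.fromstring(response_xml)
    path = f".//{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/{{{SAML}}}AuthnContextClassRef"
    return any(el.text == authn_context_class for el in root.iterfind(path))


if __name__ == "__main__":
    # Constructed transaction: user identified by a prior step, not yet linked to the IdP.
    ctx = {"username": "alice", "login_hint": "alice@example.test"}
    hint = user_context_hint(ctx)
    print(build_oidc_authz_request("https://idp.example.test/authorize", "rp-client",
                                   "https://rp.example.test/cb", "urn:example:mfa", hint))
    print(build_saml_authn_request("https://rp.example.test", "https://idp.example.test/sso",
                                   "https://rp.example.test/acs",
                                   "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken", hint))
    print(acr_satisfied({"acr": "urn:example:pwd"}, "urn:example:mfa"))  # IdP did not honor the request
```

The two `*_satisfied` checks are the part practitioners most often skip: a policy that requests MFA from the IdP only enforces MFA if the relying party rejects responses whose asserted context is weaker than what was requested.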