PingOne

Adding an external identity provider sign-on step

If you configure an external identity provider (IdP) as part of a sign-on policy, end users can access your applications by authenticating with the IdP.

About this task

There are several ways an external IdP can be invoked to authenticate users. The external IdP sign-on step does so as a result of administrator-declared policy, and the user is not given a choice. Learn more in External IdPs.

Depending on the sign-on policy, end users might bypass the PingOne sign-on prompt and be redirected to an external IdP to authenticate. A different sign-on policy could have end users use the PingOne sign-on prompt and then be redirected to an external IdP for second-factor authentication. The user must exist in PingOne, but the IdP manages authentication.

When using Microsoft as the external IdP, you must choose whether the policy is intended to authenticate users through the OpenID Connect (OIDC) protocol or to support an external authentication method (EAM) in Microsoft Entra ID.

Before you begin

Steps

  1. Go to Authentication > Authentication.

  2. Click Add policy to create a new policy, or click the Pencil icon to edit an existing one.

  3. Click Add step.

  4. In the Step type list, select External identity provider.

  5. In the External identity provider list, select the IdP that will handle user authentication.

  6. If Microsoft is selected for External identity provider, for Policy Purpose, select a method for users to authenticate:

    • OIDC Authentication: Select this option if you want users to authenticate with Microsoft using the OIDC protocol.

    • Entra ID External Authentication Method: Select this option if you want users to authenticate first with Microsoft Entra ID and then with PingOne as the external provider for multi-factor authentication (MFA). If you choose this option, skip to step 10.

  7. Enter or edit the registration settings:

    • Enable registration: Users can register their own accounts if a user record already exists.

    • Population: Specify which population will contain the newly registered users.

    • Require confirmation of user information: If enabled, this option requires end users to confirm the data that is linked with the third-party IdP. The end user will have an opportunity to edit the information that the third-party IdP shares with PingOne, such as user name, email address, first name, and last name.

  8. Enter or edit the requirement condition: If this condition is met, the user will be required to sign on.

    • Last sign-on older than: Requires users to sign on again if their previous sign-on is older than the configured value.

  9. Enter or edit the IdP settings.

    These options are available only if you have an IdP sign-on step as a secondary step after a sign-on step that includes an IdP.

    • Required authentication level: For SAML and OIDC identity providers, PingOne sends the RequestedAuthnContext or acr_values parameter to the specified IdP to indicate how the IdP should authenticate the user. This is commonly used to tell the IdP to use MFA, for example, to ensure the right level of authentication depending on the sensitivity of the target application.

    • Pass user context to provider: For SAML and OIDC identity providers, PingOne can be configured to include some user information in the authentication request. The information to include is determined as follows:

      • If the user is linked to the IdP, pass the external ID for the user.

      • If the user is not linked to the IdP, and is identified in a previous sign-on step or existing session, pass the PingOne username for the user.

      • If the user does not have an existing session, either from a previous transaction, or from completing a sign-on step before the external IdP step in the sign-on policy, pass the loginHint if it was received from the downstream application.

  10. If the Entra ID External Authentication Method option is selected for Policy Purpose, click Add step and select PingID Authentication from the Step type list.

  11. Click Save.
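As an added example (not PingOne's own code), the following Python models the OIDC request that the IdP settings in step 9 describe: acr_values taken from Required authentication level, login_hint chosen by the Pass user context to provider precedence, and a check that the ID token's acr claim actually reflects the requested level, since acr_values is only a request to the IdP. The authorize URL, client ID, redirect URI and acr value are placeholders, and mapping the downstream loginHint to the OIDC login_hint parameter is an assumption.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode


@dataclass
class UserContext:
    """What PingOne knows about the user when the external IdP step runs."""
    linked_external_id: Optional[str] = None  # set when the user is linked to this IdP
    session_username: Optional[str] = None    # identified in an earlier step or existing session
    app_login_hint: Optional[str] = None      # loginHint received from the downstream application


def choose_login_hint(ctx: UserContext) -> Optional[str]:
    """Precedence from 'Pass user context to provider': linked external ID,
    then the PingOne username, then the application's loginHint (if any)."""
    if ctx.linked_external_id:
        return ctx.linked_external_id
    if ctx.session_username:
        return ctx.session_username
    return ctx.app_login_hint  # None when nothing is known about the user


def build_authorization_request(authorize_url: str, client_id: str, redirect_uri: str,
                                state: str, ctx: UserContext,
                                required_acr: Optional[str] = None,
                                pass_user_context: bool = False) -> str:
    """Assemble the OIDC authorization request sent to the external IdP (placeholder values)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
    }
    if required_acr:                 # 'Required authentication level'
        params["acr_values"] = required_acr
    if pass_user_context:            # 'Pass user context to provider'
        hint = choose_login_hint(ctx)
        if hint:
            params["login_hint"] = hint  # assumed mapping of loginHint to login_hint
    return f"{authorize_url}?{urlencode(params)}"


def acr_satisfied(id_token_claims: dict, required_acr: Optional[str]) -> bool:
    """acr_values is only a request: confirm the IdP's ID token reports one of the
    requested acr values before treating the step as satisfied."""
    if not required_acr:
        return True
    return id_token_claims.get("acr") in required_acr.split()
```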

Next steps

If you’re configuring an EAM in Microsoft Entra ID, add an OIDC application in PingOne and assign your authentication policy to your application. Learn more in Editing an application for the Microsoft Entra ID external authentication method.