---
title: Adding an external identity provider sign-on step
description: Allow end users to authenticate with an external IdP by configuring the IdP as part of an authentication policy in PingOne.
component: pingone
page_id: pingone:authentication:p1_add_idp_signon_step
canonical_url: https://docs.pingidentity.com/pingone/authentication/p1_add_idp_signon_step.html
revdate: January 6, 2025
section_ids:
  before-you-begin: Before you begin
  steps: Steps
  next-steps: Next steps
  related-links: Related links
---

# Adding an external identity provider sign-on step

If you configure an external identity provider (IdP, a service that manages identity information and provides authentication services to relying clients or SPs within a federated or distributed network) as part of a sign-on policy, end users can access your applications by authenticating with the IdP.

An external IdP can be invoked in several ways to authenticate users. The external IdP sign-on step in an authentication policy invokes the external IdP through an administrator-declared policy, and the user isn't given a choice. Learn more in [External IdPs](../integrations/p1_external_idps.html).

Depending on the sign-on policy, end users might bypass the PingOne sign-on prompt and be redirected to an external IdP to authenticate. A different sign-on policy could have end users use the PingOne sign-on prompt and then be redirected to an external IdP for second-factor authentication. The user must exist in PingOne, but the IdP manages authentication.

When using Microsoft as the external IdP, you must choose whether the policy is intended to authenticate users through the OpenID Connect (OIDC, an authentication protocol built on top of OAuth that authenticates users and enables clients, or relying parties, to request and receive information about authenticated sessions and users) protocol or to support external multi-factor authentication (MFA), formerly known as external authentication methods (EAMs), in Microsoft Entra ID.

## Before you begin

* [Set up a connection to your IdP](../integrations/p1_external_idps.html).

* To support external MFA in Microsoft Entra ID, [set up a connection to Microsoft](../integrations/p1_add_idp_microsoft_entra.html).

## Steps

1. In the PingOne admin console, go to **Authentication > Authentication**.

2. Click **Add Policy** to create a new policy, or click the **Pencil** icon to edit an existing one.

3. Click **Add Step**.

4. In the **Step type** list, select **External identity provider**.

5. In the **External Identity Provider** list, select the IdP that will handle user authentication.

6. If Microsoft is selected for **External Identity Provider**, for **Policy Purpose**, select a method for users to authenticate:

   * **OIDC Authentication**: Select this option if you want users to authenticate with Microsoft using the OIDC protocol.

   * **Entra ID External Authentication Method**: Select this option if you want users to authenticate first with Microsoft Entra ID and then with PingOne as the external provider for MFA. If you choose this option, skip to step 10.

7. Enter or edit the registration settings:

   | Setting                                      | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
   | -------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | **Enable registration**                      | Users can register their own accounts whether or not a user record already exists.                                                                                                                                                                                                                                                                                                                                                                                                                       |
   | **Population**                               | Specify which population will contain the newly registered users.                                                                                                                                                                                                                                                                                                                                                                                                                                        |
   | **Require confirmation of user information** | If registration is enabled, requires end users to confirm the data that is linked with the third-party IdP. The end user will have an opportunity to edit the information that the third-party IdP shares with PingOne, such as username, email address, first name, and last name. |

8. Enter or edit the requirement condition.

   If this condition is met, the user will be required to sign on.

   * **Last sign-on older than**: Requires users to sign on again if their previous sign-on is older than the configured value.

9. Enter or edit the IdP settings.

   **Note:** These options are available only if you have an IdP sign-on step as a secondary step after a sign-on step that includes an IdP.

   | Setting | Description |
   | --- | --- |
   | **Required authentication level** | For SAML and OIDC identity providers, PingOne sends the `RequestedAuthnContext` or `acr_values` parameter to the specified IdP to indicate how the IdP should authenticate the user. This is commonly used to tell the IdP to use MFA, for example, to ensure the right level of authentication depending on the sensitivity of the target application. |
   | **Pass user context to provider** | For SAML and OIDC identity providers, PingOne can be configured to include some user information in the authentication request. The information to include is determined as follows: if the user is linked to the IdP, pass the `external id` for the user; if the user isn't linked to the IdP and is identified in a previous sign-on step or existing session, pass the PingOne `username` for the user; if the user doesn't have an existing session, either from a previous transaction or from completing a sign-on step before the external IdP step in the sign-on policy, pass the `loginHint` if it was received from the downstream application. |
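   The following is an added example, not PingOne's own code, that models the two IdP settings above from the relying-party side: it applies the documented precedence for which user context to send (`external id`, then `username`, then `loginHint`), places the requested authentication level in `acr_values`, and then checks the `acr` claim of the returned ID token. That last check matters because `acr_values` is only a request; the IdP reports what it actually did, and a relying party should not accept a password-only result when MFA was asked for. The endpoint, `client_id`, `redirect_uri`, the `user` dict shape and the `urn:example:*` acr values are constructed placeholders, not PingOne identifiers.

```python
"""Added example (not PingOne's code): builds the outbound OIDC request the
page describes and verifies the IdP honoured the requested authentication
level. Endpoint, client_id, redirect_uri and acr values are placeholders."""
from urllib.parse import urlencode

# Constructed placeholders: take the real values from your IdP connection.
AUTHZ_ENDPOINT = "https://idp.example.test/authorize"
CLIENT_ID = "placeholder-client-id"
REDIRECT_URI = "https://sso.example.test/callback"


def choose_user_context(user):
    """Apply the precedence documented for 'Pass user context to provider'.

    `user` is a plain dict (an assumed shape, not a PingOne API object) with
    the keys external_id, username, identified (identified in a prior step or
    an existing session) and login_hint (received from the downstream app).
    """
    if user.get("external_id"):
        # User is linked to the IdP: pass the external id.
        return user["external_id"]
    if user.get("username") and user.get("identified"):
        # Not linked, but identified by an earlier step or existing session.
        return user["username"]
    # No session at all: fall back to the application-supplied login hint.
    return user.get("login_hint")


def build_auth_params(user, required_acr=None, pass_user_context=True,
                      state="constructed-state", nonce="constructed-nonce"):
    """Assemble the OIDC authorization request parameters for the external IdP."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
    }
    if required_acr:
        # 'Required authentication level': acr_values is a space-separated
        # list of acceptable values, most preferred first.
        params["acr_values"] = required_acr
    if pass_user_context:
        hint = choose_user_context(user)
        if hint:
            params["login_hint"] = hint
    return params


def authorization_url(params):
    """Render the redirect URL the browser would be sent to."""
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def acr_satisfied(id_token_claims, required_acr):
    """acr_values only asks; the IdP reports what it did in the `acr` claim.

    A missing or non-matching acr is treated as a failure so that a step-down
    (for example password-only when MFA was requested) is not accepted.
    """
    if not required_acr:
        return True
    acceptable = set(required_acr.split())
    return id_token_claims.get("acr") in acceptable


if __name__ == "__main__":
    # Constructed sample user: not linked, no session, hint from the application.
    sample_user = {"login_hint": "carol@example.test"}
    params = build_auth_params(sample_user, required_acr="urn:example:mfa")
    print(authorization_url(params))
    # Simulated ID token claims from the IdP (constructed): password only.
    print(acr_satisfied({"acr": "urn:example:pwd"}, "urn:example:mfa"))  # False
```

   Run it as a script to see the request URL that results for a user who is neither linked nor in a session; the `acr_satisfied` check is the part worth carrying into any relying-party code that consumes the IdP's ID token.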

10. If the **Entra ID External Authentication Method** option is selected for **Policy Purpose**, click **Add Step** and select **PingID Authentication** in the **Step Type** list.

11. Click **Save**.

## Next steps

If you're configuring external MFA in Microsoft Entra ID, add an OIDC application in PingOne and assign your authentication policy to your application. Learn more in [Editing an application for Microsoft Entra ID external MFA](../applications/p1_configure_oidc_application_microsoft_entra_eam.html).

## Related links

* [Adding a login authentication step](p1_add_login_auth_step.html)

* [Adding a multi-factor authentication or PingID step](p1_add_mfa_step.html)

* [Adding an identifier first authentication step](p1_add_identifier_first_auth.html)
