PingOne

Adding an identity provider - OIDC

You can use the generic OpenID Connect (OIDC) configuration to add any external identity provider (IdP) that follows the OIDC standard.

Steps

  1. In the PingOne admin console, go to Integrations > External IdPs and click the add (+) icon.

  2. In the Select Identity Provider Type step, click OpenID Connect and click Next.

  3. In the Create Profile step, enter the following information:

    • Name: A unique identifier for the IdP.

    • Description (optional): A brief description of the IdP.

    • Population: Select the population into which users who sign on through this IdP are created. This overrides the registration population of the authentication policy and enables just-in-time (JIT) registration from the IdP.

    • Sign-on Button (optional): An image to use for the login button displayed to the end user. Use a 300 x 42 pixel image.

    • Icon (optional): An image to represent the IdP. Use a file up to 1 MB in JPG, JPEG, GIF, or PNG format. Use a 90 x 90 pixel image.

  4. Click Next.

  5. In the Configure Connection step:

    1. Enter the Connection Details:

      • Client ID: The application ID generated by the external IdP to which you’re connecting.

      • Client Secret: The application secret generated by the external IdP to which you’re connecting.

      • Callback URL: Copy the Callback URL to a secure location. You’ll register this value as an allowed redirect URI in the IdP’s application configuration later; the IdP will refuse the authorization request if the value doesn’t match exactly.

    2. Enter the Discovery Details:

      • Discovery Document URI (optional): The discovery endpoint from the external IdP. Enter the URL and then click Use Discovery Document to populate the remaining settings in Discovery Details automatically. Learn more in Discovery document URI.

      • Issuer: The issuer identifier of the external IdP, as it appears in the iss claim of the ID tokens it signs. PingOne rejects tokens whose iss claim doesn’t match this value. This URL must use the https protocol.

      • JWKS Endpoint: The URL of the JSON Web Key Set (JWKS) endpoint for the external IdP. The JWKS endpoint publishes the public keys that PingOne uses to verify the signatures of JSON Web Tokens (JWTs), such as ID tokens, issued by the IdP. This URL must use the https protocol.

      • Authorization Endpoint: The URL that specifies the authorization endpoint for the external IdP. PingOne requests an authorization grant from the authorization endpoint. This URL must use the https protocol.

      • Token Endpoint: The URL that specifies the token endpoint for the external IdP. PingOne presents the authorization code it received from the authorization endpoint to the token endpoint to obtain an ID token and an access token, and a refresh token when the IdP issues one. This URL must use the https protocol.

      • User Information Endpoint (optional): The URL that specifies the userInfo endpoint for the external IdP. When defined for the IdP, PingOne always sends a request to the userInfo endpoint to retrieve additional information about the user after successful authentication. This URL must use the https protocol.

        To obtain claims about the authenticated user:

        1. PingOne sends a token request to the IdP.

        2. The IdP returns a token response to PingOne containing an access token and ID token.

        3. PingOne then presents the access token returned in the IdP token response to the userInfo endpoint to retrieve user attributes, profile information, preferences, and other user-specific information, such as name, email, and sub.

        4. The external IdP returns a JSON object containing user claims. PingOne can only receive claims in the userInfo endpoint that correspond to scopes configured in the Requested Scopes field.

        5. Before applying any attribute mappings, PingOne merges the ID token claims with any results from the userInfo endpoint.

          If the same claim exists in both places, such as both containing the email attribute, PingOne gives precedence to the ID token claim over the userInfo endpoint response.

        6. PingOne then applies any defined attribute mappings.

      • Token Endpoint Authentication Method: The method PingOne uses to authenticate itself to the external IdP’s token endpoint when it exchanges the authorization code. Select None, Client Secret Basic (client ID and secret in an HTTP Basic Authorization header), or Client Secret Post (client ID and secret in the request body). Use None only if the IdP treats PingOne as a public client; it then relies on PKCE alone to protect the code exchange.

      • Requested Scopes: The scopes to include in the authorization request to the external IdP. The scopes determine which claims the IdP returns in the ID token and from the userInfo endpoint. Scope values are case sensitive. You can provide multiple scopes by separating them with a space. Include openid; without it the IdP doesn’t issue an ID token.

      • Proof Key for Code Exchange (PKCE): Select the Enable checkbox to use PKCE. PKCE binds the authorization code to the session that requested it and helps prevent authorization code interception attacks.

        This option is selected by default if Discovery Document URI is configured and if the metadata from the provider includes the following:

          "code_challenge_methods_supported": [
            "plain",
            "S256"
          ]

        If Discovery Document URI isn’t configured or if the code_challenge_methods_supported metadata from the provider doesn’t include S256, this option is cleared by default.

        Learn more about PKCE in RFC7636: Proof Key for Code Exchange by OAuth Public Clients on the Internet Engineering Task Force (IETF) website.
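        The following is an added example, not PingOne code, that walks through the Discovery Details and PKCE settings described above: it populates the endpoint fields from a constructed discovery document, rejects any endpoint that isn’t https, applies the same PKCE default rule (enabled only when code_challenge_methods_supported includes S256), derives an S256 code challenge per RFC 7636, and assembles the resulting authorization request. The discovery document, client ID and callback URL are made up for illustration.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse

# Constructed sample discovery document (not from a real provider); only the
# fields this example reads are included.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/jwks",
    "code_challenge_methods_supported": ["plain", "S256"],
}

# Discovery keys and the Discovery Details fields they populate.
FIELD_MAP = {
    "issuer": "Issuer",
    "jwks_uri": "JWKS Endpoint",
    "authorization_endpoint": "Authorization Endpoint",
    "token_endpoint": "Token Endpoint",
    "userinfo_endpoint": "User Information Endpoint",  # optional
}
REQUIRED = {"issuer", "jwks_uri", "authorization_endpoint", "token_endpoint"}


def populate_discovery_details(doc):
    """Return {field name: URL}; every URL must use https."""
    details = {}
    for key, field in FIELD_MAP.items():
        url = doc.get(key)
        if url is None:
            if key in REQUIRED:
                raise ValueError(f"discovery document lacks {key}")
            continue
        if urlparse(url).scheme != "https":
            raise ValueError(f"{field} must use https: {url}")
        details[field] = url
    return details


def pkce_default(doc):
    """PKCE checkbox default: on only when the metadata advertises S256."""
    return "S256" in (doc or {}).get("code_challenge_methods_supported", [])


def b64url(raw):
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier=None):
    """RFC 7636 code_verifier (43-128 unreserved chars) and its S256 challenge."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_request(details, client_id, callback_url, scopes, use_pkce):
    """Assemble the authorization request sent to the IdP's authorization endpoint."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": callback_url,
        "scope": " ".join(scopes),  # space separated, case sensitive
        "state": b64url(secrets.token_bytes(16)),  # CSRF binding
        "nonce": b64url(secrets.token_bytes(16)),  # echoed in the ID token
    }
    verifier = None
    if use_pkce:
        verifier, challenge = make_pkce_pair()
        params["code_challenge"] = challenge
        params["code_challenge_method"] = "S256"
    url = details["Authorization Endpoint"] + "?" + urlencode(params)
    # The verifier is kept server-side and sent only in the later token request.
    return url, verifier


if __name__ == "__main__":
    details = populate_discovery_details(SAMPLE_DISCOVERY)
    url, verifier = build_authorization_request(
        details, "pingone-client-id", "https://auth.pingone.example/callback",
        ["openid", "profile", "email"], pkce_default(SAMPLE_DISCOVERY))
    print(url)
```

The S256 path is checked in the usage against the test vector from RFC 7636 Appendix B, so a mismatch there points at the base64url or hashing step rather than at the provider.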

    3. Click Next.

  6. In the Map Attributes step, define how the PingOne user attributes are mapped to IdP attributes. Learn more in Mapping attributes.

    • Enter the PingOne user profile attribute and the external IdP attribute. Learn more about attribute syntax in Identity provider attributes.

    • To add an attribute, click Add.

    • To use the advanced expression builder, click the Gear icon. Learn more in Using the expression builder.

    • Select the update condition, which determines how PingOne updates its user directory with the values from the IdP:

      • Empty Only: Update the PingOne attribute only if the existing attribute is empty.

      • Always: Always update the PingOne directory attribute.
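    The following is an added example, not PingOne code, that models the claim handling described under User Information Endpoint and the update conditions above: userInfo claims are limited to those the requested scopes cover, the ID token and userInfo claims are merged with the ID token taking precedence on conflicts, and the attribute mappings are applied with Empty Only or Always semantics. The ID token, userInfo response, existing user record and mappings are constructed for illustration; the check that the userInfo sub matches the ID token sub is a requirement of OpenID Connect Core 1.0 (section 5.3.2) that this page doesn’t describe, added here as the caveat a practitioner would want.

```python
# Constructed sample data (not from a real IdP or PingOne tenant).
ID_TOKEN_CLAIMS = {
    "iss": "https://idp.example.com", "sub": "u-1234", "aud": "pingone-client",
    "email": "alice@example.com", "name": "Alice Example",
}
USERINFO_RESPONSE = {
    "sub": "u-1234", "email": "alice@example.org", "email_verified": True,
    "given_name": "Alice", "family_name": "Example", "phone_number": "+15550100",
}
EXISTING_USER = {"username": "alice", "email": "", "name": "A. Example"}

# Claims each standard scope entitles the client to (OpenID Connect Core 1.0, 5.4).
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "email": {"email", "email_verified"},
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "phone": {"phone_number", "phone_number_verified"},
    "address": {"address"},
}

# (PingOne attribute, IdP claim, update condition); hypothetical mapping set.
MAPPINGS = [
    ("email", "email", "Always"),
    ("name", "name", "Empty Only"),
    ("username", "preferred_username", "Empty Only"),
    ("mobilePhone", "phone_number", "Always"),
]


def filter_by_scopes(userinfo, requested_scopes):
    """Keep only userInfo claims that the Requested Scopes cover."""
    allowed = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in requested_scopes))
    return {k: v for k, v in userinfo.items() if k in allowed}


def merge_claims(id_token_claims, userinfo_claims):
    """Merge both sources; on a conflict the ID token claim wins."""
    if userinfo_claims.get("sub") not in (None, id_token_claims["sub"]):
        raise ValueError("userInfo sub does not match ID token sub")
    merged = dict(userinfo_claims)
    merged.update(id_token_claims)  # ID token precedence
    return merged


def apply_mappings(existing_user, claims, mappings):
    """Write mapped claims into the user record per each update condition."""
    user = dict(existing_user)
    for p1_attr, idp_claim, condition in mappings:
        if idp_claim not in claims:
            continue  # the IdP did not return this claim; leave the attribute alone
        if condition == "Always" or not user.get(p1_attr):
            user[p1_attr] = claims[idp_claim]
    return user


def provision(existing_user, id_token_claims, userinfo, scopes, mappings):
    """Steps 4 to 6 of the flow: scope filter, merge, then map."""
    claims = merge_claims(id_token_claims, filter_by_scopes(userinfo, scopes))
    return apply_mappings(existing_user, claims, mappings)


if __name__ == "__main__":
    print(provision(EXISTING_USER, ID_TOKEN_CLAIMS, USERINFO_RESPONSE,
                    ["openid", "email", "profile"], MAPPINGS))
```

With the sample data, email comes from the ID token (alice@example.com) even though userInfo returned a different value, name is left alone because the existing value is non-empty and the condition is Empty Only, and phone_number is dropped unless the phone scope was requested.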

  7. Click Save.

  8. To enable the IdP, click the toggle at the top of the details panel to the right (blue).

    You can disable the IdP by clicking the toggle to the left (gray).

Next steps