---
title: Adding an identity provider - OIDC
description: Use the generic OIDC configuration to add an external identity provider in PingOne that follows the OIDC standard.
component: pingone
page_id: pingone:integrations:p1_add_idp_oidc
canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_add_idp_oidc.html
revdate: April 23, 2025
section_ids:
  steps: Steps
  next-steps: Next steps
---

# Adding an identity provider - OIDC

You can use the generic OpenID Connect (OIDC) configuration to add any external identity provider (IdP) that follows the OIDC standard.

OIDC is an authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management. An IdP is a service that manages identity information and provides authentication services to relying clients or service providers (SPs) within a federated or distributed network.

## Steps

1. In the PingOne admin console, go to **Integrations > External IdPs** and click the **+** icon.

2. In the **Select Identity Provider Type** step, click **OpenID Connect** and click **Next**.

3. In the **Create Profile** step, enter the following information:

   * **Name**: A unique identifier for the IdP.

   * **Description** (optional): A brief description of the IdP.

   * **Population**: Select a population from the list. This population overrides the authentication policy's registration population and enables just-in-time (JIT) registration from the IdP.

   * **Sign-on Button** (optional): An image to use for the login button displayed to the end user. Use a 300 x 42 pixel image.

   * **Icon** (optional): An image to represent the IdP. Use a file up to 1 MB in JPG, JPEG, GIF, or PNG format. Use a 90 x 90 pixel image.

4. Click **Next**.

5. In the **Configure Connection** step:

   1. Enter the **Connection Details**:

      * **Client ID**: The application ID generated by the external IdP to which you're connecting.

      * **Client Secret**: The application secret generated by the external IdP to which you're connecting.

      * **Callback URL**: Copy the **Callback URL** to a secure location. You'll provide this value to the IdP later.

   2. Enter the **Discovery Details**:

      * **Discovery Document URI** (optional): The discovery endpoint from the external IdP. Enter the URL and then click **Use Discovery Document** to populate the remaining settings in **Discovery Details** automatically. Learn more in [Discovery document URI](p1_discovery_document_uri.html).

      * **Issuer**: The issuer to which the authentication is sent for the external IdP. This URL must use the `https` protocol.

      * **JWKS Endpoint**: The URL that specifies the JSON Web Key Set (JWKS) endpoint for the external IdP. The JWKS endpoint publishes the public keys used to verify the signatures of JSON Web Tokens (JWTs), such as the ID token, issued by the IdP. This URL must use the `https` protocol.

      * **Authorization Endpoint**: The URL that specifies the authorization endpoint for the external IdP. PingOne requests an authorization grant from the authorization endpoint. This URL must use the `https` protocol.

      * **Token Endpoint**: The URL that specifies the token endpoint for the external IdP. PingOne presents its authorization grant to the token endpoint to obtain an access token and a refresh token when needed. This URL must use the `https` protocol.

      * **User Information Endpoint** (optional): The URL that specifies the `userInfo` endpoint for the external IdP. When defined for the IdP, PingOne always sends a request to the `userInfo` endpoint to retrieve additional information about the user after successful authentication. This URL must use the `https` protocol.

        To obtain claims about the authenticated user:

        1. PingOne sends a token request to the IdP.

        2. The IdP returns a token response to PingOne containing an access token and ID token.

        3. PingOne then presents the access token returned in the IdP token response to the `userInfo` endpoint to retrieve user attributes, profile information, preferences, and other user-specific information, such as `name`, `email`, and `sub`.

        4. The external IdP returns a JSON object containing user claims. PingOne can only receive claims from the `userInfo` endpoint that correspond to scopes configured in the **Requested Scopes** field.

        5. Before applying any attribute mappings, PingOne merges the ID token claims with any results from the `userInfo` endpoint.

           If the same claim exists in both places, such as both containing the `email` attribute, PingOne gives precedence to the ID token claim over the `userInfo` endpoint response.

        6. PingOne then applies any defined attribute mappings.

      * **Token Endpoint Authentication Method**: The method PingOne uses to authenticate to the external IdP's token endpoint. Select **None**, **Client Secret Basic**, or **Client Secret Post**.

      * **Requested Scopes**: The scopes to include in the authentication request. They determine which data the external IdP returns from the `userInfo` endpoint. Scope values are case sensitive. You can provide multiple scopes by separating them with a space.

      * **Proof Key for Code Exchange (PKCE)**: Select the **Enable** checkbox to use PKCE to secure communication with the IdP and help prevent authorization code interception attacks.

        This option is selected by default if **Discovery Document URI** is configured and if the metadata from the provider includes the following:

        ```json
        "code_challenge_methods_supported": [
          "plain",
          "S256"
        ]
        ```

        If **Discovery Document URI** isn't configured or if the `code_challenge_methods_supported` metadata from the provider doesn't include `S256`, this option is cleared by default.

        Learn more about PKCE in [RFC7636: Proof Key for Code Exchange by OAuth Public Clients](https://tools.ietf.org/html/rfc7636) on the Internet Engineering Task Force (IETF) website.

   3. Click **Next**.
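As an added example (not PingOne's own code), the following Python reproduces the **Discovery Details** behaviour described in step 5: it reads a constructed discovery document, populates the settings it covers, rejects any endpoint that does not use `https`, and applies the PKCE default rule (enabled only when the metadata advertises `S256`). The metadata field names follow OIDC Discovery; the sample URLs are constructed.

```python
"""Populate OIDC connection settings from a discovery document (added example)."""
import json
from urllib.parse import urlparse

# Constructed sample discovery document; the URLs are assumptions,
# not values from any real provider.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "code_challenge_methods_supported": ["plain", "S256"],
})

# Discovery metadata field -> Discovery Details setting it populates.
FIELD_MAP = {
    "issuer": "Issuer",
    "jwks_uri": "JWKS Endpoint",
    "authorization_endpoint": "Authorization Endpoint",
    "token_endpoint": "Token Endpoint",
    "userinfo_endpoint": "User Information Endpoint",
}
OPTIONAL_SETTINGS = {"User Information Endpoint"}


def pkce_default(metadata):
    """PKCE is selected by default only when the provider advertises S256."""
    methods = (metadata or {}).get("code_challenge_methods_supported", [])
    return "S256" in methods


def build_connection(discovery_json):
    """Fill the Discovery Details from the document and enforce https."""
    metadata = json.loads(discovery_json) if discovery_json else {}
    settings = {}
    for field, setting in FIELD_MAP.items():
        url = metadata.get(field)
        if url is None:
            if setting in OPTIONAL_SETTINGS:
                continue
            raise ValueError(f"discovery document lacks required '{field}'")
        if urlparse(url).scheme != "https":
            raise ValueError(f"{setting} must use https: {url}")
        settings[setting] = url
    # Cleared by default with no discovery document or without S256 support.
    settings["PKCE"] = pkce_default(metadata)
    return settings
```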

6. In the **Map Attributes** step, define how the PingOne user attributes are mapped to IdP attributes. Learn more in [Mapping attributes](../directory/p1_editsamlattributemapping.html).

   * Enter the PingOne user profile attribute and the external IdP attribute. Learn more about attribute syntax in [Identity provider attributes](p1_idp_attributes.html).

   * To add an attribute, click **+ Add**.

   * To use the advanced expression builder, click the **Gear** icon. Learn more in [Using the expression builder](../pingone_expression_language/p1_use_expression_builder.html).

   * Select the update condition, which determines how PingOne updates its user directory with the values from the IdP:

     * **Empty Only**: Update the PingOne attribute only if the existing attribute is empty.

     * **Always**: Always update the PingOne directory attribute.

7. Click **Save**.

8. To enable the IdP, click the toggle at the top of the details panel so that it moves to the right and turns blue.

   You can disable the IdP by clicking the toggle to the left (gray).
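The claims sequence described in step 5 (ID token claims merged with the `userInfo` response, the ID token taking precedence, and `userInfo` claims limited to the requested scopes) together with the **Empty Only** and **Always** update conditions of step 6, as an added Python example rather than PingOne's implementation. The scope-to-claim table is the standard one from OIDC Core section 5.4, and the sample IdP responses are constructed.

```python
"""Merge ID token and userInfo claims, then apply attribute mappings (added example)."""

# Claims each standard scope releases from the userInfo endpoint
# (OIDC Core 1.0, section 5.4); "sub" is always returned.
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {"name", "given_name", "family_name", "preferred_username",
                "picture", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "phone": {"phone_number", "phone_number_verified"},
    "address": {"address"},
}

# Constructed sample responses from a hypothetical external IdP.
ID_TOKEN_CLAIMS = {"sub": "u-1001", "email": "ada@idp.example", "name": "Ada Lovelace"}
USERINFO_RESPONSE = {"sub": "u-1001", "email": "ada.old@idp.example",
                     "given_name": "Ada", "phone_number": "+1-555-0100"}
REQUESTED_SCOPES = "openid profile email"  # space separated, case sensitive


def filter_by_scopes(userinfo, requested_scopes):
    """Keep only the userInfo claims that the requested scopes cover."""
    allowed = set()
    for scope in requested_scopes.split():
        allowed |= SCOPE_CLAIMS.get(scope, set())
    return {k: v for k, v in userinfo.items() if k in allowed}


def merge_claims(id_token_claims, userinfo, requested_scopes):
    """ID token claims win over the userInfo response for the same claim."""
    merged = filter_by_scopes(userinfo, requested_scopes)
    merged.update(id_token_claims)
    return merged


def apply_mappings(existing_user, claims, mappings):
    """mappings: PingOne attribute -> (IdP claim, update condition)."""
    user = dict(existing_user)
    for attr, (claim, condition) in mappings.items():
        if condition not in ("Always", "Empty Only"):
            raise ValueError(f"unknown update condition: {condition}")
        if claim not in claims:
            continue  # the IdP supplied nothing for this attribute
        if condition == "Always" or not user.get(attr):
            user[attr] = claims[claim]
    return user
```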

## Next steps

[Add the IdP to your authentication policy](../authentication/p1_edit_auth_policy.html).
