PingOne Advanced Services

Users are managed by another identity provider

In this configuration, users are managed in your PingOne environment that does not contain the OIDC application connection, as shown in the diagram.

Network diagram
Diagram of a network where users are managed by another identity provider.

If you have this type of configuration, you need to configure a connection:

  • From the external identity provider that manages your users

  • To the PingOne environment that contains the OIDC application that connects PingOne to PingOne Advanced Services.

In the external identity provider environment that contains your users

Steps

  1. Ensure that the custom user attributes are defined as described in Creating custom user attributes.

  2. Create a new OIDC application to connect these environments.

    1. Go to Applications → Applications.

    2. Complete the following fields:

      • Application Name: Enter the name of the application.

      • Description: Enter a meaningful description for the application.

      • Application Type: Select OIDC Web App.

    3. On the Configuration tab, click the Pencil icon, select the following options, and click Save.

      • In the Response Type field, select Code.

      • In the Grant Type field, select Authorization Code.

      • In the Token Auth Method field, select Client Secret Basic.

    4. Add a multi-factor authentication (MFA) policy to the application. Refer to your external identity provider documentation for instructions on adding an MFA policy.

    5. Click the Attribute Mappings tab and enter the following mappings:

      “sub” = “User ID”
      “email” = “Email Address”
      “familyName” = “Family Name”
      “givenName” = “Given Name”
      “username” = “Username”
      “p1asArgoCDRoles” = “P1AS ArgoCD Roles”
      “p1asGrafanaRoles” = “P1AS Grafana Roles”
      “p1asOpensearchRoles” = “P1AS Opensearch Roles”
      “p1asPingAccessRoles” = “P1AS PingAccess Roles”
      “p1asPingFederateRoles” = “P1AS PingFederate Roles”
      “p1asPrometheusRoles” = “P1AS Prometheus Roles”
      "p1asSelfServiceRoles" = "P1AS SelfService Roles"
    6. Click the toggle switch to enable the application.

    7. Copy and save the application client ID, client secret, and OIDC Discovery Endpoint URL, which you’ll need to provide in the next step.

In the PingOne environment that contains the OIDC application

Steps

  1. Access the appropriate PingOne environment.

  2. Create an external IdP to configure a connection to the user environment:

    1. Go to Integrations → External IDPs.

    2. Click Add Provider.

    3. Click OpenID Connect.

    4. On the Create Profile page, enter the following:

      • Name: A unique identifier for the IdP.

      • Description (optional): A brief description of the IdP.

      • Icon (optional): An image to represent the identity provider. Use a file up to 1 MB in JPG, JPEG, GIF, or PNG format. Use a 90 X 90 pixel image.

      • Login button (optional): An image to use for the login button displayed to the end user. Use a 300 X 42 pixel image.

    5. Click Continue.

    6. Enter the connection and discovery details you copied and saved in step 2 of the previous task:

      • Client ID: Enter the client ID for the OIDC application you just created.

      • Client secret: Enter the client secret generated for the OIDC application.

      • Discovery document URI: Enter the OIDC Discovery Endpoint URL from the OIDC application, and then click Use Discovery document to populate the remaining settings. Learn more in Discovery document URI in the PingOne documentation.

    7. Click Save and Continue.

    8. On the Map Attributes page enter the following mappings:

      “Username” = “providerAttributes.username”
      “External ID” = “providerAttributes.sub”
      “Email” = “providerAttributes.email”
      “Family Name” = “providerAttributes.familyName”
      “Given Name” = “providerAttributes.givenName”
      “P1AS ArgoCD Roles” = “providerAttributes.p1asArgoCDRoles
      “P1AS Grafana Roles” = “providerAttributes.p1asGrafanaRoles”
      “P1AS Opensearch Roles” = “providerAttributes.p1asOpensearchRoles”
      “P1AS PingAccess Roles” = “providerAttributes.p1asPingAccessRoles”
      “P1AS PingFederate Roles” = “providerAttributes.p1asPingFederateRoles”
      “P1AS Prometheus Roles” = “providerAttributes.p1asPrometheusRoles”
      "P1AS SelfService Roles" = "providerAttributes.p1asSelfServiceRoles"
    9. Click Save and Finish.

    10. Locate the new external IdP in the list, expand it, and click on the Connections tab.

    11. Copy and save the Callback URL to use in a later step

    12. Click the toggle switch to enable the application.

  3. Create an authentication policy for the external IdP:

    1. Go to Authentication → Authentication.

    2. Click Add Policy.

    3. Enter a policy name.

    4. From the Step Type list, select External identity provider.

    5. From the External identity provider list, select the external provider you just configured and click Save.

  4. Add an authentication policy to the OIDC application:

    1. Go to Applications → Applications, and select the OIDC application you created in the previous step.

    2. Select the Policies tab and click Add Policies.

    3. Select the authentication policy you created in the previous step and click Save.

In the external identity provider environment that contains your users

Steps

  1. Go to Applications → Applications and select the new OIDC application.

  2. Click the Configuration tab and then click the Pencil icon.

  3. In the Redirect URIs field, enter the Callback URL you copied and saved in the previous task and click Save.

  4. Submit a service request to the Support and Professional Services teams to provide them with details regarding the OIDC application and the name that should display when users sign on.

  5. Now, you can begin adding users to this environment and assigning roles. You can find a complete list of PingOne Advanced Services attribute mappings for each administrator role and the permissions each role is assigned in Administrative role mappings.