---
title: OIDC provider configuration
description: You can configure the Advanced Identity Cloud OAuth 2.0 provider service to act as an OpenID provider (OP).
component: pingoneaic
page_id: pingoneaic:am-oidc1:configure-openid-connect-provider
canonical_url: https://docs.pingidentity.com/pingoneaic/am-oidc1/configure-openid-connect-provider.html
keywords: ["OpenID Connect (OIDC)", "Standards", "Setup & Configuration"]
page_aliases: ["oidc1-guide:configure-openid-connect-provider.adoc"]
section_ids:
  oidc-configuration-options: OIDC-specific configuration
---

# OIDC provider configuration

You can configure the Advanced Identity Cloud OAuth 2.0 provider service to act as an OpenID provider (OP).

To do so, [configure the OAuth 2.0 provider service](../am-oauth2/oauth2-configure-authz.html) then refer to [OIDC-specific configuration](#oidc-configuration-options).

## OIDC-specific configuration

To set the OAuth 2.0 provider configuration, under Native Consoles > Access Management, go to Realms > *Realm Name* > Services > OAuth2 Provider.

Refer to the [OAuth2 Provider](../am-reference/services-configuration.html#realm-oauth-oidc) reference section for details on each configuration property.

**OIDC configuration options**

| Task | Resources |
| ---- | --------- |
| **Configure the public keys for the provider.** OPs sign ID tokens so that clients can verify their authenticity. Advanced Identity Cloud publishes its signing public keys as a JWK Set at a URI that clients use to verify ID token signatures (the `jwks_uri` value advertised in the discovery document). | N/A |
| **Enable the OIDC Provider Discovery endpoint.** The discovery endpoint is enabled by default. Keep it enabled if your clients need to discover the issuer URL of the OP for a given user. | [OIDC discovery](oidc-am-provider.html#configure-openid-connect-discovery) |
| **Configure pairwise subject types for dynamic registration.** To return a different `sub` claim value in the ID token to different clients (refer to [Subject Identifier Types](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes)), make sure that the Subject Types supported property on the Core tab of the OAuth 2.0 provider configuration includes `pairwise`. This is the default. Also change the default value of the Subject Identifier Hash Salt field on the same tab: the salt is an input to the hash that derives pairwise identifiers, so leaving it at the shipped default makes the identifiers predictable. If you specify a pairwise subject type, check the value of the Sector Identifier URI in the OAuth 2.0 client configuration. The value of this field must be a URL (including the https scheme) that references a JSON file containing an array of redirect\_uri values. Advanced Identity Cloud uses the host component of this URL to compute pairwise subject identifiers. If you configure a single Post Logout Redirect URI, the Sector Identifier URI takes this value by default. If you configure several Post Logout Redirect URIs and specify a pairwise Subject Type, you must set a value for the Sector Identifier URI. | N/A |
| **Specify whether Advanced Identity Cloud should return scope-derived claims in the ID token.** Scope-derived claims, such as those returned when requesting the `profile` scope, aren't returned in the ID token by default; clients retrieve them from the userinfo endpoint unless you enable this option. | [Claims](understanding-openid-connect-scopes-and-claims.html) |
| **Configure how Advanced Identity Cloud maps scopes to claims and user profile attributes.** Use scripts to map user profile attributes to claims and scopes. | [Claims](understanding-openid-connect-scopes-and-claims.html), [OIDC claims](../am-oauth2/plugins-user-info-claims.html) |
| **Configure the OP for dynamic application registration and management.** Advanced Identity Cloud supports several methods of dynamic application registration. You can also register applications [manually](../realms/applications.html). | [Dynamic client registration](oauth2-dynamic-client-registration.html) |
| **Add authentication requirements to ID tokens.** Require end users to satisfy specific authentication rules or conditions when authenticating to the OP, such as using a specific authentication journey. | [Authentication requirements](oidc-authentication-requirements.html) |
| **Configure Advanced Identity Cloud for [GSMA Mobile Connect](https://www.gsma.com/identity/mobile-connect).** Configure the OAuth 2.0 authorization server to act as a Mobile Connect provider. | [Configure Mobile Connect](oidc-mobile-connect.html#mobile-connect-configure) |
| **Configure the OP to encrypt ID tokens and logout tokens.** By default, ID tokens and backchannel logout tokens are *signed* but not encrypted, so any party that obtains one can read its claims. If these tokens carry sensitive information about your end users, consider encrypting them. | [Encrypt ID tokens and backchannel logout tokens](encrypting-oidc-idtokens.html) |
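The pairwise subject rules in the table above, worked through as an added example that is not part of this page or of the Advanced Identity Cloud code: it resolves the sector identifier host from a client registration the way OpenID Connect Core 1.0 section 8.1 describes (Sector Identifier URI must be https and its JSON document must list the client's registered URIs; otherwise the single registered URI's host is used, and several hosts without a Sector Identifier URI is rejected), then derives `sub` with the salted SHA-256 construction that section gives as an example algorithm. The provider's actual hash encoding is not documented here, so the separators, the hex output and the placeholder default salt `changeit` are assumptions; the sample clients are constructed. The fallback uses the client's redirect URIs as the specification does, whereas the page says Advanced Identity Cloud defaults the Sector Identifier URI from a single Post Logout Redirect URI.

```python
import hashlib
from urllib.parse import urlparse

# Hypothetical placeholder standing in for the provider's shipped default salt.
# The page says to change the default, so this example refuses to hash with it.
PLACEHOLDER_DEFAULT_SALT = "changeit"


def resolve_sector_host(sector_identifier_uri, registered_uris, sector_document=None):
    """Return the host used as the sector identifier (OIDC Core 1.0, section 8.1).

    With a Sector Identifier URI: it must be https, and the JSON array it points
    at (passed in here as an already-fetched list) must contain every URI the
    client registered, or a client could borrow another site's sector and receive
    that site's pairwise identifiers. Without one: exactly one host may be
    registered, otherwise the configuration is rejected.
    """
    if sector_identifier_uri:
        parsed = urlparse(sector_identifier_uri)
        if parsed.scheme != "https" or not parsed.hostname:
            raise ValueError("Sector Identifier URI must be an https URL")
        if sector_document is not None:
            missing = sorted(set(registered_uris) - set(sector_document))
            if missing:
                raise ValueError(f"registered URIs absent from sector document: {missing}")
        return parsed.hostname.lower()

    hosts = {urlparse(u).hostname for u in registered_uris}
    if len(hosts) != 1 or None in hosts:
        raise ValueError("several hosts registered: a Sector Identifier URI is required")
    return hosts.pop().lower()


def pairwise_sub(sector_host, local_account_id, salt):
    """Derive a pairwise sub: salted SHA-256 over sector identifier and local
    account id, as in the example algorithm of OIDC Core section 8.1.
    The NUL separators and hex encoding are this example's choice (assumption)."""
    if salt == PLACEHOLDER_DEFAULT_SALT:
        raise ValueError("Subject Identifier Hash Salt is still the default; change it")
    material = f"{sector_host}\x00{local_account_id}\x00{salt}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def subs_for_clients(clients, local_account_id, salt):
    """Return {client_id: sub} for a list of client registrations, so the effect
    of sharing (or not sharing) a sector is visible side by side."""
    result = {}
    for client in clients:
        host = resolve_sector_host(
            client.get("sector_identifier_uri"),
            client["redirect_uris"],
            client.get("sector_document"),
        )
        result[client["client_id"]] = pairwise_sub(host, local_account_id, salt)
    return result


# Constructed sample registrations (not real clients). app-a and app-b share a
# sector via the same Sector Identifier URI; app-c has no sector URI and one host.
SECTOR_DOC = ["https://app-a.example.com/cb", "https://app-b.example.com/cb"]
CLIENTS = [
    {"client_id": "app-a", "redirect_uris": ["https://app-a.example.com/cb"],
     "sector_identifier_uri": "https://sector.example.com/redirect_uris.json",
     "sector_document": SECTOR_DOC},
    {"client_id": "app-b", "redirect_uris": ["https://app-b.example.com/cb"],
     "sector_identifier_uri": "https://sector.example.com/redirect_uris.json",
     "sector_document": SECTOR_DOC},
    {"client_id": "app-c", "redirect_uris": ["https://app-c.example.net/cb"]},
]

if __name__ == "__main__":
    # app-a and app-b receive the same sub for this user; app-c receives a different one.
    for client_id, sub in subs_for_clients(CLIENTS, "user-1234", "long-random-salt-set-at-deploy").items():
        print(client_id, sub)
```

Two clients that point at the same Sector Identifier URI are deliberately given the same `sub`, which is why the OP must verify that the referenced document really lists the client's URIs before trusting the host: that check is the only thing stopping an unrelated client from registering another site's sector and correlating its users.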
