---
title: Set up an OIDC-compliant IdP as a federation IdP
description: To use an OIDC-compliant IdP as a federation IdP for a PingOne Advanced Identity Cloud tenant environment, you need to create a new OIDC client.
component: pingoneaic
page_id: pingoneaic:federation:set-up-federation-idp-oidc
canonical_url: https://docs.pingidentity.com/pingoneaic/federation/set-up-federation-idp-oidc.html
keywords: ["Federation", "Authentication", "Setup & Configuration"]
page_aliases: ["federation:set-up-federation-provider-oidc.adoc"]
section_ids:
  configure-oidc-as-a-federation-idp: "Task 1: Configure OIDC-compliant IdP as a federation IdP"
  use-group-membership-to-enable-federation-in-oidc: "Task 2: Use group membership to enable federation in an OIDC-compliant IdP"
---

# Set up an OIDC-compliant IdP as a federation IdP

To use an OIDC-compliant IdP as a federation IdP for a PingOne Advanced Identity Cloud tenant environment, you need to create a new OIDC client.

## Task 1: Configure OIDC-compliant IdP as a federation IdP

1. Read your IdP vendor's documentation on configuring an OIDC client.

2. Configure an OIDC client profile:

   1. Choose a client ID or note the automatically generated client ID. Some OIDC IdPs let you choose the client ID while others autogenerate it for you.

      > In Advanced Identity Cloud, use this in an application's Application ID field.

   2. Choose a client secret or note the automatically generated client secret. Some OIDC IdPs let you choose the client secret while others autogenerate it for you.

      > In Advanced Identity Cloud, enter this value in an application's Application Secret field (or set it in an ESV mapped to that field).

   3. Configure the allowed scopes. Recommended scopes: `openid`, `profile`, and `email`.

   4. Configure the client authentication method. Advanced Identity Cloud supports `client_secret_post`, `client_secret_basic`, or `none`. Prefer `client_secret_basic` or `client_secret_post`, which both present the client secret to the token endpoint; `none` is the public-client method, in which the token request carries no client credential at all, so choose it only if the IdP explicitly issues this client without a secret.

3. Obtain the well-known URL from the OIDC-compliant IdP. This is the OIDC discovery endpoint, normally `https://<issuer>/.well-known/openid-configuration`, which publishes the issuer value and the authorization, token, and JWKS endpoints. It must be served over HTTPS, and its `issuer` value must match the `iss` claim in the ID tokens the IdP issues. You enter this URL when you enable the IdP in Advanced Identity Cloud.

   > In Advanced Identity Cloud, enter this value in an application's Well-known Endpoint field (or set it in an ESV mapped to that field).

## Task 2: Use group membership to enable federation in an OIDC-compliant IdP

Groups let you add and remove sets of administrators based on their group membership in your IdP. You can also specify the level of administrator access (super administrator\[[1](#_footnotedef_1 "View footnote.")] or tenant administrator) for groups of users.

1. Read your IdP vendor's documentation on configuring groups in your OIDC client.

2. Obtain the name of the claim that carries group membership from the OIDC-compliant IdP. The name is vendor-specific (`groups` is common). Confirm that the IdP actually includes this claim in the ID token or userinfo response for the scopes you configured in Task 1; some IdPs only emit it when a matching scope is requested.

   > In Advanced Identity Cloud, enter this value in an application's Group Claim Name field (or set it in an ESV mapped to that field).

3. (Optional) Set up super administrator\[[1](#_footnotedef_1 "View footnote.")] groups:

   1. Set up one or more groups for users that need to be super administrators\[[1](#_footnotedef_1 "View footnote.")] when they access the tenant using your IdP.

   2. Note the group ID (or group IDs).

      > In Advanced Identity Cloud, enter the group ID (or group IDs) in an application's Group Identifiers field to the left of `Super Admins` (or set it in an ESV mapped to that field).

4. (Optional) Set up tenant administrator groups:

   1. Set up one or more groups for users that need to be tenant administrators when they access the tenant using your IdP.

   2. Note the group ID (or group IDs).

      > In Advanced Identity Cloud, enter the group ID (or group IDs) in an application's Group Identifiers field to the left of `Tenant Admins` (or set it in an ESV mapped to that field).

5. (Optional) Set up tenant auditor\[[2](#_footnotedef_2 "View footnote.")] groups:

   1. Set up one or more groups for users that need to be tenant auditors when they access the tenant using your IdP.

   2. Note the group ID (or group IDs).

      > In Advanced Identity Cloud, enter the group ID (or group IDs) in an application's Group Identifiers field to the left of `Tenant Auditor` (or set it in an ESV mapped to that field).

6. (Optional) Set up brand administrator\[[3](#_footnotedef_3 "View footnote.")] groups:

   1. Set up one or more groups for users that need to be brand administrators when they access the tenant using your IdP.

   2. Note the group ID (or group IDs).

      > In Advanced Identity Cloud, enter the group ID (or group IDs) in an application's Group Identifiers field to the left of `Brand Admin` (or set it in an ESV mapped to that field).
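The following Python script is an added example, not code from Ping Identity or from this page. It models the two checks a practitioner would want to run on the IdP data gathered in Task 1 and Task 2 before entering it into Advanced Identity Cloud: that the discovery document behind the well-known URL is consistent with the client settings chosen (issuer, recommended scopes, client authentication method), and that the group claim named in Task 2 actually resolves to the intended administrator roles. The discovery document, ID-token claims, issuer, client ID, and group identifiers are all constructed for the example. The script assumes the ID token's signature has already been verified against the IdP's `jwks_uri`, and it does not model how Advanced Identity Cloud resolves precedence when a user matches more than one role group.

```python
"""Offline sanity checks for the IdP data this page asks you to collect:
the discovery (well-known) document and the group-membership claim."""
import json

# Constructed sample discovery document in the standard
# /.well-known/openid-configuration shape; the issuer is hypothetical.
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/token",
  "jwks_uri": "https://idp.example.com/oauth2/keys",
  "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
  "scopes_supported": ["openid", "profile", "email", "groups"],
  "claims_supported": ["sub", "email", "name", "groups"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"]
}
""")

# Constructed ID-token payload; assume the JWS signature was verified already.
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": "https://idp.example.com",
    "aud": "aic-federation-client",
    "sub": "u-1042",
    "email": "admin@example.com",
    "groups": ["grp-aic-tenantadmins", "grp-aic-brand", "grp-everyone"],
}

# Hypothetical group identifiers for each Group Identifiers row on this page.
ROLE_GROUPS = {
    "Super Admins": {"grp-aic-superadmins"},
    "Tenant Admins": {"grp-aic-tenantadmins"},
    "Tenant Auditor": {"grp-aic-auditors"},
    "Brand Admin": {"grp-aic-brand"},
}

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
RECOMMENDED_SCOPES = ("openid", "profile", "email")
SUPPORTED_AUTH_METHODS = ("client_secret_post", "client_secret_basic", "none")


def check_discovery(doc, expected_issuer, auth_method):
    """Return a list of problems with a discovery document; [] means it is usable."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"missing {key}")
    issuer = doc.get("issuer", "")
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} does not match {expected_issuer!r}")
    if not issuer.startswith("https://"):
        problems.append("issuer is not an https URL")
    if "scopes_supported" in doc:  # optional in OIDC Discovery, so only check when present
        for scope in RECOMMENDED_SCOPES:
            if scope not in doc["scopes_supported"]:
                problems.append(f"scope {scope!r} not advertised")
    if auth_method not in SUPPORTED_AUTH_METHODS:
        problems.append(f"auth method {auth_method!r} not supported by Advanced Identity Cloud")
    elif auth_method == "none":
        problems.append("auth method 'none' sends no client credential to the token endpoint")
    elif auth_method not in doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"]):
        # OIDC Discovery: when the list is absent, client_secret_basic is the default.
        problems.append(f"token endpoint does not advertise {auth_method!r}")
    return problems


def check_id_token(claims, expected_issuer, client_id):
    """Claim checks that must hold before the groups claim is trusted at all."""
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("iss does not match the discovery issuer")
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if client_id not in aud:
        problems.append("aud does not contain our client ID")
    return problems


def resolve_roles(claims, group_claim_name, role_groups=ROLE_GROUPS):
    """Return the sorted list of roles whose group identifiers appear in the token."""
    groups = claims.get(group_claim_name, [])
    if isinstance(groups, str):
        groups = [groups]  # some IdPs emit a single string instead of an array
    groups = set(groups)
    return sorted(role for role, ids in role_groups.items() if groups & ids)


if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY, "https://idp.example.com", "client_secret_basic"))
    print(check_id_token(SAMPLE_ID_TOKEN_CLAIMS, "https://idp.example.com", "aic-federation-client"))
    print(resolve_roles(SAMPLE_ID_TOKEN_CLAIMS, "groups"))
    print(resolve_roles(SAMPLE_ID_TOKEN_CLAIMS, "memberOf"))  # wrong claim name: no roles
```

A wrong Group Claim Name fails silently (no roles, so every federated user is treated as having none of the administrator groups), which is why the last call is worth keeping in any pre-flight check: run it with the exact claim name you intend to enter and confirm the expected roles come back before enabling the IdP.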

***

[1](#_footnoteref_1). A super administrator is a tenant administrator with elevated permissions for configuring tenant administrators and federated tenant access. Learn more in [Tenant administrator groups](../tenants/tenant-administrator-settings.html#tenant-administrator-groups).

[2](#_footnoteref_2). A tenant auditor is a tenant administrator with read-only permissions. Learn more in [Tenant administrator groups](../tenants/tenant-administrator-settings.html#tenant-administrator-groups).

[3](#_footnoteref_3). A brand administrator is a tenant administrator with permissions to only manage hosted pages settings. Learn more in [Tenant administrator groups](../tenants/tenant-administrator-settings.html#tenant-administrator-groups).
