---
title: Set up PingOne OIDC clients and configure Advanced Identity Cloud services
description: Set up PingOne OIDC clients and configure them as Advanced Identity Cloud services for PingOne product integration
component: pingoneaic
page_id: pingoneaic:integrations:pingone-set-up-oidc-clients
canonical_url: https://docs.pingidentity.com/pingoneaic/integrations/pingone-set-up-oidc-clients.html
page_aliases: ["integrations:pingone-set-up-workers.adoc"]
section_ids:
  create-an-oidc-client-in-each-mapped-pingone-environment: "Task 1: Create an OIDC client in each mapped PingOne environment"
  create-esvs-for-the-oidc-credentials-in-each-tenant-environment: "Task 2: Create ESVs for the OIDC credentials in each tenant environment"
  create-a-service-in-your-development-environment: "Task 3: Create a service in your development environment"
  configure-the-service: Configure the service
  map-the-client-secret-label-identifier-to-an-esv-secret: Map the Secret Label Identifier of the service to an ESV secret
  insert-esv-placeholders-into-the-service-configuration: Insert ESV placeholders into the service configuration
  promote-the-integration-to-your-other-environments: "Task 4: Promote the integration to your other environments"
---

# Set up PingOne OIDC clients and configure Advanced Identity Cloud services

Integrate your Advanced Identity Cloud tenant environments with PingOne OpenID Connect (OIDC) clients so that you can configure PingOne services (such as PingOne Protect and PingOne Verify) in your Advanced Identity Cloud authentication journeys.

You can set up OIDC clients in PingOne in two ways:

* **PingOne product connections** (currently available only in the rapid release channel): These are preconfigured OIDC integrations designed for quick setup. They streamline the connection process by automatically providing the necessary client credentials and PingOne environment ID within a signed JWT for easier consumption by the target service.

  If you choose this option, use the JWT credential tabs in the following tasks.

* **PingOne worker applications**: These are custom, userless service applications used to perform administrative functions. Like product connections, they provide OIDC client credentials to allow the target service to access PingOne's admin APIs.

  If you choose this option, use the OIDC credentials tabs in the following tasks.

> **Note:** You only need to set up a product connection or worker application once for each of your Advanced Identity Cloud tenant environments and their mapped PingOne environments.

## Task 1: Create an OIDC client in each mapped PingOne environment

**JWT credential** (currently available only in the rapid release channel)

Create a [product connection](https://docs.pingidentity.com/pingone/integrations/p1_creating_product_connection.html) in each of your mapped PingOne environments. These give access to the PingOne admin APIs using OIDC and provide a single JWT credential. In later tasks, you'll configure each of your Advanced Identity Cloud tenant environments with the JWT credential.

In the PingOne admin console, perform the following steps for each of your mapped PingOne environments:

1. In the sidebar, click the Ping Identity logo to open the Environments page.

2. Select an environment in the list, then click Manage Environment.

3. Go to Integrations > Products, then click the add (+) icon.

4. In the Add Connection modal:

   1. In the Target Product field, select Advanced Identity Cloud.

   2. In the Name field, enter a unique name for the connection. For example, `PingOne Connection AIC`.

   3. (Optional) Enter a Description for the connection.

   4. Click Save.

5. In the New Credential Created modal:

   1. Click the copy icon to copy the new JWT credential to your clipboard. Make a note of the JWT credential, as you can't access it again after closing the modal.

   2. Click Close.

**OIDC credentials**

Create a [worker application](https://docs.pingidentity.com/pingone/applications/p1_application_types.html) in each of your mapped PingOne environments. These provide access to the PingOne admin APIs using OIDC credentials. In later tasks, you'll configure each of your Advanced Identity Cloud tenant environments with these OIDC credentials.

In the PingOne admin console, perform the following steps for each of your mapped PingOne environments:

1. In the sidebar, click the Ping Identity logo to open the Environments page.

2. Click an environment in the list, then click Manage Environment.

3. Go to Applications > Applications, then click the add (+) icon.

4. In the Add Application panel:

   1. In Application name, enter a unique name for the worker application. For example, `PingOne Worker AIC`.

   2. (Optional) Enter a Description for the application, select an Icon, or both. These don't affect the operation of the worker application but do help you identify it in the list.

   3. In Application Type, select Worker.

   4. Click Save.

5. In the application properties panel for the worker application you created:

   1. On the Roles tab, click Grant Roles.

   2. On the Available responsibilities tab, select the Identity Data Admin row, and ensure the environment is correct.

   3. Click Save.

   4. On the Overview tab, enable the worker application using the toggle switch in the top-right corner.

      Your worker application should now resemble the following image:

      ![Example worker application in PingOne](_images/pingone-worker-application.png)

   5. Make a note of the following attributes in the Overview tab:

      > **Note:** Use the Secret Mask or Copy to Clipboard buttons to obtain the value of the client secret.

      | Attribute name | Description                                                                 | Example value |
      | -------------- | --------------------------------------------------------------------------- | ------------- |
      | Environment ID | Identifier of the PingOne environment that contains the worker application. | `219...43e`   |
      | Client ID      | OIDC client ID of the worker application.                                   | `faa...3c0`   |
      | Client Secret  | OIDC client secret of the worker application.                               | `zcy...MEM`   |

## Task 2: Create ESVs for the OIDC credentials in each tenant environment

Create [Environment Secrets and Variables](../tenants/esvs.html) (ESVs) in each of your Advanced Identity Cloud tenant environments to hold the credentials of the OIDC clients you created in task 1. Creating ESVs lets you configure Advanced Identity Cloud in a way that's compatible with the promotion process.

**JWT credential** (currently available only in the rapid release channel)

In each of your Advanced Identity Cloud tenant environments:

1. Create the following ESV using the JWT credential from the tenant environment's mapped PingOne environment:

   | ESV name                     | ESV type | Expression type |
   | ---------------------------- | -------- | --------------- |
   | `esv-pingone-connection-jwt` | Secret   | String          |

2. [Restart Advanced Identity Cloud services](../tenants/configuration-placeholders.html#restart-identity-cloud-services).

**OIDC credentials**

In each of your Advanced Identity Cloud tenant environments:

1. Create the following [ESVs](../tenants/esvs.html) using the environment ID and client credentials from the tenant environment's mapped PingOne environment:

   | ESV name                           | ESV type | Expression type | PingOne attribute value |
   | ---------------------------------- | -------- | --------------- | ----------------------- |
   | `esv-pingone-environment-id`       | Variable | String          | Environment ID          |
   | `esv-pingone-worker-client-id`     | Variable | String          | Client ID               |
   | `esv-pingone-worker-client-secret` | Secret   | String          | Client Secret           |

2. [Restart Advanced Identity Cloud services](../tenants/configuration-placeholders.html#restart-identity-cloud-services).

> **Note:** You can create variables and secrets using the Advanced Identity Cloud admin console or the API:
>
> * [Create a variable](../tenants/esvs-manage-ui.html#create-variables) or [create a secret](../tenants/esvs-manage-ui.html#create-secrets) using the Advanced Identity Cloud admin console.
> * [Create a variable](https://docs.pingidentity.com/pingoneaic/_attachments/api/#operation/createVariables) or [create a secret](https://docs.pingidentity.com/pingoneaic/_attachments/api/#operation/createSecret) using the API.
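The following Python script is an added example, not part of this page or of Ping Identity's own tooling. It shows the API route for the OIDC credentials variant of Task 2: it builds the three ESV payloads (two variables and one secret), the `PUT` requests that create them in a tenant environment, and the restart call from step 2, and it reads the PingOne values and the tenant access token from environment variables so the client secret never appears in the script or in shell history. The endpoint paths (`/environment/variables/<name>`, `/environment/secrets/<name>`, `/environment/startup?_action=restart`), the body fields (`valueBase64`, `expressionType`, `encoding`, `useInPlaceholders`) and the `Accept-API-Version` values are assumptions drawn from the ESV API reference linked above; verify them against that reference before use. The tenant host name and token in the usage are placeholders.

```python
import base64
import json
import os
import urllib.request

# Endpoint paths, body fields and API version headers in this file are assumptions
# taken from the ESV API reference linked on the page; verify them there before use.
ACCEPT_API_VERSION = "resource=2.0, protocol=1.0"


def _b64(value: str) -> str:
    # ESV values are sent base64-encoded, not as plain strings.
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def esv_variable_payload(value: str, description: str = "") -> dict:
    """Body for PUT /environment/variables/<esv-name>: ESV type Variable, expression type String."""
    return {"valueBase64": _b64(value), "description": description, "expressionType": "string"}


def esv_secret_payload(value: str, description: str = "") -> dict:
    """Body for PUT /environment/secrets/<esv-name>: ESV type Secret."""
    return {
        "valueBase64": _b64(value),
        "description": description,
        "encoding": "generic",
        "useInPlaceholders": True,  # allow the secret to be referenced from configuration
    }


def worker_esvs(environment_id: str, client_id: str, client_secret: str) -> list:
    """The three ESVs of Task 2 (OIDC credentials), as (collection, esv-name, payload) tuples."""
    return [
        ("variables", "esv-pingone-environment-id",
         esv_variable_payload(environment_id, "PingOne environment ID")),
        ("variables", "esv-pingone-worker-client-id",
         esv_variable_payload(client_id, "PingOne worker application client ID")),
        ("secrets", "esv-pingone-worker-client-secret",
         esv_secret_payload(client_secret, "PingOne worker application client secret")),
    ]


def esv_request(tenant_fqdn: str, token: str, collection: str, name: str, payload: dict):
    """Build the PUT that creates or replaces one ESV in a tenant environment."""
    return urllib.request.Request(
        f"https://{tenant_fqdn}/environment/{collection}/{name}",
        data=json.dumps(payload).encode("utf-8"),
        method="PUT",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept-API-Version": ACCEPT_API_VERSION,
            "Content-Type": "application/json",
        },
    )


def restart_request(tenant_fqdn: str, token: str):
    """Build the POST that restarts tenant services so the new ESVs take effect (assumed endpoint)."""
    return urllib.request.Request(
        f"https://{tenant_fqdn}/environment/startup?_action=restart",
        data=b"",
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Accept-API-Version": "resource=1.0, protocol=1.0"},
    )


def plan_worker_esv_setup(tenant_fqdn, token, environment_id, client_id, client_secret) -> list:
    """Ordered requests for one tenant environment: three ESV PUTs, then the restart."""
    reqs = [esv_request(tenant_fqdn, token, c, n, p)
            for c, n, p in worker_esvs(environment_id, client_id, client_secret)]
    reqs.append(restart_request(tenant_fqdn, token))
    return reqs


def send(requests: list) -> list:
    """Execute the planned requests in order and return their HTTP status codes."""
    statuses = []
    for req in requests:
        with urllib.request.urlopen(req) as resp:
            statuses.append(resp.status)
    return statuses


if __name__ == "__main__":
    # The tenant host, the tenant access token and the PingOne values come from the
    # environment (placeholder variable names) so the client secret stays out of the script.
    env = os.environ
    plan = plan_worker_esv_setup(env["AIC_TENANT_FQDN"], env["AIC_ACCESS_TOKEN"],
                                 env["PINGONE_ENVIRONMENT_ID"], env["PINGONE_CLIENT_ID"],
                                 env["PINGONE_CLIENT_SECRET"])
    for req in plan:  # dry run: show what would be sent
        print(req.get_method(), req.full_url)
    if env.get("AIC_APPLY") == "1":
        print(send(plan))
```

Run it once per tenant environment with that environment's host and its mapped PingOne environment's values; without `AIC_APPLY=1` it only lists the planned requests, which is a useful check before touching a production tenant.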

## Task 3: Create a service in your development environment

Create a PingOne Worker Service in your Advanced Identity Cloud development environment and configure it with the credentials of the OIDC client in its mapped PingOne environment. The service is used in Advanced Identity Cloud authentication journey nodes to connect to the PingOne admin APIs.

### Configure the service

Create a [PingOne Worker Service](../am-reference/services-configuration.html#realm-pingone-worker-service) in your development environment:

1. In the Advanced Identity Cloud admin console, go to Native Consoles > Access Management.

2. Click Services.

3. Choose one of the following options:

   1. If the PingOne Worker Service is in the list of services, select it.

   2. If not:

      1. Click + Add a Service.

      2. In Choose a service type, select `PingOne Worker Service`, then click Create.

4. On the Secondary Configurations tab, click + Add a Secondary Configuration.

5. On the New workers configuration page:

   1. Enter a Name for the configuration. For example, `PingOne Worker AIC`.

      > **Note:** Make a note of this name. You'll use this value when configuring PingOne authentication journey nodes.

   2. Click Create.

6. On the Workers Configuration page, configure the service:

   **JWT credential** (currently available only in the rapid release channel)

   1. Select Enable Connection via Credential.

   2. In the Credential Secret Label Identifier field, enter an identifier to create a specific secret label to represent the PingOne credential JWT. For example, `pingoneworkeraicjwt`. This field can only contain the characters `a-z`, `A-Z`, `0-9`, and `.`, and can't start or end with a period.

      > **Note:** In later steps, you'll use this identifier to create a mapping to the `esv-pingone-connection-jwt` ESV.

   3. Confirm your configuration resembles the following image:

      ![Example worker service configuration using a credential JWT](_images/pingone-worker-configuration-jwt.png)

   **OIDC credentials**

   1) In the Client ID and Environment ID fields, enter the OIDC client ID and environment ID respectively of the worker application in the development environment's mapped PingOne environment.

      > **Note:** Enter the literal values for these fields at this stage, not ESV placeholders. In later steps, you'll replace the literal values with placeholders for their respective ESVs (`esv-pingone-environment-id` and `esv-pingone-worker-client-id`).

   2) In the Client Secret Label Identifier field, enter an identifier to create a specific secret label to represent the OIDC client secret of the worker application. For example, `pingoneworkeraic`. This field can only contain characters `a-z`, `A-Z`, `0-9`, and `.` and can't start or end with a period.

      > **Note:** In later steps, you'll use this identifier to create a mapping to the `esv-pingone-worker-client-secret` ESV.

   3) Ensure that the PingOne API Server URL and PingOne Authorization Server URL are correct for the region of your PingOne servers:

      | Region                          | Authorization URL           | API URL                       |
      | ------------------------------- | --------------------------- | ----------------------------- |
      | North America (excluding Canada) | `https://auth.pingone.com`  | `https://api.pingone.com/v1`  |
      | Canada                          | `https://auth.pingone.ca`   | `https://api.pingone.ca/v1`   |
      | Europe                          | `https://auth.pingone.eu`   | `https://api.pingone.eu/v1`   |
      | Asia-Pacific                    | `https://auth.pingone.asia` | `https://api.pingone.asia/v1` |

   4) Confirm your configuration resembles the image below.

      ![Example worker service configuration](_images/pingone-worker-configuration.png)

7. Click Save and Test Connection.

   Advanced Identity Cloud attempts to get an access token from PingOne using your worker service configuration to verify the details.

   If the connection fails, check the worker service configuration:

   * Ensure that the ESVs contain the correct values from the worker application in the mapped PingOne environment.

   * Ensure that the ESVs are correctly mapped in the Advanced Identity Cloud service.

### Map the Secret Label Identifier of the service to an ESV secret

Make the ESV secret available to the PingOne Worker Service. To do this, map it using the respective secret label identifier you specified in the service.

In your development environment:

1. In the Advanced Identity Cloud admin console, click Native Consoles > Access Management.

2. Go to Realm > Secret Stores.

3. Click the ESV secret store, then click Mappings.

4. Click + Add Mapping.

   **JWT credential** (currently available only in the rapid release channel)

   1. In Secret Label, select the label generated when you entered the Credential Secret Label Identifier value in the worker service configuration. For example, entering `pingoneworkeraicjwt` generates the secret label `am.services.pingone.worker.pingoneworkeraicjwt.credential`.

   2. In aliases, enter the name of the corresponding ESV secret you created previously (`esv-pingone-connection-jwt`), then click Add.

      The result resembles the following:

      ![Example mapping of the Credential Secret Label Identifier value.](_images/pingone-worker-secret-label-mapping-jwt.png)

   **OIDC credentials**

   1) In Secret Label, select the label generated when you entered the Client Secret Label Identifier value in the worker service configuration. For example, entering `pingoneworkeraic` generates the secret label `am.services.pingone.worker.pingoneworkeraic.clientsecret`.

   2) In aliases, enter the name of the corresponding ESV secret you created earlier (`esv-pingone-worker-client-secret`), then click Add.

      The result resembles the following:

      ![Example mapping of the Client Secret Label Identifier value.](_images/pingone-worker-secret-label-mapping.png)

5. Click Create.

Learn more about mapping secrets and label identifiers for Advanced Identity Cloud in [Secret labels](../am-reference/secret-id-mappings.html).

### Insert ESV placeholders into the service configuration

**JWT credential** (currently available only in the rapid release channel)

Skip this step.

**OIDC credentials**

To make the `esv-pingone-environment-id` and `esv-pingone-worker-client-id` ESVs available to the PingOne Worker Service, you must replace the literal values in the worker service configuration with ESV placeholders.

In your development environment, follow the instructions in [Insert ESV placeholders into the secondary configuration of a PingOne worker service](../tenants/configuration-placeholders-api.html#configure-pingone-worker-service).
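The following Python helpers are an added example (not part of this page or of the product's own code) that encode the rules spread across Task 3: the character rule for the Credential and Client Secret Label Identifier fields, the secret label Advanced Identity Cloud generates from such an identifier (`am.services.pingone.worker.<identifier>.credential` or `.clientsecret`, as shown in the mapping step), and the placeholder form of an ESV name used when replacing literal values in the service configuration. The placeholder syntax (`&{...}` with the hyphens of the ESV name turned into dots), the ESV naming rule (`esv-` prefix, lowercase letters, digits and hyphens) and the `secretId`/`aliases` shape of a secret store mapping are assumptions to check against the Secret labels and configuration placeholder references linked on this page; the configuration field names in the sample (`environmentId`, `clientId`) are constructed.

```python
import re

# Rule given for both secret label identifier fields: letters, digits and '.',
# and the value can't start or end with a period.
_LABEL_ID_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.]*[A-Za-z0-9])?")
# Assumed ESV naming rule: "esv-" prefix, then lowercase letters, digits and hyphens.
_ESV_NAME_RE = re.compile(r"esv-[a-z0-9-]+")
# Suffix of the generated label per identifier field (credential JWT vs. client secret).
_LABEL_SUFFIX = {"jwt": "credential", "clientsecret": "clientsecret"}


def validate_label_identifier(identifier: str) -> bool:
    """True if the identifier satisfies the Secret Label Identifier character rule."""
    return _LABEL_ID_RE.fullmatch(identifier) is not None


def secret_label(identifier: str, credential_kind: str) -> str:
    """Secret label generated for an identifier; credential_kind is "jwt" or "clientsecret"."""
    if credential_kind not in _LABEL_SUFFIX:
        raise ValueError(f"unknown credential kind: {credential_kind!r}")
    if not validate_label_identifier(identifier):
        raise ValueError(f"invalid secret label identifier: {identifier!r}")
    return f"am.services.pingone.worker.{identifier}.{_LABEL_SUFFIX[credential_kind]}"


def esv_placeholder(esv_name: str) -> str:
    """Placeholder for an ESV in configuration, e.g. esv-pingone-environment-id -> &{esv.pingone.environment.id}."""
    if _ESV_NAME_RE.fullmatch(esv_name) is None:
        raise ValueError(f"not a valid ESV name: {esv_name!r}")
    return "&{" + esv_name.replace("-", ".") + "}"


def secret_store_mapping(identifier: str, credential_kind: str, esv_name: str) -> dict:
    """Mapping entry for the ESV secret store (assumed secretId/aliases shape)."""
    if _ESV_NAME_RE.fullmatch(esv_name) is None:
        raise ValueError(f"not a valid ESV name: {esv_name!r}")
    return {"secretId": secret_label(identifier, credential_kind), "aliases": [esv_name]}


def with_esv_placeholders(config: dict, field_to_esv: dict) -> dict:
    """Return a copy of a service configuration with the listed literal fields replaced by ESV placeholders."""
    updated = dict(config)
    for field, esv_name in field_to_esv.items():
        if field not in updated:
            raise KeyError(f"field {field!r} is not present in the configuration")
        updated[field] = esv_placeholder(esv_name)
    return updated


if __name__ == "__main__":
    # Constructed sample: literal values as entered in Task 3, with assumed field names.
    literal = {"environmentId": "219...43e", "clientId": "faa...3c0",
               "clientSecretLabelIdentifier": "pingoneworkeraic"}
    print(secret_store_mapping("pingoneworkeraic", "clientsecret", "esv-pingone-worker-client-secret"))
    print(with_esv_placeholders(literal, {"environmentId": "esv-pingone-environment-id",
                                          "clientId": "esv-pingone-worker-client-id"}))
```

Validating the identifier before saving the service avoids a label that the secret store can't resolve, and generating the label and placeholder strings from the same names used in Task 2 keeps the mapping and the configuration consistent across the environments you promote to.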

## Task 4: Promote the integration to your other environments

Once you have successfully tested the integration in your development environment, you can promote the worker service configuration to your other environments (UAT\[[1](#_footnotedef_1 "View footnote.")], staging, production) using the standard promotion process.

1. Determine the promotion order of your tenant environments. This will depend on whether you have a [standard promotion group of environments](../tenants/self-service-promotions.html#standard-promotion-group-of-environments) or whether you also have [additional UAT environments](../tenants/self-service-promotions.html#additional-uat-environments).

2. In promotion order, for each of the tenant environments in your promotion group, perform the following steps:

   1. Ensure that the required ESVs are present and correctly set:

      **JWT credential** (currently available only in the rapid release channel)

      * `esv-pingone-connection-jwt`

      **OIDC credentials**

      * `esv-pingone-environment-id`

      * `esv-pingone-worker-client-id`

      * `esv-pingone-worker-client-secret`

   2. Run a promotion to move the configuration changes to the tenant environment from its respective lower tenant environment. Learn more in:

      * [Manage self-service promotions using the admin console](../tenants/self-service-promotions-ui.html)

      * [Manage self-service promotions using the API](../tenants/self-service-promotions-api.html)

3. (Optional) If you have sandbox\[[2](#_footnotedef_2 "View footnote.")] environments, repeat Task 3 for each of your sandbox environments to create a service.

***

[1](#_footnoteref_1). A [user acceptance testing (UAT) environment](../tenants/environments-uat.html) is an [add-on capability](../product-information/add-on-capabilities.html).

[2](#_footnoteref_2). A [sandbox environment](../tenants/environments-sandbox.html) is an [add-on capability](../product-information/add-on-capabilities.html).
