---
title: Adding or updating an OIDC application
description: Create a new OpenID Connect (OIDC) application or modify an existing application in PingOne for Enterprise.
component: pingoneforenterprise
page_id: pingoneforenterprise:pingone_for_enterprise:p14e_add_update_oidc_application
canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_add_update_oidc_application.html
revdate: June 5, 2024
section_ids:
  before-you-begin: Before you begin
  steps: Steps
  choose-from: Choose from:
  choose-from-2: Choose from:
  result: Result
  next-steps: Next steps
---

# Adding or updating an OIDC application

Create a new OpenID Connect (OIDC) application or modify an existing application in PingOne for Enterprise.

OIDC is an authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management.

## Before you begin

Before you add an OIDC application, you must configure the access token that your account will use for OIDC applications. These account-level settings are inherited at the application level when you add or update an application.

|   |                                                                                                                                                                                                                                                                                                                                                                |
| - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | Account-level OAuth settings apply only to your managed applications, not to applications supplied by a service provider (SP). In SAML, an SP is an entity that receives and accepts an authentication assertion issued by an IdP, typically for the purpose of allowing access to a protected resource. |

PingOne for Enterprise returns OIDC user attributes in different ways depending on the `response_type` parameter of the authorization request.

The contents of the ID token depend on whether or not the flow also returns an access token:

* For flows that return both an access token and an ID token (the authorization code flow, or an implicit flow where the `response_type` includes `token`), the ID token contains the `sub` claim and, if the `email` scope was requested, the `email` claim. The `userinfo` endpoint returns all of the attributes for the requested scopes and the attributes configured on the **User Info** tab for the application, provided the `openid` scope was requested.

* For flows that don't return an access token (for example, `response_type=id_token`), the ID token contains all of the attributes for the requested scopes and any attributes configured on the **User Info** tab for the application, provided the `openid` scope was requested. The `userinfo` endpoint cannot be called in this case because no access token is issued to present to it.

The access token contains the attributes configured at **Applications > OAuth Settings > Access Token**.

For more information, see [Configuring your OAuth settings](p14e_configure_oauth_settings.html).
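The two cases above decide where a client reads user attributes from. The following added example (it is not PingOne for Enterprise code and does not come from Ping's documentation) shows a client applying that rule after checking the ID token's `iss`, `aud`, `exp` and `nonce` claims against the Issuer and client ID it was configured with. The tokens, issuer URL, client ID and user profile are constructed for the demo, and the HS256 shared-key signature is an assumption made only to keep the example self-contained; a real client verifies the provider's signature with the keys published at the `jwks_uri` in the discovery document, using the algorithm that document advertises.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional

# Claims that describe the token itself rather than the user.
TOKEN_META_CLAIMS = {"iss", "aud", "exp", "iat", "nonce", "auth_time", "at_hash", "azp"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a compact JWT. HS256 with a shared key is an assumption made so the
    demo needs no key material or extra libraries; a real provider signs with
    the keys it publishes at its jwks_uri."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(token: str, key: bytes, issuer: str, client_id: str,
                    nonce: Optional[str], now: int) -> dict:
    """Check the signature and the OIDC Core claim rules, then return the claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token is not a compact JWS")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:           # the Issuer value shown in the console
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("audience mismatch")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    if "sub" not in claims:                   # sub is always required
        raise ValueError("sub missing")
    return claims


def user_attributes(token_response: Dict[str, str], key: bytes, issuer: str,
                    client_id: str, nonce: Optional[str], now: int,
                    fetch_userinfo: Callable[[str], dict]) -> dict:
    """Apply the rule above: with an access token, the ID token is minimal and the
    full profile comes from userinfo; without one, read the ID token itself."""
    claims = verify_id_token(token_response["id_token"], key, issuer, client_id, nonce, now)
    access_token = token_response.get("access_token")
    if access_token:
        return fetch_userinfo(access_token)
    return {k: v for k, v in claims.items() if k not in TOKEN_META_CLAIMS}


# Constructed sample data; none of it comes from a real tenant.
KEY = b"demo-shared-secret"
ISSUER = "https://idp.example.com"
CLIENT_ID = "my-web-app"
NOW = 1_700_000_000
FULL_PROFILE = {"sub": "u-123", "email": "alice@example.com", "given_name": "Alice"}

# Authorization code flow: access token plus a minimal ID token (sub and email only).
CODE_FLOW_RESPONSE = {
    "access_token": "at-opaque-1",
    "id_token": make_hs256_jwt({"iss": ISSUER, "aud": CLIENT_ID, "exp": NOW + 300,
                                "nonce": "n1", "sub": "u-123",
                                "email": "alice@example.com"}, KEY),
}
# response_type=id_token: no access token, so the whole profile is in the ID token.
ID_TOKEN_ONLY_RESPONSE = {
    "id_token": make_hs256_jwt({"iss": ISSUER, "aud": CLIENT_ID, "exp": NOW + 300,
                                "nonce": "n2", **FULL_PROFILE}, KEY),
}


def fake_userinfo(access_token: str) -> dict:
    """Stands in for GET userinfo with 'Authorization: Bearer <access_token>'."""
    return dict(FULL_PROFILE) if access_token == "at-opaque-1" else {}


if __name__ == "__main__":
    print(user_attributes(CODE_FLOW_RESPONSE, KEY, ISSUER, CLIENT_ID, "n1", NOW, fake_userinfo))
    print(user_attributes(ID_TOKEN_ONLY_RESPONSE, KEY, ISSUER, CLIENT_ID, "n2", NOW, fake_userinfo))
```

Both responses yield the same profile, but by different routes: the first through the `userinfo` call, the second from the ID token claims. The `nonce` passed in must be the one the client generated for that authorization request; a token replayed from another request fails the check.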

|   |                                                                                                                                                                                                        |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | When you add an OIDC application, you must have access to the necessary configuration information for the application. For applications supplied by an SP, the SP will direct you to this information. |

## Steps

1. Go to **Applications > My Applications > OIDC**.

2. Add a new application or edit an existing application.

   ### Choose from:

   * To create a new application, click **Add Application** and continue with step 3 to choose the application type.

   * To update an existing application, expand the application and click the **Pencil** icon. Skip to step 4.

3. Select the type of application that you want to add and click **Next**:

   ### Choose from:

   * To create an application that is accessed and used within a browser, click **Web App**.

   * To create an application that is stored locally and run on a desktop or device, click **Native App**.

   * To create an API-driven front-end application, such as one built with Node.js or Angular, click **Single Page App**.

   * If you want full control of all available configuration parameters, click **Advanced Configuration**.

4. In the **Application Name** field, enter an application name.

5. In the **Short Description** field, enter an application description.

6. In the **Category** list, select a category to assign the application to.

7. **Optional:** To add an icon for the application, click the **Image** icon and upload an icon image.

   The icon file can be up to 1 MB in size. The supported graphics formats are JPEG/JPG, PNG and GIF.

8. Click **Next**.

9. **Optional:** To enable or disable a custom valid duration for the application access token, click the **Override Access Token Lifetime** toggle.

10. **Optional:** If you enabled the override, enter the access token lifetime, in minutes, in the **Minutes** field.

    The valid range is 1 - 60 minutes. The default value is inherited from your account-level OAuth settings. For more information, see [Configuring your OAuth settings](p14e_configure_oauth_settings.html).

11. Select the allowed grant types for the application.

    Available grant types are determined by the application type. For more information, see [OIDC application grant types](p14e_oidc_app_grant_types.html).

12. **Optional:** If you selected **Refresh Token**, configure the token settings:

    1. Click the **Override Refresh Idle Lifetime** toggle to override the global OAuth setting for the application.

    2. In the **Refresh Token Idle Lifetime** field, enter the number of minutes that a refresh token can remain unused before it expires.

    3. Click the **Override Refresh Token Max Lifetime** toggle to override the global OAuth setting for this application.

    4. In the **Refresh Token Max Lifetime** field, enter the maximum number of minutes that a refresh token remains valid, regardless of how often it is used.

13. **Optional:** For Web Apps and Advanced Configuration applications, click **Add Secret** to add a secret to pair with the application **Client ID**.

    If you want to rotate a client secret, generate a second secret before deleting the first, so that the application can switch to the new secret without an outage.

    |   |                                                                                                                                                                                                                                           |
    | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
    |   | For greater security with Web App applications, you can use PKCE in your authorization and token requests. In this case, a client secret is not used. For more information, see [OAuth 2.0 RFC 7636](https://tools.ietf.org/html/rfc7636). |

14. Copy the **Discovery URL**, **Issuer**, and **IDPID** values to use later in integrating the application with PingOne for Enterprise.

    This information also displays on the summary page for the application after you've added the application to PingOne for Enterprise.

    For more information, see [Integrating an OIDC application](p14e_integrate_oidc_application.html).

15. Click **Next**.

16. In the **Start SSO URL** field, enter the URL to use for SSO to the application.

    This is the URL to which users are sent to initiate SSO to the application through PingOne for Enterprise using OIDC.

17. In the **Redirect URIs** field, enter the URIs to which PingOne for Enterprise sends responses to the application's authorization requests. List only the URIs the application actually uses; the `redirect_uri` parameter of an authorization request must match one of these entries.

    |   |                                                     |
    | - | --------------------------------------------------- |
    |   | Click **Add URL** to define multiple redirect URIs. |

18. **Optional:** In the **Logout URI** field, enter the URI to which PingOne for Enterprise sends a user for single logout (SLO).

19. **Optional:** Select the authentication requirements.

    | Authentication Method                 | Description                                                                                                                                                                                                                                                                                                                                             |
    | ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
    | **Force authentication**              | If selected, users who have a current, active SSO session are re-authenticated by the identity repository before a connection to this application is established.                                                                                                                                                                                       |
    | **Force multi-factor authentication** | If selected, users are required to use multi-factor authentication (MFA) as defined by your authentication policy each time they access the application. You'll need to have an authentication policy in place to use this setting. See [Create or update an authentication policy](p14e_create_update_authentication_policy.html) for more information. |

20. Click **Next**.

21. To add attributes to the **Default User Profile Attribute Contract**, click **Add Attribute** and enter an attribute in the **Attribute Name** field.

    Select the **Required** checkbox to make the attribute required.

    The default user profile attribute contract is the user profile returned by the `userinfo` endpoint for this application when the `openid` scope is included in the authentication request.

    The `sub` (subject) attribute is required for all UserInfo requests.

    PingOne for Enterprise uses the `idpid` attribute to identify the identity provider (IdP); it is included in the attribute contract by default.

    If the application you're adding is a managed application, you can remove the `idpid` attribute from the contract. For managed applications, PingOne for Enterprise already has the `idpid` value for your account.

22. Click **Next**.

23. Click the **+** icon to add scopes to the allowed list, or click the **-** icon to remove them.

    These OAuth user scopes are the user resources to which the application will request access. The `openid` scope must always be included in the authorization request.

24. Click **Next**.

25. Map identity repository attributes to claims made by the application.

    For each IdP attribute, enter or select the target attribute from the list.

    Click **Advanced** to display the advanced attribute mapping mode. For more information, see [Assign advanced attribute mappings](p14e_assign_advanced_attribute_mappings.html).

    |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
    | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
    |   | This is a mapping of your identity repository attributes to the OIDC scope claims available to the application. By default, the attribute mapping inherits the account-level attribute mapping that you specify when you [configure your OAuth settings](p14e_configure_oauth_settings.html). You can override the account-level attribute mappings for the application. If you update the attribute mappings, the inherited account-level mappings remain available as selections in the list. The OIDC claims listed here include all claims from the access token attribute contract, the `UserInfo` attribute contract for this application, and the claims for any scopes to which this application is permitted. The attributes listed are determined by the scopes that you added previously. The `sub` attribute is required for all applications. |

26. Click **Next**.

27. Make the new application available to your users by assigning the groups authorized to use the application.

    Click the **+** icon for each group that you want to authorize.

    |   |                                                             |
    | - | ----------------------------------------------------------- |
    |   | All members of the selected groups can use the application. |

28. Click **Done**.
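As an added example of the PKCE option mentioned in step 13 (this is not PingOne for Enterprise code), the following Python generates the code verifier and `S256` code challenge, builds the authorization request that carries the challenge, and shows the check an authorization server performs on the token request when the verifier is presented. The authorization endpoint, client ID and redirect URI are constructed placeholders (in practice the endpoint is read from the document at the Discovery URL); the verifier/challenge pair used as a known answer is the one from RFC 7636, Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier: 32 random bytes encode to 43 unreserved characters,
    the minimum length RFC 7636 allows (the maximum is 128)."""
    return _b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))"""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorization_endpoint: str, client_id: str, redirect_uri: str,
                            scopes: list, state: str, nonce: str, code_challenge: str) -> str:
    """Authorization code request carrying the challenge; no client secret is involved."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # must be one of the registered Redirect URIs
        "scope": " ".join(scopes),      # openid is always included
        "state": state,                 # CSRF protection, checked on the callback
        "nonce": nonce,                 # bound into the ID token, checked after exchange
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


def token_endpoint_accepts(stored_challenge: str, stored_method: str,
                           presented_verifier: str) -> bool:
    """The server-side check on the token request: recompute the challenge from the
    presented verifier and compare it, in constant time, with the one stored when
    the authorization code was issued."""
    if stored_method != "S256":          # refuse the downgrade to the 'plain' method
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


# Known-answer vector from RFC 7636, Appendix B.
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

# Constructed placeholder; a real client takes authorization_endpoint from the
# discovery document served at the application's Discovery URL.
AUTHZ_ENDPOINT = "https://idp.example.com/authorize"

if __name__ == "__main__":
    verifier = new_code_verifier()
    challenge = code_challenge_s256(verifier)
    url = build_authorization_url(AUTHZ_ENDPOINT, "my-web-app", "https://app.example.com/cb",
                                  ["openid", "email"], secrets.token_urlsafe(16),
                                  secrets.token_urlsafe(16), challenge)
    print(url)
    # The verifier is sent only in the back-channel token request, never in the browser redirect.
    print(token_endpoint_accepts(challenge, "S256", verifier))
```

The verifier stays in the client's session until the token request; only the challenge travels through the browser, so an intercepted authorization code cannot be redeemed without it.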

## Result

The new OIDC application is added to your **My Applications** list for OIDC. You can edit the application configuration by clicking the **Edit** icon.

## Next steps

[Integrate your OIDC application](p14e_integrate_oidc_application.html) with PingOne for Enterprise.
