PingOne for Enterprise

Connect to OpenID Connect

About this task

The OpenID Connect identity bridge uses OpenID Connect and OAuth to connect to your OpenID Connect provider (OP) to authenticate your users and access user information. In OpenID terms, PingOne is the Relying Party (RP) that sends authentication and information requests to the OpenID Connect provider.

You will need to supply the OAuth Client ID and Client Secret values registered for your OpenID Connect provider.

OpenID Connect supports a discovery mechanism whereby an OpenID Connect host publishes metadata using a well-known URL, by convention of the form: https://host.com/.well-known/openid-configuration. The URL returns OpenID Connect and OAuth endpoints, supported scopes and claims, public keys used to sign tokens, and other metadata. We use this metadata to complete your authentication requests and requests for user information.

If your OpenID Connect provider doesn’t have a discovery endpoint (URL) that we can use to query your IdP for the metadata, we will display the information we need and you will supply these values. See the configuration or documentation for your OpenID Connect provider to find the necessary values.

Steps

  1. Go to Setup → Identity Repository, click Connect to an Identity Repository, and select OpenID Connect. Click Next.

  2. Enter the OAuth Client ID and Client Secret values registered with your OpenID Connect provider.

  3. We need to be able to query your OpenID provider for the necessary metadata. Choose:

    Choose from:

    • Discovery Endpoint if your OpenID Connect provider supplies an endpoint set up for this purpose, then enter the URL.

    • All Endpoints if your OpenID Connect provider doesn’t have an endpoint set up for such queries. In this case, you will need to enter the necessary metadata:

      Issuer

      The URL referencing the location of your OpenID Connect provider.

      Authorization Endpoint

      The URL for your OpenID Connect provider’s OAuth authorization endpoint.

      Token Endpoint

      The URL for your OpenID Connect provider’s OAuth token endpoint.

      Userinfo Endpoint

      The URL for your OpenID Connect provider’s userinfo endpoint.

      JWKS URI

      The URI for your OpenID Connect provider’s JSON Web Key Set (JWKS) document. This contains the signing key or keys we will use to validate signatures from your OpenID provider.

      End Session Endpoint

      The URL to which the OpenID Connect provider is redirected for single logout (SLO) of a PingOne session.

      PingOne uses a single logout (SLO) process to log out all participants of a PingOne session. In the PingOne context, the session participants are the identity repository, PingOne, and any applications to which a user has signed on (SSO) for the session. Any one of the session participants can initiate SLO. PingOne acts as the session authority, mediating the SLO request and response messages so that all participants are notified. In this way, when a user logs off, the PingOne session is ended for all participants.

      When Discovery Endpoint is used, if end_session_endpoint is defined in the discovery document returned, PingOne will use the end_session_endpoint value.

  4. Click Verify.

PingOne will verify that it can query the endpoint or endpoints you’ve specified. If verification isn’t successful, check that the endpoint or endpoints appear exactly as they do on your OpenID Connect provider.

  1. For Scope, either select or specify the OAuth scopes that you’d like us to include in authentication requests.

    The available scopes of authorization for your OpenID Connect provider are displayed based on the response from your supplied Discovery Endpoint. The scopes indicate the access privileges you’re requesting for the access token returned by the OpenID Connect provider. We use the access token to request additional claims from the userinfo endpoint.

    1. You can use the Additional Scopes entry box to specify other scopes you’d like us to include in the authentication requests.

  2. Optional: If your OpenID Connect provider requires additional parameters for the authorization request, you can supply these by adding Query Parameters.

The query parameters are name/value pairs specifying the necessary parameter name and value.

  1. Click Add Query Parameter and enter the parameter name and value for each parameter needed.

  2. Click Next to continue to the next section.

    1. The PingOne Redirect URI is the URI assigned by PingOne to which the OpenID Connect provider sends OAuth authorization codes indicating whether or not a user was authenticated.

    To ensure security, the PingOne redirect URI includes a verification code unique to your account. The redirect URI used by your OpenID Connect provider for PingOne must include the verification code for SSO to be successful.

  3. Copy the entire URI and see that it is entered at your OpenID Connect provider as the redirect URI for PingOne.

  4. Click Next to continue to the next section.

    1. Assign the OpenID Connect provider-to-PingOne attribute mapping.

    This assignment maps identity provider attributes to the default PingOne attributes (used by PingOne dock). This attribute mapping is not used by applications that you add to PingOne. You will configure those identity provider-to-service provider attribute mappings for each application.

  5. For any of the attribute mappings, you can choose to configure an advanced mapping. See Creating advanced attribute mappings for instructions.

  6. Click Done when you’re finished.

Result

Your OpenID Connect identity bridge is now set up.