---
title: Adding or updating an OIDC application
description: Create a new OpenID Connect (OIDC) application, or modify an existing application in PingOne SSO for SaaS Apps.
component: pingoneforenterprise
page_id: pingoneforenterprise:pingone_sso_for_saas_apps:p14saas_add_update_oidc_app
canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_sso_for_saas_apps/p14saas_add_update_oidc_app.html
revdate: June 5, 2024
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
  choose-from: Choose from:
  choose-from-2: Choose from:
  result: Result
  next-steps: Next steps
---

# Adding or updating an OIDC application

Create a new OpenID Connect (OIDC) application, or modify an existing application in PingOne SSO for SaaS Apps.

OIDC is an authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management.

## Before you begin

Before you add your first OIDC application, you need to configure the access token your account will use for OIDC applications. These are account-level settings that are inherited at the application level when you add or update an application, as you are doing here.

PingOne SSO for SaaS Apps returns OIDC user attributes in different ways depending on the `response_type` parameter.

The contents of the ID token depend on whether or not the application also returns an access token:

* For flows that return both an access token and an ID token (such as authorization code flow, or implicit flows where the `response_type` includes `token`) the ID token contains the `sub` and, if requested, `email` scopes. The `userinfo` endpoint contains all of the attributes for the requested scopes and attributes configured on the **User Info** tab for the application, if the `openid` scope was requested.

* For flows that don't return an access token, the ID token contains all of the attributes for the requested scopes and any attributes configured on the **User Info** tab for the application, if the `openid` scope was requested. The `userinfo` endpoint is inaccessible in this case because no access token is issued.

The access token contains attributes configured at **Applications > OAuth Settings > Access Token**.

See [Manage OAuth settings](../pingone_for_enterprise/p14e_manage_oauth_settings.html) and [Configuring your OAuth settings](../pingone_for_enterprise/p14e_configure_oauth_settings.html).
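
The placement rules above, modelled as a small helper that tells a client where to read each attribute for a given `response_type`. This is an added example, not PingOne code: the function names are hypothetical, and `SCOPE_CLAIMS` is an abbreviated subset of the standard OpenID Connect scope-to-claim groups, assumed here because the page does not list per-scope attributes.

```python
# Added example: models the claim placement rules described on this page.
# SCOPE_CLAIMS is an assumption (abbreviated standard OIDC scope groups).
SCOPE_CLAIMS = {
    "profile": ["name", "given_name", "family_name", "preferred_username"],
    "email": ["email", "email_verified"],
    "phone": ["phone_number", "phone_number_verified"],
}


def issues_access_token(response_type):
    """True when the flow also returns an access token (code or token)."""
    return bool(set(response_type.split()) & {"code", "token"})


def claim_sources(response_type, scopes, user_info_attrs):
    """Return where attributes appear for one authorization request.

    scopes: space-separated scope string from the request.
    user_info_attrs: attributes configured on the User Info tab.
    """
    scopes = set(scopes.split())
    if "openid" not in scopes:
        raise ValueError("the openid scope is expected in every request")

    # Everything the requested scopes and the User Info tab can release.
    full = ["sub"]
    for scope in sorted(scopes - {"openid"}):
        full += SCOPE_CLAIMS.get(scope, [])
    full += [attr for attr in user_info_attrs if attr not in full]

    if issues_access_token(response_type):
        # ID token stays minimal; the rest is fetched from userinfo.
        id_token = ["sub"] + (SCOPE_CLAIMS["email"] if "email" in scopes else [])
        return {"id_token": id_token, "userinfo": full, "userinfo_accessible": True}
    # No access token: userinfo cannot be called, so the ID token carries it all.
    return {"id_token": full, "userinfo": [], "userinfo_accessible": False}


if __name__ == "__main__":
    # Constructed sample requests.
    print(claim_sources("code", "openid email profile", ["idpid", "department"]))
    print(claim_sources("id_token", "openid profile", ["idpid", "department"]))
```

For a `response_type` without an access token, every attribute on the **User Info** tab is delivered in the ID token itself, so review that tab with the ID token's audience in mind.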

## About this task

When updating an application, any changes you make to the existing configuration parameters will be reflected in your customer's or partner's connection to the application.

However, if your customer or partner has changed the parameter settings in their PingOne for Enterprise account, their local settings will override your updated configuration.

In other words, configuration updates made by a service provider at the application level will not override configuration updates made at the connection level.

## Steps

1. Go to **Applications > My Applications > OIDC**.

2. Add a new application or edit an existing application.

   ### Choose from:

   * To create a new application, click **Add Application**. See Step 3 for new application types.

   * To update an existing application, expand the application and click the **Pencil** icon. Skip to Step 4.

3. Select the type of application you want to add and click **Next**:

   ### Choose from:

   * To create an application that is accessed and used within a browser, click **Web App**.

   * To create an application that is stored locally and run on a desktop or device, click **Native App**.

   * To create an API-driven front-end application, such as applications using Node.js or Angular, click **Single Page App**.

   * If you want full control of all available configuration parameters, click **Advanced Configuration**.

4. In the **Application Name** field, enter a name for the application.

5. In the **Short Description** field, enter a description of the application.

   Customers will be able to see your description.

6. In the **Category** list, select a category for the application.

7. **Optional:** Click **Icon** to add an icon for this application.

   The icon file can be up to 1 Mb in size. The supported graphics formats are JPG, PNG and GIF.

8. Click **Next**.

9. **Optional:** To enable or disable a custom valid duration for the application access token, click the **Override Access Token Lifetime** toggle.

   When this control is enabled, a **Minutes** selector is displayed. The valid range is 1 - 60 minutes. The default value is inherited from your account-level OAuth settings.

10. If you enabled the override, enter the access token lifetime, in minutes, in the **Minutes** field.

    The valid range is 1 - 60 minutes. The default value is inherited from your account-level OAuth settings. For more information, see [Configuring your OAuth settings](../pingone_for_enterprise/p14e_configure_oauth_settings.html).

11. Select the grant types allowed for the application.

    Available grant types are determined by the application type. For more information, see [OIDC application grant types](../pingone_for_enterprise/p14e_oidc_app_grant_types.html).

12. If you selected **Refresh Token**, configure the token settings:

    1. Click the **Override Refresh Idle Lifetime** toggle to override the global OAuth setting for the application.

    2. In the **Refresh Token Idle Lifetime** field, enter the number of minutes that a refresh token can be idle before being used again.

    3. Click the **Override Refresh Token Max Lifetime** toggle to override the global OAuth setting for this application.

    4. In the **Refresh Token Max Lifetime** field, enter the maximum number of minutes that a refresh token can be valid.

13. Copy the **Client ID**, **Discovery URL**, and **Issuer** values to use later in integrating the application with PingOne SSO for SaaS Apps.

14. **Optional:** For applications that use the Authorization Code grant type, you can click **Add Secret** to generate up to two client secrets to pair with the client ID.

15. Click **Next**.

16. **Optional:** In the **Start SSO URL** field, enter the URL to use for SSO to the application.

    This is the URL to which application users will redirect to initiate SSO to PingOne for Enterprise using OIDC.

17. In the **Redirect URI** field, enter URIs for PingOne SSO for SaaS Apps to send responses to for the application's authorization requests.

    Click **Add URL** to define multiple redirect URIs.

18. **Optional:** In the **Logout URI** field, enter the URI to which PingOne for Enterprise sends a user for single logout (SLO).

    SLO is the process of signing a user out of multiple sites where the user has started an SSO session.

19. Click **Next**.

20. Click **Add Attribute** to configure attributes returned by the `UserInfo` endpoint for this application when the `openid` scope is included in the authorization request.

    1. In the **Attribute Name** field, enter a name for the attribute.

    2. Select the **Required** checkbox to require the attribute mapping when a UserInfo request is made for this application.

       The `sub` (Subject) attribute is required for all UserInfo requests.

    The `idpid` attribute is used by PingOne for Enterprise to identify the identity provider (IdP), and is included in the attribute contract by default. An IdP is a service that manages identity information and provides authentication services to relying clients or SPs within a federated or distributed network.

21. Click **Next**.

22. Click the **+** icon to add scopes to the allowed list, or click the **-** icon to remove them.

    These OAuth user scopes are the user resources to which the application will request access. The `openid` scope is expected to always be included in the authorization request.

23. Click **Save**.
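
The **Client ID** and **Issuer** copied in step 13 are the values a client pins its checks to. The sketch below is an added example, not PingOne code: it compares a fetched discovery document with the configured Issuer and runs the standard OIDC claim checks that follow signature verification against the keys at `jwks_uri`. The issuer URL, client ID, and sample tokens are constructed placeholders, and the function names are hypothetical.

```python
import time

# Constructed placeholders for the values copied in step 13.
ISSUER = "https://sso.example.test/acct-0000"
CLIENT_ID = "example-client-id"


def check_discovery(metadata, issuer):
    """Compare a fetched discovery document with the configured Issuer."""
    problems = []
    if metadata.get("issuer") != issuer:
        problems.append("discovery issuer does not match configured Issuer")
    for key in ("authorization_endpoint", "jwks_uri"):
        if not str(metadata.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    return problems


def check_id_token_claims(claims, issuer, client_id, now=None, leeway=60):
    """Claim checks to run after the ID token signature has been verified."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match configured Issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        problems.append("Client ID not in aud")
    if len(aud) > 1 and claims.get("azp") != client_id:
        problems.append("azp must equal Client ID for multi-audience tokens")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + leeway < now:
        problems.append("exp missing or in the past")
    if not claims.get("sub"):
        problems.append("sub missing")
    return problems


# Constructed sample input: one good token, one issued for another client.
NOW = 1_700_000_000
GOOD = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1", "exp": NOW + 600}
OTHER = {"iss": ISSUER, "aud": "some-other-client", "sub": "user-1", "exp": NOW + 600}

if __name__ == "__main__":
    print(check_id_token_claims(GOOD, ISSUER, CLIENT_ID, now=NOW))
    print(check_id_token_claims(OTHER, ISSUER, CLIENT_ID, now=NOW))
```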

## Result

The new OIDC application is added to your **My Applications** list for OIDC. You can edit the application configuration as needed by expanding the application and clicking the **Pencil** icon. Refer to this documentation when updating configuration values.

## Next steps

Integrate the application with PingOne SSO for SaaS Apps. See [Integrating an OIDC application](p14saas_integrate_oidc_application.html) for instructions.
