1. On the OpenID Provider Info screen, provide the scopes, the endpoints, and the authentication scheme. The fields are described below.
    Note:

    If you have chosen to load the metadata from the OP on the General Info screen, the Scopes field and all endpoints are pre-populated (provided that the metadata contains the information).

    Field Description
    Scopes The scopes to be included in the authentication and token requests to the OP. Multiple space-separated values are allowed.

    The default value (without loading metadata from the OP) is openid.

    Tip:

    For a list of the scopes defined by OpenID Connect, see the section about requesting claims using scope values in the OpenID Connect Core specification at openid.net/specs/openid-connect-core-1_0.html#ScopeClaims.

    Authorization Endpoint The authorization endpoint at the OP.

    You may enter a relative path (begin with a forward slash) if you have provided a base URL on the General Info screen.

    There is no default value (without loading metadata from the OP).

    OpenID Connect Login Type The OpenID Connect client profile of the client that represents PingFederate at the OP. This client is created and managed at the OP.
    • If the client is configured to support the Basic Client profile, select Code.

      The resulting value of the response_type parameter is code.

    • If the client is configured to support the Implicit Client profile, select Form POST.

      The resulting value of the response_type parameter is id_token.

    • If the client is configured to support the Implicit Client profile and the target application requires the associated access token, select Form POST with access token.

      The resulting values of the response_type parameter are id_token token.

    The default selection (without loading metadata from the OP) is Code. Prefer Code whenever the OP's client supports it: the ID token is then retrieved from the token endpoint over a direct, client-authenticated connection, whereas the two Form POST variants return the ID token (and, optionally, the access token) through the user's browser.

    Authentication Scheme The client authentication method that PingFederate uses at the OP's token endpoint. Applicable and visible only to clients supporting the Basic Client profile.
    • Select Basic to submit the client ID and client secret via HTTP Basic authentication (client_secret_basic).
    • Select POST to submit the client ID and client secret in the body of the token request (client_secret_post).
    • Select Private Key JWT to authenticate with a signed JWT instead of a shared secret, using the private_key_jwt client authentication method; see Client Authentication in the OpenID Connect specification (openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication).

    The default selection (without loading metadata from the OP) is Basic.
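The following is an added example, not PingFederate code, showing how the OpenID Connect Login Type and Authentication Scheme selections above translate into the parameters that actually cross the wire: the response_type for each Login Type, the client_secret_basic and client_secret_post credential placement, and the claim set of a private_key_jwt client assertion. The endpoints, client ID, secret and redirect URI are constructed values. It is assumed that the two Form POST variants also send response_mode=form_post; signing of the client assertion is left to whatever JOSE library is in use.

```python
import base64
import time
import uuid
from urllib.parse import quote, urlencode

# Added example, not PingFederate code. Endpoints, client_id, secret and
# redirect URI are constructed values.

# Login Type -> response_type. Assumption: the "Form POST" variants also ask for
# response_mode=form_post so the OP posts the tokens to the redirect URI instead
# of exposing them in a URL fragment.
LOGIN_TYPES = {
    "Code": {"response_type": "code"},
    "Form POST": {"response_type": "id_token", "response_mode": "form_post"},
    "Form POST with access token": {"response_type": "id_token token",
                                    "response_mode": "form_post"},
}


def build_authorization_request(authorization_endpoint, client_id, redirect_uri,
                                scopes, login_type, state, nonce=None):
    """Return the authentication request URL for the chosen Login Type."""
    params = dict(LOGIN_TYPES[login_type])
    scope_values = scopes.split()          # the Scopes field is space-separated
    if "openid" not in scope_values:
        raise ValueError("the openid scope is mandatory in an OpenID Connect request")
    if "id_token" in params["response_type"].split() and not nonce:
        # Core 1.0 3.2.2.1: nonce is REQUIRED when an ID token comes back from the
        # authorization endpoint; it is the only replay protection that token has.
        raise ValueError("nonce is required when response_type includes id_token")
    params.update({"client_id": client_id, "redirect_uri": redirect_uri,
                   "scope": " ".join(scope_values), "state": state})
    if nonce:
        params["nonce"] = nonce
    return authorization_endpoint + "?" + urlencode(params)


def client_assertion_claims(client_id, token_endpoint, lifetime=60, now=None):
    """Claim set of the private_key_jwt client assertion (Core 1.0 section 9).

    A JOSE library signs it with the key published at <Base URL>/pf/JWKS and the
    OP verifies it against that JWKS. aud is the token endpoint, jti is single-use.
    """
    now = int(time.time()) if now is None else now
    return {"iss": client_id, "sub": client_id, "aud": token_endpoint,
            "jti": str(uuid.uuid4()), "iat": now, "exp": now + lifetime}


def token_request(client_id, code, redirect_uri, scheme,
                  client_secret=None, client_assertion=None):
    """Return (headers, form body) of the code exchange for each Authentication Scheme."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    if scheme == "Basic":                  # client_secret_basic
        # RFC 6749 2.3.1: form-urlencode client_id and secret before Base64-encoding.
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    elif scheme == "POST":                 # client_secret_post
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    elif scheme == "Private Key JWT":      # private_key_jwt: no shared secret at all
        body["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
        body["client_assertion"] = client_assertion
    else:
        raise ValueError(f"unknown authentication scheme: {scheme}")
    return headers, body
```

Note the two guards in build_authorization_request: the openid scope is what makes the request an OpenID Connect request at all, and a nonce is mandatory as soon as an ID token is returned from the authorization endpoint, which is the case for both Form POST selections.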

    Authentication Signing Algorithm Select the algorithm that PingFederate uses to sign the JWT.

    Applicable and visible only when Private Key JWT is the chosen authentication scheme.

    If PingFederate is either deployed to run in a Java 11 runtime environment or integrated with a hardware security module (HSM) and configured to use static keys for OAuth and OpenID Connect, additional RSASSA-PSS signing algorithms become available for selection. (For more information on HSM integration and static keys, see Supported hardware security modules and Managing keys for OAuth and OpenID Connect, respectively.)

    Note:

    If static keys for OAuth and OpenID Connect are enabled, EC algorithms for which no active static key has been configured are hidden.

    Changes made in the static-key configuration may affect runtime transactions and require additional changes here. For more information, see Managing keys for OAuth and OpenID Connect.

    Note:

    Based on the chosen signing algorithm, PingFederate selects the signing JSON Web Key (JWK) from its JWK Set (JWKS) at runtime.

    In order for the OP to validate the signed JWT, ensure that the OP can access your PingFederate JWKS endpoint, which returns the current set of JSON Web Keys. The PingFederate JWKS endpoint is located at <Base URL>/pf/JWKS, where Base URL is defined on the System > Protocol Settings > Federation Info screen. For example, if the Base URL field value is https://www.example.com, the PingFederate JWKS endpoint is https://www.example.com/pf/JWKS. You can pass the PingFederate JWKS endpoint directly to the OP or have the OP contact the PingFederate OpenID Provider configuration endpoint to obtain the information (see OpenID Provider configuration endpoint).

    Token Endpoint, UserInfo Endpoint, and JWKS URL Various OAuth 2.0 and OpenID Connect 1.0 endpoints at the OP. For more information, see openid.net/connect.
    Token Endpoint
    The Token Endpoint field is only visible and required for clients supporting the Basic Client profile. (In other words, the OpenID Connect Login Type field is set to Code.)
    UserInfo Endpoint
    The UserInfo Endpoint field is optional. If omitted, PingFederate has access only to the end-user claims carried in the ID token.
    JWKS URL
    The JWKS URL is required so that PingFederate can validate the signatures of inbound ID tokens from the OP. If the OP signs its JWTs using an RSASSA-PSS signing algorithm, PingFederate must be deployed to run in a Java 11 runtime environment or integrated with a hardware security module (HSM) to process the digital signatures. (For more information on HSM integration, see Supported hardware security modules.)

    There are no default values (without loading metadata from the OP).
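The following is an added example, not PingFederate code, of what a relying party does with the JWKS fetched from the JWKS URL when an ID token arrives: select the OP key the token's header refers to (refusing alg none and keys whose type does not fit the algorithm), then apply the claim checks of OpenID Connect Core 3.1.3.7, including the at_hash check that applies when an access token is returned alongside the ID token (the Form POST with access token case). The JWKS, the sample token, the issuer, client ID and nonce are constructed; the token carries a placeholder signature, so the cryptographic signature check itself is handed to a JOSE library once the key has been selected and is not performed here.

```python
import base64
import hashlib
import json

# Added example, not PingFederate code. The JWKS, token and identifiers below are
# constructed; the token's signature is a placeholder and is not verified here.

ALG_KEY_TYPES = {"RS": "RSA", "PS": "RSA", "ES": "EC"}   # alg family -> required kty


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def split_jws(token):
    """Return (header, payload, signing input, signature) of a compact JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token is not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, f"{parts[0]}.{parts[1]}".encode("ascii"), b64url_decode(parts[2])


def select_verification_jwk(header, jwks, allowed_algs=("RS256", "PS256", "ES256")):
    """Pick the OP key this token claims to be signed with from the JWKS fetched at
    the JWKS URL. Anything outside allowed_algs ("none", HMAC, ...) is refused and
    the key type must fit the algorithm, so keys cannot be confused across families."""
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise ValueError(f"unacceptable alg {alg!r}")
    candidates = [k for k in jwks["keys"]
                  if k.get("kty") == ALG_KEY_TYPES[alg[:2]] and k.get("use", "sig") == "sig"]
    if "kid" in header:
        candidates = [k for k in candidates if k.get("kid") == header["kid"]]
    if len(candidates) != 1:
        raise ValueError("no unique JWK in the OP's JWKS matches this token")
    return candidates[0]


def at_hash(access_token, alg):
    """Core 1.0 3.2.2.9: left-most half of the hash implied by alg, base64url-encoded."""
    bits = int(alg[2:])
    digest = hashlib.new(f"sha{bits}", access_token.encode("ascii")).digest()
    return b64url_encode(digest[: bits // 16])


def validate_id_token_claims(payload, issuer, client_id, nonce, now,
                             access_token=None, alg="RS256", skew=60):
    """Claim checks of Core 1.0 3.1.3.7, plus at_hash (3.2.2.11) when an access
    token was returned next to the ID token ("Form POST with access token")."""
    if payload.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = payload.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        raise ValueError("aud does not contain our client_id")
    if len(aud) > 1 and payload.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not our client_id")
    if payload.get("exp", 0) + skew < now:
        raise ValueError("ID token expired")
    if payload.get("iat", 0) > now + skew:
        raise ValueError("ID token issued in the future")
    if nonce is not None and payload.get("nonce") != nonce:
        raise ValueError("nonce mismatch, possible replay")
    if access_token is not None and payload.get("at_hash") != at_hash(access_token, alg):
        raise ValueError("at_hash does not match the returned access token")
    return payload


# Constructed sample: the OP's JWKS (key parameters are placeholders) and an ID token
# for the "id_token token" case carrying a zero-filled placeholder signature.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "op-2024", "use": "sig", "n": "placeholder", "e": "AQAB"},
    {"kty": "EC", "kid": "op-ec", "use": "sig", "crv": "P-256", "x": "ph", "y": "ph"},
]}


def make_sample_id_token(access_token="tok-123", alg="RS256", kid="op-2024"):
    header = {"alg": alg, "kid": kid, "typ": "JWT"}
    payload = {"iss": "https://op.example.com", "sub": "alice", "aud": "pf-client",
               "iat": 1_700_000_000, "exp": 1_700_000_900, "nonce": "n-42",
               "at_hash": at_hash(access_token, "RS256")}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     b64url_encode(b"\x00" * 256)])


def check_sample(token=None, now=1_700_000_100, access_token="tok-123"):
    header, payload, signing_input, signature = split_jws(token or make_sample_id_token())
    jwk = select_verification_jwk(header, SAMPLE_JWKS)
    # Verify `signature` over `signing_input` with `jwk` in the JOSE library here;
    # only after that do the claim checks below mean anything.
    claims = validate_id_token_claims(payload, "https://op.example.com", "pf-client",
                                      "n-42", now, access_token, header["alg"])
    return jwk["kid"], claims["sub"]
```

The order matters: the key is chosen from the header's alg and kid, but alg is accepted only from a fixed allow-list and the kty of the selected key must agree with it, so a token that advertises alg none or an HMAC algorithm, or that points at an EC key while claiming RS256, is rejected before any cryptography runs.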

    Sign Request Select this check box to send the request parameters as claims in a request object, a self-contained, signed JWT that is passed to the OP as a single request query parameter.

    When this optional configuration is enabled, the OP can validate the integrity of the request parameters based on the digital signature found in the signed JWT. For more information, see the section explaining passing a request object by value in the OpenID Connect specification at openid.net/specs/openid-connect-core-1_0.html#RequestObject.

    This check box is not selected by default, in which case PingFederate sends the request parameters as individual, unsigned query parameters.

    Request Signing Algorithm Select the algorithm that PingFederate uses to sign the request object.

    Applicable and visible only when the Sign Request check box is selected.

    If PingFederate is either deployed to run in a Java 11 runtime environment or integrated with a hardware security module (HSM) and configured to use static keys for OAuth and OpenID Connect, additional RSASSA-PSS signing algorithms become available for selection. (For more information on HSM integration and static keys, see Supported hardware security modules and Managing keys for OAuth and OpenID Connect, respectively.)

    Note:

    If static keys for OAuth and OpenID Connect are enabled, EC algorithms for which no active static key has been configured are hidden.

    Changes made in the static-key configuration may affect runtime transactions and require additional changes here. For more information, see Managing keys for OAuth and OpenID Connect.

    Note:

    PingFederate automatically selects the signing JSON Web Key (JWK) based on the selected signing algorithm from its JWK Set (JWKS).

    In order for the OP to validate the signed request object, ensure that the OP can access the PingFederate JWKS URL, which returns the current set of JSON Web Keys. The PingFederate JWKS URL is located at <Base URL>/pf/JWKS, where Base URL is defined on the System > Protocol Settings > Federation Info screen. For example, if the Base URL field value is https://www.example.com, the PingFederate JWKS URL is https://www.example.com/pf/JWKS. You can pass the JWKS URL directly to the OP or have the OP contact the PingFederate OpenID Provider configuration endpoint for it (see OpenID Provider configuration endpoint).
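The following is an added example, not PingFederate code, of what the Sign Request option and the Request Signing Algorithm selection amount to on the wire: the request parameters become claims of a JWT bound to this client and this OP, a signing key is picked from the RP's own JWKS by algorithm (the same rule as in the notes above, which is also why an EC algorithm without a matching key cannot be offered), and the OP can check that the plain response_type and client_id parameters agree with the request object. The JWKS, client ID, OP issuer and redirect URI are constructed; the JWT is produced by whatever JOSE library is in use, so the builder takes the signer as a callable.

```python
import time
import uuid
from urllib.parse import urlencode

# Added example, not PingFederate code. The JWKS, client_id, issuer and redirect
# URI are constructed; signing is delegated to a JOSE library via a callable.

ALG_KEY_TYPES = {"RS": "RSA", "PS": "RSA", "ES": "EC"}
EC_CURVES = {"ES256": "P-256", "ES384": "P-384", "ES512": "P-521"}

# Constructed RP JWKS: one RSA key and one P-256 key, no P-384/P-521 keys.
SAMPLE_OWN_JWKS = {"keys": [
    {"kty": "RSA", "kid": "pf-rsa", "use": "sig", "n": "placeholder", "e": "AQAB"},
    {"kty": "EC", "kid": "pf-ec", "use": "sig", "crv": "P-256", "x": "ph", "y": "ph"},
]}


def signing_jwk_for_alg(own_jwks, alg):
    """First signing key whose type (and, for EC, curve) fits alg, or None."""
    for key in own_jwks["keys"]:
        if key.get("kty") != ALG_KEY_TYPES[alg[:2]] or key.get("use", "sig") != "sig":
            continue
        if key["kty"] == "EC" and key.get("crv") != EC_CURVES[alg]:
            continue
        return key
    return None


def available_request_signing_algs(own_jwks,
                                   candidates=("RS256", "PS256", "ES256", "ES384", "ES512")):
    """An algorithm is only selectable if a matching key exists (cf. the EC note above)."""
    return [alg for alg in candidates if signing_jwk_for_alg(own_jwks, alg) is not None]


def request_object_claims(client_id, op_issuer, params, lifetime=300, now=None):
    """Core 1.0 section 6.1: the request parameters become JWT claims; iss, aud, iat,
    exp and jti bind the object to this RP, this OP and this single request."""
    now = int(time.time()) if now is None else now
    claims = dict(params)
    claims.update({"iss": client_id, "client_id": client_id, "aud": op_issuer,
                   "iat": now, "exp": now + lifetime, "jti": str(uuid.uuid4())})
    return claims


def build_signed_authorization_request(authorization_endpoint, client_id, op_issuer,
                                       own_jwks, alg, params, sign):
    """Return the URL of a request-object (request=...) authentication request.

    sign(header, claims) -> compact JWS string is supplied by the JOSE library."""
    jwk = signing_jwk_for_alg(own_jwks, alg)
    if jwk is None:
        raise ValueError(f"no signing key for {alg} in our JWKS")
    if "openid" not in params.get("scope", "").split():
        raise ValueError("scope must contain openid")
    # kid tells the OP which key to take from <Base URL>/pf/JWKS when verifying.
    header = {"alg": alg, "kid": jwk["kid"], "typ": "JWT"}
    request_jwt = sign(header, request_object_claims(client_id, op_issuer, params))
    # Core 1.0 6.1: response_type and client_id MUST also be sent as plain OAuth 2.0
    # parameters and MUST match the request object; a scope containing openid MUST
    # always be sent in plain form. Everything else travels only inside the JWT.
    outer = {"client_id": client_id, "response_type": params["response_type"],
             "scope": params["scope"], "request": request_jwt}
    return authorization_endpoint + "?" + urlencode(outer)


def outer_parameters_match(outer, claims):
    """OP-side rule from Core 1.0 6.1: response_type and client_id outside the
    request object must equal the values inside it, otherwise reject the request."""
    return all(outer.get(k) == claims.get(k) for k in ("response_type", "client_id"))
```

Because the OP verifies the request object against the RP's published JWKS, the kid placed in the header must be the kid under which that key appears at the /pf/JWKS URL; a key rotated out of the JWKS before the OP fetches it makes every signed request fail verification.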

  2. Optional: Remain on the OpenID Provider Info screen and specify the request parameters that are allowed to be included in the authentication requests to the OP under Request Parameters (see Configuring request parameters and SSO URLs).