You can configure
Make sure you have the following in place:
- A valid signing certificate. See Manage digital signing certificates and decryption keys.
- An openid and a profile scope. See Defining scopes.
- A policy contract with at least the following attributes:
  - memberOf. See Managing policy contracts.
- An identity provider (IdP) connection in your PingFederate instance with the following attributes:
  - memberOf – fulfilled by the policy contract authentication source. See Managing IdP connections.
- A service provider (SP) connection in your external IdP with the following attributes:
  - memberOf – fulfilled by whichever authentication source is appropriate and using whatever authentication flows you require (for example, username/password and multi-factor authentication (MFA)). See Accessing SP connections.
Configuring OIDC SSO for the PingFederate administrative console allows you to use an external IdP to authenticate administrative users. You can also use OIDC SSO to enable MFA because the administrative users are taken through an authentication policy flow that invokes an MFA adapter. Other console authentication types don't use authentication policies.