Make sure you have the following in place:
- A valid signing certificate. See Manage digital signing certificates and decryption keys.
- An openid and a profile scope. See Defining scopes.
- A policy contract with at least the following attributes (see Managing policy contracts):
  - memberOf
- An identity provider (IdP) connection in your PingFederate instance with the following attributes (see Managing IdP connections):
  - memberOf: fulfilled by the policy contract authentication source.
- A service provider (SP) connection in your external IdP with the following attributes (see Accessing SP connections):
  - memberOf: fulfilled by whichever authentication source is appropriate and using whatever authentication flows you require (for example, username/password and multi-factor authentication (MFA)).
Configuring OIDC SSO for the PingFederate administrative console allows you to use an external IdP to authenticate administrative users. You can also use OIDC SSO to enable MFA because the administrative users are taken through an authentication policy flow that invokes an MFA adapter. Other console authentication types don't use authentication policies.