Configuring an OpenID Connect policy (Windows login)

Page created: 19 Oct 2020 |

Page updated: 13 Apr 2021

| 2 min read

PingId Product

Create an OpenID Connect policy, and then map the policy to the specific OAuth client.

In PingFederate, before creating a policy, make sure an Open ID Connect (OIDC) scope is defined:
1. In PingFederate, go to Scope Management:
  - PingFederate 10.1 or later: Go to System > OAuth Settings and then click Scope Management.
  - PingFederate 10 or earlier: On the OAuth Server tab, in the Authorization Server section, click Scope Management.
2. Create an OpenID Connect scope:
  1. In the Scope Value field, type openid.
  2. In the Scope Description field, type OpenID Connect login.
  3. Click Add, and then click Save.
  The new scope is added to the Common Scopes list, and the entry is saved.
In PingFederate, create an OpenID connect policy:
1. Go to OpenID Connect Policy Management:
  - PingFederate 10.1 or later: Go to Applications > OAuth and then click OpenID Connect Policy Management.
  - PingFederate 10 or earlier: On the OAuth Server tab, in the Token Mapping section, click OpenID Connect Policy Management.
2. Click Add Policy.
3. In the Manage Policy tab, enter the following:
  - Policy ID: Enter a unique ID for the policy.
  - Name: Enter a name for the policy.
  - Access Token Manager: Select the access token manager that you created earlier from the drop-down list.
  - Select the Include User Info in ID Token check box.
4. Click Next.
5. On the Attribute Contract tab, in the Extend the Contract section, for each attribute listed, click Delete in the relevant row, until all attributes are deleted.
6. In a new row, enter winlogin.auth.response, and click Add.
  The new attribute is added to the Extend the Contract list.
7. Click Next.
8. In the Attribute Scopes tab, make an association between the OpenID scope, and the winlogin.auth.response attribute:
  - In the Scope column, select Open ID from the drop-down list.
  - In the Attributes column, select the winlogin.auth.response check box and then click Add.
9. Click Next, and then on the Attribute Sources & User Lookup tab, click Next.
10. In the Contract Fulfillment tab:
  - sub attribute: From the Source list, select Access Token. From the Value list, select subject.
  - winlogin.auth.response attribute: From the Source list select Access Token. From the Value list, select winlogin.auth.response.
11. Click Next, and on the Issuance Criteria tab, click Next.
12. On the Summary tab click Save.
  The new OpenID Connect policy is listed in the OpenID Connect Policy Management window.
If more than one policy exists, click Default to make this policy your default policy.

Configuring an OpenID Connect policy (Windows login) - PingID

PingID Administration Guide