Create an OpenID Connect policy, and then map the policy to the specific OAuth client.
In PingFederate, before creating a policy, make sure an Open ID Connect (OIDC)
scope is defined:
In PingFederate, go to Scope Management:
- PingFederate 10.1 or later: Go to Scope Management. and then click
- PingFederate 10 or earlier: On the OAuth Server tab, in the Authorization Server section, click Scope Management.
Create an OpenID Connect scope:
The new scope is added to the Common Scopes list, and the entry is saved.
- In the Scope Value field, type openid.
- In the Scope Description field, type OpenID Connect login.
- Click Add, and then click Save.
- In PingFederate, go to Scope Management:
In PingFederate, create an OpenID connect policy:
Go to OpenID Connect Policy Management:
- PingFederate 10.1 or later: Go to OpenID Connect Policy Management. and then click
- PingFederate 10 or earlier: On the OAuth Server tab, in the Token Mapping section, click OpenID Connect Policy Management.
- Click Add Policy.
In the Manage Policy tab, enter the
- Policy ID: Enter a unique ID for the policy.
- Name: Enter a name for the policy.
- Access Token Manager: Select the access token manager that you created earlier from the drop-down list.
- Select the Include User Info in ID Token check box.
- Click Next.
- On the Attribute Contract tab, in the Extend the Contract section, for each attribute listed, click Delete in the relevant row, until all attributes are deleted.
In a new row, enter
winlogin.auth.response, and click Add.The new attribute is added to the Extend the Contract list.
- Click Next.
In the Attribute Scopes tab, make an association
between the OpenID scope, and the
- In the Scope column, select Open ID from the drop-down list.
- In the Attributes column, select the
winlogin.auth.responsecheck box and then click Add.
- Click Next, and then on the Attribute Sources & User Lookup tab, click Next.
In the Contract Fulfillment tab:
subattribute: From the Source list, select Access Token. From the Value list, select subject.
winlogin.auth.responseattribute: From the Source list select Access Token. From the Value list, select
- Click Next, and on the Issuance Criteria tab, click Next.
On the Summary tab click
The new OpenID Connect policy is listed in the OpenID Connect Policy Management window.
- Go to OpenID Connect Policy Management:
- If more than one policy exists, click Default to make this policy your default policy.