Create an OpenID Connect policy, and then map the policy to the specific OAuth client.

In PingFederate, before creating a policy, make sure an OpenID Connect (OIDC) scope is defined:

In PingFederate, go to Scope Management:
- PingFederate 10.1 or later: Go to System > OAuth Settings and then click Scope Management.
- PingFederate 10 or earlier: On the OAuth Server tab, in the Authorization Server section, click Scope Management.
Create an OpenID Connect scope:
- In the Scope Value field, type openid.
- In the Scope Description field, type OpenID Connect login.
- Click Add, and then click Save.
The new scope is added to the Common Scopes list, and the entry is saved.

In PingFederate, create an OpenID Connect policy:

Go to OpenID Connect Policy Management:
- PingFederate 10.1 or later: Go to Applications > OAuth and then click OpenID Connect Policy Management.
- PingFederate 10 or earlier: On the OAuth Server tab, in the Token Mapping section, click OpenID Connect Policy Management.
- Click Add Policy.

In the Manage Policy tab, enter the following:
- Policy ID: Enter a unique ID for the policy.
- Name: Enter a name for the policy.
- Access Token Manager: Select the access token manager that you created earlier from the drop-down list.
- Select the Include User Info in ID Token check box.
- Click Next.
- On the Attribute Contract tab, in the Extend the Contract section, click Delete in each row until all listed attributes are deleted. Because user info is included in the ID token, the contract should carry only the attribute the client needs.
- In a new row, enter winlogin.auth.response, and click Add. The new attribute is added to the Extend the Contract list.
- Click Next.

In the Attribute Scopes tab, associate the openid scope with the winlogin.auth.response attribute:
- In the Scope column, select openid from the drop-down list.
- In the Attributes column, select the winlogin.auth.response check box, and then click Add.
- Click Next, and then on the Attribute Sources & User Lookup tab, click Next.

In the Contract Fulfillment tab:
- sub attribute: From the Source list, select Access Token. From the Value list, select subject.
- winlogin.auth.response attribute: From the Source list, select Access Token. From the Value list, select winlogin.auth.response.
- Click Next, and on the Issuance Criteria tab, click Next.

On the Summary tab, click Save.
The new OpenID Connect policy is listed in the OpenID Connect Policy Management window.

Back in the OpenID Connect Policy Management window:
- If more than one policy exists, click Default to make this policy your default policy.
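The same policy expressed as a JSON document for the PingFederate administrative API, as an added example that is not part of the original page or of any Ping Identity code. It mirrors the procedure above (contract reduced to sub and winlogin.auth.response, both fulfilled from the access token, winlogin.auth.response released under the openid scope, user info included in the ID token) and adds a check_policy() drift check you can run against an exported policy. The endpoint path, the field names (accessTokenManagerRef, scopeAttributeMappings, attributeContractFulfillment, source type TOKEN) and the X-XSRF-Header requirement are assumptions from my recollection of the admin API; verify them against the API reference for your PingFederate version. The openid scope itself is assumed to exist already (the first step above); the policy ID, name and access token manager ID are placeholders.

```python
"""Build and sanity-check the OpenID Connect policy described above for the
PingFederate admin API. Endpoint and field names are assumptions (see lead-in)."""
import base64
import json
from urllib.request import Request, urlopen

OIDC_POLICIES_PATH = "/pf-admin-api/v1/oauth/openIdConnect/policies"  # assumed path
WINLOGIN_ATTR = "winlogin.auth.response"


def build_policy(policy_id, name, access_token_manager_id):
    """Return the policy as a dict that matches the GUI steps one for one."""
    return {
        "id": policy_id,
        "name": name,
        "accessTokenManagerRef": {"id": access_token_manager_id},
        "includeUserInfoInIdToken": True,            # "Include User Info in ID Token"
        "attributeContract": {
            "coreAttributes": [{"name": "sub"}],     # sub is always present
            "extendedAttributes": [{"name": WINLOGIN_ATTR}],  # the only extension
        },
        # Attribute Scopes tab: openid releases winlogin.auth.response
        "scopeAttributeMappings": {"openid": {"values": [WINLOGIN_ATTR]}},
        "attributeMapping": {
            "attributeSources": [],                  # no user lookup configured
            # Contract Fulfillment tab: both attributes come from the access token
            "attributeContractFulfillment": {
                "sub": {"source": {"type": "TOKEN"}, "value": "subject"},
                WINLOGIN_ATTR: {"source": {"type": "TOKEN"}, "value": WINLOGIN_ATTR},
            },
            "issuanceCriteria": {"conditionalCriteria": []},  # none added
        },
    }


def check_policy(policy):
    """Return a list of deviations from the procedure; [] means it matches.
    Run it on a policy exported from the admin API to catch configuration drift,
    e.g. extra attributes leaking into the ID token."""
    problems = []
    contract = policy.get("attributeContract", {})
    names = {a["name"] for a in contract.get("coreAttributes", [])}
    names |= {a["name"] for a in contract.get("extendedAttributes", [])}
    if names != {"sub", WINLOGIN_ATTR}:
        problems.append(f"unexpected contract attributes: {sorted(names)}")
    fulfil = policy.get("attributeMapping", {}).get("attributeContractFulfillment", {})
    for attr in ("sub", WINLOGIN_ATTR):
        entry = fulfil.get(attr)
        if not entry or entry.get("source", {}).get("type") != "TOKEN":
            problems.append(f"{attr} is not fulfilled from the access token")
    released = policy.get("scopeAttributeMappings", {}).get("openid", {}).get("values", [])
    if WINLOGIN_ATTR not in released:
        problems.append("openid scope does not release " + WINLOGIN_ATTR)
    if not policy.get("includeUserInfoInIdToken"):
        problems.append("Include User Info in ID Token is not set")
    return problems


def create_policy(base_url, user, password, policy):
    """POST the policy to the admin console (assumed endpoint, basic auth).
    Not executed here; base_url must be https with a certificate you trust."""
    req = Request(base_url + OIDC_POLICIES_PATH,
                  data=json.dumps(policy).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("X-XSRF-Header", "PingFederate")  # assumed CSRF header
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder identifiers; substitute your own policy ID and ATM ID.
    policy = build_policy("winlogin-oidc", "Windows Login OIDC policy", "winlogin-atm")
    print(json.dumps(policy, indent=2))
    print("problems:", check_policy(policy))
```

check_policy() is the part worth keeping around: once the policy is live, exporting it and diffing against these invariants is a quick way to confirm nobody has widened the ID token contract or changed the attribute source.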