1. Go to Connections > External IDPs.
  2. Click + Add Provider.
  3. Click OpenID Connect.
  4. On the Create Profile page, enter the following:
    • Name: A unique identifier for the identity provider.
    • Description: (Optional). A brief characterization of the identity provider.
    • Icon: (Optional). An image to represent the identity provider. Use a file up to 1MB in JPG, JPEG, GIF, or PNG format.
    • Login button: (Optional). An image to be used for the login button that the end user will see. Use a 300 X 42 pixel image.
  5. Click Continue.
  6. Enter the Connection details:
    • Client ID: The application ID that is generated by the external identity provider to which you are connecting.
    • Client secret: The application secret that is generated by the external identity provider to which you are connecting.
    • Callback URL: The URL to which the user will be redirected after authenticating, also known as the Redirect URI. This value is read-only. You might need to provide this value to the identity provider.
  7. Enter the Discovery details:
    • Discovery document URI: (Optional). The discovery endpoint from the external identity provider, which populates the following values for you. Enter the URL and then click Use Discovery document. For more information, see Discovery document URI.
    • Authorization endpoint: A string that specifies the authorization endpoint for the external identity provider. The client requests an authorization grant from the authorization endpoint. This value must be a URL that uses https.
    • Token endpoint: A string that specifies the token endpoint for the external identity provider. The client presents its authorization grant to the token endpoint to obtain an access token and a refresh token when needed.
    • JWKS endpoint: A string that specifies the JSON web key set (JWKS) endpoint for the external identity provider. The JWKS endpoint includes public keys that can be used to verify JSON web keys (JWKs) from the IdP. This value must be a URL that uses https.
    • Issuer: The issuer to which the authentication is sent for the external identity provider. This value must be a URL that uses https.
    • User information endpoint: (Optional). A string that specifies the userInfo endpoint for the external identity provider. The client can present an access token to the User information endpoint to retrieve additional information about the user, including attributes. Clients can use this endpoint to retrieve profile information, preferences, and other user-specific information.
    • Requested scopes: The scopes to include in the authentication request to the external identity provider.
    • Token endpoint authentication method: The authentication method to use for authenticating the external identity provider. Select None, client secret basic, or client secret post.
  8. Click Save and Continue.
  9. On the Map Attributes page, define how the PingOne user attributes are mapped to identity provider attributes. For more information, see Mapping attributes.
    • Enter the PingOne user profile attribute and the external IdP attribute. For more information about attribute syntax, see Identity provider attributes.
    • To add an attribute, click + Add attribute.
    • To use the expression builder, click Build and test or Advanced Expression. See Using the expression builder.
    • Select the update condition, which determines how PingOne updates its user directory with the values from the identity provider. The options are:
      • Empty only: Update the PingOne attribute only if the existing attribute is empty.
      • Always: Always update the PingOne directory attribute.
  10. Click Save and Finish.