1. Go to Integrations > External IDPs.
  2. Click + Add Provider.
  3. Click OpenID Connect.
  4. On the Create Profile page, enter the following:
    • Name: A unique identifier for the IdP.
    • Description (optional): A brief description of the IdP.
    • Icon (optional): An image to represent the identity provider. Use a file up to 1 MB in JPG, JPEG, GIF, or PNG format. Use a 90 X 90 pixel image.
    • Login button (optional): An image to use for the login button displayed to the end user. Use a 300 X 42 pixel image.
  5. Click Continue.
  6. Enter the Connection Details:
    • Client ID: The application ID that is generated by the external IdP to which you are connecting.
    • Client secret: The application secret that is generated by the external IdP to which you are connecting.
    • Callback URL: The URL to which the user is redirected after authenticating, also known as the redirect URI. This value is read-only. Provide this value to the IdP.
  7. Enter the Discovery Details:
    • Discovery document URI (optional): The discovery endpoint from the external IdP. Enter the URL and then click Use Discovery document to populate the remaining settings in Discovery Details automatically. Learn more in Discovery document URI.
    • Authorization endpoint: The URL that specifies the authorization endpoint for the external IdP. The client requests an authorization grant from the authorization endpoint. This URL must use the https protocol.
    • Token endpoint: The URL that specifies the token endpoint for the external IdP. The client presents its authorization grant to the token endpoint to obtain an access token and a refresh token when needed. This URL must use the https protocol.
    • JWKS endpoint: The URL that specifies the JSON web key set (JWKS) endpoint for the external identity provider. The JWKS endpoint includes public keys that can be used to verify JSON web keys (JWKs) from the IdP. This URL must use the https protocol.
    • Issuer: The issuer to which the authentication is sent for the external IdP. This URL must use the https protocol.
    • User information endpoint (optional): The URL that specifies the userInfo endpoint for the external identity provider. The client can present an access token to the userInfo endpoint to retrieve additional information about the user, including attributes. Clients can use this endpoint to retrieve profile information, preferences, and other user-specific information. This URL must use the https protocol.
    • Requested scopes: The scopes to include in the authentication request to the external IdP. Scope values are case sensitive. You can provide multiple scopes by separating them with a space.
    • Token endpoint authentication method: The authentication method to use for authenticating the external IdP. Select None, Client Secret Basic, or Client Secret Post.
    • Enable Proof Key for Code Exchange (PKCE): Select to use PKCE (Proof Key for Code Exchange) to secure communication with the IdP and help prevent authorization code interception attacks.

      This option is selected by default if Discovery document URI is configured, and if the metadata from the provider includes the following:

      
      "code_challenge_methods_supported": [
      "plain",
      "S256"
      ]

      If Discovery document URI is not configured, or if the code_challenge_methods_supported metadata from the provider does not include S256, this option is cleared by default.

      Learn more about PKCE, in RFC7636: Proof Key for Code Exchange by OAuth Public Clients on the IETF website.

  8. Click Save and Continue.
  9. On the Map Attributes page, define how the PingOne user attributes are mapped to identity provider attributes.

    Learn more in Mapping attributes.

    1. Enter the PingOne user profile attribute and the external IdP attribute.

      Learn more about attribute syntax in Identity provider attributes.

    2. To add an attribute, click + Add attribute.
    3. To use the expression builder, click Build and test or Advanced Expression.
    4. Select the update condition, which determines how PingOne updates its user directory with the values from the identity provider:
      • Empty only: Update the PingOne attribute only if the existing attribute is empty.
      • Always: Always update the PingOne directory attribute.
  10. Click Save and Finish.