You can use the generic OpenID Connect (OIDC) configuration to add any external identity provider (IdP) that follows the OIDC standard.

OIDC is an authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management. An IdP is a service that manages identity information and provides authentication services to relying clients or service providers (SPs) within a federated or distributed network.
- Go to .
- Click + Add Provider.
- Click OpenID Connect.
- On the Create Profile page, enter the following:
  - Name: A unique identifier for the identity provider.
  - Description: (Optional). A brief characterization of the identity provider.
  - Icon: (Optional). An image to represent the identity provider. Use a file up to 1 MB in JPG, JPEG, GIF, or PNG format.
  - Login button: (Optional). An image to be used for the login button that the end user will see. Use a 300 x 42 pixel image.
- Click Continue.
- Enter the Connection Details:
  - Client ID: The application ID that is generated by the external identity provider to which you are connecting.
  - Client secret: The application secret that is generated by the external identity provider to which you are connecting.
  - Callback URL: The URL to which the user will be redirected after authenticating, also known as the Redirect URI. This value is read-only. You might need to provide this value to the identity provider.
- Enter the Discovery Details:
  - Discovery document URI: (Optional). The discovery endpoint from the external identity provider, which populates the following values for you. Enter the URL and then click Use Discovery document. For more information, see Discovery document URI.
  - Authorization endpoint: A string that specifies the authorization endpoint for the external identity provider. The client requests an authorization grant from the authorization endpoint. This value must be a URL that uses https.
  - Token endpoint: A string that specifies the token endpoint for the external identity provider. The client presents its authorization grant to the token endpoint to obtain an access token and, when needed, a refresh token.
  - JWKS endpoint: A string that specifies the JSON web key set (JWKS) endpoint for the external identity provider. The JWKS endpoint publishes the IdP's public keys as JSON web keys (JWKs), which are used to verify the signatures of tokens issued by the IdP. This value must be a URL that uses https.
  - Issuer: The issuer to which the authentication is sent for the external identity provider. This value must be a URL that uses https.
  - User information endpoint: (Optional). A string that specifies the userInfo endpoint for the external identity provider. The client can present an access token to the User information endpoint to retrieve additional information about the user, including attributes. Clients can use this endpoint to retrieve profile information, preferences, and other user-specific information.
  - Requested scopes: The scopes to include in the authentication request to the external identity provider.
  - Token endpoint authentication method: The authentication method the client uses when authenticating to the external identity provider's token endpoint. Select None, Client Secret Basic, or Client Secret Post.
- Click Save and Continue.
- On the Map Attributes page, define how the PingOne user attributes are mapped to identity provider attributes. For more information, see Mapping attributes.
  - Enter the PingOne user profile attribute and the external IdP attribute. For more information about attribute syntax, see Identity provider attributes.
  - To add an attribute, click + Add attribute.
  - To use the expression builder, click Build and test or Advanced Expression. See Using the expression builder.
  - Select the update condition, which determines how PingOne updates its user directory with the values from the identity provider. The options are:
    - Empty only: Update the PingOne attribute only if the existing attribute is empty.
    - Always: Always update the PingOne directory attribute.
- Click Save and Finish.
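The Discovery Details step above populates the Authorization, Token, JWKS and Issuer fields from the provider's discovery document, and the Token endpoint authentication method step chooses how the client proves its identity at the token endpoint. The following is an added example, not PingOne's code and not part of the original page: it maps a constructed sample discovery document (the shape served at `/.well-known/openid-configuration`) onto those form fields, applies the checks a reviewer would want before saving (required keys present, the https-only fields really are https, the document's `issuer` is identical to the issuer it was fetched for, as OIDC Discovery requires), and shows what each of the three authentication methods actually sends to the token endpoint. The sample JSON, the client credentials and the callback URL are constructed values; the field labels are the ones used in the procedure.

```python
import base64
import json
from urllib.parse import quote, urlencode, urlparse

# Constructed sample: what an IdP's /.well-known/openid-configuration response
# looks like. Nothing is fetched over the network in this example.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/jwks",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})

# Discovery document keys and the Discovery Details field each one populates.
REQUIRED = {
    "issuer": "Issuer",
    "authorization_endpoint": "Authorization endpoint",
    "token_endpoint": "Token endpoint",
    "jwks_uri": "JWKS endpoint",
}
OPTIONAL = {"userinfo_endpoint": "User information endpoint"}
# Fields the procedure says must be https URLs.
HTTPS_REQUIRED = {"issuer", "authorization_endpoint", "jwks_uri"}


def discovery_document_uri(issuer):
    """Where OIDC Discovery publishes the document: the issuer plus the well-known path."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def fields_from_discovery(raw_json, expected_issuer):
    """Map a discovery document onto the Discovery Details fields.

    Raises ValueError listing every problem found: a missing required key,
    a required-https field that is not an https URL, or an issuer that
    differs from the one the document was retrieved for.
    """
    doc = json.loads(raw_json)
    problems, fields = [], {}
    for key, label in REQUIRED.items():
        value = doc.get(key)
        if not isinstance(value, str) or not value:
            problems.append(f"{label}: '{key}' missing from discovery document")
            continue
        if key in HTTPS_REQUIRED and urlparse(value).scheme != "https":
            problems.append(f"{label}: {value!r} is not an https URL")
        fields[label] = value
    for key, label in OPTIONAL.items():
        if doc.get(key):
            fields[label] = doc[key]
    # OIDC Discovery requires the document's 'issuer' to be identical to the
    # issuer the document was retrieved for; a mismatch means a misconfigured
    # or impersonating provider and must not be papered over.
    if "Issuer" in fields and fields["Issuer"] != expected_issuer:
        problems.append(f"Issuer: document says {fields['Issuer']!r}, expected {expected_issuer!r}")
    if problems:
        raise ValueError("; ".join(problems))
    return fields


def token_request(method, client_id, client_secret, code, redirect_uri):
    """Build (headers, form_body) for the authorization-code exchange under each
    Token endpoint authentication method the procedure offers."""
    params = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "None":
        params["client_id"] = client_id  # public client: no secret is ever sent
    elif method == "Client Secret Basic":
        # RFC 6749 section 2.3.1: form-urlencode id and secret, then HTTP Basic.
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    elif method == "Client Secret Post":
        params["client_id"] = client_id
        params["client_secret"] = client_secret  # secret travels in the POST body
    else:
        raise ValueError(f"unsupported token endpoint authentication method: {method!r}")
    return headers, urlencode(params)


if __name__ == "__main__":
    for label, value in fields_from_discovery(SAMPLE_DISCOVERY_JSON, "https://idp.example.com").items():
        print(f"{label}: {value}")
    # Constructed client credentials and callback URL.
    headers, body = token_request("Client Secret Basic", "my-client", "s3cr3t",
                                  "CODE", "https://example.com/callback")
    print(headers["Authorization"], body)
```

Whichever method is selected here must be one the provider lists under `token_endpoint_auth_methods_supported`; choosing None for a confidential client means the token exchange relies on the authorization code alone, so prefer one of the Client Secret methods whenever the provider issued a secret.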
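The Map Attributes step pairs each PingOne attribute with an IdP attribute and an update condition. The following added example, which is not PingOne's implementation and not part of the original page, shows what Empty only and Always mean when a user who already exists in the directory signs in through the IdP, including the edge cases a practitioner should expect: a blank string and a never-set attribute both count as empty, and a claim the IdP did not send leaves the directory untouched under either condition. The user record, claim names and attribute names are constructed sample values.

```python
# Constructed sample: a user already in the PingOne directory and the claims
# the external IdP returned for that user after authentication.
EXISTING_USER = {
    "username": "jdoe",
    "email": "",          # present but blank
    "name.given": None,   # never set
    "name.family": "Do",  # set, but stale
}
IDP_CLAIMS = {
    "preferred_username": "jdoe@idp.example.com",
    "email": "jane.doe@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
    # no 'phone_number' claim: the IdP did not send one
}

# (PingOne user profile attribute, external IdP attribute, update condition)
MAPPINGS = [
    ("username", "preferred_username", "Empty only"),
    ("email", "email", "Empty only"),
    ("name.given", "given_name", "Always"),
    ("name.family", "family_name", "Always"),
    ("mobilePhone", "phone_number", "Always"),
]


def is_empty(value):
    """What 'empty' means for the Empty only condition: missing, None, or whitespace-only."""
    return value is None or (isinstance(value, str) and not value.strip())


def apply_mappings(user, claims, mappings):
    """Return (updated_user, changes) after applying each mapping under its
    update condition. A claim the IdP did not send never touches the directory."""
    updated = dict(user)
    changes = []
    for ping_attr, idp_attr, condition in mappings:
        if condition not in ("Empty only", "Always"):
            raise ValueError(f"unknown update condition {condition!r} for {ping_attr}")
        if idp_attr not in claims:
            continue  # nothing to write; keep whatever the directory holds
        current = updated.get(ping_attr)
        if condition == "Empty only" and not is_empty(current):
            continue  # directory already has a value: leave it alone
        new_value = claims[idp_attr]
        if current != new_value:
            changes.append((ping_attr, current, new_value))
            updated[ping_attr] = new_value
    return updated, changes


if __name__ == "__main__":
    user, changes = apply_mappings(EXISTING_USER, IDP_CLAIMS, MAPPINGS)
    for attr, old, new in changes:
        print(f"{attr}: {old!r} -> {new!r}")
```

Always is the right choice for attributes the IdP is authoritative for (a display name that should follow HR changes); Empty only protects values that PingOne or the user owns, such as a username that other systems already reference.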