Page created: 15 Mar 2023 | Page updated: 15 Mar 2023 | 4 min read
Product: PingOne Cloud Platform, PingOne. Audience: Product Administrator, Application Developer, Developer. Content type: Product documentation. Deployment method: IDaaS. Standards, specifications, and protocols: OpenID Connect.
You can use the generic OpenID Connect (OIDC) configuration to add any external identity provider (IdP) that follows the OIDC standard.
- Go to Connections > External IDPs.
- Click + Add Provider.
- Click OpenID Connect.
- On the Create Profile page, enter the following:
- Name: A unique identifier for the identity provider.
- Description: (Optional). A brief characterization of the identity provider.
- Icon: (Optional). An image to represent the identity provider. Use a file up to 1MB in JPG, JPEG, GIF, or PNG format.
- Login button: (Optional). An image to be used for the login button that the end user will see. Use a 300 x 42 pixel image.
- Click Continue.
- Enter the Connection details:
- Client ID: The application ID that is generated by the external identity provider to which you are connecting.
- Client secret: The application secret that is generated by the external identity provider to which you are connecting.
- Callback URL: The URL to which the user will be redirected after authenticating, also known as the Redirect URI. This value is read-only. You might need to provide this value to the identity provider.
- Enter the Discovery details:
- Discovery document URI: (Optional). The discovery endpoint from the external identity provider, which populates the following values for you. Enter the URL and then click Use Discovery document. For more information, see Discovery document URI.
- Authorization endpoint: A string that specifies the authorization endpoint for the external identity provider. The client requests an authorization grant from the authorization endpoint. This value must be a URL that uses https.
- Token endpoint: A string that specifies the token endpoint for the external identity provider. The client presents its authorization grant to the token endpoint to obtain an access token and, when needed, a refresh token.
- JWKS endpoint: A string that specifies the JSON web key set (JWKS) endpoint for the external identity provider. The JWKS endpoint includes the public keys that can be used to verify JSON web keys (JWKs) from the IdP. This value must be a URL that uses https.
- Issuer: The issuer to which the authentication is sent for the external identity provider. This value must be a URL that uses https.
- User information endpoint: (Optional). A string that specifies the userInfo endpoint for the external identity provider. The client can present an access token to the User information endpoint to retrieve additional information about the user, including attributes. Clients can use this endpoint to retrieve profile information, preferences, and other user-specific information.
- Requested scopes: The scopes to include in the authentication request to the external identity provider.
- Token endpoint authentication method: The authentication method to use when authenticating to the external identity provider's token endpoint. Select None, client secret basic, or client secret post.
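The discovery document populates the endpoints above, and the page requires the issuer, authorization, token and JWKS values to be https URLs. The following added example (not PingOne code, and not part of this documentation page) shows the checks an administrator can run against a discovery document before pasting its values into the Discovery details, and how the three token endpoint authentication methods (None, client secret basic, client secret post) differ on the wire. The discovery document, issuer `https://idp.example.com`, client ID, secret, code and callback URL are all constructed placeholders.

```python
import base64
import json
from urllib.parse import quote, urlencode, urlparse

# Constructed sample discovery document. The issuer and endpoints are
# placeholders standing in for a real external IdP's /.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "userinfo_endpoint": "https://idp.example.com/userinfo",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})

# Same document with the token endpoint downgraded to plain http (constructed
# failure case): PingOne rejects this, and so should any pre-check.
BAD_HTTP_TOKEN_DISCOVERY = json.dumps({
    **json.loads(SAMPLE_DISCOVERY),
    "token_endpoint": "http://idp.example.com/token",
})

# Fields the page requires to be https URLs (the userinfo endpoint is optional).
REQUIRED_HTTPS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def validate_discovery(document: str, expected_issuer: str) -> dict:
    """Parse a discovery document and return the values the Discovery details need.

    Raises ValueError if a required endpoint is missing or not https, or if the
    document's issuer differs from the issuer it was fetched for (OIDC Discovery
    requires the two to match; a mismatch means the document cannot be trusted).
    """
    data = json.loads(document)
    for field in REQUIRED_HTTPS:
        value = data.get(field)
        if not value:
            raise ValueError(f"discovery document is missing {field}")
        parsed = urlparse(value)
        if parsed.scheme != "https" or not parsed.netloc:
            raise ValueError(f"{field} must be an https URL, got {value!r}")
    if data["issuer"].rstrip("/") != expected_issuer.rstrip("/"):
        raise ValueError(f"issuer mismatch: document says {data['issuer']!r}")
    userinfo = data.get("userinfo_endpoint")
    if userinfo and urlparse(userinfo).scheme != "https":
        raise ValueError("userinfo_endpoint must be an https URL when present")
    return {
        "authorization_endpoint": data["authorization_endpoint"],
        "token_endpoint": data["token_endpoint"],
        "jwks_endpoint": data["jwks_uri"],
        "issuer": data["issuer"],
        "userinfo_endpoint": userinfo,
    }


def discovery_problem(document: str, expected_issuer: str) -> str:
    """Return the validation error message, or an empty string if the document is acceptable."""
    try:
        validate_discovery(document, expected_issuer)
    except ValueError as exc:
        return str(exc)
    return ""


def token_request(method: str, client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
    """Build the headers and form body of the authorization-code token request for the
    selected token endpoint authentication method: 'none', 'client_secret_basic' or
    'client_secret_post'. Only the placement of the client credentials changes."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-encode id and secret, then HTTP Basic.
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    elif method == "client_secret_post":
        # Credentials travel in the form body instead of a header.
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    elif method == "none":
        # Public client: client_id only, no secret anywhere in the request.
        body["client_id"] = client_id
    else:
        raise ValueError(f"unsupported token endpoint authentication method {method!r}")
    return {"headers": headers, "body": urlencode(body)}


if __name__ == "__main__":
    print(validate_discovery(SAMPLE_DISCOVERY, "https://idp.example.com"))
    print(discovery_problem(BAD_HTTP_TOKEN_DISCOVERY, "https://idp.example.com"))
    print(token_request("client_secret_basic", "abc", "s3cret", "code1", "https://auth.example/callback"))
```

Whichever method is selected must be one the IdP lists under `token_endpoint_auth_methods_supported`; selecting None for a confidential client means the secret configured in the Connection details is never sent, and the token request will fail at the IdP.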
- Click Save and Continue.
- On the Map Attributes page, define how the PingOne user attributes are mapped to identity provider attributes. For more information, see Mapping attributes.
- Enter the PingOne user profile attribute and the external IdP attribute. For more information about attribute syntax, see Identity provider attributes.
- To add an attribute, click + Add attribute.
- To use the expression builder, click Build and test or Advanced Expression. See Using the expression builder.
- Select the update condition, which determines how PingOne updates its user directory with the values from the identity provider. The options are:
- Empty only: Update the PingOne attribute only if the existing attribute is empty.
- Always: Always update the PingOne directory attribute.
- Click Save and Finish.
- Enable the external identity provider. See Enabling or disabling an identity provider.
- Add the identity provider to your authentication policy. See Editing an authentication policy.