Using an external identity provider allows linked users to authenticate using the credentials provided by the external identity provider. An external identity provider includes mapping PingOne user attributes to attributes from the identity provider.

Approaches for external identity providers

There are several important differences in the way that identity providers can be used in PingOne authentication policies.
Add an external identity provider as part of a login step. At the sign-on prompt, the end user can enter a username and password or choose an external identity provider to authenticate with, such as Google or Facebook. See Adding a login authentication step.
Identifier First
Add an identifier-first step to an authentication policy. The end user is prompted for an identifier, such as a user name. The policy can then send the end user to a particular identity provider based on rules evaluation of the identifier. See Identifier first authentication.
External Identity Provider
Add an external identity provider step to an authentication policy. The end user is forwarded to an external identity provider based on policy and without any interaction from the user. See Adding an external identity provider sign-on step.


You can encrypt SAML assertions for SAML identity providers. To do so, you’ll configure the external SAML IdP with the encryption certificate from PingOne.

The encryption certificate is included in the downloadable IdP metadata. You can then import the encryption certificate into the external identity provider's configuration. Download the metadata and then locate the encryption certificate. For more information, see Downloading metadata for SAML IdPs.

The following algorithms are supported:

  • AES_128
  • AES_256