Editing an application - OIDC - PingOne

Editing an application - OIDC - PingOne - PingOne Cloud Platform

PingOne Cloud Platform

bundle

pingone

ft:publication_title

PingOne Cloud Platform

Product_Version_ce

PingOne

PingOne Cloud Platform

category

Product

p1cloudplatform

ContentType_ce

Page created: 23 May 2023 |

Page updated: 23 May 2023

| 7 min read

PingOne Cloud Platform PingOne Product Administrator Audience Application Developer Developer Product documentation Content Type OpenID Connect Standards, specifications, and protocols IDaaS Deployment Method

Use the Applications page to edit existing OpenID Connect (OIDC) applications.

Go to Connections > Applications.
Browse or search for the application that you want to edit.
Click the application entry to open the details panel, and then click the tab that you want to edit, and then click the pencil icon.

For Overview, enter or edit the following information.

Field	Description
Application Name	A unique identifier for the application.
Description (optional)	A brief characterization of the application.
Icon (optional)	A pictorial representation of the application. Use a file up to 1MB in JPG, JPEG, GIF, or PNG format.
Home page URL	The default home page for the application.
Signon URL	The URL to which the application requests that the end user be redirected to for sign-on. Important: To avoid issues with third-party cookies in some browsers, we recommend that you use a custom domain to give your PingOne environment the same parent domain as your authentication application. For more information, see Domains.

For Configuration, enter or edit the following.

Field	Description
Response type	Select code, token, or ID token for the response type. For more information, see Response types.
Grant type	Select authorization code, implicit, refresh token, or client credentials for the grant type. For more information, see Grant types.
PKCE enforcement	Select a value for PKCE code challenge enforcement. This value determines how the application creates the code challenge from the code verifier. For more information, see PKCE enforcement. Note: PKCE enforcement is available for Authorization Code grant type applications only.
Refresh token configuration	Select this option to enable the Refresh Token grant type. You can specify the following: Refresh token duration The lifetime of the refresh tokens. If a value is not provided, the default value is `2592000`, or 30 days. Valid values are between `60` and `2147483647`. Refresh token rolling duration How long the application can use the refresh token grant type to obtain a new access token (and a new refresh token) after the most recent user authentication event. If a value is not provided, the refresh token is valid forever. Valid values are between `60` and `2147483647`. Note: The refresh token rolling duration must be longer than the refresh token duration. Refresh token rolling grace period The amount of time that a rolled refresh token is still valid in the event that the client failed to receive an updated one during a roll. Valid values are between `0` and `86400` seconds. A value of zero means a refresh token becomes invalid after it’s rolled.
Redirect URIs	The address to which PingOne forwards the OIDC response after authentication. Note: The Redirect URI cannot contain a fragment component, such as `#somedata`. For more information, see Redirection endpoint in the IETF documentation.
Allow Redirect URI patterns	Use a wildcard for flexibility in managing redirect URIs. See Redirect URIs.
Token Endpoint Authentication Method	Select one of the following: None Client Secret Basic Client Secret Post
Initiate Login URI	The application's login initiation endpoint for third-parties to begin the sign-on process for the application. If provided, PingOne redirects users to this URI to initiate SSO to PingOne. The application is responsible for implementing the relevant OIDC flow when the Initiate Login URI is requested. For more information, see Initiating Login from a Third Party in the OIDC specification. This URI is required if you want the application to show in the PingOne Application Portal. For more information, see Application portal.
Target Link URI	The URI for the application. If provided, PingOne redirects application users to this URI after the user is authenticated. The target_link_uri parameter value in Initiate Single Sign-On URL, as shown as part of the application configuration in the PingOne console, is also updated with the value specified here.
Signoff URLs	The URLs to which the browser can be redirected after a logout has been performed. If you include a post_logout_redirect_uri query parameter in the /signoff request, with the same value that was set in the application, then the browser will redirect the user to the matching URL.
Allow unsigned JWT requests	Allow the optional request object on the authorization request to be unsigned.

For Resources, select the OAuth scopes for the application by selecting the check box for the appropriate scopes. Click the Selected scopes tab to see the scopes that are currently selected for the application.

The OAuth scopes determine the resources that the application can access. If you add OIDC scopes here, the application inherits the attributes associated with that scope.
For Policies, select the authentication policies for the application.

If you have a DaVinci license, you can select PingOne policies or DaVinci Flow policies, but not both. If you don’t have a DaVinci license, you’ll see PingOne policies only.

To use a PingOne policy, Click + Add policies and then select the policies that you want to apply to the application. Click Add. The policies are applied in the order in which they appear in the list. PingOne evaluates the first policy in the list first. If the requirements of the policy are not met, PingOne moves to the next policy in the list. For more information, see Authentication policies for applications.

To use a DaVinci Flow policy, you must clear all PingOne policies. Click the Deselect all PingOne policies button. In the confirmation message, click Continue. Click the DaVinci Policies tab, and then select the policies that you want to apply to the application. PingOne applies the first policy in the list. For OAuth-based applications, you can specify another policy in the acr_values parameter in the authorization request.
For Attribute mappings, select a PingOne user attribute and map it to an attribute in the application you are adding.

For more information, see Customizing OIDC attributes for an application.
1. Enter an application attribute and then select the corresponding PingOne attribute from the list.
2. Click the Gear icon to use the expression builder to build an attribute mapping.
  
  For more information, see Using the expression builder.
For Access, enter or edit the following:
- Application portal display: Determines whether an application icon appears in the application portal even if the user is allowed to access the application in the application portal based on the group membership policy. For more information, see Application access control.
- Admin only access: Specifies that a user with an administrator role is required to access the application. The user must have one of the following roles: Organization Admin, Environment Admin, Identity Data Admin, or Client Application Developer.
- Group membership policy. Select the group membership policy for the application. For more information, see Groups.
Click Save.