Before you add an OIDC application, you must configure the access token that your account will use for OIDC applications. These account-level settings are inherited at the application level when you add or update an application.


Account-level OAuth settings apply only to your managed applications, not to applications supplied by a service provider (SP).

PingOne for Enterprise returns OIDC user attributes in different ways depending on the response_type parameter.

The contents of the ID token depend on whether or not the application also returns an access token:

  • For flows that return both an access token and an ID token (such as authorization code flow, or implicit flows where the response_type includes token) the ID token contains the sub and, if requested, email scopes. The userinfo endpoint contains all of the attributes for the requested scopes and attributes configured on the User Info tab for the application, if the openid scope was requested.
  • For flows that don't return an access token, the ID token contains all of the attributes for the requested scopes and any attributes configured on the User Info tab for the application, if the openid scope was requested. The userinfo endpoint is inaccessible in this case because no access token is issued.

The access token contains attributes configured at Applications > OAuth Settings > Access Token.

For more information, see Configuring your OAuth settings.


When you add an OIDC application, you must have access to the necessary configuration information for the application. For applications supplied by an SP, the SP will direct you to this information.

  1. Go to Applications > My Applications > OIDC.
  2. Add a new application or edit an existing application.
    • To create a new application, click Add Application. See Step 3 for new application types.
    • To update an existing application, expand the application and click the Pencil icon. Skip to step 4.
  3. Select the type of application that you want to add and click Next:
    • To create an application that is accessed and used within a browser, clickWeb App.
    • To create an application that is stored locally and run on a desktop or device, click Native App.
    • To create an API-driven front-end application, such as applications using Node.js or Angular, click Single Page App.
    • If you want full control of all available configuration parameters, click Advanced Configuration.
  4. In the Application Name field, enter an application name.
  5. In the Short Description field, enter an application description.
  6. In the Category list, select a category to assign the application to.
  7. Optional: To add an icon for the application, click the Image icon and upload an icon image.

    The icon file can be up to 1 Mb in size. The supported graphics formats are JPEG/JPG, PNG and GIF.

  8. Click Next.
  9. Optional: To enable or disable a custom valid duration for the application access token, click the Override Access Token Lifetime toggle.
  10. Optional: If you enabled the override, enter the number of minutes access token lifetime in the Minutes field.

    The valid range is 1 - 60 minutes. The default value is inherited from your account-level OAuth settings. For more information, see Configuring your OAuth settings.

  11. Select the allowed grant types for the application.

    Available grant types are determined by the application type. For more information, see OIDC application grant types.

  12. Optional: If you selected Refresh Token, configure the token settings:
    1. Click the Override Refresh Idle Lifetime toggle to override the global OAuth setting for the application.
    2. In the Refresh Token Idle Lifetime field, enter the number of minutes that a refresh token can be idle before being used again.
    3. Click the Override Refresh Token Max Lifetime toggle to override the global OAuth setting for this application.
    4. In the Refresh Token Max Lifetime field, enter the maximum number of minutes that a refresh token can be valid.
  13. Optional: For Web Apps and Advanced Configuration applications, click Add Secret to add a secret to pair with the application Client ID.

    If you want to change a client secret, you must generate a second secret before deleting the first.


    For greater security with Web App applications, you can use PKCE in your authorization and token request. In this case, a client secret is not used. For more information, see OAuth 2.0 RFC 7636.

  14. Copy the Discovery URL, Issuer, and IDPID values to use later in integrating the application with PingOne for Enterprise.

    This information also displays on the summary page for the application after you've added the application to PingOne for Enterprise.

    For more information, see Integrating an OIDC application.

  15. Click Next.
  16. In the Start SSO URL field, enter the URL to use for SSO to the application.

    This is the URL to which application users will redirect to initiate SSO to PingOne for Enterprise using OIDC.

  17. In the Redirect URIs field, enter URIs forPingOne for Enterprise to send responses to for the application's authorization requests.

    Click Add URL to define multiple redirect URIs.

  18. Optional: In the Logout URI field, enter the URI to which PingOne for Enterprise sends a user for single logout (SLO).
  19. Optional: Select the authentication requirements.
    Authentication Method Description

    Force authentication

    If selected, to establish a connection to this application, users having a current, active SSO session will be re-authenticated by the identity repository.

    Force multi-factor authentication

    If selected, users are required to use multi-factor authentication (MFA) as defined by your authentication policy each time they access the application.

    You'll need to have an authentication policy in place to use this setting. See Create or update an authentication policy for more information.

  20. Click Next.
  21. To add attributes to the Default User Profile Attribute Contract, click Add Attribute and enter an attribute in the Attribute Name field.

    Select the Required check box to make the attribute required.

    The default user profile attribute contract is the user profile returned by the userinfo endpoint for this application when the openid scope is included in the authentication request.

    The (subject) sub attribute is required for all UserInfo requests.

    PingOne for Enterprise uses the idpid attribute to identify the identity provider (IdP) and is included in the attribute contract by default.

    If the application you're adding is a managed application, you can remove the idpid attribute from the contract. For managed applications,PingOne for Enterprise already has the idpid value for your account.

  22. Click Next.
  23. Click the +icon to add scopes to the allowed list, or click the - icon to remove them.

    These OAuth user scopes are the user resources to which the application will request access. The openid scope is expected to always be included in the authorization request.

  24. Click Next.
  25. Map identity repository attributes to claims made by the application.

    For each IdP attribute, enter or select the target attribute from the list.

    Click Advanced to display the advanced attribute mapping mode. For more information, see Assign advanced attribute mappings.


    This is a mapping of your identity repository attributes to the OIDC scope claims available to the application. By default, the attribute mapping inherits the account-level attribute mapping that you specify when you configure your OAuth settings.

    You can override the account-level attribute mappings for the application. If you update the attribute mappings, the inherited account-level mappings remain available as selections in the list.

    The OIDC claims listed here include all claims from the access token attribute contract, the UserInfo attribute contract for this application, and the claims for any scopes to which this application is permitted.

    The attributes listed are determined by the scopes that you added previously. The sub attribute is required for all applications.

  26. Click Next.
  27. Make the new application available to your users by assigning the groups authorized to use the application.

    Click the + icon for each group that you want to authorize.


    All members of the selected groups can use the application.

  28. Click Done.

The new OIDC application is added to your My Applications list for OIDC. You can edit the application configuration by clicking the Edit icon.

Integrate your OIDC applicationwith PingOne for Enterprise.