Create a new OpenID Connect (OIDC) application or modify an
existing application in PingOne for Enterprise.
Before you add an OIDC application, you must configure the access token that your
account will use for OIDC applications. These account-level settings are inherited
at the application level when you add or update an application.
Note:
Account-level OAuth settings apply only to your managed applications, not to
applications supplied by a service provider (SP).
PingOne for Enterprise returns OIDC user attributes in different ways depending on the
response_type parameter. What the ID token contains depends on whether the flow
also returns an access token:
- For flows that return both an access token and an ID token (the authorization
code flow, or implicit flows where the response_type includes token), the ID
token contains the sub claim and, if the email scope was requested, the email
claim. The userinfo endpoint returns all of the attributes for the requested
scopes and the attributes configured on the User Info tab for the application,
provided the openid scope was requested.
- For flows that don't return an access token (for example,
response_type=id_token), the ID token contains all of the attributes for the
requested scopes and any attributes configured on the User Info tab for the
application, if the openid scope was requested. The userinfo endpoint is
inaccessible in this case because no access token is issued.
The access token contains attributes configured at .
For more information, see Configuring your OAuth settings.
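The following is an added example, not PingOne documentation or product code, of how a relying party should treat the token response described above: verify the ID token's signature, issuer, audience, expiry and nonce before trusting any claim in it, and then decide whether the remaining attributes must be fetched from the userinfo endpoint (only possible when an access token was returned). To run offline the token is HS256-signed with a constructed secret; a real PingOne for Enterprise ID token is RS256-signed and must be verified against the JWKS referenced by the application's Discovery URL. ISSUER and CLIENT_ID are placeholders, not real PingOne identifiers.

```python
"""Added example: validate an OIDC ID token and decide whether userinfo applies.

Constructed for this offline demo (not production values):
  - DEMO_SECRET / HS256 stand in for PingOne's RS256 signature and JWKS.
  - ISSUER and CLIENT_ID are placeholders; copy the real Issuer from the
    application summary page and use your application's Client ID.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://sso.example.invalid/idp"          # constructed placeholder
CLIENT_ID = "example-client-id"                    # constructed placeholder
DEMO_SECRET = b"constructed-demo-key-not-for-production"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_id_token(claims: dict) -> str:
    """Build an HS256 JWT for the demo only. A relying party never signs ID
    tokens; this stands in for the identity provider so the example runs."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(DEMO_SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Verify signature, iss, aud, exp and nonce; return the claims.
    Raises ValueError on any failure so a caller cannot use claims from a
    token that failed a check."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm you expect; never accept alg=none or an attacker-chosen alg.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(DEMO_SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")          # replay protection
    if "sub" not in claims:
        raise ValueError("sub claim missing")       # sub is mandatory in every ID token
    return claims


def handle_token_response(response: dict, expected_nonce: str, now=None) -> dict:
    """Validate the ID token and report where the user's attributes live."""
    claims = validate_id_token(response["id_token"], expected_nonce, now)
    has_access_token = "access_token" in response
    return {
        "sub": claims["sub"],
        "id_token_claims": sorted(
            k for k in claims if k not in ("iss", "aud", "exp", "iat", "nonce")
        ),
        # With an access token (code flow, or implicit with token in response_type)
        # the full attribute set is served by userinfo; without one, everything
        # the application will get is already in the ID token.
        "userinfo_available": has_access_token,
    }
```

Note that userinfo_available is derived from the presence of access_token in the token response, which is exactly the distinction the two bullets above draw; the email claim only appears in the ID token when the email scope was requested.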
Note:
When you add an OIDC application, you must have access to the necessary
configuration information for the application. For applications supplied by an
SP, the SP will direct you to this information.
- Go to .
- Add a new application or edit an existing application.
  - To create a new application, click Add Application. See Step 3 for new application types.
  - To update an existing application, expand the application and click the Pencil icon. Skip to step 4.
Application Type
- Select the type of application that you want to add and click Next:
  - To create an application that is accessed and used within a browser, click Web App.
  - To create an application that is stored locally and run on a desktop or device, click Native App.
  - To create an API-driven front-end application, such as applications using Node.js or Angular, click Single Page App.
  - If you want full control of all available configuration parameters, click Advanced Configuration.
Application Details
- In the Application Name field, enter an application name.
- In the Short Description field, enter an application description.
- In the Category list, select a category to assign the application to.
- Optional:
To add an icon for the application, click the Image icon and upload an icon image.
The icon file can be up to 1 MB in size. The supported graphics formats are JPEG/JPG, PNG and GIF.
- Click Next.
Authorization Settings
- Optional:
To enable or disable a custom validity period for the application's access tokens, click the Override Access Token Lifetime toggle.
- Optional:
If you enabled the override, enter the access token lifetime, in minutes, in the Minutes field.
The valid range is 1 - 60 minutes. The default value is inherited from your account-level OAuth settings. For more information, see Configuring your OAuth settings.
- Select the allowed grant types for the application.
- Optional:
If you selected Refresh Token, configure the token settings:
  - Click the Override Refresh Idle Lifetime toggle to override the global OAuth setting for the application.
  - In the Refresh Token Idle Lifetime field, enter the number of minutes that a refresh token can go unused before it expires.
  - Click the Override Refresh Token Max Lifetime toggle to override the global OAuth setting for this application.
  - In the Refresh Token Max Lifetime field, enter the maximum number of minutes that a refresh token remains valid, regardless of how often it is used.
- Optional:
For Web Apps and Advanced Configuration applications, click Add Secret to add a client secret to pair with the application's Client ID.
If you want to rotate a client secret, generate a second secret before deleting the first, so that the application can be switched to the new secret without an outage.
Tip:
For greater security with Web App applications, you can use PKCE (Proof Key for Code Exchange) in your authorization and token requests. In this case, a client secret is not used. For more information, see OAuth 2.0 RFC 7636.
- Copy the Discovery URL, Issuer, and IDPID values to use later when integrating the application with PingOne for Enterprise.
This information is also displayed on the summary page for the application after you've added it to PingOne for Enterprise. For more information, see Integrating an OIDC application.
- Click Next.
SSO Flow and Authentication Settings
- In the Start SSO URL field, enter the URL to use for SSO to the application.
This is the URL to which application users are redirected to initiate SSO to PingOne for Enterprise using OIDC.
- In the Redirect URIs field, enter the URIs to which PingOne for Enterprise sends responses to the application's authorization requests. Enter each URI exactly as the application will send it in the redirect_uri parameter of its authorization requests.
Tip:
Click Add URL to define multiple redirect URIs.
- Optional:
In the Logout URI field, enter the URI to which PingOne for Enterprise sends a user for single logout (SLO).
- Optional:
Select the authentication requirements.

Authentication Method | Description
---|---
Force authentication | If selected, users who already have a current, active SSO session are re-authenticated by the identity repository before a connection to this application is established.
Force multi-factor authentication | If selected, users must complete multi-factor authentication (MFA), as defined by your authentication policy, each time they access the application. You need an authentication policy in place to use this setting. See Create or update an authentication policy for more information.

- Click Next.
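The following is an added example (not PingOne's code) that ties together the PKCE tip from the Authorization Settings step and the Redirect URIs step above: the application generates a code_verifier and S256 code_challenge, builds the authorization request with the registered redirect_uri, and the authorization server applies the two checks that make this safe, an exact match of redirect_uri against the registered list, and recomputation of the challenge from the code_verifier presented at the token endpoint. AUTHORIZE_URL, CLIENT_ID and the registered redirect URI are constructed placeholders; in a real integration the endpoint comes from the Discovery URL document and the redirect URIs are the ones you entered for the application.

```python
"""Added example: PKCE authorization request plus the authorization server's
checks. All URLs and identifiers below are constructed placeholders."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://sso.example.invalid/as/authorization.oauth2"   # constructed
CLIENT_ID = "example-client-id"                                         # constructed
REGISTERED_REDIRECT_URIS = {"https://app.example.invalid/oidc/callback"}  # constructed


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    # RFC 7636 section 4.1: 43-128 unreserved characters; 32 random bytes give 43.
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    # RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(redirect_uri: str, scopes, verifier: str,
                                state: str, nonce: str) -> str:
    """Client side: the URL the user is sent to. No client secret is involved;
    the code_challenge binds the later token request to this client."""
    if "openid" not in scopes:
        raise ValueError("an OIDC authorization request must include the openid scope")
    params = {
        "response_type": "code",   # code flow: tokens are returned by the token endpoint
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,            # CSRF protection for the redirect back
        "nonce": nonce,            # echoed in the ID token; checked by the client
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def as_accepts_redirect_uri(request_url: str) -> bool:
    """Authorization server side: redirect_uri must exactly equal a registered
    URI. Prefix or pattern matching would let an attacker receive the code."""
    q = parse_qs(urlsplit(request_url).query)
    return q.get("redirect_uri", [None])[0] in REGISTERED_REDIRECT_URIS


def as_verifies_code_verifier(request_url: str, presented_verifier: str) -> bool:
    """Authorization server side, at the token endpoint: recompute the challenge
    from the code_verifier sent with the authorization code and compare it with
    the code_challenge stored from the authorization request."""
    q = parse_qs(urlsplit(request_url).query)
    if q.get("code_challenge_method", [None])[0] != "S256":
        return False               # plain is not accepted in this example
    stored = q["code_challenge"][0]
    return hmac.compare_digest(stored, code_challenge_s256(presented_verifier))


if __name__ == "__main__":
    verifier = new_code_verifier()
    url = build_authorization_request("https://app.example.invalid/oidc/callback",
                                      ["openid", "email"], verifier,
                                      secrets.token_urlsafe(16), secrets.token_urlsafe(16))
    print(url)
    print("redirect_uri accepted:", as_accepts_redirect_uri(url))
    print("code_verifier accepted:", as_verifies_code_verifier(url, verifier))
```

The code_verifier is kept only in the application's session and is sent once, to the token endpoint together with the authorization code; an attacker who intercepts the code alone cannot redeem it because they cannot produce a verifier that hashes to the stored challenge.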
Default User Profile Attribute Contract
- To add attributes to the Default User Profile Attribute Contract, click Add Attribute and enter an attribute in the Attribute Name field. Select the Required check box to make the attribute required.
The default user profile attribute contract is the user profile returned by the userinfo endpoint for this application when the openid scope is included in the authentication request.
The sub (subject) attribute is required for all UserInfo requests.
PingOne for Enterprise uses the idpid attribute to identify the identity provider (IdP); it is included in the attribute contract by default.
If the application you're adding is a managed application, you can remove the idpid attribute from the contract, because for managed applications PingOne for Enterprise already has the idpid value for your account.
- Click Next.
Connect Scopes
- Click the + icon to add scopes to the allowed list, or click the - icon to remove them.
These OAuth user scopes are the user resources to which the application will request access. The openid scope is expected to always be included in the authorization request.
- Click Next.
Attribute Mapping
- Map identity repository attributes to the claims requested by the application. For each IdP attribute, enter or select the target attribute from the list.
Click Advanced to display the advanced attribute mapping mode. For more information, see Assign advanced attribute mappings.
Note:
This is a mapping of your identity repository attributes to the OIDC scope claims available to the application. By default, the attribute mapping inherits the account-level attribute mapping that you specify when you configure your OAuth settings.
You can override the account-level attribute mappings for the application. If you update the attribute mappings, the inherited account-level mappings remain available as selections in the list.
The OIDC claims listed here include all claims from the access token attribute contract, the UserInfo attribute contract for this application, and the claims for any scopes that this application is permitted to request.
The attributes listed are determined by the scopes that you added previously. The sub attribute is required for all applications.
- Click Next.
Group Access
- Make the new application available to your users by assigning the groups authorized to use the application. Click the + icon for each group that you want to authorize.
Note:
All members of the selected groups can use the application.
- Click Done.
The new OIDC application is added to your My Applications list for OIDC. You can edit the application configuration by clicking the Edit icon.