Create a new
Before you add an OIDC application, you must configure the access token that your account will use for OIDC applications. These account-level settings are inherited at the application level when you add or update an application.
Account-level OAuth settings apply only to your managed applications, not to
applications supplied by a
PingOne for Enterprise returns OIDC user attributes in different ways depending on the response_type parameter.
The contents of the ID token depend on whether or not the application also returns an access token:
- For flows that return both an access token and an ID token (such as
authorization code flow, or implicit flows where the
response_type includes token) the ID
token contains the
suband, if requested,
userinfoendpoint contains all of the attributes for the requested scopes and attributes configured on the User Info tab for the application, if the
openidscope was requested.
- For flows that don't return an access token, the ID token contains all of the
attributes for the requested scopes and any attributes configured on the
User Info tab for the application, if the
openidscope was requested. The
userinfoendpoint is inaccessible in this case because no access token is issued.
The access token contains attributes configured at.
For more information, see Configuring your OAuth settings.
When you add an OIDC application, you must have access to the necessary configuration information for the application. For applications supplied by an SP, the SP will direct you to this information.
- Go to .
Add a new application or edit an existing application.
- To create a new application, click Add Application. See Step 3 for new application types.
- To update an existing application, expand the application and click the Pencil icon. Skip to step 4.
Select the type of application that you want to add and click
- To create an application that is accessed and used within a browser, clickWeb App.
- To create an application that is stored locally and run on a desktop or device, click Native App.
- To create an API-driven front-end application, such as applications using Node.js or Angular, click Single Page App.
- If you want full control of all available configuration parameters, click Advanced Configuration.
- In the Application Name field, enter an application name.
- In the Short Description field, enter an application description.
- In the Category list, select a category to assign the application to.
To add an icon for the application, click the Image icon
and upload an icon image.
The icon file can be up to 1 Mb in size. The supported graphics formats are JPEG/JPG, PNG and GIF.
- Click Next.
- Optional: To enable or disable a custom valid duration for the application access token, click the Override Access Token Lifetime toggle.
If you enabled the override, enter the number of minutes access token lifetime
in the Minutes field.
The valid range is 1 - 60 minutes. The default value is inherited from your account-level OAuth settings. For more information, see Configuring your OAuth settings.
Select the allowed grant types for the application.
Available grant types are determined by the application type. For more information, see OIDC application grant types.
If you selected Refresh Token, configure the token
- Click the Override Refresh Idle Lifetime toggle to override the global OAuth setting for the application.
- In the Refresh Token Idle Lifetime field, enter the number of minutes that a refresh token can be idle before being used again.
- Click the Override Refresh Token Max Lifetime toggle to override the global OAuth setting for this application.
- In the Refresh Token Max Lifetime field, enter the maximum number of minutes that a refresh token can be valid.
For Web Apps and Advanced Configuration applications, click Add
Secret to add a secret to pair with the application
If you want to change a client secret, you must generate a second secret before deleting the first.Tip:
For greater security with Web App applications, you can use PKCE in your authorization and token request. In this case, a client secret is not used. For more information, see OAuth 2.0 RFC 7636.
Copy the Discovery URL, Issuer,
and IDPID values to use later in integrating the
application with PingOne for Enterprise.
This information also displays on the summary page for the application after you've added the application to PingOne for Enterprise.
For more information, see Integrating an OIDC application.
- Click Next.
In the Start SSO URL field, enter the URL to use for SSO
to the application.
This is the URL to which application users will redirect to initiate SSO to PingOne for Enterprise using OIDC.
In the Redirect URIs field, enter URIs forPingOne for Enterprise to send responses to for the application's
Click Add URL to define multiple redirect URIs.
- Optional: In the Logout URI field, enter the URI to which PingOne for Enterprise sends a user for single logout (SLO).
Select the authentication requirements.
Option Description Authentication Method Description
If selected, to establish a connection to this application, users having a current, active SSO session will be re-authenticated by the identity repository.
Force multi-factor authentication
If selected, users are required to use multi-factor authentication (MFA) as defined by your authentication policy each time they access the application.
You'll need to have an authentication policy in place to use this setting. See Create or update an authentication policy for more information.
- Click Next.
To add attributes to the Default User Profile
Attribute Contract, click Add Attribute
and enter an attribute in the Attribute Name field.
Select the Required check box to make the attribute required.
The default user profile attribute contract is the user profile returned by the
userinfoendpoint for this application when the openid scope is included in the authentication request.
subattribute is required for all UserInfo requests.
PingOne for Enterprise uses the idpid attribute to identify the identity provider (IdP) and is included in the attribute contract by default.
If the application you're adding is a managed application, you can remove the
idpidattribute from the contract. For managed applications,PingOne for Enterprise already has the
idpidvalue for your account.
- Click Next.
Click the +icon to add scopes to the allowed list, or
click the - icon to remove them.
These OAuth user scopes are the user resources to which the application will request access. The
openidscope is expected to always be included in the authorization request.
- Click Next.
Map identity repository attributes to claims made by the application.
For each IdP attribute, enter or select the target attribute from the list.
Click Advanced to display the advanced attribute mapping mode. For more information, see Assign advanced attribute mappings.Note:
This is a mapping of your identity repository attributes to the OIDC scope claims available to the application. By default, the attribute mapping inherits the account-level attribute mapping that you specify when you configure your OAuth settings.
You can override the account-level attribute mappings for the application. If you update the attribute mappings, the inherited account-level mappings remain available as selections in the list.
The OIDC claims listed here include all claims from the access token attribute contract, the
UserInfoattribute contract for this application, and the claims for any scopes to which this application is permitted.
The attributes listed are determined by the scopes that you added previously. The
subattribute is required for all applications.
- Click Next.
Make the new application available to your users by assigning the groups
authorized to use the application.
Click the + icon for each group that you want to authorize.Note:
All members of the selected groups can use the application.
- Click Done.
The new OIDC application is added to your My Applications list for OIDC. You can edit the application configuration by clicking the Edit icon.
Integrate your OIDC applicationwith PingOne for Enterprise.