Create a new OpenID Connect (OIDC) application, or modify an existing application in PingOne SSO for SaaS Apps.
Before you initially add an OIDC application, you need to configure the access token your account will use for OIDC applications. These are account-level settings that will be inherited at the application level when you add or update an application, as you are doing here.
PingOne SSO for SaaS Apps returns OIDC user attributes in different ways depending on the response_type parameter.
The contents of the ID token depend on whether or not the application also returns an access token:
- For flows that return both an access token and an ID token (such as authorization code flow, or implicit flows where the response_type includes token) the ID token contains the sub and, if requested, email scopes. The userinfo endpoint contains all of the attributes for the requested scopes and attributes configured on the User Info tab for the application, if the openid scope was requested.
- For flows that don't return an access token, the ID token contains all of the attributes for the requested scopes and any attributes configured on the User Info tab for the application, if the openid scope was requested. The userinfo endpoint is inaccessible in this case because no access token is issued.
The access token contains attributes configured at
. See Manage OAuth settings and Configuring your OAuth settings.
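The following is an added example, not PingOne's own code, showing how a relying party might apply the rules above: it picks the attribute source from the response_type and cross-checks the userinfo response against the ID token. It assumes the ID token has already been validated; `collect_attributes`, `issues_access_token` and `fetch_userinfo` are hypothetical names, and the sample claims are constructed.

```python
def issues_access_token(response_type: str) -> bool:
    """True for code flow, or any flow whose response_type lists 'token'."""
    parts = set(response_type.split())
    return "code" in parts or "token" in parts


def collect_attributes(response_type, scope, id_claims, fetch_userinfo):
    """Return (attributes, source) following the rules described above.

    id_claims: claims from an ID token the caller has already validated
        (signature, iss, aud, exp, nonce); validation is out of scope here.
    fetch_userinfo: hypothetical callable that queries the userinfo
        endpoint with the access token and returns the JSON body as a dict.
    """
    if "openid" not in scope.split():
        raise ValueError("openid scope was not requested")
    if "sub" not in id_claims:
        raise ValueError("ID token has no sub claim")

    if not issues_access_token(response_type):
        # No access token, so userinfo is unreachable: the ID token is the
        # only source and carries the attributes for the requested scopes.
        return dict(id_claims), "id_token"

    # Access token issued: the ID token carries sub (and email if requested),
    # and the remaining attributes have to be read from userinfo.
    userinfo = fetch_userinfo()
    # OIDC Core requires the userinfo sub to match the ID token sub exactly;
    # a mismatch means the response describes a different user.
    if userinfo.get("sub") != id_claims["sub"]:
        raise ValueError("userinfo sub does not match ID token sub")
    merged = dict(userinfo)
    merged.update(id_claims)  # assumption: signed ID token wins on conflict
    return merged, "id_token+userinfo"


if __name__ == "__main__":
    # Constructed sample claims, not real PingOne output.
    id_claims = {"sub": "user-123", "email": "ann@example.com"}
    userinfo = {"sub": "user-123", "email": "ann@example.com", "given_name": "Ann"}
    print(collect_attributes("code", "openid profile email", id_claims, lambda: userinfo))
```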
When updating an application, any changes you make to the existing configuration parameters will be reflected in your customer's or partner's connection to the application.
However, if your customer or partner has changed the parameter settings in their PingOne for Enterprise account, their local settings will override your updated configuration.
In other words, configuration updates made by a service provider at the application level will not override configuration updates made at the connection level.