Before you add your first OIDC application, configure the access token that your account uses for OIDC applications. These are account-level settings that are inherited at the application level when you add or update an application, as you are doing here.

PingOne SSO for SaaS Apps returns OIDC user attributes in different ways depending on the response_type parameter.

The contents of the ID token depend on whether or not the application also returns an access token:

  • For flows that return both an access token and an ID token (such as the authorization code flow, or implicit flows where the response_type includes token), the ID token contains the sub claim and, if the email scope was requested, the email claim. If the openid scope was requested, the userinfo endpoint returns all of the attributes for the requested scopes plus the attributes configured on the User Info tab for the application.
  • For flows that don't return an access token, the ID token itself contains all of the attributes for the requested scopes and any attributes configured on the User Info tab for the application, if the openid scope was requested. The userinfo endpoint cannot be called in this case because no access token is issued to present to it.

The access token contains attributes configured at Applications > OAuth Settings > Access Token.

See Manage OAuth settings and Configuring your OAuth settings.

When updating an application, any changes you make to the existing configuration parameters will be reflected in your customer's or partner's connection to the application.

However, if your customer or partner has changed the parameter settings in their PingOne for Enterprise account, their local settings will override your updated configuration.

In other words, configuration updates made by a service provider at the application level will not override configuration updates made at the connection level.

  1. Go to Applications > My Applications > OIDC.
  2. Add a new application or edit an existing application.
    • To create a new application, click Add Application. See Step 3 for new application types.
    • To update an existing application, expand the application and click the Pencil icon. Skip to Step 4.
Application Type
  1. Select the type of application you want to add and click Next:
    • To create an application that is accessed and used within a browser, click Web App.

    • To create an application that is stored locally and run on a desktop or device, click Native App.

    • To create an API-driven front-end application, such as applications using Node.js or Angular, click Single Page App.

    • If you want full control of all available configuration parameters, click Advanced Configuration.

Application Details
  1. In the Application Name field, enter a name for the application.
  2. In the Short Description field, enter a description of the application.
    Customers will be able to see your description.
  3. In the Category list, select a category for the application.
  4. Optional: Click Icon to add an icon for this application.
    The icon file can be up to 1 MB in size. The supported graphics formats are JPG, PNG, and GIF.
  5. Click Next.
Authorization Settings
  1. Optional: To set a custom lifetime for the application's access tokens, click the Override Access Token Lifetime toggle.
    When this control is enabled, a Minutes selector is displayed.
  2. If you enabled the override, enter the access token lifetime in minutes in the Minutes field.

    The valid range is 1 - 60 minutes. The default value is inherited from your account-level OAuth settings. For more information, see Configuring your OAuth settings. A shorter lifetime limits how long a leaked access token remains usable; if the application needs longer sessions, pair a short access token with the Refresh Token grant type rather than extending the access token itself.


  3. Select the grant types allowed for the application.
    Available grant types are determined by the application type. For more information, see OIDC application grant types.
  4. If you selected Refresh Token, configure the token settings:
    1. Click the Override Refresh Idle Lifetime toggle to override the global OAuth setting for the application.
    2. In the Refresh Token Idle Lifetime field, enter the number of minutes that a refresh token can remain unused before it expires.
    3. Click the Override Refresh Token Max Lifetime toggle to override the global OAuth setting for this application.
    4. In the Refresh Token Max Lifetime field, enter the maximum number of minutes that a refresh token can be valid, regardless of how often it is used.
  5. Copy the Client ID, Discovery URL, and Issuer values to use later in integrating the application with PingOne SSO for SaaS Apps.
  6. Optional: For applications that use the Authorization Code grant type, you can click Add Secret to generate up to two client secrets to pair with the client ID.
    Treat each client secret as a credential: store it only where the application's server side can protect it, never in browser or mobile code that users can inspect.
  7. Click Next.
SSO Flow and Authentication Settings
  1. Optional: In the Start SSO URL field, enter the URL to use for SSO to the application.
    This is the URL to which application users are redirected to initiate SSO to PingOne for Enterprise using OIDC.
  2. In the Redirect URI field, enter the URIs to which PingOne SSO for SaaS Apps sends the responses to the application's authorization requests.
    Tip: Click Add URL to define multiple redirect URIs.
    Register only URIs that the application actually handles, because the authorization code or tokens are delivered to whichever registered URI the authorization request names.
  3. Optional: In the Logout URI field, enter the URI to which PingOne for Enterprise sends a user for single logout (SLO).
  4. Click Next.
Default User Profile Attribute Contract
  1. Click Add Attribute to configure attributes returned by the UserInfo endpoint for this application when the openid scope is included in the authorization request.
    1. In the Attribute Name field, enter a name for the attribute.
    2. Select the Required check box to make the attribute mapping mandatory whenever a UserInfo request is made for this application.

    The sub (Subject) attribute is required for all UserInfo requests.

    The idpid attribute is used by PingOne for Enterprise to identify the identity provider (IdP), and is included in the attribute contract by default.

  2. Click Next.
Connect Scopes
  1. Click the + icon to add scopes to the allowed list, or click the - icon to remove them.
    These OAuth user scopes are the user resources to which the application will request access. The openid scope is expected to always be included in the authorization request.
  2. Click Save.
The new OIDC application is added to your My Applications list for OIDC. You can edit the application configuration as needed by expanding the application and clicking the Pencil icon. Refer to this documentation when updating configuration values.
Integrate the application with PingOne SSO for SaaS Apps. See Integrating an OIDC application for instructions.
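The token behavior described at the top of this page (which claims land in the ID token versus the userinfo endpoint, depending on whether an access token was issued) and the Issuer and Client ID values copied in the Authorization Settings step are what a relying party must check before trusting a login. The following is an added example, not PingOne documentation or PingOne code, showing those checks in Python with only the standard library. It assumes, for the sake of an offline demonstration, that the ID token is an HS256-signed JWS keyed with the client secret; PingOne's real tokens should be verified against the JWKS published at the Discovery URL, so replace verify_hs256 with that check in a production client. The issuer, client ID, secret, nonce, and token below are all constructed sample values.

```python
"""
Added example (not from the PingOne documentation): validate an OIDC ID token
and decide whether a UserInfo call is needed, following the rule on this page.

Assumption (not from the page): the token is HS256-signed with the client secret
so it can be checked offline with the standard library. Real PingOne tokens must
be verified against the JWKS from the Discovery URL instead. All values are
constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Set

# Values copied from the application's Authorization Settings page (constructed here).
ISSUER = "https://sso.connect.pingidentity.com"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_hs256(token: str, secret: str) -> dict:
    """Check the JWS signature and return the claims. Rejects anything not HS256."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token is not a three-part compact JWS")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm you expect; never let the token's header pick it (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode()
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def validate_id_token(claims: dict, nonce: str, now: Optional[float] = None) -> dict:
    """Apply the OIDC Core ID token checks: iss, aud/azp, exp, nonce, sub."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud_list:
        raise ValueError("token not issued for this client")
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences without matching azp")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        raise ValueError("sub claim missing")
    return claims


def needs_userinfo(claims: dict, wanted: Set[str], access_token: Optional[str]) -> bool:
    """
    The page's rule: when an access token was issued (code flow, or implicit with
    'token' in response_type) the ID token carries only sub and possibly email, and
    the remaining attributes come from UserInfo. Without an access token the ID
    token is the only source, so missing attributes cannot be fetched at all.
    """
    missing = wanted - set(claims)
    if not missing:
        return False
    if access_token is None:
        raise ValueError("no access token; cannot fetch missing claims %s" % sorted(missing))
    return True


def make_test_token(claims: dict, secret: str) -> str:
    """Constructed sample token for the demo; a real token comes from PingOne."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), ("%s.%s" % (header, payload)).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, b64url_encode(sig))


if __name__ == "__main__":
    nonce = "n-0S6_WzA2Mj"  # the nonce the client put in its authorization request
    token = make_test_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123",
                             "exp": int(time.time()) + 300, "nonce": nonce}, CLIENT_SECRET)
    claims = validate_id_token(verify_hs256(token, CLIENT_SECRET), nonce)
    print("ID token accepted for", claims["sub"])
    print("call UserInfo:", needs_userinfo(claims, {"sub", "email", "given_name"}, "sample-access-token"))
```

The order matters: the signature is checked before any claim is read, the algorithm is pinned rather than taken from the token, and the nonce is compared against the value the client generated for this login so a captured ID token cannot be replayed into a different session. needs_userinfo encodes the page's rule directly: if the attributes the application needs are not in the ID token and no access token was returned, the flow was configured with the wrong response_type and the only fix is to request them through the ID token (no access token) or switch to a flow that issues one.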