- In PingFederate, go to and click Create Connection.
- On the Connection Type tab, select Browser SSO.
- In the Protocol list, select OpenID Connect.
- Click Next.
- On the Connection Options tab, click Next.
On the General Info tab, enter the following
In the Issuer field, enter
click Load Metadata.
When you click Load Metadata, the Issuer field is updated with a metadata URL. Replace the <tenant> placeholder at the end of the URL with your Microsoft Tenant ID and add /v2.0 to the end of the URL. You can find your Tenant ID in your Microsoft Azure account.
- Select the Enable Additional Issuers check box.
- In the Connection Name field, enter a plain-language identifier for the connection, for example a company or
This name is displayed in the connection list in the administration console.
- In the Client ID field, enter the Application (client) ID value found in the App registrations menu in Azure AD.
- Click Next.
- In the Issuer field, enter https://login.microsoftonline.com/common and click Load Metadata.
- On the Additional issuers tab, select the Accept All issuers (Not Recommended) check box and click Save.
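The "common" metadata endpoint used above publishes an issuer template rather than a single issuer, which is why the page first has you replace the tenant placeholder with your own Tenant ID and append /v2.0, and why "Accept All issuers" is marked not recommended: an ID token from any Azure AD tenant carries a syntactically valid issuer. The following added example (not code from Ping Identity or Microsoft) shows the check a relying party performs instead: build an explicit allow-list of tenant-specific v2.0 issuers and accept an ID token only when its iss claim is on that list and agrees with its tid claim. The tenant IDs and tokens are constructed placeholders, and signature verification is left out because PingFederate performs it separately against the provider's JWKS.

```python
import base64
import json

# Issuer template published by Azure AD "common" v2.0 metadata. As the page
# notes, the tenant placeholder is replaced by a Tenant ID and /v2.0 appended.
AZURE_V2_ISSUER = "https://login.microsoftonline.com/{tenant_id}/v2.0"


def issuer_for_tenant(tenant_id: str) -> str:
    """Build the tenant-specific v2.0 issuer string for one Azure AD tenant."""
    return AZURE_V2_ISSUER.format(tenant_id=tenant_id)


def allowed_issuers(tenant_ids) -> frozenset:
    """Explicit issuer allow-list; this is what replaces 'Accept All issuers'."""
    return frozenset(issuer_for_tenant(t) for t in tenant_ids)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact-serialised JWT.

    Signature verification is deliberately not done here: PingFederate checks
    the signature against the provider's JWKS before any claim is trusted.
    This helper only illustrates the issuer check that follows that step.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_issuer(id_token: str, allowed: frozenset) -> bool:
    """Accept the token only if iss is allow-listed and consistent with tid."""
    claims = id_token_claims(id_token)
    iss = claims.get("iss")
    tid = claims.get("tid")
    if iss not in allowed:
        return False
    # The tid claim must name the same tenant that appears in iss.
    return tid is not None and iss == issuer_for_tenant(tid)


def _make_test_token(claims: dict) -> str:
    """Constructed test token with an empty signature segment (offline demo only)."""
    header = base64.urlsafe_b64encode(
        json.dumps({"alg": "RS256", "typ": "JWT"}).encode()).rstrip(b"=")
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
    return f"{header.decode()}.{payload.decode()}."


# Constructed tenant IDs; placeholders, not real tenants.
OUR_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"
ALLOWED = allowed_issuers([OUR_TENANT])

GOOD_TOKEN = _make_test_token(
    {"iss": issuer_for_tenant(OUR_TENANT), "tid": OUR_TENANT, "sub": "user-a"})
FOREIGN_TOKEN = _make_test_token(
    {"iss": issuer_for_tenant(OTHER_TENANT), "tid": OTHER_TENANT, "sub": "user-b"})
MISMATCH_TOKEN = _make_test_token(
    {"iss": issuer_for_tenant(OUR_TENANT), "tid": OTHER_TENANT, "sub": "user-c"})

if __name__ == "__main__":
    for name, tok in [("own tenant", GOOD_TOKEN),
                      ("foreign tenant", FOREIGN_TOKEN),
                      ("iss/tid mismatch", MISMATCH_TOKEN)]:
        verdict = "accept" if check_issuer(tok, ALLOWED) else "reject"
        print(f"{name}: {verdict}")
```

In PingFederate terms, the allow-list corresponds to the tenant-specific issuer you enter on the General Info tab plus any further tenants you list under Additional issuers; the foreign-tenant token above is exactly what "Accept All issuers" would let through.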
- On the Browser SSO tab, click Configure
- On the User-Session Creation tab, click Configure User-Session Creation
- On the Identity Mapping tab, choose one of the following:
- Click Account Mapping if you plan to pass end-user claims to the target application through a service provider (SP) adapter instance, or an authentication policy contract if your PingFederate server is a federation hub that bridges an OpenID provider to an SP.
- Click Account Linking if your target application requires account linking.
- Click No Mapping if you plan to pass end-user claims to the target application through an authentication policy contract in an SP authentication policy.
- Delete the attributes that are unnecessary to your application in the Attribute Contract menu generated by the issuer metadata in Step 5. You are likely to encounter attribute-related errors when testing your connection. If this occurs, review the server.log file to see what attributes or claims are sent to Azure and delete the unnecessary attributes from your attribute contract.
- On the Target Session Mapping menu, click Map New Adapter Instance to map end-user claims to the target application through an SP adapter instance or an authentication policy. For more information, see Managing target session mappings.
- On the Summary tab, review the User Session Creation settings and click Save.
- On the Protocol Settings tab, click Configure Protocol Settings.
- On the OpenID Provider Info tab, enter the following
User Info Endpoint
- When you have finished configuring the identity provider (IdP) connection, copy the Redirect URI from the Activation & Summary tab and add it to your V2 application.
- In your Azure account, go to App registrations.
- Click the application you want to connect.
- Click .
- Paste the redirect URI into the Enter the redirect URI of the application field.
- Select both the Access Tokens and ID Tokens check boxes.
- Click Configure.
Page created: 27 Dec 2019 | Page updated: 16 Feb 2022