1. Access your Azure AD OIDC discovery document and record the Issuer value from the /.well-known/openid-configuration endpoint.
    For example, if the Azure AD verified domain is “myglobalco.org”, the URL is: https://login.microsoftonline.com/myglobalco.org/v2.0/.well-known/openid-configuration.
  2. Log in to PingFederate as an administrator, and create an SP configuration for Azure AD using the Issuer value from the previous step, as explained in Create an OpenID Connect IdP connection.
  3. Open a new tab and log in as an Azure AD administrator to https://apps.dev.microsoft.com/#/appList.
  4. Add a new app that has a friendly and descriptive name to show on the Azure AD login screen for your application.
  5. Obtain an Application ID and Application Secret from Azure AD, and record them.
  6. In your PingFederate IdP Connection tab, add the Azure Application ID in the Client ID field and the Azure Application Secret in the Client Secret field. See Create an OpenID Connect IdP connection.
  7. To verify browser SSO settings, click Configure Browser SSO.
  8. In the Activation and Summary screen, change your connection status to Active, record the redirect URI, and click Save.
    Tip: To aid initial testing, record the SSO application endpoint.
  9. In the Azure AD administrator app list configuration, select your application from PingFederate, click Add Platform, select type Web, and paste your redirect URI.
  10. Update any other options that you need to change, such as MS Graph Permissions, logo, Terms of Service, or Privacy Statement, and click Save.
    Tip: To obtain group information, choose Advanced Options > Application Manifest and change “groupMembershipClaims” to “All”.
  11. To verify that your OIDC IdP connection is working, go to your SSO Application endpoint from PingFederate.
    You should be redirected to log in with your Azure AD credentials, and you should then be signed on through SSO to your SP adapter if one is configured.
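
A check for step 1, as an added example that is not part of the original procedure or of any PingFederate or Azure AD tooling: it takes the body returned by the discovery URL and returns the Issuer value to record, rejecting documents that would give the IdP connection an unusable issuer. The function name, the same-host rule and the sample document (with an all-zero placeholder tenant ID) are assumptions made for this example.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def issuer_from_discovery(discovery_url: str, body: str) -> str:
    """Return the Issuer value to record; raise ValueError if the document looks wrong."""
    url = urlsplit(discovery_url)
    if url.scheme != "https" or not url.path.endswith(WELL_KNOWN):
        raise ValueError("discovery URL must be https and end with " + WELL_KNOWN)
    doc = json.loads(body)  # malformed JSON raises a ValueError subclass
    if not isinstance(doc, dict):
        raise ValueError("discovery document is not a JSON object")
    issuer = doc.get("issuer")
    if not isinstance(issuer, str) or not issuer:
        raise ValueError("discovery document has no issuer")
    iss = urlsplit(issuer)
    # Assumption: for the v2.0 endpoint the issuer is served from the discovery host.
    if iss.scheme != "https" or iss.hostname != url.hostname:
        raise ValueError("issuer must be https on the same host as the discovery URL")
    if "{" in issuer:
        # A template such as {tenantid} is not a fixed issuer for one tenant.
        raise ValueError("issuer is a template; use a tenant-specific discovery URL")
    for name in REQUIRED_ENDPOINTS:
        value = doc.get(name)
        if not isinstance(value, str) or urlsplit(value).scheme != "https":
            raise ValueError(f"{name} missing or not https")
    return issuer


# Constructed sample document; the all-zero tenant ID is a placeholder, not a real tenant.
TENANT = "00000000-0000-0000-0000-000000000000"
BASE = "https://login.microsoftonline.com/" + TENANT
SAMPLE_URL = "https://login.microsoftonline.com/myglobalco.org/v2.0" + WELL_KNOWN
SAMPLE_BODY = json.dumps({
    "issuer": BASE + "/v2.0",
    "authorization_endpoint": BASE + "/oauth2/v2.0/authorize",
    "token_endpoint": BASE + "/oauth2/v2.0/token",
    "jwks_uri": BASE + "/discovery/v2.0/keys",
})

if __name__ == "__main__":
    print(issuer_from_discovery(SAMPLE_URL, SAMPLE_BODY))
```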