• If you want to use OpenID Connect (OIDC), you must configure an OIDC client in PingFederate .
  • If you want to use SAML, you must configure a SAML service provider (SP) in PingFederate.
  1. In your PingOne tenant, go to Connections > External IdPs and click Add Provider.
  2. Go to Add a Social or Custom Identity Provider > Select an Identity Provider from the Options Below > Custom and click either:
    • OpenID Connect
    • SAML
    Screen capture of the Add a Social or Custom Identity Provider window showing OpenID Connect and SAML options near the bottom.
  3. If you clicked OpenID Connect:
    1. In the Create Profile window, in the Name field, specify a name for the IdP (used only in the PingOne console) and click Continue.
    2. In the Connection Details section, in the Client ID and Client Secret fields, enter the client ID and client secret from the external IdP.
      Note:

      This must be an auth-code client.


      Screen capture of the Configure OpenID Connect Connection window showing the required Client ID and Client Secret fields.
    3. In the Discovery Details section, you can provide the OpenID well-known endpoint in the Discovery Document section to pre-populate all values.
      If the OpenID well-known endpoint isn't available, you must manually enter all the required values.
      Screen capture of the Discovery Details sections showing the required Authorization Endpoint, Token Endpoint, JWKS Endpoint and Issuer fields.
    4. Click Save and Continue.
    5. In the Map Attributes window, map incoming values as needed, and then click Save and Finish.

      Screen capture of the Map Attributes window showing the PingOne User Profile Attribute, OIDC Attribute and Update Condition fields.
  4. If you clicked SAML:
    1. In the Create Profile window, in the Name field, specify a name for the IdP (used only in the PingFederate console) and click Continue.
    2. In the Configure PingOne Connection section, choose the signing certificate for SP-initiated SAML authentication requests and click Continue.
      Screen capture of the Configure PingOne Connection window.
    3. In the Configure IDP Connection window, import data or provide the values, and then click Save and Continue.
    4. In the Map Attributes window, map incoming values as needed, and then click Save and Finish.
      Screen capture of the Map Attributes window showing the PingOne User Profile Attribute, OIDC Attribute and Update Condition fields.
  5. Optional: To support just-in-time (JIT) creation, edit the newly created external IdP:

    If a user who doesn't exist in PingOne is redirected from the external IdP, PingOne can perform a JIT creation of an account for that user in PingOne.

    1. Click Registration.
    2. In the Population list, select the population into which new users should be JIT provisioned.
    3. Click Save.
  6. Enable the external IdP you created.