Creating an OpenID Connect IdP connection in PingFederate
Steps
- In PingFederate, go to Authentication → Integration → IdP Connections and click Create Connection.
- On the Connection Type tab, select Browser SSO.
- In the Protocol list, select OpenID Connect.
- Click Next.
- On the Connection Options tab, click Next.
- On the General Info tab, enter the following values:
  - In the Issuer field, enter https://login.microsoftonline.com/common and click Load Metadata.
    Result: the Issuer field is updated with the issuer URL taken from the loaded metadata, which ends in a <tenant> placeholder.
  - Replace the <tenant> placeholder at the end of the URL with your Microsoft Tenant ID and add /v2.0 to the end of the URL. You can find your Tenant ID at Azure Active Directory → Overview in your Microsoft Azure account.
  - Select the Enable Additional Issuers check box.
  - In the Connection Name field, enter a plain-language identifier for the connection, for example a company or department name.
    This name is displayed in the connection list in the administration console.
  - In the Client ID field, enter the Application (client) ID value found in the App registrations menu in Azure AD.
- Click Next.
- On the Additional issuers tab, select the Accept All issuers (Not Recommended) check box and click Save.
  With this setting, PingFederate accepts an ID token from any issuer whose signature verifies against the JWKS URL configured later in this procedure. The common JWKS endpoint publishes the signing keys used for every Azure AD tenant and for personal Microsoft accounts, so any Microsoft account that can sign in to your app registration is accepted by this connection. Limit who can sign in through the app registration's Supported account types setting, or check the tid claim in your authentication policy, rather than relying on issuer validation.
- On the Browser SSO tab, click Configure Browser SSO.
- On the User-Session Creation tab, click Configure User-Session Creation.
- On the Identity Mapping tab, choose one of the following options:
  - Click Account Mapping if you plan to pass end-user claims to the target application through a service provider (SP) adapter instance, or through an authentication policy contract if your PingFederate server is a federation hub that bridges an OpenID provider to an SP.
  - Click Account Linking if your target application requires account linking.
  - Click No Mapping if you plan to pass end-user claims to the target application through an authentication policy contract in an SP authentication policy.
- On the Attribute Contract tab, delete the attributes that your application does not need from the contract that was generated from the issuer metadata you loaded on the General Info tab.
  Troubleshooting: you are likely to encounter attribute-related errors when testing the connection. If this happens, review the server.log file to see which claims Azure actually returned, and delete from your attribute contract the attributes that Azure does not supply.
- Optional: On the Target Session Mapping tab, click Map New Adapter Instance to map end-user claims to the target application through an SP adapter instance or an authentication policy contract.
  For more information, see Managing target session mappings.
- On the Summary tab, review the User Session Creation settings and click Save.
- On the Protocol Settings tab, click Configure Protocol Settings.
- On the OpenID Provider Info tab, enter the following values:
  Authorization Endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
  Token Endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/token
  User Info Endpoint: https://graph.microsoft.com/oidc/userinfo
  JWKS URL: https://login.microsoftonline.com/common/discovery/v2.0/keys
- When you have finished configuring the identity provider (IdP) connection, copy the Redirect URI from the Activation & Summary tab and add it to your Azure app registration. Register it exactly as PingFederate shows it, because Azure compares redirect URIs by exact match.
  - In your Azure account, go to App registrations.
  - Click the application you want to connect.
  - Click Authentication → Add a platform → Web.
  - Paste the redirect URI into the Enter the redirect URI of the application field.
  - Under Implicit grant and hybrid flows, select both the Access tokens and ID tokens check boxes.
  - Click Configure.
Result
Because Accept All issuers is selected, you can now authenticate users with Microsoft accounts that are not in your Azure AD tenant, including personal Microsoft accounts.
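The two issuer-related decisions in the steps above (filling the tenant placeholder that Load Metadata leaves in the Issuer field, and selecting Accept All issuers) are easy to get wrong, so the following Python script models them as an added example. It is not PingFederate or Microsoft code. The metadata excerpt is constructed (it mirrors the shape of the common endpoint's discovery document, whose issuer contains a {tenantid} placeholder; the page writes it as <tenant>), the client and tenant IDs are placeholders, and the consumer tenant GUID is the value Microsoft documents for personal Microsoft accounts. The checks apply to an ID token's claims after its signature has already been verified against the JWKS URL; they do not verify signatures.

```python
"""Issuer checks for an Azure AD OpenID Connect IdP connection (added example).

Shows (1) filling the tenant placeholder in the issuer from the common
metadata, and (2) the difference between trusting an explicit list of
tenant issuers and the console's "Accept All issuers" option. Run these
checks only on an ID token whose signature already verified against the
JWKS URL; nothing here checks signatures.
"""
import re
import time

# Constructed excerpt of the discovery document behind the common endpoint.
# Only the fields this example uses are included. The common endpoint is
# shared by every tenant, so the issuer is a template, not a single value.
COMMON_METADATA = {
    "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
}

# Tenant ID Microsoft documents for personal (consumer) Microsoft accounts.
CONSUMER_TENANT = "9188040d-6c67-4c5b-b112-36a304b66dad"

# v2.0 issuers look like https://login.microsoftonline.com/<tenant GUID>/v2.0
ISSUER_RE = re.compile(
    r"^https://login\.microsoftonline\.com/"
    r"([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})/v2\.0$"
)


def tenant_issuer(metadata, tenant_id):
    """Fill the tenant placeholder, as the manual edit on the General Info tab does."""
    template = metadata["issuer"]
    if "{tenantid}" not in template:
        raise ValueError("issuer has no tenant placeholder: " + template)
    return template.replace("{tenantid}", tenant_id)


def check_id_token_claims(claims, client_id, allowed_tenants=(), accept_all_issuers=False, now=None):
    """Return (accepted, reason) for the claims of a signature-verified ID token.

    allowed_tenants: tenant IDs whose issuers this connection trusts.
    accept_all_issuers: mirrors the console check box; any Microsoft tenant passes.
    """
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("aud") != client_id:
        return False, "aud is not this connection's client ID"
    match = ISSUER_RE.match(claims.get("iss", ""))
    if not match:
        return False, "iss is not a Microsoft identity platform v2.0 issuer"
    issuer_tenant = match.group(1)
    # The tid claim must agree with the tenant embedded in iss.
    if claims.get("tid") != issuer_tenant:
        return False, "tid claim does not match the tenant in iss"
    if accept_all_issuers:
        return True, "accepted: any tenant (Accept All issuers)"
    if issuer_tenant in allowed_tenants:
        return True, "accepted: allow-listed tenant " + issuer_tenant
    return False, "tenant " + issuer_tenant + " is not allow-listed"


def make_claims(tenant_id, client_id, subject, now):
    """Build constructed ID token claims for demonstration (not a real token)."""
    return {
        "iss": tenant_issuer(COMMON_METADATA, tenant_id),
        "aud": client_id,
        "sub": subject,
        "tid": tenant_id,
        "iat": now,
        "exp": now + 3600,
    }


if __name__ == "__main__":
    client_id = "00000000-0000-0000-0000-00000000abcd"  # placeholder client ID
    my_tenant = "11111111-2222-3333-4444-555555555555"  # placeholder tenant ID
    now = 1_700_000_000
    work = make_claims(my_tenant, client_id, "user-1", now)
    consumer = make_claims(CONSUMER_TENANT, client_id, "user-2", now)
    for label, claims in (("work", work), ("consumer", consumer)):
        print(label, "allow-list:", check_id_token_claims(claims, client_id, [my_tenant], now=now))
        print(label, "accept-all:", check_id_token_claims(claims, client_id, accept_all_issuers=True, now=now))
```

With the allow list, only the placeholder work tenant is accepted and the personal-account token is rejected; with accept_all_issuers=True both pass, which is exactly what the Accept All issuers check box buys you and why the console labels it not recommended. The tid/iss consistency check catches a token whose tid was altered to a different tenant than the one that issued it.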