---
title: Delegating all authentication to an external IdP
description: PingOne provides an authentication policy step that allows you to make an external identity provider (IdP) part of a PingOne authentication policy or delegate all authentication to that external IdP.
component: solution-guides
page_id: solution-guides:workforce_use_cases:htg_delegate_authn_to_external_idp
canonical_url: https://docs.pingidentity.com/solution-guides/workforce_use_cases/htg_delegate_authn_to_external_idp.html
revdate: April 13, 2025
page_aliases: ["workforce_use_cases:htg_delegate_authn_to_external_idp_config_idp.adoc", "workforce_use_cases:htg_delegate_authn_to_external_idp_create_authn_policy.adoc"]
section_ids:
  before-you-begin: Before you begin
  configuring-an-external-idp: Configuring an external IdP
  before-you-begin-2: Before you begin
  steps: Steps
  choose-from: Choose from:
  creating-an-external-idp-authentication-policy: Creating an external IdP authentication policy
  steps-2: Steps
  next-steps: Next steps
---

# Delegating all authentication to an external IdP

PingOne provides an authentication policy step that allows you to make an external identity provider (IdP) part of a PingOne authentication policy or delegate all authentication to that external IdP.

## Before you begin

You must have:

* An external IdP defined in your PingOne tenant

* An authentication policy that specifies that external IdP as the only step

## Configuring an external IdP

### Before you begin

* If you want to use OpenID Connect (OIDC), you must configure an OIDC client in PingFederate.

* If you want to use SAML, you must configure a SAML service provider (SP) in PingFederate.

### Steps

1. In your PingOne tenant, go to **Integrations > External IdPs** and click **Add Provider**.

2. Go to **Add a Social or Custom Identity Provider > Select an Identity Provider from the Options Below > Custom** and click either:

   #### Choose from:

   * **OpenID Connect**

   * **SAML**

     ![Screen capture of the Add a Social or Custom Identity Provider window showing OpenID Connect and SAML options near the bottom.](_images/xld1621366507424.png)

3. If you clicked **OpenID Connect**:

1. In the **Create Profile** window, in the **Name** field, specify a name for the IdP (used only in the PingOne console) and click **Continue**.

      ![igv1621366618264](_images/igv1621366618264.png)

   2. In the **Connection Details** section, in the **Client ID** and **Client Secret** fields, enter the client ID and client secret from the external IdP.

      **Note:** This must be an auth-code client.

      ![Screen capture of the Configure OpenID Connect Connection window showing the required Client ID and Client Secret fields.](_images/aqn1621366697208.png)

   3. In the **Discovery Details** section, you can provide the OpenID well-known endpoint in the **Discovery Document** section to pre-populate all values.

      If the OpenID well-known endpoint isn't available, you must manually enter all the required values.

      ![Screen capture of the Discovery Details sections showing the required Authorization Endpoint, Token Endpoint, JWKS Endpoint and Issuer fields.](_images/gob1621366774192.png)

   4. Click **Save and Continue**.

   5. In the **Map Attributes** window, map incoming values as needed, and then click **Save and Finish**.

      ![Screen capture of the Map Attributes window showing the PingOne User Profile Attribute, OIDC Attribute and Update Condition fields.](_images/lqh1621366872979.png)

4. If you clicked **SAML**:

   1. In the **Create Profile** window, in the **Name** field, specify a name for the IdP (used only in the PingFederate console) and click **Continue**.

   2. In the **Configure PingOne Connection** section, choose the signing certificate for SP-initiated SAML authentication requests and click **Continue**.

      ![Screen capture of the Configure PingOne Connection window.](_images/tuz1621366926726.png)

   3. In the **Configure IDP Connection** window, import data or provide the values, and then click **Save and Continue**.

   4. In the **Map Attributes** window, map incoming values as needed, and then click **Save and Finish**.

      ![Screen capture of the Map Attributes window showing the PingOne User Profile Attribute, OIDC Attribute and Update Condition fields.](_images/grz1621367035594.png)

5. **Optional:** To support just-in-time (JIT) creation, edit the newly created external IdP:

   If a user who doesn't exist in PingOne is redirected from the external IdP, PingOne can perform a JIT creation of an account for that user in PingOne.

   1. Click **Registration**.

   2. In the **Population** list, select the population into which new users should be JIT provisioned.

   3. Click **Save**.

6. Enable the external IdP you created.
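
The OIDC branch above lets you paste the provider's well-known endpoint so PingOne pre-populates the Discovery Details, and falls back to manual entry of the Authorization Endpoint, Token Endpoint, JWKS Endpoint and Issuer. Whichever route you take, it is worth checking the discovery document before trusting it. The following is an added example, not PingOne or PingFederate code: it parses a discovery document, confirms the four required values are present and served over HTTPS, confirms the issuer is the one you expect, confirms the provider supports the `code` response type (the auth-code client requirement noted above), and lists the advertised `acr_values_supported` so you know which values are valid for the policy's Required Authentication Level field. The hostname `idp.example.com` and the sample document are constructed placeholders; the field names are those of OpenID Connect Discovery 1.0.

```python
"""Validate an OIDC discovery document and extract the values that PingOne's
Discovery Details section asks for.

Added example; not part of the PingOne or PingFederate product code.
The sample document and the host idp.example.com are constructed.
"""
import json
from urllib.parse import urlparse

# Discovery-document keys mapped to the field labels used in the PingOne
# Discovery Details section (per the steps above).
REQUIRED = {
    "issuer": "Issuer",
    "authorization_endpoint": "Authorization Endpoint",
    "token_endpoint": "Token Endpoint",
    "jwks_uri": "JWKS Endpoint",
}

# Constructed sample of what GET /.well-known/openid-configuration might
# return from an external OIDC provider (placeholder host and paths).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/as/authorization.oauth2",
    "token_endpoint": "https://idp.example.com/as/token.oauth2",
    "jwks_uri": "https://idp.example.com/pf/JWKS",
    "response_types_supported": ["code", "token", "id_token"],
    "grant_types_supported": ["authorization_code", "implicit"],
    "acr_values_supported": ["urn:acr:mfa", "urn:acr:pwd"],
})

# Constructed sample of a provider that only advertises implicit-style
# response types; an auth-code client cannot be used against it.
SAMPLE_DISCOVERY_IMPLICIT_ONLY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/as/authorization.oauth2",
    "token_endpoint": "https://idp.example.com/as/token.oauth2",
    "jwks_uri": "https://idp.example.com/pf/JWKS",
    "response_types_supported": ["token", "id_token"],
})


def extract_discovery_details(doc_text, expected_issuer):
    """Return (details, warnings) for a discovery document, or raise ValueError.

    details maps the PingOne field labels to their values and adds the
    provider's advertised ACR values; warnings lists non-fatal oddities.
    """
    doc = json.loads(doc_text)

    missing = [key for key in REQUIRED if key not in doc]
    if missing:
        raise ValueError("discovery document is missing: " + ", ".join(missing))

    # The issuer must be exactly the one you intend to delegate to; a mismatch
    # means the well-known URL you were given does not describe that provider.
    if doc["issuer"] != expected_issuer:
        raise ValueError(f"issuer {doc['issuer']!r} != expected {expected_issuer!r}")

    issuer = urlparse(doc["issuer"])
    if issuer.scheme != "https":
        raise ValueError("issuer must use https")

    warnings = []
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = urlparse(doc[key])
        if url.scheme != "https":
            raise ValueError(f"{key} is not served over https: {doc[key]}")
        # Endpoints on another host are allowed by the spec but worth a look.
        if url.netloc != issuer.netloc:
            warnings.append(f"{key} is on {url.netloc}, not the issuer host {issuer.netloc}")

    # PingOne's OIDC external IdP uses an auth-code client, so the provider
    # must support the 'code' response type.
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("provider does not advertise the 'code' response type")

    details = {label: doc[key] for key, label in REQUIRED.items()}
    details["Supported ACR values"] = list(doc.get("acr_values_supported", []))
    return details, warnings


if __name__ == "__main__":
    found, notes = extract_discovery_details(SAMPLE_DISCOVERY, "https://idp.example.com")
    for label, value in found.items():
        print(f"{label}: {value}")
    for note in notes:
        print("warning:", note)
```

If the provider publishes no discovery document, the same checks apply to the values you type in by hand: the issuer string must match what the provider puts in its ID tokens exactly, including scheme and any trailing path, or token validation will fail after the redirect back to PingOne.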

## Creating an external IdP authentication policy

### Steps

1. In your PingOne tenant, go to **Authentication > Authentication** and click **Add Policy**.

   ![Screen capture of the Policies window with the Add Policy option in the upper right corner.](_images/bkh1621367287358.png)

2. In the **Policy Name** field, enter a unique policy name.

3. In the **Step Type** list, select **External Identity Provider**.

   ![Screen capture of the expanded Step Type list showing External Identity Provider highlighted.](_images/rnt1621367352829.png)

4. In the **External Identity Provider** list, select the external IdP you want to delegate to.

   Disabled external IdPs are marked as such.

   ![Screen capture of the expanded External Identity Provider list showing PF and PFIDP (Disabled) as options.](_images/bfs1621367395681.png)

5. **Optional:** In the **Required Authentication Level** field, specify an authentication context to request from the IdP.

   For example, if you were using PingFederate you could use a selector on the incoming context to determine authentication policy flows.

   ![Screen capture of the Identity Provider Settings section showing the optional Required Authentication Level field.](_images/mug1621367434316.png)

6. Click **Save and Continue**.

### Next steps

Depending on how you want to use it, you can configure this policy as the default or assign it to specific applications. After calling an app that has this policy assigned, users are automatically sent to the external IdP for authentication.

After a successful return from the external IdP:

* If the user doesn't exist in PingOne, the user is created.

* If the user does exist in PingOne, the user is prompted for linking and then passed to their respective application.
