Set up an OIDC-compliant IdP as a federation IdP
To use an OIDC-compliant IdP as a federation IdP for a PingOne Advanced Identity Cloud tenant environment, you need to create a new OIDC client.
Step 1: Configure OIDC-compliant IdP as a federation IdP
- Read your IdP vendor’s documentation on configuring an OIDC client.
- Configure an OIDC client profile:
  - Choose a client ID or note the automatically generated client ID. Some OIDC IdPs let you choose the client ID while others autogenerate it for you.
    In Advanced Identity Cloud, use this in an application’s Application ID field.
  - Choose a client secret or note the automatically generated client secret. Some OIDC IdPs let you choose the client secret while others autogenerate it for you.
    In Advanced Identity Cloud, enter this value in an application’s Application Secret field (or set in an ESV mapped to that field).
  - Configure the allowed scopes. Recommended scopes: openid, profile, and email.
  - Configure the client authentication method. Supported authentication methods: client_secret_post and client_secret_basic.
- Obtain the well-known URL from the OIDC-compliant IdP. You will enter this URL when you enable the IdP in Advanced Identity Cloud.
  In Advanced Identity Cloud, enter this value in an application’s Well-known Endpoint field (or set in an ESV mapped to that field).
Step 2: Use group membership to enable federation in an OIDC-compliant IdP
Groups let you add and remove sets of administrators based on their group membership in your IdP. You can also specify the level of administrator access (super administrator[1] or tenant administrator) for groups of users.
- Read your IdP vendor’s documentation on configuring groups in your OIDC client.
- Obtain the name of the groups claim from the OIDC-compliant IdP.
  In Advanced Identity Cloud, enter this value in an application’s Group Claim Name field (or set in an ESV mapped to that field).
- Set up super administrator[1] groups:
  - Set up one or more groups for users that need to be super administrators[1] when they access the tenant using your IdP.
  - Note the group ID (or group IDs).
    In Advanced Identity Cloud, enter the group ID (or group IDs) in an application’s Group Identifiers field to the left of Super Admins (or set in an ESV mapped to that field).
- (Optional) Set up tenant administrator groups:
  - Set up one or more groups for users that need to be tenant administrators when they access the tenant using your IdP.
  - Note the group ID (or group IDs).
    In Advanced Identity Cloud, enter the group ID (or group IDs) in an application’s Group Identifiers field to the left of Tenant Admins (or set in an ESV mapped to that field).
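As an added example (not code from the PingOne documentation or product), the following Python shows how the two client authentication methods from Step 1 carry the client credentials on a token request, and how the Group Claim Name and the Super Admins / Tenant Admins group identifiers from Step 2 resolve to an administrator level. The claim values, group names and client credentials are constructed placeholders.

```python
import base64
from typing import Iterable, Mapping, Optional
from urllib.parse import quote

# Constructed sample ID-token claims (hypothetical values, not from any real IdP).
SAMPLE_CLAIMS = {
    "sub": "user-123",
    "email": "alice@example.com",
    "groups": ["grp-helpdesk", "grp-tenant-admins"],
}


def resolve_admin_level(
    claims: Mapping[str, object],
    group_claim_name: str,
    super_admin_groups: Iterable[str],
    tenant_admin_groups: Iterable[str],
) -> Optional[str]:
    """Map the user's group claim to 'super', 'tenant', or None (no admin access).

    Membership in any Super Admins group wins over Tenant Admins; a missing or
    malformed claim grants nothing, and a claim delivered as a single string is
    treated as a one-element list.
    """
    raw = claims.get(group_claim_name)
    if isinstance(raw, str):
        groups = {raw}
    elif isinstance(raw, (list, tuple, set)):
        groups = set(raw)
    else:
        return None
    if groups & set(super_admin_groups):
        return "super"
    if groups & set(tenant_admin_groups):
        return "tenant"
    return None


def client_auth(method: str, client_id: str, client_secret: str):
    """Return (headers, form_fields) that carry the client credentials on a token request.

    client_secret_basic places the URL-encoded "id:secret" pair in an HTTP Basic
    header; client_secret_post sends both values as form fields in the body.
    """
    if method == "client_secret_basic":
        pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        token = base64.b64encode(pair.encode()).decode()
        return {"Authorization": f"Basic {token}"}, {}
    if method == "client_secret_post":
        return {}, {"client_id": client_id, "client_secret": client_secret}
    raise ValueError(f"unsupported client authentication method: {method}")
```

Because super administrator access is granted by group identifier alone, keep the Super Admins group list short and make sure the configured Group Claim Name matches exactly what the IdP emits; a mismatched claim name silently yields no administrator access.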