PingOne

Adding an identity provider - OIDC

You can use the generic OpenID Connect (OIDC) configuration to add any external identity provider (IdP) that follows the OIDC standard.

Steps

  1. In the PingOne admin console, go to Integrations > External IdPs and click the + icon.

  2. Click OpenID Connect.

  3. Click Next.

  4. On the Add External Identity Provider page, enter the following information:

    • Name: A unique identifier for the IdP.

    • Description (optional): A brief description of the IdP.

    • Population: A population that overrides the authentication policy’s registration population and enables just-in-time (JIT) registration of users who sign on through this IdP for the first time.

    • Icon (optional): An image to represent the IdP. Use a file up to 1 MB in JPG, JPEG, GIF, or PNG format. Use a 90 x 90 pixel image.

    • Sign-on button (optional): An image to use for the login button displayed to the end user. Use a 300 x 42 pixel image.

  5. Click Next.

  6. Enter the Connection Details:

    • Client ID: The application ID that is generated by the external IdP to which you are connecting.

    • Client secret: The application secret that is generated by the external IdP to which you are connecting.

    • Callback URL: The redirect URI to which the external IdP returns the user (with the authorization code) after authentication. Copy the Callback URL to a secure location. You’ll register this exact value (scheme, host, and path) as an allowed redirect URI at the IdP later.

  7. Enter the Discovery Details:

    • Discovery document URI (optional): The discovery endpoint from the external IdP. Enter the URL and then click Use Discovery document to populate the remaining settings in Discovery Details automatically. Learn more in Discovery document URI.

    • Issuer: The issuer identifier of the external IdP. PingOne checks that the iss claim of every ID token it receives matches this value exactly, so copy it from the provider’s discovery document rather than typing it by hand. This URL must use the https protocol.

    • JWKS endpoint: The URL of the external IdP’s JSON Web Key Set (JWKS). The key set contains the public keys that PingOne uses to verify the signature on ID tokens (JSON Web Tokens, JWTs) issued by the IdP. This URL must use the https protocol.

    • Authorization endpoint: The URL of the external IdP’s authorization endpoint. PingOne redirects the user here to authenticate and obtain an authorization code. This URL must use the https protocol.

    • Token endpoint: The URL of the external IdP’s token endpoint. PingOne presents the authorization code here to obtain an ID token and an access token (and a refresh token, if the IdP issues one). This URL must use the https protocol.

    • User information endpoint (optional): The URL that specifies the userInfo endpoint for the external IdP. The client can present an access token to the userInfo endpoint to retrieve additional information about the user, including attributes. Clients can use this endpoint to retrieve profile information, preferences, and other user-specific information. This URL must use the https protocol.

    • Token endpoint authentication method: How PingOne, acting as the OIDC client, authenticates to the external IdP’s token endpoint when it exchanges the authorization code. Select None (no client credentials are sent; use only together with PKCE), Client Secret Basic (client ID and secret in an HTTP Basic Authorization header), or Client Secret Post (client ID and secret as form parameters in the request body). Choose a method the IdP lists in token_endpoint_auth_methods_supported.

    • Requested scopes: The scopes to include in the authentication request to the external IdP. The openid scope is required for an OIDC request; add profile, email, or provider-specific scopes to obtain the claims you map in the next step. Scope values are case sensitive. Separate multiple scopes with a space.

    • Proof Key for Code Exchange (PKCE): Select to send a code challenge with the authorization request and the matching code verifier with the token request, so that an intercepted authorization code cannot be redeemed by anyone other than PingOne (this is what defeats authorization code interception attacks).

      This option is selected by default if Discovery document URI is configured and the provider’s metadata lists S256 in code_challenge_methods_supported, for example:

      "code_challenge_methods_supported": [
      "plain",
      "S256"
      ]

      If Discovery document URI is not configured, or if the code_challenge_methods_supported metadata from the provider does not include S256 (only plain, or no entry at all), this option is cleared by default. Prefer S256 wherever the provider supports it: with the plain method the verifier travels unmodified in the authorization request, so it protects against nothing an attacker who can observe that request could not replay.

      Learn more about PKCE in RFC7636: Proof Key for Code Exchange by OAuth Public Clients on the Internet Engineering Task Force (IETF) website.

  8. Click Next.

  9. Define how the PingOne user attributes are mapped to IdP attributes. Learn more in Mapping attributes.

    • Enter the PingOne user profile attribute and the external IdP attribute. Learn more about attribute syntax in Identity provider attributes.

    • To add an attribute, click Add.

    • To use the advanced expression builder, click the Gear icon. Learn more in Using the expression builder.

    • Select the update condition, which determines how PingOne updates its user directory with the values from the IdP:

      • Empty only: Update the PingOne attribute only if the existing attribute is empty.

      • Always: Always update the PingOne directory attribute.

  10. Click Save.
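The Discovery Details, PKCE default, and token endpoint authentication method above are easier to reason about in code. The following Python script is an added example, not PingOne’s code or API: it derives the step 7 settings from a discovery document, enforces the https rule, applies the S256-based PKCE default, and builds the token request that each authentication method produces. The discovery document, idp.example.com, the callback URL, and all function names (derive_discovery_details, pkce_default, make_pkce_pair, build_token_request) are constructed for this illustration; the client ID and secret are the sample pair from RFC 6749 section 4.1.3.

```python
"""Added example, not PingOne's code: derive the Discovery Details that PingOne
fills in from an OIDC discovery document, apply the page's PKCE default rule, and
build the token request for each Token endpoint authentication method.  The
discovery document, callback URL and client credentials are constructed samples;
all function names are hypothetical helpers."""
import base64
import hashlib
import json
import secrets
from urllib.parse import quote, urlencode, urlparse

# Constructed: what https://idp.example.com/.well-known/openid-configuration might return.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/jwks",
    "code_challenge_methods_supported": ["plain", "S256"],
}

# PingOne setting name -> discovery key, in the order step 7 lists them.
REQUIRED = {"Issuer": "issuer", "JWKS endpoint": "jwks_uri",
            "Authorization endpoint": "authorization_endpoint",
            "Token endpoint": "token_endpoint"}
OPTIONAL = {"User information endpoint": "userinfo_endpoint"}


def _require_https(name, url):
    """Every Discovery Details URL must use https."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"{name} must use https, got {url}")
    return url


def pkce_default(doc):
    """Selected by default only when the metadata advertises S256; None or 'plain' alone clears it."""
    return "S256" in (doc or {}).get("code_challenge_methods_supported", [])


def derive_discovery_details(doc, expected_issuer=None):
    """Settings PingOne would populate from `doc` (dict or raw JSON text), after
    checking https and, if expected_issuer is given, that the advertised issuer
    matches the URL the document was fetched from (OIDC Discovery section 4.3)."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    details = {}
    for name, key in REQUIRED.items():
        if key not in doc:
            raise ValueError(f"discovery document has no {key}")
        details[name] = _require_https(name, doc[key])
    for name, key in OPTIONAL.items():
        if key in doc:
            details[name] = _require_https(name, doc[key])
    if expected_issuer is not None and details["Issuer"] != expected_issuer:
        raise ValueError(f"issuer {details['Issuer']} != {expected_issuer}")
    details["PKCE"] = pkce_default(doc)
    return details


def make_pkce_pair():
    """RFC 7636: 43..128-char verifier and its S256 challenge, BASE64URL(SHA-256(verifier))."""
    verifier = secrets.token_urlsafe(32)  # 43 unreserved characters
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_token_request(method, client_id, client_secret, code, redirect_uri,
                        code_verifier=None):
    """Headers and form fields of the authorization-code exchange for each
    Token endpoint authentication method.  Returns (headers, body)."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    if code_verifier:
        body["code_verifier"] = code_verifier
    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-urlencode each part, then base64("id:secret").
        cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode("ascii")).decode("ascii")
    elif method == "client_secret_post":
        body["client_id"], body["client_secret"] = client_id, client_secret
    elif method == "none":
        # Nothing authenticates the client, so only PKCE ties the code to it.
        if not code_verifier:
            raise ValueError("'None' without PKCE leaves the code exchange unauthenticated")
        body["client_id"] = client_id
    else:
        raise ValueError(f"unknown token endpoint auth method: {method}")
    return headers, body


if __name__ == "__main__":
    print(derive_discovery_details(SAMPLE_DISCOVERY, expected_issuer="https://idp.example.com"))
    verifier, challenge = make_pkce_pair()
    # Client id/secret are the sample pair from RFC 6749 section 4.1.3; callback URL is constructed.
    headers, body = build_token_request("client_secret_basic", "s6BhdRkqt3", "gX1fBat3bV",
                                        "SplxlOBeZQQYbYS6WxSbIA", "https://rp.example/callback", verifier)
    print(headers["Authorization"], urlencode(body), sep="\n")
```

Two checks in this script are worth carrying over to the console: the issuer comparison (the value you paste into Issuer must equal the iss the IdP actually puts in its ID tokens, which is why populating from the discovery document is safer than typing it), and the refusal to use None without PKCE, since with neither a client secret nor a code verifier anyone holding the authorization code can redeem it at the token endpoint.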

Next steps