OIDC provider configuration

You can configure the PingOne Advanced Identity Cloud OAuth 2.0 provider service to act as an OpenID provider (OP).

To do so, configure the OAuth 2.0 provider service then refer to OIDC-specific configuration.

OIDC-specific configuration

To set the OAuth 2.0 provider configuration, under Native Consoles > Access Management, go to Realms > Realm Name > Services > OAuth2 Provider.

Refer to the OAuth2 Provider reference section for details on each configuration property.

Task Resources

Configure the public keys for the provider

OPs sign ID tokens so that clients can ensure their authenticity. PingOne Advanced Identity Cloud exposes the URI where clients can check the signing public keys to verify the ID token signatures.

N/A

Enable the OIDC Provider Discovery endpoint

The discovery endpoint is enabled by default. Enable the endpoint if your clients need to discover the URL of the OP for a given user.

OIDC discovery

Configure pairwise subject types for dynamic registration

To provide different values to the sub claim in the ID token for different clients (refer to Subject Identifier Types), make sure that the Subject Types supported property on the Core tab of the OAuth 2.0 provider configuration includes pairwise. This is the default.

Also, change the default value of the Subject Identifier Hash Salt field on the same tab.

If you specify a pairwise subject type, check the value of the Sector Identifier URI in the OAuth 2.0 client configuration. The value of this field must be a URL (including the https scheme) that references a JSON file containing an array of redirect_uri values. PingOne Advanced Identity Cloud uses the host component of this URL to compute pairwise subject identifiers.

If you configure a single Post Logout Redirect URI, the Sector Identifier URI takes this value by default. If you configure several Post Logout Redirect URIs and specify a pairwise Subject Type, you must set a value for the Sector Identifier URI.

N/A

Specify whether PingOne Advanced Identity Cloud should return scope-derived claims in the ID token

Scope-derived claims, such as those returned when requesting the profile scope, aren’t returned in the ID token by default.

Claims

Configure how PingOne Advanced Identity Cloud maps scopes to claims and user profile attributes

Use scripts to map user profile attributes to claims and scopes.

Claims

OpenID Connect 1.0 (OIDC) claims

Configure the OP for dynamic application registration and management

PingOne Advanced Identity Cloud supports several methods of dynamic application registration.

You can also register applications manually.

Dynamic client registration

Add authentication requirements to ID tokens

Require end users to satisfy specific authentication rules or conditions when authenticating to the OP, such as using a specific authentication journey.

Authentication requirements

Configure PingOne Advanced Identity Cloud for GSMA Mobile Connect

Configure the OAuth 2.0 authorization server to act as a Mobile Connect provider.

Configure Mobile Connect

Configure the OP to encrypt ID tokens and logout tokens

By default, ID tokens and backchannel logout tokens are signed. If these tokens carry sensitive information about your end users, consider encrypting them.

Encrypt ID tokens and backchannel logout tokens