Ping Identity (OIDC) SSO Setup Guide
Descope supports SSO providers both with OIDC and SAML. This guide showcases how to integrate Ping Identity as an OpenID Connect (OIDC) SSO provider with a Tenant in Descope.
Configuration Steps
1. Tenant and SSO Setup
- Begin by creating your tenant in Descope. Navigate to Authentication Methods under your tenant settings.
- Select SSO, then choose OIDC from the available options.
2. Ping Application Creation
- Create an application within Ping Identity.
- Ensure your OIDC application is set to use Implicit Flow. Configure the redirect URI to include Descope's OAuth callback.
- If you're a Pro or Enterprise user, this callback will use your own custom domain or CNAME.
- For others: Use the default https://api.descope.com/v1/oauth/callback.
3. Scope Configuration
- Configure your Ping application to include the necessary scopes. At a minimum, you should have email and profile. Including phone is also beneficial to retrieve phone number information.
4. Claims Setup
- Ensure the correct claims are configured within your Ping application. As an example, these should include things like: given_name, family_name, email_verified, email, and phone_number.
You'll have to make sure that the attribute mapping in Ping matches what is in Descope. This ensures that the user information from Ping is correctly understood and utilized by Descope. The mapping can be found in the new tenant's settings in the Descope Console.
5. OIDC Configuration in Descope
- Under your Tenant Settings in the Descope Console, proceed to configure OIDC with the details from your Ping Identity setup:
- Input your SSO domain. This is the email domain of the users of your SSO-enabled tenant.
- Enter Ping Identity as the Provider Name.
- Insert the Client ID, Client Secret, and scopes (openid, email, profile, and phone) that you configured in Step 3.
- Change the grant type to Implicit.
- In the Connection Settings, input the authorization, token, userinfo, and JWKS endpoints provided by Ping.
- Ensure that attribute mapping is correctly set up to match the claims provided by Ping. This should have been completed in Step 4.
At the end of the configuration, it should look something like this:
6. Using SSO in Your Flow
- Finally, use the SSO action within your Descope flow. Ping Identity will now serve as the SSO provider for all users associated with the specific tenant you configured.
By following these steps, you will have successfully set up Ping Identity as an OIDC provider using Implicit Flow in Descope.
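A pre-flight check for the values entered in Step 5, as an added example that is not part of Descope's or Ping's documentation: it validates a provider's OIDC discovery metadata (standard OpenID Connect Discovery field names) against the endpoints, scopes, claims and Implicit grant this guide calls for. The sample document and its idp.example.com URLs are constructed, and the function name is hypothetical.

```python
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint",
                      "userinfo_endpoint", "jwks_uri")
REQUIRED_SCOPES = {"openid", "email", "profile"}
OPTIONAL_SCOPES = {"phone"}
EXPECTED_CLAIMS = {"given_name", "family_name", "email_verified",
                   "email", "phone_number"}
IMPLICIT_TYPES = ({"id_token"}, {"id_token", "token"})

# Constructed sample metadata (not a real Ping environment).
SAMPLE = {
    "issuer": "https://idp.example.com/as",
    "authorization_endpoint": "https://idp.example.com/as/authorize",
    "token_endpoint": "https://idp.example.com/as/token",
    "userinfo_endpoint": "http://idp.example.com/as/userinfo",  # plain http on purpose
    "jwks_uri": "https://idp.example.com/as/jwks",
    "scopes_supported": ["openid", "email", "profile"],
    "response_types_supported": ["code", "id_token", "token id_token"],
    "grant_types_supported": ["authorization_code", "implicit"],
    "claims_supported": ["sub", "email", "email_verified",
                         "given_name", "family_name"],
}

def check_discovery(doc):
    """Return (errors, warnings) for a parsed discovery document (dict)."""
    errors, warnings = [], []
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key, "")
        if not url:
            errors.append(f"missing {key}")
        elif not url.startswith("https://"):
            errors.append(f"{key} is not https: {url}")
    scopes = set(doc.get("scopes_supported", []))
    errors += [f"scope not offered: {s}" for s in sorted(REQUIRED_SCOPES - scopes)]
    warnings += [f"optional scope not offered: {s}"
                 for s in sorted(OPTIONAL_SCOPES - scopes)]
    # Implicit flow needs a response type made only of id_token / token.
    types = doc.get("response_types_supported", [])
    if not any(set(rt.split()) in IMPLICIT_TYPES for rt in types):
        errors.append("no implicit response type advertised")
    # Per the discovery spec, an omitted list means authorization_code + implicit.
    if "implicit" not in doc.get("grant_types_supported",
                                 ["authorization_code", "implicit"]):
        errors.append("implicit grant not advertised")
    claims = set(doc.get("claims_supported", []))
    warnings += [f"claim not advertised: {c}" for c in sorted(EXPECTED_CLAIMS - claims)]
    return errors, warnings

if __name__ == "__main__":
    print(check_discovery(SAMPLE))
```

Missing claims are reported as warnings rather than errors because `claims_supported` is optional metadata; the attribute mapping from Step 4 still has to be confirmed in both consoles.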