If OpenID Connect is specified as the external identity provider, the OpenID Connect sub attribute can be used as the provider mapping attribute placeholder value.

The placeholder value must use the following syntax:

${providerAttributes.<OpenID Connect attribute name>}

When you create a new OpenID Connect identity provider entity, the POST request automatically maps the PingOne username attribute to the OpenID Connect sub attribute. For more information, see the OpenID Connect core mapping attribute.

The POST /environments/{environmentId}/identityProviders operation adds a new identity provider resource to the specified environment.

When the type property value is set to OPENID_CONNECT, the OpenID Connect application’s clientId and clientSecret property values are required in the request body. Other required properties are: name, type, authorizationEndpoint, jwksEndpoint, tokenEndpoint, issuer, scopes, and tokenEndpointAuthMethod.

OpenID Connect identity provider settings data model

Property Description
authorizationEndpoint A string that specifies the OIDC identity provider’s authorization endpoint. This value must be a URL that uses https. This is a required property.
clientId A string that specifies the application ID from the OIDC identity provider. This is a required property.
clientSecret A string that specifies the application secret from the OIDC identity provider. This is a required property.
discoveryEndpoint A string that specifies the OIDC identity provider’s discovery endpoint. This value must be a URL that uses https.
issuer A string that specifies the issuer to which the authentication is sent for the OIDC identity provider. This value must be a URL that uses https. This is a required property.
jwksEndpoint A string that specifies the OIDC identity provider’s jwks endpoint. This value must be a URL that uses https. This is a required property.
scopes An array that specifies the scopes to include in the authentication request to the OIDC identity provider. This is a required property.
tokenEndpoint A string that specifies the OIDC identity provider’s token endpoint. This is a required property.
tokenEndpointAuthMethod A string that specifies the OIDC identity provider’s token endpoint authentication method. Options are CLIENT_SECRET_BASIC (default), CLIENT_SECRET_POST, and NONE. This is a required property.
userInfoEndpoint A string that specifies the OIDC identity provider’s userInfo endpoint.
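The following is an added example, not code from the PingOne documentation or SDK. It assembles a request body for the POST /environments/{environmentId}/identityProviders operation using the property names from the data model above, checks the documented constraints before anything is sent (required properties for type OPENID_CONNECT, https-only URLs, the allowed tokenEndpointAuthMethod values), and builds and parses the ${providerAttributes.<attribute name>} placeholder described earlier. The environment ID, client credentials and the idp.example.com endpoints are constructed sample values; the validation helper and its error strings are this example's own, not part of the PingOne API.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Required properties when type is OPENID_CONNECT (from the data model above).
REQUIRED_OIDC_PROPERTIES = (
    "name", "type", "clientId", "clientSecret", "authorizationEndpoint",
    "jwksEndpoint", "tokenEndpoint", "issuer", "scopes", "tokenEndpointAuthMethod",
)
# Properties the data model says must be URLs that use https.
HTTPS_ONLY_PROPERTIES = ("authorizationEndpoint", "discoveryEndpoint", "issuer", "jwksEndpoint")
TOKEN_ENDPOINT_AUTH_METHODS = ("CLIENT_SECRET_BASIC", "CLIENT_SECRET_POST", "NONE")

_ATTRIBUTE_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_PLACEHOLDER_RE = re.compile(r"^\$\{providerAttributes\.([A-Za-z_][A-Za-z0-9_]*)\}$")


def provider_attribute_placeholder(attribute_name: str) -> str:
    """Build the ${providerAttributes.<name>} placeholder used in attribute mappings."""
    if not _ATTRIBUTE_NAME_RE.fullmatch(attribute_name):
        raise ValueError(f"invalid OpenID Connect attribute name: {attribute_name!r}")
    return f"${{providerAttributes.{attribute_name}}}"


def parse_provider_attribute_placeholder(value: str) -> Optional[str]:
    """Return the attribute name inside a placeholder, or None if the syntax is wrong."""
    match = _PLACEHOLDER_RE.match(value)
    return match.group(1) if match else None


def is_https_url(value: str) -> bool:
    parts = urlsplit(value)
    return parts.scheme == "https" and bool(parts.netloc)


def validate_oidc_identity_provider(body: Dict) -> List[str]:
    """Return the constraint violations found in the body; an empty list means it passes."""
    problems: List[str] = []
    if body.get("type") != "OPENID_CONNECT":
        problems.append("type must be OPENID_CONNECT")
    for prop in REQUIRED_OIDC_PROPERTIES:
        if body.get(prop) in ("", None, []):
            problems.append(f"missing required property: {prop}")
    for prop in HTTPS_ONLY_PROPERTIES:
        if prop in body and not is_https_url(body[prop]):
            problems.append(f"{prop} must be an https URL")
    if "scopes" in body and not isinstance(body["scopes"], list):
        problems.append("scopes must be an array")
    method = body.get("tokenEndpointAuthMethod")
    if method is not None and method not in TOKEN_ENDPOINT_AUTH_METHODS:
        problems.append(f"tokenEndpointAuthMethod must be one of {TOKEN_ENDPOINT_AUTH_METHODS}")
    return problems


def build_create_request(environment_id: str, body: Dict) -> Dict:
    """Describe the POST request; raise before sending if the body violates a documented rule."""
    problems = validate_oidc_identity_provider(body)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "method": "POST",
        "path": f"/environments/{environment_id}/identityProviders",
        "body": body,
    }


# Constructed sample values; the environment ID and endpoints are placeholders.
EXAMPLE_ENVIRONMENT_ID = "00000000-0000-0000-0000-000000000000"
EXAMPLE_BODY = {
    "name": "Example OIDC IdP",
    "type": "OPENID_CONNECT",
    "clientId": "example-client-id",          # constructed
    "clientSecret": "example-client-secret",  # constructed; in practice read from a secret store
    "authorizationEndpoint": "https://idp.example.com/authorize",
    "discoveryEndpoint": "https://idp.example.com/.well-known/openid-configuration",
    "issuer": "https://idp.example.com",
    "jwksEndpoint": "https://idp.example.com/jwks",
    "tokenEndpoint": "https://idp.example.com/token",
    "userInfoEndpoint": "https://idp.example.com/userinfo",
    "scopes": ["openid"],
    "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
}

if __name__ == "__main__":
    request = build_create_request(EXAMPLE_ENVIRONMENT_ID, EXAMPLE_BODY)
    print(request["method"], request["path"])
    # Default username mapping: the placeholder for the OpenID Connect sub attribute.
    print(provider_attribute_placeholder("sub"))
```

Running the module prints the request method and path followed by `${providerAttributes.sub}`, the default username mapping value. The validator is deliberately strict about the https rule only for the four properties the data model marks that way; the remaining endpoints are left to the server's own checks.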

OpenID Connect core attributes

Property Description
username A string that specifies the core OpenID Connect attribute. The default value is ${providerAttributes.sub} and the default update value is EMPTY_ONLY.

OpenID Connect provider attributes

Permission Provider attributes
openid sub