Skip to content

OpenID Connect (OIDC) Integration

Follow the steps documented below to integrate your Org with an OIDC-compliant Identity Provider (IdP) such as Ping for Single Sign On (SSO).

Important

Only users with "Organization Admin" privileges can configure SSO in the Web Console.

Step 1: Create IdP in Web Console

  • Log in to the Web Console as an Organization Admin.
  • Navigate to System → Identity Providers.
  • Click New Identity Provider.
  • In the IdP Configuration tab, provide a unique name for the Identity Provider.
  • Optionally, enter a description for reference.
  • Select OIDC as the Authentication Type.
  • Choose Ping as the Provider Name.
  • Enter the Domain associated with the organization (for example, mycompany.com).
  • Provide an Admin Email ID (for example, admin@mycompany.com).
  • Provide a Client ID

Create IdP

The remaining fields: Client Secret, OP Domain URL, and Group Attribute Name must be populated after configuring the corresponding Ping application and retrieving these details from Ping.

Once these values are available, return to this page, complete the remaining fields, and then proceed with the setup.

Important

  • Within an organization, both the IdP Name and Domain must be unique. A domain used in one organization can be reused in a different organization.
  • The Domain and Admin Email domain must match. For example, if the domain is mycompany.com, the admin email should also belong to the same domain (e.g., admin@mycompany.com).

After completing the IdP configuration steps, the Redirect URL is generated in the Web Console. This Redirect URL must be added in the Ping Valid Redirect URIs field when creating the OIDC client.

Step 2: Configure Ping App

  • Login into the Ping console as an Administrator
  • In the Ping Identity console, navigate to an existing environment or click on Environment + button to create a new one.

Create IdP

  • Select Create a Customer Solution and click Next

Create App Integration

  • This page displays the list of available PingOne services that can be deployed as part of the environment. Click Next to continue.

Create App Integration

  • Provide a name for the environment, complete the required details, and click Finish.

Create App Integration

  • The newly created environment appears in the list. Select the environment and click Manage Environment.

Create App Integration

  • Inside the environment, navigate to Applications, where the list of default applications is displayed.
  • Click Application + to create a new application and provide a name.
  • Select OIDC Web App and click Save.

Create App Integration

  • Once saved, the application configuration becomes available, including the client ID, client secret, and other connection details.

Create App Integration

Step 3: Capture Client Credentials

  • Enable or disable the OIDC application in the IdP by using the toggle next to the application name
  • Retrieve the Client ID, Client Secret, and OP Domain URL (Issuer ID) from the PingOnce Config section, as shown below.

Create App Integration

Note: The OIDC discovery endpoint is also available in the connection details.

  • Copy/paste those details into the Console and provide the Group Attribute Name.
  • Click Update & Continue.

Create App Integration

  • From the SP Configuration page, copy the Redirect URL from the console

Create App Integration

  • Paste the URL in the PingOne Application -> Configuration page
  • Select the Token Endpoint Authentication Method to Client Secret Post, since the client ID and Client Secret are sent through the POST method.
  • Click Save.

Create App Integration

🚨 Important: Ensure that the OP Domain URL includes the protocol prefix — http:// or https:// — to make it a valid URL. The process cannot proceed without a properly formatted URL.

Step 5: Webhook Configuration (Optional)

In the Web Console, configure the webhook if required, and click Save & Exit.

Client Credentials

Once the configuration is complete, a verification email is sent to the admin email ID specified on the IdP Configuration page. Complete the verification before users can log in with OIDC

Troubleshooting

Scenario 1: Missing Required Scopes or Group Attribute Mapping in PingOne

The IdP is configured in the Web Console, and the OIDC application is created in PingOne. However, required scopes such as email, profile, or the group attribute name configured in the Rafay console are not enabled or mapped in the PingOne application.

Resolution

  • Open the Application in PingOne.
  • Navigate to the Resources tab and edit the Allowed Scopes.
  • Enable the email and profile scopes.
  • Click Save to apply the changes.

Create App Integration

If the group attribute name does not match between PingOne and the Web Console (as configured in Step 1), group-based access and role mapping will fail during authentication.

  • Navigate to Attribute Mappings.
  • Add or edit the group attribute name to match the value configured in the Rafay console.
  • Map the attribute to Group Names.
  • Click Save.

Create App Integration