PingFederate configuration tips

OIDC: Authorization Code + PKCE

  1. Create the client under OAuth > Clients; enable the authorization_code and refresh_token grant types and require PKCE (S256).
  2. Assign Allowed Scopes (openid, profile, email). Map attributes via Attribute Contract.
  3. Choose Signing Key (RS256/ES256) and expose JWKS at /pf/JWKS.
  4. Set Redirect URIs and Post-Logout Redirect URIs.
  5. Configure IdP Adapter (HTML Form or Kerberos/Identifier First) and map to policy.
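The client side of the Authorization Code + PKCE flow configured above, as an added example (not PingFederate's or any SDK's code): it builds the S256 verifier/challenge pair, the request to /as/authorize, the check the AS applies to the verifier at /as/token.oauth2, and the claim checks a relying party must apply to the returned ID token. AUTH_HOST is the page's placeholder; the client id, redirect URI, issuer value and the sample token are assumptions, and signature verification against /pf/JWKS is left to a JOSE library.

```python
# Added example; not PingFederate code. AUTH_HOST is the page's placeholder.
import base64
import hashlib
import secrets
import json
import time
from urllib.parse import urlencode

AUTH_HOST = "AUTH_HOST"  # replace with the environment FQDN

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def pkce_pair() -> tuple:
    """(code_verifier, code_challenge) for method S256 (RFC 7636); keep the verifier client-side."""
    verifier = b64url_encode(secrets.token_bytes(32))
    return verifier, b64url_encode(hashlib.sha256(verifier.encode("ascii")).digest())

def s256_matches(code_verifier: str, code_challenge: str) -> bool:
    """The check the AS makes at /as/token.oauth2 before releasing tokens."""
    expected = b64url_encode(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, code_challenge)

def authorize_url(client_id: str, redirect_uri: str, state: str,
                  nonce: str, code_challenge: str) -> str:
    """Request to /as/authorize; state binds the callback, nonce binds the ID token."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid profile email",
              "state": state, "nonce": nonce,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return f"https://{AUTH_HOST}/as/authorize?" + urlencode(params)

def id_token_claims_ok(id_token: str, issuer: str, client_id: str,
                       nonce: str, now=None) -> bool:
    """Claim checks applied after the signature is verified against /pf/JWKS
    (the signature check itself needs a JOSE library and is not shown)."""
    header, payload, _sig = id_token.split(".")
    hdr = json.loads(b64url_decode(header))
    claims = json.loads(b64url_decode(payload))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    now = int(time.time()) if now is None else now
    return (hdr.get("alg") in ("RS256", "ES256")   # the algs configured above; never "none"
            and claims.get("iss") == issuer
            and client_id in aud
            and claims.get("nonce") == nonce
            and int(claims.get("exp", 0)) > now)
```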

Template: OIDC client JSON

SAML: SP Connection (as IdP)

  1. Import SP metadata (or use our SP template).
  2. Set NameID (email or persistent) and add Attribute Contract (given_name, email, role).
  3. Bindings: HTTP-Redirect for AuthnRequest; HTTP-POST for Response.
  4. Sign Assertions and optionally encrypt. Share IdP metadata with SP.

SAML: IdP Connection (as SP)

  1. Import IdP metadata (or use our IdP template).
  2. ACS URL must match exactly. Enable Allow Unsolicited Responses only if required.
  3. Validate the Response/Assertion signature; configure certificate revocation checking and an allowed clock skew.

Endpoints (typical)

Authorization:   https://AUTH_HOST/as/authorize
Token:           https://AUTH_HOST/as/token.oauth2
UserInfo:        https://AUTH_HOST/idp/userinfo.openid
JWKS:            https://AUTH_HOST/pf/JWKS
End Session:     https://AUTH_HOST/idp/startSLO.ping
SAML SSO:        https://AUTH_HOST/idp/SSO.saml2
SAML SLO:        https://AUTH_HOST/idp/SLO.saml2

Replace AUTH_HOST with your environment FQDNs and ensure TLS + HSTS.