Skip to content

Latest commit

 

History

History
200 lines (157 loc) · 10.4 KB

identity-provider-ping-one.md

File metadata and controls

200 lines (157 loc) · 10.4 KB
title titleSuffix description author manager ms.service ms.topic ms.date ms.author ms.subservice zone_pivot_groups
Set up sign-up and sign-in with a PingOne account
Azure AD B2C
Provide sign-up and sign-in to customers with PingOne accounts in your applications using Azure Active Directory B2C.
garrodonnell
CelesteDG
azure-active-directory
how-to
12/2/2021
godonnell
b2c
b2c-policy-type

Set up sign-up and sign-in with a PingOne account using Azure Active Directory B2C

[!INCLUDE active-directory-b2c-choose-user-flow-or-custom-policy]

Prerequisites

[!INCLUDE active-directory-b2c-customization-prerequisites]

Create a PingOne application

To enable sign-in for users with a PingOne (Ping Identity) account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in the Ping Identity Administrator Console. If you don't already have a PingOne account, you can sign up at https://admin.pingone.com/web-portal/register.

  1. Sign in to the Ping Identity Administrator Console with your PingOne account credentials.
  2. In the left menu of the page, select Connections, then next to Applications, select +.
  3. On the New Application page, select web app, then under OIDC, select Configure.
  4. Enter an Application name, and select Next.
  5. For the Redirect URLs, enter https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp. If you use a custom domain, enter https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp. Replace your-domain-name with your custom domain, and your-tenant-name with the name of your tenant. Use all lowercase letters when entering your tenant name even if the tenant is defined with uppercase letters in Azure AD B2C.
  6. Select Save and Continue.
  7. Under SCOPES select email, and profile, then select Save and Continue.
  8. Under OIDC attributes page, select Save and Close.
  9. From the list of applications, select the application you created.
  10. In the application Profile page, do the following:
    1. Next to the application name enable the app using the switch button.
    2. Copy the values of Client ID.
  11. Select the Configuration tab, and do the following:
    1. Copy the OIDC discovery endpoint.
    2. Show and copy the Client secret.
    3. Change the mode to edit. Then, under the Token endpoint authentication method change the value to Client Secret Post, and select Save

::: zone pivot="b2c-user-flow"

Configure PingOne as an identity provider

  1. If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.

  2. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.

  3. Select Identity providers, and then select New OpenID Connect provider.

  4. Enter a Name. For example, enter PingOne.

  5. For Metadata url, enter the OIDC DISCOVERY ENDPOINT that you previously recorded. For example:

    https://auth.pingone.eu/00000000-0000-0000-0000-000000000000/as/.well-known/openid-configuration

  6. For Client ID, enter the client ID that you previously recorded.

  7. For Client secret, enter the client secret that you previously recorded.

  8. For Scope, enter openid email profile.

  9. Leave the default values for Response type, and Response mode.

  10. (Optional) For the Domain hint, enter pingone.com. For more information, see Set up direct sign-in using Azure Active Directory B2C.

  11. Under Identity provider claims mapping, select the following claims:

    • User ID: sub
    • Display name: name
    • Given name: given_name
    • Surname: family_name
    • Email: email

  12. Select Save.

Add PingOne identity provider to a user flow

At this point, the PingOne identity provider has been set up, but it's not yet available in any of the sign-in pages. To add the PingOne identity provider to a user flow:

  1. In your Azure AD B2C tenant, select User flows.
  2. Click the user flow that you want to add the PingOne identity provider.
  3. Under the Social identity providers, select PingOne.
  4. Select Save.
  5. To test your policy, select Run user flow.
  6. For Application, select the web application named testapp1 that you previously registered. The Reply URL should show https://jwt.ms.
  7. Select the Run user flow button.
  8. From the sign-up or sign-in page, select PingOne to sign in with PingOne account.

If the sign-in process is successful, your browser is redirected to https://jwt.ms, which displays the contents of the token returned by Azure AD B2C.

::: zone-end

::: zone pivot="b2c-custom-policy"

Create a policy key

You need to store the client secret that you previously recorded in your Azure AD B2C tenant.

  1. Sign in to the Azure portal.
  2. If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
  3. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
  4. On the Overview page, select Identity Experience Framework.
  5. Select Policy Keys and then select Add.
  6. For Options, choose Manual.
  7. Enter a Name for the policy key. For example, PingOneSecret. The prefix B2C_1A_ is added automatically to the name of your key.
  8. In Secret, enter your client secret that you previously recorded.
  9. For Key usage, select Signature.
  10. Click Create.

Configure PingOne as an identity provider

To enable users to sign in using a PingOne account, you need to define the account as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated.

You can define a PingOne account as a claims provider by adding it to the ClaimsProviders element in the extension file of your policy.

  1. Open the TrustFrameworkExtensions.xml.

  2. Find the ClaimsProviders element. If it does not exist, add it under the root element.

  3. Add a new ClaimsProvider as follows:

    <ClaimsProvider>
  <Domain>pingone.com</Domain>
  <DisplayName>PingOne</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="PingOne-OpenIdConnect">
      <DisplayName>Ping Identity</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <Item Key="METADATA">Your PingOne OIDC discovery endpoint</Item>
        <Item Key="client_id">Your PingOne client ID</Item>
        <Item Key="response_types">code</Item>
        <Item Key="scope">openid email profile</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">0</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_PingOneSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

  4. Set the METADATA metadata to your PingOne OIDC discovery endpoint.

  5. Set client_id metadata to your PingOne client ID.

  6. Save the file.

[!INCLUDE active-directory-b2c-add-identity-provider-to-user-journey]

<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
  <ClaimsProviderSelections>
    ...
    <ClaimsProviderSelection TargetClaimsExchangeId="PingOneExchange" />
  </ClaimsProviderSelections>
  ...
</OrchestrationStep>

<OrchestrationStep Order="2" Type="ClaimsExchange">
  ...
  <ClaimsExchanges>
    <ClaimsExchange Id="PingOneExchange" TechnicalProfileReferenceId="PingOne-OpenIdConnect" />
  </ClaimsExchanges>
</OrchestrationStep>

[!INCLUDE active-directory-b2c-configure-relying-party-policy]

Test your custom policy

  1. Select your relying party policy, for example B2C_1A_signup_signin.
  2. For Application, select a web application that you previously registered. The Reply URL should show https://jwt.ms.
  3. Select the Run now button.
  4. From the sign-up or sign-in page, select PingOne to sign in with PingOne account.

If the sign-in process is successful, your browser is redirected to https://jwt.ms, which displays the contents of the token returned by Azure AD B2C.

::: zone-end

Next steps

Learn how to pass a PingOne token to your application.