How to setup PingFederate in Keycloak with OIDC¶
This guide explains how to configure PingFederate as an Identity Provider (IdP) in Keycloak.
Note
This guide assumes that you have access to the Authentication Admin Console and to your PingFederate instance.
Note
You need the discovery info endpoint URL from your PingFederate instance. This URL is used to configure the IdP auto-discovery in Keycloak.
Following this guide the URL should be https://<PINGFEDERATE_HOST>/.well-known/openid-configuration.
Client and Keycloak Configuration¶
To configure PingFederate as an IdP in Keycloak, you need to go to the Authentication Admin Console and follow these steps:
Go to > > .
Select an alias for the IdP, for example,
PingFederateand copy the redirect URL.Open a new page and go to your PingFederate console.
Next, we need to create a new OIDC client in PingFederate, you can follow this guide to create a new client. Feel free to configure the settings as needed, however, it is recommended to use the following parameters:
Field |
Value |
|
|---|---|---|
Client Authentication |
Client Secret |
|
Allowed Grant Types |
Select at least Authorization Code |
|
Scopes |
At least openid and profile |
|
Redirection URI |
The redirect URL from Keycloak |
Note
Other parameters have to be configured depending on your own setup.
Now you can copy the client id and the secret, and put them in the Keycloak configuration. After that, simply click on .
Next step is adding a new mapper in with the following settings:
Name:
usernameMapper Type:
Attribute ImporterAttribute Name:
subUser Attribute Name:
username
Note
The Attribute Name MAY be different for you, refer to your claim names to make sure. In this configuration we used sub that is the default with profile scope
At this point, you can complete the rest of the configuration with common settings, please refer to Common IdP configuration and IdP After Setting up configuration sections to find all the information you need.
