PingOne Platform APIs

Create Identity Provider (OpenID Connect)

   

POST {{apiPath}}/environments/{{envID}}/identityProviders

The POST {{apiPath}}/environments/{{envID}}/identityProviders operation adds a new identity provider resource to the specified environment.

When the type property value is set to OPENID_CONNECT, the OpenID Connect application’s clientId and clientSecret property values are required in the request body. Other required properties are: name, type, authorizationEndpoint, jwksEndpoint, tokenEndpoint, issuer, scopes, and tokenEndpointAuthMethod.

Prerequisites

Request Model

OpenID Connect identity provider settings data model

Property Type Required?

authorizationEndpoint

Required

Mutable

clientId

String

Required

clientSecret

String

Required

discoveryEndpoint

String

Optional

issuer

String

Required

jwksEndpoint

String

Required

scopes

String

Required

tokenEndpoint

String

Required

tokenEndpointAuthMethod

userInfoEndpoint

String

Optional

OpenID Connect core attributes

Property Description

username

A string that specifies the core OpenID Connect attribute. The default value is ${providerAttributes.sub} and the default update value is EMPTY_ONLY.

OpenID Connect provider attributes

Permission Provider attributes

openid

sub

Refer to Base IdP data model for the properties available to all of the supported identity providers.

Clients can specify any attribute that the identity provider returns in an ID token (for example, iss, aud, exp). For more information, refer to OpenID Connect 1.0.

Query parameters
Parameter Description

expand

When equal to attributes, shows the details for the core attribute mapping created by the request.

Example: POST {{apiPath}}/environments/{{envID}}/identityProviders?expand=attributes

Headers

Authorization      Bearer {{accessToken}}

Content-Type      application/json

Body

raw ( application/json )

{
    "description": "Custom OpenID Connect Provider",
    "enabled": true,
    "name": "OpenIDConnectIdP",
    "type": "OPENID_CONNECT",
    "clientId": "OPENID_CONNECT_ID",
    "clientSecret": "OPENID_CONNECT_SECRET",
    "authorizationEndpoint": "https://OPENID_CONNECT_AUTH_ENDPOINT",
    "tokenEndpoint": "https://OPENID_CONNECT_TOKEN_ENDPOINT",
    "userInfoEndpoint": "https://OPENID_CONNECT_USER_INFO_ENDPOINT",
    "jwksEndpoint": "https://OPENID_CONNECT_JWKS_ENDPOINT",
    "issuer": "https://OPENID_CONNECT_ISSUER",
    "scopes": ["openid", "CUSTOM_SCOPE"],
    "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
    "discoveryEndpoint": "https://OPENID_CONNECT_DISCOVERY_ENDPOINT"
}

Example Request

  • cURL

  • C#

  • Go

  • HTTP

  • Java

  • jQuery

  • NodeJS

  • Python

  • PHP

  • Ruby

  • Swift

# Create an OpenID Connect identity provider in the target environment.
# NOTE: the bearer token and clientSecret are passed as command-line arguments,
# so they can end up in shell history and in process listings on shared hosts.
curl -L -g '{{apiPath}}/environments/{{envID}}/identityProviders' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer {{accessToken}}' \
  -d '{
    "description": "Custom OpenID Connect Provider",
    "enabled": true,
    "name": "OpenIDConnectIdP",
    "type": "OPENID_CONNECT",
    "clientId": "OPENID_CONNECT_ID",
    "clientSecret": "OPENID_CONNECT_SECRET",
    "authorizationEndpoint": "https://OPENID_CONNECT_AUTH_ENDPOINT",
    "tokenEndpoint": "https://OPENID_CONNECT_TOKEN_ENDPOINT",
    "userInfoEndpoint": "https://OPENID_CONNECT_USER_INFO_ENDPOINT",
    "jwksEndpoint": "https://OPENID_CONNECT_JWKS_ENDPOINT",
    "issuer": "https://OPENID_CONNECT_ISSUER",
    "scopes": ["openid", "CUSTOM_SCOPE"],
    "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
    "discoveryEndpoint": "https://OPENID_CONNECT_DISCOVERY_ENDPOINT"
}'
// Create an OpenID Connect identity provider via RestSharp.
// NOTE(review): MaxTimeout = -1 is kept from the original sample; presumably it
// disables the request timeout - confirm for the RestSharp version in use.
var clientOptions = new RestClientOptions("{{apiPath}}/environments/{{envID}}/identityProviders")
{
  MaxTimeout = -1,
};
var restClient = new RestClient(clientOptions);

var createIdp = new RestRequest("", Method.Post);
createIdp.AddHeader("Content-Type", "application/json");
createIdp.AddHeader("Authorization", "Bearer {{accessToken}}");

// Same JSON document as the concatenated form, one line per element joined with "\n".
var json = string.Join("\n", new[]
{
  "{",
  "    \"description\": \"Custom OpenID Connect Provider\",",
  "    \"enabled\": true,",
  "    \"name\": \"OpenIDConnectIdP\",",
  "    \"type\": \"OPENID_CONNECT\",",
  "    \"clientId\": \"OPENID_CONNECT_ID\",",
  "    \"clientSecret\": \"OPENID_CONNECT_SECRET\",",
  "    \"authorizationEndpoint\": \"https://OPENID_CONNECT_AUTH_ENDPOINT\",",
  "    \"tokenEndpoint\": \"https://OPENID_CONNECT_TOKEN_ENDPOINT\",",
  "    \"userInfoEndpoint\": \"https://OPENID_CONNECT_USER_INFO_ENDPOINT\",",
  "    \"jwksEndpoint\": \"https://OPENID_CONNECT_JWKS_ENDPOINT\",",
  "    \"issuer\": \"https://OPENID_CONNECT_ISSUER\",",
  "    \"scopes\": [\"openid\", \"CUSTOM_SCOPE\"],",
  "    \"tokenEndpointAuthMethod\": \"CLIENT_SECRET_BASIC\",",
  "    \"discoveryEndpoint\": \"https://OPENID_CONNECT_DISCOVERY_ENDPOINT\"",
  "}",
});
createIdp.AddStringBody(json, DataFormat.Json);

// The response content is printed verbatim; in the documented example response
// it includes clientSecret, so treat this output as sensitive.
RestResponse response = await restClient.ExecuteAsync(createIdp);
Console.WriteLine(response.Content);
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"
)

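// main sends the Create Identity Provider (OpenID Connect) request and prints
// the response body. Errors are printed and end the program early.
func main() {
	url := "{{apiPath}}/environments/{{envID}}/identityProviders"
	method := "POST"

	payload := strings.NewReader(`{
    "description": "Custom OpenID Connect Provider",
    "enabled": true,
    "name": "OpenIDConnectIdP",
    "type": "OPENID_CONNECT",
    "clientId": "OPENID_CONNECT_ID",
    "clientSecret": "OPENID_CONNECT_SECRET",
    "authorizationEndpoint": "https://OPENID_CONNECT_AUTH_ENDPOINT",
    "tokenEndpoint": "https://OPENID_CONNECT_TOKEN_ENDPOINT",
    "userInfoEndpoint": "https://OPENID_CONNECT_USER_INFO_ENDPOINT",
    "jwksEndpoint": "https://OPENID_CONNECT_JWKS_ENDPOINT",
    "issuer": "https://OPENID_CONNECT_ISSUER",
    "scopes": ["openid", "CUSTOM_SCOPE"],
    "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
    "discoveryEndpoint": "https://OPENID_CONNECT_DISCOVERY_ENDPOINT"
}`)

	// A zero-value http.Client never times out; bound the whole exchange so a
	// stalled connection cannot hang the program.
	client := &http.Client{Timeout: 30 * time.Second}

	req, err := http.NewRequest(method, url, payload)
	if err != nil {
		fmt.Println(err)
		return
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer {{accessToken}}")

	res, err := client.Do(req)
	if err != nil {
		fmt.Println(err)
		return
	}
	defer res.Body.Close()

	// Cap the read so an unexpectedly large response cannot exhaust memory.
	body, err := io.ReadAll(io.LimitReader(res.Body, 1<<20))
	if err != nil {
		fmt.Println(err)
		return
	}

	// The documented success status is 201 Created; make any non-2xx result
	// visible instead of printing an error document as if it were a success.
	if res.StatusCode < 200 || res.StatusCode > 299 {
		fmt.Println("unexpected HTTP status:", res.Status)
	}

	// The documented example response includes clientSecret, so this output
	// should be treated as sensitive.
	fmt.Println(string(body))
}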
POST /environments/{{envID}}/identityProviders HTTP/1.1
Host: {{apiPath}}
Content-Type: application/json
Authorization: Bearer {{accessToken}}

{
    "description": "Custom OpenID Connect Provider",
    "enabled": true,
    "name": "OpenIDConnectIdP",
    "type": "OPENID_CONNECT",
    "clientId": "OPENID_CONNECT_ID",
    "clientSecret": "OPENID_CONNECT_SECRET",
    "authorizationEndpoint": "https://OPENID_CONNECT_AUTH_ENDPOINT",
    "tokenEndpoint": "https://OPENID_CONNECT_TOKEN_ENDPOINT",
    "userInfoEndpoint": "https://OPENID_CONNECT_USER_INFO_ENDPOINT",
    "jwksEndpoint": "https://OPENID_CONNECT_JWKS_ENDPOINT",
    "issuer": "https://OPENID_CONNECT_ISSUER",
    "scopes": ["openid", "CUSTOM_SCOPE"],
    "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
    "discoveryEndpoint": "https://OPENID_CONNECT_DISCOVERY_ENDPOINT"
}
// Create an OpenID Connect identity provider with OkHttp.
OkHttpClient client = new OkHttpClient().newBuilder().build();

// Request document, one JSON line per literal; the concatenation yields the
// same string as the single-literal form.
String json = "{\n"
    + "    \"description\": \"Custom OpenID Connect Provider\",\n"
    + "    \"enabled\": true,\n"
    + "    \"name\": \"OpenIDConnectIdP\",\n"
    + "    \"type\": \"OPENID_CONNECT\",\n"
    + "    \"clientId\": \"OPENID_CONNECT_ID\",\n"
    + "    \"clientSecret\": \"OPENID_CONNECT_SECRET\",\n"
    + "    \"authorizationEndpoint\": \"https://OPENID_CONNECT_AUTH_ENDPOINT\",\n"
    + "    \"tokenEndpoint\": \"https://OPENID_CONNECT_TOKEN_ENDPOINT\",\n"
    + "    \"userInfoEndpoint\": \"https://OPENID_CONNECT_USER_INFO_ENDPOINT\",\n"
    + "    \"jwksEndpoint\": \"https://OPENID_CONNECT_JWKS_ENDPOINT\",\n"
    + "    \"issuer\": \"https://OPENID_CONNECT_ISSUER\",\n"
    + "    \"scopes\": [\"openid\", \"CUSTOM_SCOPE\"],\n"
    + "    \"tokenEndpointAuthMethod\": \"CLIENT_SECRET_BASIC\",\n"
    + "    \"discoveryEndpoint\": \"https://OPENID_CONNECT_DISCOVERY_ENDPOINT\"\n"
    + "}";
MediaType jsonType = MediaType.parse("application/json");
RequestBody body = RequestBody.create(jsonType, json);

Request request = new Request.Builder()
    .url("{{apiPath}}/environments/{{envID}}/identityProviders")
    .method("POST", body)
    .addHeader("Content-Type", "application/json")
    .addHeader("Authorization", "Bearer {{accessToken}}")
    .build();

// NOTE(review): the Response is not closed in this snippet; the caller should
// close it once the body has been consumed.
Response response = client.newCall(request).execute();
// Request document for the new OpenID Connect identity provider.
var idpDefinition = {
  description: "Custom OpenID Connect Provider",
  enabled: true,
  name: "OpenIDConnectIdP",
  type: "OPENID_CONNECT",
  clientId: "OPENID_CONNECT_ID",
  clientSecret: "OPENID_CONNECT_SECRET",
  authorizationEndpoint: "https://OPENID_CONNECT_AUTH_ENDPOINT",
  tokenEndpoint: "https://OPENID_CONNECT_TOKEN_ENDPOINT",
  userInfoEndpoint: "https://OPENID_CONNECT_USER_INFO_ENDPOINT",
  jwksEndpoint: "https://OPENID_CONNECT_JWKS_ENDPOINT",
  issuer: "https://OPENID_CONNECT_ISSUER",
  scopes: ["openid", "CUSTOM_SCOPE"],
  tokenEndpointAuthMethod: "CLIENT_SECRET_BASIC",
  discoveryEndpoint: "https://OPENID_CONNECT_DISCOVERY_ENDPOINT"
};

// jQuery.ajax settings: POST the serialized document with the bearer token.
var settings = {
  url: "{{apiPath}}/environments/{{envID}}/identityProviders",
  method: "POST",
  timeout: 0,
  headers: {
    "Content-Type": "application/json",
    "Authorization": "Bearer {{accessToken}}"
  },
  data: JSON.stringify(idpDefinition)
};

// Logs the parsed response; in the documented example it includes clientSecret,
// so avoid leaving this logging enabled where consoles are captured.
function logResponse(response) {
  console.log(response);
}

$.ajax(settings).done(logResponse);
// NOTE: the `request` package is deprecated upstream; it is kept here to match
// the original sample.
var request = require('request');

// Request document for the new OpenID Connect identity provider.
var idpDefinition = {
  description: "Custom OpenID Connect Provider",
  enabled: true,
  name: "OpenIDConnectIdP",
  type: "OPENID_CONNECT",
  clientId: "OPENID_CONNECT_ID",
  clientSecret: "OPENID_CONNECT_SECRET",
  authorizationEndpoint: "https://OPENID_CONNECT_AUTH_ENDPOINT",
  tokenEndpoint: "https://OPENID_CONNECT_TOKEN_ENDPOINT",
  userInfoEndpoint: "https://OPENID_CONNECT_USER_INFO_ENDPOINT",
  jwksEndpoint: "https://OPENID_CONNECT_JWKS_ENDPOINT",
  issuer: "https://OPENID_CONNECT_ISSUER",
  scopes: ["openid", "CUSTOM_SCOPE"],
  tokenEndpointAuthMethod: "CLIENT_SECRET_BASIC",
  discoveryEndpoint: "https://OPENID_CONNECT_DISCOVERY_ENDPOINT"
};

var options = {
  method: 'POST',
  url: '{{apiPath}}/environments/{{envID}}/identityProviders',
  headers: {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer {{accessToken}}'
  },
  body: JSON.stringify(idpDefinition)
};

// Transport errors are rethrown; otherwise the raw response body is printed.
// In the documented example that body includes clientSecret.
request(options, function (error, response) {
  if (error) {
    throw new Error(error);
  }
  console.log(response.body);
});
import requests
import json

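# Create an OpenID Connect identity provider in the target environment.
url = "{{apiPath}}/environments/{{envID}}/identityProviders"

# Request document, serialized once so the exact bytes sent are explicit.
payload = json.dumps({
  "description": "Custom OpenID Connect Provider",
  "enabled": True,
  "name": "OpenIDConnectIdP",
  "type": "OPENID_CONNECT",
  "clientId": "OPENID_CONNECT_ID",
  "clientSecret": "OPENID_CONNECT_SECRET",
  "authorizationEndpoint": "https://OPENID_CONNECT_AUTH_ENDPOINT",
  "tokenEndpoint": "https://OPENID_CONNECT_TOKEN_ENDPOINT",
  "userInfoEndpoint": "https://OPENID_CONNECT_USER_INFO_ENDPOINT",
  "jwksEndpoint": "https://OPENID_CONNECT_JWKS_ENDPOINT",
  "issuer": "https://OPENID_CONNECT_ISSUER",
  "scopes": [
    "openid",
    "CUSTOM_SCOPE"
  ],
  "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
  "discoveryEndpoint": "https://OPENID_CONNECT_DISCOVERY_ENDPOINT"
})
headers = {
  'Content-Type': 'application/json',
  'Authorization': 'Bearer {{accessToken}}'
}

# requests applies no timeout by default, so a stalled connection would block
# indefinitely; bound the connect/read wait explicitly (seconds).
response = requests.request("POST", url, headers=headers, data=payload, timeout=30)

# In the documented example the response body includes clientSecret, so treat
# this output as sensitive.
print(response.text)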
<?php
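require_once 'HTTP/Request2.php';

// Create an OpenID Connect identity provider in the target environment.
$request = new HTTP_Request2();
$request->setUrl('{{apiPath}}/environments/{{envID}}/identityProviders');
$request->setMethod(HTTP_Request2::METHOD_POST);
$request->setConfig(array(
  'follow_redirects' => TRUE
));
$request->setHeader(array(
  'Content-Type' => 'application/json',
  'Authorization' => 'Bearer {{accessToken}}'
));

// Build the body with json_encode(): inside a single-quoted PHP string "\n" is a
// literal backslash followed by "n", which is not valid JSON whitespace, so a
// hand-written single-quoted document with \n sequences is not parseable JSON.
$request->setBody(json_encode(array(
  'description' => 'Custom OpenID Connect Provider',
  'enabled' => true,
  'name' => 'OpenIDConnectIdP',
  'type' => 'OPENID_CONNECT',
  'clientId' => 'OPENID_CONNECT_ID',
  'clientSecret' => 'OPENID_CONNECT_SECRET',
  'authorizationEndpoint' => 'https://OPENID_CONNECT_AUTH_ENDPOINT',
  'tokenEndpoint' => 'https://OPENID_CONNECT_TOKEN_ENDPOINT',
  'userInfoEndpoint' => 'https://OPENID_CONNECT_USER_INFO_ENDPOINT',
  'jwksEndpoint' => 'https://OPENID_CONNECT_JWKS_ENDPOINT',
  'issuer' => 'https://OPENID_CONNECT_ISSUER',
  'scopes' => array('openid', 'CUSTOM_SCOPE'),
  'tokenEndpointAuthMethod' => 'CLIENT_SECRET_BASIC',
  'discoveryEndpoint' => 'https://OPENID_CONNECT_DISCOVERY_ENDPOINT'
), JSON_UNESCAPED_SLASHES));

try {
  $response = $request->send();
  $status = $response->getStatus();
  // The documented success status for this call is 201 Created, so accept any
  // 2xx status rather than only 200.
  if ($status >= 200 && $status < 300) {
    // In the documented example this body includes clientSecret.
    echo $response->getBody();
  }
  else {
    echo 'Unexpected HTTP status: ' . $status . ' ' .
    $response->getReasonPhrase();
  }
}
catch(HTTP_Request2_Exception $e) {
  echo 'Error: ' . $e->getMessage();
}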
require "uri"
require "json"
require "net/http"

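# Create an OpenID Connect identity provider in the target environment.
url = URI("{{apiPath}}/environments/{{envID}}/identityProviders")

http = Net::HTTP.new(url.host, url.port)
# Net::HTTP speaks plain HTTP unless TLS is switched on, even when the port is
# 443. Without this line the bearer token and clientSecret would be written to
# the socket unencrypted when the API path is an https URL.
http.use_ssl = (url.scheme == "https")

request = Net::HTTP::Post.new(url)
request["Content-Type"] = "application/json"
request["Authorization"] = "Bearer {{accessToken}}"
request.body = JSON.dump({
  "description": "Custom OpenID Connect Provider",
  "enabled": true,
  "name": "OpenIDConnectIdP",
  "type": "OPENID_CONNECT",
  "clientId": "OPENID_CONNECT_ID",
  "clientSecret": "OPENID_CONNECT_SECRET",
  "authorizationEndpoint": "https://OPENID_CONNECT_AUTH_ENDPOINT",
  "tokenEndpoint": "https://OPENID_CONNECT_TOKEN_ENDPOINT",
  "userInfoEndpoint": "https://OPENID_CONNECT_USER_INFO_ENDPOINT",
  "jwksEndpoint": "https://OPENID_CONNECT_JWKS_ENDPOINT",
  "issuer": "https://OPENID_CONNECT_ISSUER",
  "scopes": [
    "openid",
    "CUSTOM_SCOPE"
  ],
  "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
  "discoveryEndpoint": "https://OPENID_CONNECT_DISCOVERY_ENDPOINT"
})

response = http.request(request)
# In the documented example the response body includes clientSecret, so treat
# this output as sensitive.
puts response.read_body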
// Request document, one JSON line per element; joining with "\n" yields the
// same string as the single-literal form.
let parameters = [
  "{",
  "    \"description\": \"Custom OpenID Connect Provider\",",
  "    \"enabled\": true,",
  "    \"name\": \"OpenIDConnectIdP\",",
  "    \"type\": \"OPENID_CONNECT\",",
  "    \"clientId\": \"OPENID_CONNECT_ID\",",
  "    \"clientSecret\": \"OPENID_CONNECT_SECRET\",",
  "    \"authorizationEndpoint\": \"https://OPENID_CONNECT_AUTH_ENDPOINT\",",
  "    \"tokenEndpoint\": \"https://OPENID_CONNECT_TOKEN_ENDPOINT\",",
  "    \"userInfoEndpoint\": \"https://OPENID_CONNECT_USER_INFO_ENDPOINT\",",
  "    \"jwksEndpoint\": \"https://OPENID_CONNECT_JWKS_ENDPOINT\",",
  "    \"issuer\": \"https://OPENID_CONNECT_ISSUER\",",
  "    \"scopes\": [\"openid\", \"CUSTOM_SCOPE\"],",
  "    \"tokenEndpointAuthMethod\": \"CLIENT_SECRET_BASIC\",",
  "    \"discoveryEndpoint\": \"https://OPENID_CONNECT_DISCOVERY_ENDPOINT\"",
  "}"
].joined(separator: "\n")
let postData = parameters.data(using: .utf8)

// The endpoint string is force-unwrapped and the request has no timeout, as in
// the original sample.
let endpoint = URL(string: "{{apiPath}}/environments/{{envID}}/identityProviders")!
var request = URLRequest(url: endpoint, timeoutInterval: Double.infinity)
request.httpMethod = "POST"
request.addValue("application/json", forHTTPHeaderField: "Content-Type")
request.addValue("Bearer {{accessToken}}", forHTTPHeaderField: "Authorization")
request.httpBody = postData

// Prints the response body as UTF-8 text, or the error when no data arrived.
// In the documented example the body includes clientSecret.
let task = URLSession.shared.dataTask(with: request) { data, response, error in
  if let data = data {
    print(String(data: data, encoding: .utf8)!)
  } else {
    print(String(describing: error))
  }
}

task.resume()

Example Response

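201 Created

In this example the response body returns the clientSecret value alongside the other provider settings, so handle logged or stored copies of the response as sensitive data.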

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/identityProviders/0c9268fd-492e-4cd5-bdc8-33b1273521e1"
        },
        "environment": {
            "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6"
        },
        "attributes": {
            "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/identityProviders/0c9268fd-492e-4cd5-bdc8-33b1273521e1/attributes"
        }
    },
    "id": "0c9268fd-492e-4cd5-bdc8-33b1273521e1",
    "type": "OPENID_CONNECT",
    "name": "OpenIDConnectIdP",
    "description": "Custom OpenID Connect Provider",
    "enabled": true,
    "environment": {
        "id": "abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6"
    },
    "authoritative": false,
    "createdAt": "2020-02-28T18:42:36.781Z",
    "updatedAt": "2020-02-28T18:42:36.781Z",
    "tokenEndpoint": "https://auth.pingone.com/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/as/token",
    "clientId": "OPENID_CONNECT_ID",
    "jwksEndpoint": "https://auth.pingone.com/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/as/jwks",
    "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
    "clientSecret": "OPENID_CONNECT_SECRET",
    "discoveryEndpoint": "https://auth.pingone.com/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/as/.well-known/openid-configuration",
    "scopes": [
        "openid",
        "CUSTOM_SCOPE"
    ],
    "userInfoEndpoint": "https://auth.pingone.com/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/as/userinfo",
    "authorizationEndpoint": "https://auth.pingone.com/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/as/authorize",
    "issuer": "https://auth.pingone.com/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/as"
}