Skip to main content
The PingFederate connector integrates the Maverics Orchestrator with Ping Identity’s PingFederate server — enabling OIDC-based single sign-on for your applications.
Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.

Overview

The PingFederate connector uses OpenID Connect to federate authentication with PingFederate and supports standard OIDC flows — allowing you to extend PingFederate authentication to applications that don’t natively support modern identity protocols.
This connector integrates with PingFederate, Ping Identity’s on-premises federation server. The connector type in YAML is pingfederate.

Use Cases

  • Unify SSO across PingFederate-managed apps — Extend PingFederate authentication to legacy applications via header or cookie injection, delivering seamless SSO without modifying existing applications
  • Rationalize identity platforms — Orchestrate a phased migration away from PingFederate to a target IdP, reducing Ping licensing costs while maintaining uninterrupted access during the transition
  • Authentication resilience — Pair PingFederate with a secondary identity provider for automatic failover, ensuring users retain access if PingFederate becomes unavailable
  • Multi-IdP orchestration — Route authentication to PingFederate alongside other identity providers based on user context, enabling coexistence during mergers or multi-vendor environments

Setup

To create a Ping Federate (OIDC) connector in the Maverics Console:
  1. Navigate to Identity Fabric in the Console sidebar.
  2. Click Create and select Ping Federate (OIDC).
The Console also offers Ping Federate (SAML) for SAML-based integration. This page covers the OIDC variant. Select Ping Federate (OIDC) for OpenID Connect federation.
  1. Enter a Name for the connector — this is the friendly name that identifies your PingFederate integration.
  2. Enter the OIDC Well Known URL — the OpenID Connect discovery endpoint for your PingFederate server (e.g., https://your-pingfederate-host/.well-known/openid-configuration).
  3. Enter the OAuth Client ID — the client ID of the application registered in PingFederate.
  4. Enter the OAuth Client Secret — the client secret associated with the client ID. Use the show/hide toggle to verify the value.
  5. Add one or more Redirect URLs — the callback URL(s) where PingFederate redirects users after authentication. The Maverics OIDC handler will be served on this URL.
  6. Optionally add Logout Callback URLs — the URL(s) that PingFederate calls after a successful logout.
  7. Optionally enter Scopes — space-separated OIDC scopes to request (e.g., openid profile email). If left empty, default scopes are used.
  8. Proof Key for Code Exchange (PKCE) is enabled by default. Disable this toggle only if your PingFederate server is not configured to support PKCE.
  9. Optionally enable Offline Access if you need refresh tokens. When enabled, set your policy’s decision.lifetime slightly longer than the interval for token refreshing.
  10. Click Save.

Troubleshooting

  • Verify the oidcWellKnownURL is accessible from the Orchestrator host — ensure the PingFederate hostname and port are correct
  • Ensure the oauthRedirectURL matches exactly what is registered in the PingFederate client configuration
  • Check that the client secret reference resolves correctly via your secret provider

Identity Fabric

Overview of all identity providers

Generic OIDC

Generic OpenID Connect connector

Okta

OIDC connector for Okta

Continuity

Failover connector for IdP high availability