> ## Documentation Index
> Fetch the complete documentation index at: https://docs.strata.io/llms.txt
> Use this file to discover all available pages before exploring further.

# PingFederate (OIDC)

The PingFederate connector integrates the Maverics Orchestrator with Ping Identity's PingFederate server -- enabling OIDC-based single sign-on for your applications.

<Note>
  **Console terminology:** In the Maverics Console, this section is called
  **Identity Fabric**. The YAML configuration uses the `connectors` key to define
  identity provider integrations.
</Note>

## Overview

The PingFederate connector uses OpenID Connect to federate authentication with PingFederate and supports standard OIDC flows -- allowing you to extend PingFederate authentication to applications that don't natively support modern identity protocols.

<Note>
  This connector integrates with PingFederate, Ping Identity's on-premises federation server. The connector type in YAML is `pingfederate`.
</Note>

## Use Cases

* **Unify SSO across PingFederate-managed apps** -- Extend PingFederate authentication to legacy applications via header or cookie injection, delivering seamless SSO without modifying existing applications
* **Rationalize identity platforms** -- Orchestrate a phased migration away from PingFederate to a target IdP, reducing Ping licensing costs while maintaining uninterrupted access during the transition
* **Authentication resilience** -- Pair PingFederate with a secondary identity provider for automatic failover, ensuring users retain access if PingFederate becomes unavailable
* **Multi-IdP orchestration** -- Route authentication to PingFederate alongside other identity providers based on user context, enabling coexistence during mergers or multi-vendor environments

## Setup

<Tabs>
  <Tab title="Console UI">
    To create a Ping Federate (OIDC) connector in the Maverics Console:

    1. Navigate to **Identity Fabric** in the Console sidebar.
    2. Click **Create** and select **Ping Federate (OIDC)**.

    <Note>
      The Console also offers **Ping Federate (SAML)** for SAML-based integration. This page covers the OIDC variant. Select **Ping Federate (OIDC)** for OpenID Connect federation.
    </Note>

    3. Enter a **Name** for the connector -- this is the friendly name that identifies your PingFederate integration.
    4. Enter the **OIDC Well Known URL** -- the OpenID Connect discovery endpoint for your PingFederate server (e.g., `https://your-pingfederate-host/.well-known/openid-configuration`).
    5. Enter the **OAuth Client ID** -- the client ID of the application registered in PingFederate.
    6. Enter the **OAuth Client Secret** -- the client secret associated with the client ID. Use the show/hide toggle to verify the value.
    7. Add one or more **Redirect URLs** -- the callback URL(s) where PingFederate redirects users after authentication. The Maverics OIDC handler will be served on this URL.
    8. Optionally add **Logout Callback URLs** -- the URL(s) that PingFederate calls after a successful logout.
    9. Optionally enter **Scopes** -- space-separated OIDC scopes to request (e.g., `openid profile email`). If left empty, default scopes are used.
    10. **Proof Key for Code Exchange (PKCE)** is enabled by default. Disable this toggle only if your PingFederate server is not configured to support PKCE.
    11. Optionally enable **Offline Access** if you need refresh tokens. When enabled, set your policy's `decision.lifetime` slightly longer than the interval for token refreshing.
    12. Click **Save**.
  </Tab>

  <Tab title="Configuration">
    ```yaml theme={null}
    connectors:
      - name: pingfederate
        type: pingfederate
        oidcWellKnownURL: "https://{{ env.PING_HOST }}/.well-known/openid-configuration"
        oauthClientID: "{{ env.PING_CLIENT_ID }}"
        oauthClientSecret: <vault.ping_client_secret>
        oauthRedirectURL: "https://app.example.com/oidc/callback"
    ```

    ## Configuration Reference

    | Key                 | Type   | Required | Description                                              |
    | ------------------- | ------ | -------- | -------------------------------------------------------- |
    | `name`              | string | Yes      | Unique connector identifier referenced in app policies   |
    | `type`              | string | Yes      | Must be `pingfederate`                                   |
    | `oidcWellKnownURL`  | string | Yes      | OIDC discovery endpoint URL for your PingFederate server |
    | `oauthClientID`     | string | Yes      | OAuth 2.0 client ID from PingFederate                    |
    | `oauthClientSecret` | string | Yes      | OAuth 2.0 client secret (use secret reference syntax)    |
    | `oauthRedirectURL`  | string | Yes      | Callback URL registered with the PingFederate client     |
    | `tls`               | string | No       | Named TLS profile for provider communication             |

    For the complete field reference including health checks, offline access, and PKCE settings, see [Identity Fabric](/reference/orchestrator/identity-fabric#configuration-reference).
  </Tab>
</Tabs>

## Troubleshooting

* **Verify the `oidcWellKnownURL` is accessible** from the Orchestrator host -- ensure the PingFederate hostname and port are correct
* **Ensure the `oauthRedirectURL` matches exactly** what is registered in the PingFederate client configuration
* **Check that the client secret reference resolves correctly** via your secret provider

## Related Pages

<CardGroup cols={2}>
  <Card title="Identity Fabric" icon="id-badge" href="/reference/orchestrator/identity-fabric">
    Overview of all identity providers
  </Card>

  <Card title="Generic OIDC" icon="key" href="/reference/orchestrator/identity-fabric/custom-oidc">
    Generic OpenID Connect connector
  </Card>

  <Card title="Okta" icon="shield-halved" href="/reference/orchestrator/identity-fabric/okta">
    OIDC connector for Okta
  </Card>

  <Card title="Continuity" icon="arrows-rotate" href="/reference/orchestrator/identity-fabric/continuity">
    Failover connector for IdP high availability
  </Card>
</CardGroup>
