Set Up OIDC Authentication (PingOne)

Learn about setting up OIDC authentication for PingOne in the Cloud Identity Engine (CIE).
  1. Set up OIDC as an authentication type in the Cloud Identity Engine.
    1. Select Authentication > Authentication Types > Add New Authentication Type.
    2. Set Up the OIDC authentication type.
    3. Enter a unique and descriptive Authentication Type Name for your OIDC configuration.
    4. Copy the Callback URL/Redirect URL.
  2. Configure PingOne to use OIDC with the Cloud Identity Engine.
    1. Sign On to your PingOne account.
    2. Select Applications.
    3. Select OIDC then click Add Application.
    4. Select Web App then click Next.
    5. Enter an Application Name, a Short Description for the app, and select the app Category, then click Next.
  3. Continue the OIDC Okta configuration.
    1. Click Add Secret then click Next.
    2. Enter the Start SSO URL and the Redirect URIs then click Next.
    3. Click Next.
      No configuration changes are necessary for this step.
    4. Add all the scopes in the List of Scopes to the Connected Scopes then click Next.
    5. Select Email (Work) as the sub attribute then click Next.
    6. Select all the Available Groups and add them to the Added Groups then click Done.
  4. Obtain the information you need to complete your OIDC PingOne configuration and enter it in your Cloud Identity Engine configuration.
    1. Copy the following information from your configuration and save it in a secure location:
      • The Application Name you entered in step 2.
      • The Client ID and Client Secrets you added in step 3.
        Don’t allow the client secret to expire. If the client secret isn’t up to date, users can’t log in using OIDC.
      • The Issuer URL (as shown below).
    2. Enter the Application Name you entered in PingOne in step 2 as the Client Name.
    3. Enter the Client ID you created in PingOne in step 3.
    4. Enter the Client Secrets you created in PingOne in step 3 as the Client Secret.
    5. Enter the Issuer URL for your PingOne IdP that you copied in step 4 as the Issuer URL.
    6. (Optional) If you have your Endpoint URL, enter it here. If not, continue to the next step (the Cloud Identity Engine populates the Endpoint URL automatically after you successfully test the connection).
    7. Click Test Connection and log in to confirm that the Cloud Identity Engine can reach your PingOne IdP using OIDC.
      If you did not enter the OIDC Issuer URL in the previous step, the Cloud Identity Engine automatically populates the information.
    8. After confirming that the connection is successful, Submit the configuration.
      You can now use OIDC as an authentication type when you Set Up an Authentication Profile.
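
A pre-flight check for the Issuer URL from step 4, added here as an example (it is not code from the product documentation). It assumes the IdP publishes a standard OIDC discovery document at `/.well-known/openid-configuration`; the function names and the `idp.example.com` sample values are constructed placeholders.

```python
import json
import urllib.request
from urllib.parse import urlsplit

# Endpoints an OIDC relying party needs from the discovery document.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def discovery_url(issuer):
    """OIDC Discovery 1.0: strip a trailing slash, then append the well-known path."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def fetch_metadata(issuer, timeout=10):
    """Fetch the discovery document over HTTPS (not used by the offline sample)."""
    if urlsplit(issuer).scheme != "https":
        raise ValueError("refusing to fetch discovery metadata over a non-https URL")
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)

def check_metadata(issuer, metadata):
    """Return a list of problems; an empty list means the Issuer URL is usable as typed."""
    problems = []
    if urlsplit(issuer).scheme != "https":
        problems.append("Issuer URL is not https")
    # The spec requires an exact string match, so a stray trailing slash counts.
    if metadata.get("issuer") != issuer:
        problems.append(f"issuer mismatch: document says {metadata.get('issuer')!r}")
    for name in REQUIRED_ENDPOINTS:
        value = metadata.get(name, "")
        if not value:
            problems.append(f"{name} missing")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{name} is not https")
    return problems

# Constructed sample document; idp.example.com is a placeholder, not a PingOne URL.
SAMPLE_ISSUER = "https://idp.example.com/tenant-placeholder"
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://idp.example.com/tenant-placeholder",
  "authorization_endpoint": "https://idp.example.com/tenant-placeholder/authorize",
  "token_endpoint": "https://idp.example.com/tenant-placeholder/token",
  "jwks_uri": "https://idp.example.com/tenant-placeholder/jwks"
}""")

if __name__ == "__main__":
    for candidate in (SAMPLE_ISSUER, SAMPLE_ISSUER + "/"):
        print(candidate, "->", check_metadata(candidate, SAMPLE_METADATA) or "OK")
```

To check a real tenant, pass the Issuer URL you copied to `fetch_metadata` and hand the result to `check_metadata` before entering the URL in the Cloud Identity Engine.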