This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 40%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
We are using ADB2C as our identity provider with the existing federation to Azure AD and Ping Identity. Here Ping Identity is owned by Third Party say Customer 1. Now we have a request to integrate to customer 2 which also uses Ping Identity. Should I set up the code block below for customer 2 after procuring the client id and secret from customer 2? I know that if it is an MS AD tenant then I can just add the tenant id in the ValidTokenIssuerPrefixes and MS will handle the organization routing. Wondering if something similar exists for Ping Identity federation as well
<ClaimsProvider>
<Domain>pingone.com</Domain>
<DisplayName>PingOne</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="PingOne-OpenIdConnect">
<DisplayName>Ping Identity</DisplayName>
<Protocol Name="OpenIdConnect" />
<Metadata>
<Item Key="METADATA">Your PingOne OIDC discovery endpoint</Item>
<Item Key="client_id">Your PingOne client ID</Item>
<Item Key="response_types">code</Item>
<Item Key="scope">openid email profile</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="UsePolicyInRedirectUri">0</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_PingOneSecret" />
</CryptographicKeys>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
<OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
<OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
<OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi @Aravind Rajasekharan Pillai ,
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Thanks,
Shweta
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 52%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAB%3C/text%3E%3C/svg%3E)
Hello Aravind,
I was just looking over this and to explain to everyone, you're wondering if the method described in this document could be applicable to a PingOne/PingIdentity implementation: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-multi-tenant?pivots=b2c-custom-policy#restrict-access.
While I don't have as much familiarity with Ping, reviewing the documentation on the B2C side: https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect-technical-profile#metadata
This indicates that this can be used to support any multi-tenant identity provider such as Azure AD. Theoretically, this would be doable with PingOne, however I would make sure you have a common Metadata endpoint that can be used across each PingOne tenant, similar to how AAD does this, and then ensure that you have the ValidTokenIssuerPrefixes enabled and pointing to the right PingOne issuer values, this could all theoretically work, however I'm not very familiar with the PingOne/PingIdentity IdP so there may be a limiting factor there.