Connect Ping Identity to authenticate end users with your Char widget. This guide covers both PingOne (cloud) and PingFederate (on-premises/hybrid) configurations.

Prerequisites

  • A Ping Identity account (PingOne or PingFederate)
  • Admin access to create applications
  • Access to the Char dashboard

SDK References

PingOne Configuration

1

Create an Application in PingOne

  1. Sign in to the PingOne Admin Console
  2. Navigate to Applications > Applications
  3. Click + Add Application
  4. Select OIDC Web App
  5. Enter application details:

| Setting | Value |
|---|---|
| Application Name | Char Widget |
| Description | AI widget authentication |
| Icon | (Optional) Upload an icon |

  6. Click Save
2

Configure OIDC Settings

In your application’s OIDC tab:

| Setting | Value |
|---|---|
| Application Type | Single Page App |
| Grant Type | Authorization Code, Implicit (for legacy) |
| Response Type | Code, ID Token |
| PKCE Enforcement | Required (recommended) |
| Redirect URIs | Your callback URLs |
| Signoff URLs | Your logout URLs |

Click Save.
3

Configure Token Settings

In the Resources tab:
  1. Enable the scopes you need: openid, profile, email
  2. Optionally add custom scopes for additional claims
In the Policies tab:
  1. Assign an authentication policy (or use default)
4

Note Your Environment ID and Client ID

From PingOne:
  1. Environment ID: Found in Settings > Environment > Properties
  2. Client ID: Found in your application’s Configuration tab
  3. Region: Note your PingOne region (NA, EU, AP, CA)
[Figure: PingOne Application Settings. Find your Environment ID and Client ID in PingOne.]

The issuer URL format is:
https://auth.pingone.{region}/{environment-id}/as
5

Configure Char

In the Char Dashboard:
  1. Navigate to Settings > Integration
  2. Under SSO Configuration, select Custom OIDC as the provider
  3. Enter your configuration:

| Field | Value |
|---|---|
| Client ID | Your PingOne Client ID |
| Issuer URL | https://auth.pingone.{region}/{environment-id}/as |

  4. Click Test Connection to verify
  5. Click Save Changes

PingOne Configuration Reference

| Char Field | PingOne Value | Example |
|---|---|---|
| Provider Type | Custom OIDC | custom_oidc |
| Client ID | Application Client ID | a1b2c3d4-e5f6-7890-abcd-ef1234567890 |
| Issuer URL | PingOne issuer | https://auth.pingone.com/12345678-abcd-1234-efgh-567890abcdef/as |

PingOne Regions

| Region | Code | Auth URL |
|---|---|---|
| North America | com | auth.pingone.com |
| Europe | eu | auth.pingone.eu |
| Asia-Pacific | asia | auth.pingone.asia |
| Canada | ca | auth.pingone.ca |

Ensure you use the correct regional domain for your PingOne environment. Using the wrong region will result in connection failures.

PingFederate Configuration

For on-premises or hybrid PingFederate deployments:
1

Create an OAuth Client

  1. Sign in to your PingFederate Admin Console
  2. Navigate to Applications > OAuth > Clients
  3. Click Add Client
  4. Configure the client:

| Setting | Value |
|---|---|
| Client ID | Your chosen client ID |
| Client Authentication | None (public client) |
| Redirect URIs | Your callback URLs |
| Allowed Grant Types | Authorization Code, Implicit |
| Allowed Scopes | openid, profile, email |
2

Configure OpenID Connect Policy

  1. Navigate to Applications > OAuth > OpenID Connect > Policies
  2. Create or modify a policy
  3. Ensure the policy includes the required scopes and claims
  4. Assign the policy to your OAuth client
3

Configure Char for PingFederate

In the Char Dashboard:

| Field | Value |
|---|---|
| Client ID | Your PingFederate Client ID |
| Issuer URL | https://{pingfederate-host} |

The issuer URL is your PingFederate server’s base URL.

Token Requirements

Char validates Ping Identity tokens with these requirements:

| Claim | Requirement |
|---|---|
| iss | Must match your configured issuer URL |
| aud | Must include your configured Client ID |
| sub | Required - Ping user identifier |
| exp | Must not be expired |
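The four checks in the table above, written out as a pre-flight diagnostic you can run on a token before handing it to the widget. This is an added example, not Char's or Ping's code; the function names and sample values are assumptions, and it only inspects claims: the signature check against the JWKS is not reproduced here.

```javascript
// Decode one base64url JWT segment to an object (UTF-8 safe). Decoding is not verification.
function decodeSegment(seg) {
  const bin = atob(seg.replace(/-/g, '+').replace(/_/g, '/'));
  return JSON.parse(new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0))));
}

// Returns the reasons the claims would fail the four requirements above.
// An empty array means the claims pass; the signature is NOT checked here.
function checkIdTokenClaims(token, { issuer, clientId, now = Date.now() / 1000 }) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return ['not a three-part JWT'];
  let claims;
  try { claims = decodeSegment(parts[1]); } catch { claims = null; }
  if (claims === null || typeof claims !== 'object') return ['payload is not a JSON object'];

  const problems = [];
  if (claims.iss !== issuer) problems.push(`iss "${claims.iss}" does not match the configured issuer`);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud]; // aud may be a string or a list
  if (!aud.includes(clientId)) problems.push('aud does not include the Client ID');
  if (typeof claims.sub !== 'string' || claims.sub === '') problems.push('sub is missing');
  if (typeof claims.exp !== 'number') problems.push('exp is missing or not numeric');
  else if (claims.exp <= now) problems.push('token is expired'); // exp is in seconds
  return problems;
}

// Constructed sample data (placeholder IDs, not a real environment). The
// signature segment is a dummy because this check never looks at it.
const ISSUER = 'https://auth.pingone.eu/11111111-2222-3333-4444-555555555555/as';
const CLIENT_ID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890';
const b64url = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const makeToken = (claims) => `${b64url({ alg: 'RS256' })}.${b64url(claims)}.sig`;

const NOW = 1700000000;
const good = makeToken({ iss: ISSUER, aud: [CLIENT_ID], sub: 'user-1', exp: NOW + 300 });
const wrongRegion = makeToken({ iss: ISSUER.replace('.eu/', '.com/'), aud: CLIENT_ID, sub: 'user-1', exp: NOW + 300 });
const stale = makeToken({ iss: ISSUER, aud: 'some-other-client', exp: NOW - 1 });

for (const t of [good, wrongRegion, stale]) {
  console.log(checkIdTokenClaims(t, { issuer: ISSUER, clientId: CLIENT_ID, now: NOW }));
}
```

An `aud` failure on an otherwise healthy token is the usual sign that an access token was passed instead of the ID token.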

Standard Ping ID Token Claims

| Claim | Description |
|---|---|
| sub | User identifier |
| email | User’s email address |
| name | User’s full name |
| given_name | First name |
| family_name | Last name |
| preferred_username | Username |
| updated_at | Last profile update timestamp |

Example: Obtaining and Passing the Token

```javascript
import "@mcp-b/embedded-agent/web-component";

// PingOne authentication using Authorization Code + PKCE
const config = {
  authority: 'https://auth.pingone.com/{environment-id}/as',
  client_id: 'your-client-id',
  redirect_uri: window.location.origin + '/callback',
  response_type: 'code',
  scope: 'openid profile email',
  code_challenge_method: 'S256',
};

// After successful authentication and token exchange
function handleCallback(idToken) {
  const agent =
    document.querySelector("webmcp-agent") ?? document.createElement("webmcp-agent");

  if (!agent.isConnected) {
    document.body.appendChild(agent);
  }

  agent.setAttribute("auth-token", idToken);
}
```
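What `code_challenge_method: 'S256'` asks the client to do, shown as an added example (not code from Char or Ping): generate a verifier, derive the challenge, and put it on the authorization request. The function names are assumptions, and the authorization endpoint shown is assumed; read the real one from `authorization_endpoint` in the issuer's discovery document.

```javascript
// Web Crypto: global in browsers and Node 19+; the fallback covers older Node.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const base64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// RFC 7636: 32 random bytes give a 43-character code_verifier.
function newCodeVerifier() {
  return base64url(webcrypto.getRandomValues(new Uint8Array(32)));
}

// code_challenge = BASE64URL(SHA-256(ASCII(code_verifier)))
async function codeChallengeS256(verifier) {
  const digest = await webcrypto.subtle.digest('SHA-256', new TextEncoder().encode(verifier));
  return base64url(new Uint8Array(digest));
}

// Build the authorization request. The verifier never leaves the client until
// the token exchange; only its hash travels in the front-channel redirect.
async function buildAuthRequest({ authorizeEndpoint, clientId, redirectUri, scope }) {
  const verifier = newCodeVerifier();
  const state = base64url(webcrypto.getRandomValues(new Uint8Array(16)));
  const url = new URL(authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code', client_id: clientId, redirect_uri: redirectUri, scope,
    state, code_challenge: await codeChallengeS256(verifier), code_challenge_method: 'S256',
  }).toString();
  // Keep verifier and state client-side (e.g. sessionStorage) until the callback.
  return { url: url.toString(), verifier, state };
}

// Constructed placeholder values, not a real environment.
buildAuthRequest({
  authorizeEndpoint: 'https://auth.pingone.com/11111111-2222-3333-4444-555555555555/as/authorize',
  clientId: 'your-client-id',
  redirectUri: 'https://app.example.com/callback',
  scope: 'openid profile email',
}).then(({ url }) => console.log(url));
```

On the callback, compare the returned `state` with the stored one before sending `code_verifier` with the code to the token endpoint.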

Custom Attributes and Claims

PingOne Custom Attributes

  1. Navigate to Directory > User Attributes
  2. Add custom attributes as needed
  3. Map attributes to OIDC claims in your application’s Attribute Mapping
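```javascript
// Decode-only helper (no signature verification) for reading claims client-side
const parseJwt = (t) => JSON.parse(atob(t.split('.')[1].replace(/-/g, '+').replace(/_/g, '/')));

// Custom attributes appear in the token (idToken is the ID token from the callback)
const tokenClaims = parseJwt(idToken);
console.log('Department:', tokenClaims.department);
console.log('Employee ID:', tokenClaims.employee_id);
```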

PingFederate Attribute Mapping

In PingFederate Admin Console:
  1. Navigate to Applications > OAuth > OpenID Connect > Policies
  2. Edit your policy’s Attribute Contract
  3. Add custom attributes and map them to data sources

PingOne Groups

To include group memberships in tokens:
  1. In PingOne Admin, navigate to your application
  2. Go to the Resources tab
  3. Add a custom scope or use p1:read:user scope
  4. Configure attribute mapping to include groups
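```javascript
// Access groups from the token; parseJwt is a decode-only helper (payload base64url -> JSON)
const tokenClaims = parseJwt(idToken);
console.log('Groups:', tokenClaims.p1?.groups); // undefined if the p1 claim is absent
```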

Troubleshooting

The issuer URL doesn’t match:
  1. Check the format: https://auth.pingone.{region}/{environment-id}/as
  2. Verify region: Use the correct regional domain (com, eu, asia, ca)
  3. Check Environment ID: Must match your PingOne environment
  4. Include /as suffix: The issuer URL must end with /as
The token’s audience doesn’t match:
  • Verify the Client ID matches exactly (including hyphens)
  • Ensure you’re using the ID token, not the access token
  • Check that the application type is configured as SPA
Char couldn’t reach Ping’s JWKS endpoint:
  • PingOne: https://auth.pingone.{region}/{environment-id}/as/jwks
  • PingFederate: https://{pingfederate-host}/pf/JWKS
  • Verify your environment/server is accessible
  • Use Test Connection in the dashboard
If PingOne returns a PKCE error:
  • Ensure your client library supports PKCE
  • Use code_challenge_method: 'S256' in your configuration
  • Consider using oidc-client-ts which handles PKCE automatically
If the well-known configuration isn’t found:
  • Verify the PingFederate server URL
  • Check that OIDC is enabled on your PingFederate instance
  • The metadata URL should be {base-url}/.well-known/openid-configuration
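The issuer and endpoint checks from the list above, collected into one function that also derives the metadata and JWKS URLs to test. This is an added example, not part of Char or Ping tooling; `checkIssuer`, its `product` parameter and the sample hosts are made up for illustration.

```javascript
// Regional PingOne auth hosts, as listed in the regions table on this page.
const PINGONE_HOSTS = ['auth.pingone.com', 'auth.pingone.eu', 'auth.pingone.asia', 'auth.pingone.ca'];

// Lint an issuer URL and derive the metadata and JWKS URLs Char must reach.
// `product` is 'pingone' or 'pingfederate' (a parameter invented for this example).
function checkIssuer(issuer, product = 'pingone') {
  const problems = [];
  if (/[{}]/.test(issuer)) problems.push('template placeholder left in the URL');
  let url = null;
  try { url = new URL(issuer); } catch { problems.push('not a valid URL'); }
  if (url && url.protocol !== 'https:') problems.push('issuer should use https');

  if (url && product === 'pingone') {
    if (!PINGONE_HOSTS.includes(url.hostname)) problems.push(`unknown PingOne host: ${url.hostname}`);
    if (!issuer.endsWith('/as')) problems.push('issuer must end with /as');
    const segments = url.pathname.split('/').filter(Boolean);
    if (segments.length !== 2) problems.push('expected path /{environment-id}/as');
  }

  const base = issuer.replace(/\/+$/, '');
  return {
    problems,
    discoveryUrl: `${base}/.well-known/openid-configuration`,
    jwksUrl: product === 'pingone' ? `${base}/jwks` : `${base}/pf/JWKS`,
  };
}

// Constructed inputs (placeholder IDs and hosts, not real environments).
const samples = [
  ['https://auth.pingone.eu/11111111-2222-3333-4444-555555555555/as', 'pingone'],
  ['https://auth.pingone.{region}/{environment-id}/as', 'pingone'], // template pasted unchanged
  ['https://auth.pingone.com/11111111-2222-3333-4444-555555555555', 'pingone'], // missing /as
  ['https://sso.example.com', 'pingfederate'],
];
for (const [issuer, product] of samples) console.log(issuer, checkIssuer(issuer, product));
```

Fetching the two derived URLs from the network where Char runs separates a wrong issuer string from a reachability problem.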

Adaptive Authentication

PingOne supports adaptive MFA based on risk signals:
  • Configure authentication policies in Policies > Authentication
  • Set up risk policies in Policies > Risk
  • Users may be prompted for MFA based on risk score
This doesn’t affect Char integration - tokens are issued after successful authentication regardless of MFA steps.

Security Best Practices

  • Enable PKCE for all SPA applications
  • Configure MFA policies appropriate for your security requirements
  • Use short token lifetimes and implement refresh tokens
  • Enable risk-based authentication in PingOne
  • Review sign-on activity in PingOne audit logs
  • Configure IP restrictions if needed
  • Use PingOne Protect for advanced threat detection
  • Regularly rotate client secrets (for confidential clients)