---
title: "Azure Configuration For PingOne as OpenID Connect Identity Provider"
slug: "fortanix-key-insight-azure-configuration-for-pingone-as-open-id-connect-identity-provider"
updated: 2026-03-23T06:27:19Z
published: 2026-03-23T06:38:28Z
---

# Azure Configuration For PingOne as OpenID Connect Identity Provider

## 1.0 Introduction

This article outlines the steps for configuring the connection between Fortanix Key Insight **Azure** and **PingOne** as an OpenID Connect (OIDC) identity provider (IdP) using the **Authorization Code Flow**.

Federated authentication in Azure refers to the process of enabling users to access Azure resources using their existing credentials from an external identity provider (IdP), such as PingOne, Microsoft Entra ID, and so on.

Configuring PingOne as an OpenID Connect IdP in Azure involves the following steps:

1. Register a client application with PingOne.
2. Configure the redirect Uniform Resource Locator (URL) on the client application.
3. Gather the Client ID, a unique identifier for your registered application.
4. Gather the OpenID configuration document (well-known) URL specific to your IdP tenant or account.
5. Provide permissions to your Azure application to scan Fortanix Key Insight Azure resources.
6. Configure federated credentials in your Azure application to scan resources.

## 2.0 Register a Client Application with PingOne

Perform the following steps to register a client application with PingOne:

1. Set up a single-page application in PingOne.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Create an Application.png)

**Figure 1: Add a PingOne application**

*For more information, refer to the* [*PingOne official documentation*](https://docs.pingidentity.com/pingone/applications/p1_applications_add_applications.html)*.*
  1. Navigate to the **Applications** section in the **PingOne** console and click the '**+**' icon next to the **Applications** title.
  2. **Application Name**: Enter the application name.
  3. **Description**: Enter your app description.
  4. **Icon**: Add your app icon.
  5. **Application Type**: Select **Single-Page**.
  6. Click **Save**.
2. Edit the **Configuration** section of the application created in the previous step to include the following:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Edit the Application Configuration.png)

**Figure 2: Application configuration**

*For more information, refer to the* [*PingOne official documentation*](https://docs.pingidentity.com/pingone/applications/p1_edit_application_oidc.html)*.*
  - Response Type: `Code, Token, ID Token`
  - Grant Type: `Authorization Code, Implicit, Refresh Token`
  - Redirect URL:

```bash
https://armor.fortanix.com/system/discovery/{region}/oauth/callback
```

Here, replace `{region}` with your appropriate region. For example, `eu` or `na`.
  - Token Endpoint Authentication Method: `None`
3. Enable the application created in *Step 1* to save all configurations.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Enable the application.png)

**Figure 3: Enable the PingOne application**
4. Register at least one user in your directory:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Create a User.png)

**Figure 4: Create a user**
  1. Navigate to the **Users** section in the PingOne console and click the '**+**' icon next to the **Users** title.
  2. Enter all the required fields.
  3. Click **Save**.

## 3.0 Configure the Redirect URL on the Client Application

The redirect URL is the address to which PingOne forwards the OIDC response after authentication.

You can retrieve the redirect URL after registering your application with PingOne, as explained in *Step 2* of [*Section 2.0: Register a Client Application with PingOne*](/v1/docs/fortanix-key-insight-azure-configuration-for-pingone-as-open-id-connect-identity-provider#20-register-a-client-application-with-pingone)*.*

## 4.0 Gather the Client ID

A Client ID is a unique identifier for the registered client application. It allows you to validate the security tokens you receive from the IdP.

To retrieve the Client ID, copy the `Client ID` from the **Configuration** section of the OIDC application created in *Step 1* of [*Section 2.0: Register a Client Application with PingOne*](/v1/docs/fortanix-key-insight-azure-configuration-for-pingone-as-open-id-connect-identity-provider#20-register-a-client-application-with-pingone)*.*

> [!NOTE]
> Record the `Client ID` value; it is required for the identity provider configuration when setting up the Azure cloud connection in the Fortanix Key Insight user interface (UI).

## 5.0 Gather the OpenID Configuration Document (Well-Known) URL

An OIDC provider provides a standard well-known URL that your client application can use to discover information about the provider's configuration dynamically.

This URL is specific to your IdP tenant or account.

To retrieve this value, copy the `OIDC Discovery Endpoint` from the **Configuration → URLs** section of the OIDC application created in *Step 1* of [*Section 2.0: Register a Client Application with PingOne*](/v1/docs/fortanix-key-insight-azure-configuration-for-pingone-as-open-id-connect-identity-provider#20-register-a-client-application-with-pingone)*.*

> [!NOTE]
> Record the well-known URL value; it is required for the identity provider configuration when setting up the Azure cloud connection in the Fortanix Key Insight user interface (UI).

## 6.0 Provide Permissions to your Azure Application to Scan Resources

Applications are authorized to call APIs when they are granted permissions by users or administrators (admins) as part of the consent process.

Ensure you have added the following permissions to your Azure application to scan Azure resources on Fortanix Key Insight:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_Azure Fed Auth Permissions(4).png)

**Figure 5: Configure permissions**

> [!NOTE]
> The **user_impersonation** permissions may require user or admin consent based on the tenant's application consent policies. If admin consent is necessary, obtain admin consent for these permissions following your organization's security or IT policy before configuring federated authentication in Fortanix Key Insight.

*For more information, refer to the* [*Microsoft official documentation*](https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview)*.*

## 7.0 Configure Federated Credentials in your Azure Application

You can configure federated credentials in your Azure application to scan Azure resources on Fortanix Key Insight.

In Azure, federated credentials refer to the capability of Microsoft Entra ID to enable users to access applications using their existing credentials from other trusted identity providers (IdPs) such as PingOne. This is achieved through federated authentication, which allows users to authenticate using their organization's identity system rather than their Azure app credentials.

Perform the following steps to configure the federated credentials:

1. Select your app in Azure **App registrations**. *If you have not created one, refer to the* [*Microsoft official documentation*](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=certificate) *to create your Azure app.*
2. Navigate to **Manage** → **Certificates & secrets**.
3. On the **Certificates & secrets** page, select **Federated credentials** and click **Add credential** to add a new federated credential.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Access Federated credentials.png)

**Figure 6: Access federated credentials**
4. On the **Add a credential** page, configure the details as shown below, and click **Add** to add the new federated credentials.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Configure Federated Credentials.png)

**Figure 7: Configure federated credentials**

> [!NOTE]
> You can retrieve the **Subject identifier** and **Audience** values from your PingOne app’s ID Token.
> 
> *For more information on how to obtain the ID Token, refer to the* [*PingOne official documentation*](https://docs.pingidentity.com/pingone/authorization_using_pingone_authorize/p1az_aam_tutorial_get_token.html)*.*
> 
> After you retrieve the ID Token, decode it using the [JWT Debugger](https://jwt.io/) and copy the following values to use them as your **Subject identifier** and **Audience**.
> 
> ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/ID Token.png)
> 
> **Figure 8: Obtain subject identifier and audience values**
  - **Federated credential scenario**: The value must be **Other issuer** to configure an identity managed by an external OpenID Connect provider to get tokens for this application and access Azure resources.
  - **Issuer** URL: To retrieve this, copy the `Issuer` value from the **Configuration** → **URLs** section in the OIDC application created in *Step 1* of [*Section 2.0: Register a Client Application with PingOne*](/v1/docs/fortanix-key-insight-azure-configuration-for-pingone-as-open-id-connect-identity-provider#20-register-a-client-application-with-pingone). The value is `https://auth.pingone.com/<ENVIRONMENT_ID>/as`.
  - **Name**: The name given for the credential.
  - **Description** (optional): The description of the credential, if any.
  - **Subject identifier** and **Audience**: These values help establish a connection between PingOne and your Azure app.
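
The following added example (not part of the Fortanix or PingOne documentation) reads the `iss`, `sub` and `aud` claims from an ID Token offline and cross-checks them against the `Issuer` and `Client ID` values recorded earlier, so that the strings entered in the federated credential are the ones the token actually carries. The function names, the dictionary keys and the sample token are assumptions constructed for illustration; the signature is not verified here.

```python
import base64
import json


def decode_claims(id_token: str) -> dict:
    """Return the JWT payload claims WITHOUT verifying the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def federated_credential(id_token, expected_issuer, client_id, name):
    """Cross-check the token against the recorded PingOne values and return
    the Issuer, Subject identifier and Audience to enter in Azure."""
    claims = decode_claims(id_token)
    missing = [c for c in ("iss", "sub", "aud") if not claims.get(c)]
    if missing:
        raise ValueError(f"ID token lacks claims: {missing}")
    if claims["iss"] != expected_issuer:  # must equal the console's Issuer value
        raise ValueError(f"issuer mismatch: {claims['iss']!r}")
    aud = claims["aud"]  # OIDC allows one string or an array of strings
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in audiences:  # OIDC: aud must contain the client ID
        raise ValueError("token was not issued to this Client ID")
    # Key names are illustrative labels for the form fields (assumption).
    return {"name": name, "issuer": claims["iss"],
            "subject": claims["sub"], "audiences": audiences}


def b64url_json(obj: dict) -> str:
    """base64url-encode a JSON object the way JWT segments are encoded."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample values: placeholder IDs and a dummy signature segment.
SAMPLE_ISSUER = "https://auth.pingone.com/00000000-aaaa-bbbb-cccc-000000000000/as"
SAMPLE_CLIENT_ID = "11111111-aaaa-bbbb-cccc-111111111111"
SAMPLE_TOKEN = ".".join([
    b64url_json({"alg": "RS256", "typ": "JWT"}),
    b64url_json({"iss": SAMPLE_ISSUER, "sub": "22222222-aaaa-bbbb-cccc-222222222222",
                 "aud": SAMPLE_CLIENT_ID}),
    "ZHVtbXktc2lnbmF0dXJl",
])

if __name__ == "__main__":
    cred = federated_credential(SAMPLE_TOKEN, SAMPLE_ISSUER, SAMPLE_CLIENT_ID,
                                "pingone-key-insight")
    print(json.dumps(cred, indent=2))
```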

Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. It also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era.
