
Identity providers

MOSTLY AI supports PingOne as an identity provider.

1. Create a new PingOne application

  1. Log in to your PingOne Admin Console.
  2. Click Administrators from the sidebar.
  3. Click Applications and then again Applications from the sidebar.
  4. Click the Plus icon next to the Application title.
  5. Enter an Application Name and Description. Optionally, upload an icon.
  6. Select the OIDC Web App card as the application type.
  7. Click Save.

Result

The application is created and PingOne shows its details.

What’s next

Take record of the Client ID, Client Secret, and OIDC Discovery Endpoint. All three are needed for the Keycloak configuration. Handle the Client Secret as a credential: anyone who holds it can authenticate to PingOne as this application.


2. Create a new Keycloak identity provider

  1. Log in to the Keycloak Admin Console.
  2. From the drop-down in the upper left, select the mostly-generate realm.
  3. Select Identity Providers from the sidebar.
  4. Click Add provider and select OpenID Connect v1.0.
  5. Configure PingOne identity provider.
    1. For Alias, enter pingone.

    2. For Display name, enter PingOne.

      💡

      Note the rendered Redirect URI. This will be used in the PingOne configuration.

    3. For Client ID, enter the Client ID from the PingOne configuration.

    4. For Client Secret, enter the Client Secret from the PingOne configuration.

    5. For Discovery endpoint, enter the OIDC Discovery Endpoint from the PingOne configuration.

      💡

      This will automatically populate the Authorization URL, Token URL, and similar fields.

    6. For Client Authentication, select Client secret sent as basic auth.

      💡

      This is the default setting for PingOne. You can change it as needed. Just make sure that the Keycloak IdP and PingOne use the same client authentication.

      You can change the PingOne client authentication method under Application > Configuration > OIDC Settings > Token Auth Method.

    7. Click Add.


      Step result: The PingOne configuration is saved and it opens for review.

  6. Scroll down. Under Advanced settings, enable Trust email. With Trust email enabled, Keycloak accepts the email address asserted by PingOne as already verified and does not send its own verification email, so the user's email is taken from PingOne unchecked.

3. Configure the PingOne application

  1. Navigate back to Application on the PingOne Admin Console.
  2. Select the Configuration tab.
  3. Click the edit icon and configure the Token Auth Method and Signoff URL.
    1. Under OIDC Settings, make sure that the Token Auth Method for PingOne uses the same client authentication method as Keycloak.
    2. For Signoff URLs, set the URL that PingOne redirects to after the user logs out of the application. For example:

      https://<KEYCLOAK_HOST>/auth/realms/mostly-generate/broker/<IDP_ALIAS>/endpoint/logout_response

      💡

      Replace:

      • KEYCLOAK_HOST with your MOSTLY AI FQDN.
      • IDP_ALIAS with the Keycloak IdP alias (pingone in this guide).

4. Configure PingOne application attribute mappings

  1. Navigate back to Application on the PingOne Admin Console.
  2. Select Attribute Mappings in the top bar.
  3. Click the edit icon next to Custom Attributes.
  4. Add the following mappings as a minimum:
    • sub -> User ID
    • email -> Email Address
    • given_name -> Given Name
    • family_name -> Family Name
  5. Click Save.

5. Configure PingOne application scopes

  1. Navigate back to Application on the PingOne Admin Console.
  2. Select Resources in the top bar.
  3. Click on the Edit symbol next to Allowed Scopes.
  4. Add the following scopes as a minimum:
    • openid
    • profile
    • email

6. Configure Keycloak Identity Provider’s Attribute Mappings

  1. Navigate back to the PingOne Identity Provider configuration in Keycloak.

  2. Select Mappers in the top bar.

  3. Click on the Add mapper button and add the following mappings as a minimum:

    • Username: Sync mode override Force; Mapper type Username Template Importer; Template ${ALIAS}.${CLAIM.email}; Target Local
    • Email: Sync mode override Force; Mapper type Attribute Importer; Claim email; User Attribute Name email
    • First Name: Sync mode override Force; Mapper type Attribute Importer; Claim given_name; User Attribute Name firstName
    • Last Name: Sync mode override Force; Mapper type Attribute Importer; Claim family_name; User Attribute Name lastName
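The six steps above, collected into the Keycloak Admin REST API payloads they produce, as an added example (not MOSTLY AI's, PingOne's or Keycloak's own code). It assumes the standard Keycloak Admin REST paths and mapper type names, uses a constructed PingOne discovery document with placeholder values, assumes the spelling of PingOne's Token Auth Method labels, and derives the Redirect URI from the Signoff URL pattern shown in step 3.

```python
"""Build the Keycloak payloads for the PingOne IdP and cross-check the
settings that must agree on both sides (client auth method, redirect URLs).
Added example; assumptions are marked in comments."""
import json
import urllib.request

REALM = "mostly-generate"
ALIAS = "pingone"

# Constructed sample of what the OIDC Discovery Endpoint returns. Only the
# fields Keycloak's discovery import uses are included; ENV_ID is a placeholder.
SAMPLE_DISCOVERY = {
    "issuer": "https://auth.pingone.example/ENV_ID/as",
    "authorization_endpoint": "https://auth.pingone.example/ENV_ID/as/authorize",
    "token_endpoint": "https://auth.pingone.example/ENV_ID/as/token",
    "userinfo_endpoint": "https://auth.pingone.example/ENV_ID/as/userinfo",
    "end_session_endpoint": "https://auth.pingone.example/ENV_ID/as/signoff",
    "jwks_uri": "https://auth.pingone.example/ENV_ID/as/jwks",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}

# PingOne "Token Auth Method" labels (spelling assumed) vs Keycloak's
# "Client Authentication" values. Both sides must select the same method.
PINGONE_TO_KEYCLOAK_AUTH = {
    "Client Secret Basic": "client_secret_basic",
    "Client Secret Post": "client_secret_post",
    "Client Secret JWT": "client_secret_jwt",
    "Private Key JWT": "private_key_jwt",
}

def broker_endpoint(keycloak_host, alias=ALIAS, realm=REALM):
    """Redirect URI that Keycloak renders for the IdP (register it in PingOne)."""
    return f"https://{keycloak_host}/auth/realms/{realm}/broker/{alias}/endpoint"

def signoff_url(keycloak_host, alias=ALIAS, realm=REALM):
    """Signoff URL from step 3: the broker endpoint plus /logout_response."""
    return broker_endpoint(keycloak_host, alias, realm) + "/logout_response"

def idp_representation(discovery, client_id, client_secret,
                       auth_method="client_secret_basic", trust_email=True):
    """IdentityProviderRepresentation, i.e. what the 'Add provider' form submits."""
    supported = discovery.get("token_endpoint_auth_methods_supported", [auth_method])
    if auth_method not in supported:
        raise ValueError(f"PingOne does not advertise {auth_method}")
    return {
        "alias": ALIAS,
        "displayName": "PingOne",
        "providerId": "oidc",
        "enabled": True,
        "trustEmail": trust_email,  # 'Trust email' under Advanced settings
        "config": {                 # Keycloak stores config values as strings
            "clientId": client_id,
            "clientSecret": client_secret,
            "clientAuthMethod": auth_method,
            "issuer": discovery["issuer"],
            "authorizationUrl": discovery["authorization_endpoint"],
            "tokenUrl": discovery["token_endpoint"],
            "userInfoUrl": discovery["userinfo_endpoint"],
            "logoutUrl": discovery["end_session_endpoint"],
            "jwksUrl": discovery["jwks_uri"],
            "useJwksUrl": "true",
            "validateSignature": "true",
            "defaultScope": "openid profile email",  # the scopes from step 5
            "syncMode": "FORCE",
        },
    }

def mapper_representations(alias=ALIAS):
    """The four mappers from step 6, as IdentityProviderMapperRepresentations."""
    username = {
        "name": "Username", "identityProviderAlias": alias,
        "identityProviderMapper": "oidc-username-idp-mapper",
        "config": {"syncMode": "FORCE", "template": "${ALIAS}.${CLAIM.email}",
                   "target": "LOCAL"},
    }
    attrs = [("Email", "email", "email"), ("First Name", "given_name", "firstName"),
             ("Last Name", "family_name", "lastName")]
    return [username] + [
        {"name": n, "identityProviderAlias": alias,
         "identityProviderMapper": "oidc-user-attribute-idp-mapper",
         "config": {"syncMode": "FORCE", "claim": c, "user.attribute": a}}
        for n, c, a in attrs]

def auth_methods_agree(keycloak_method, pingone_label):
    """True when Keycloak's Client Authentication matches PingOne's Token Auth Method."""
    return PINGONE_TO_KEYCLOAK_AUTH.get(pingone_label) == keycloak_method

def apply(keycloak_base, admin_token, idp, mappers):
    """POST the payloads to the Admin REST API (needs network; not run by the test).
    keycloak_base is e.g. https://<KEYCLOAK_HOST>/auth."""
    def post(path, body):
        req = urllib.request.Request(
            f"{keycloak_base}/admin/realms/{REALM}{path}",
            data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": f"Bearer {admin_token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return resp.status
    post("/identity-provider/instances", idp)
    for m in mappers:
        post(f"/identity-provider/instances/{idp['alias']}/mappers", m)
```

The ValueError on an unadvertised auth method is the programmatic form of the note under step 2.5.6: PingOne rejects the token request if Keycloak sends the secret in a way the application is not configured for, and the failure only appears after the user has already authenticated at PingOne.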

Result

The PingOne identity provider is now configured and ready to use with MOSTLY AI.

What’s next

Your users can now use their PingOne identity to sign up and log in to your MOSTLY AI deployment by clicking the Log in with PingOne button on the landing page 🎉


You can also create organizations to control access to synthetic data resources via roles and permissions. Users can also create their own organizations to keep resources private or share them by changing their visibility to public.