Ping Identity PingOne Single Sign-on (SSO) for the Metaverse

Setting up an OpenID Connect (OIDC) authentication flow for Hyperspace Metaverse Platform with PingOne

Overview

Ping Identity is an Identity and Access Management (IAM) solution that lets an organization’s associates log in to the Hyperspace Metaverse Platform using their existing organization credentials.

Given a simple link to a meeting, event, training or corporate metaverse, users can join frictionlessly through one login. Immersive experiences can now be woven into the flow of work without living in an “application silo”.

1. Creating the OpenID Connect application

The following configuration can be accessed by entering your account information at https://www.pingidentity.com/en/account/sign-on.html.

After selecting the correct account you will be brought to a login screen, where you can log in using your administrator credentials.

First, navigate to the correct environment. This might be different for each company, but the default environment provisioned by Ping Identity is called “Administrators”, and it is the one that appears throughout the rest of this guide.

Click on Connections in the menu on the left.

At this point you should see a list of applications already created in the environment. If you don’t, click on Applications in the sub-menu that opened on the left. When you see the list, click on the blue + sign at the top.

Select WEB APP.

A new section will open asking whether to create a SAML or an OIDC connection. In this case we want to use OpenID Connect (OIDC), and will therefore click Configure in the OIDC section.

You will be brought to a form with 4 steps.

Step 1: App profile

In the Application name field, enter “UniversalAvatars”, then click Next at the bottom.

Step 2: Configure

In the Redirect URLs field, enter the redirect URL you have been given by Hyperspace. It will be similar to https://auth.universalavatars.com/sso/oidc/SSO_ID/login, where SSO_ID is replaced by your company’s SSO ID.

This ID is usually the company’s common name in lowercase: for example, the SSO ID of LearnBrite might be learnbrite, and thus the redirect URL would be

https://auth.universalavatars.com/sso/oidc/learnbrite/login

If you do not know or cannot find your company’s SSO ID, please reach out to your Hyperspace contact or through our support channel.

Once you’re done, click Save and Continue at the bottom.

Step 3: Grant Resource Access

In this page we configure the type of information that will be available to the UniversalAvatars application, specifically the user’s email and profile data such as their first and last name.

First, click on ALL, next to “Filtered by”. In the dropdown menu that appears, select openid so that only the fields we’re interested in are shown.

In the reduced list of fields, click on the + icon on the right of “email” and “profile”.

You should now see both fields in the list on the right. If so, click Save and continue at the bottom.

Step 4: Map Attributes

In this page you can select how information is provided to the UniversalAvatars application, and it is crucial to configure each field exactly as described further down. You can add new fields by clicking on the “Add Attribute” button.

Following are the settings for each of the attributes. Note that you can easily find each outgoing value by starting to write in the “Outgoing value” field, which will reduce the number of options in the list.

Please use the exact same spelling and capitalization as these instructions (for example, first_name should not be written as FirstName).

  • sub
      • Application attribute: sub (cannot be changed)
      • Outgoing value: Email Address
      • Required: yes (cannot be changed)

  • email
      • Application attribute: email
      • Outgoing value: Email Address
      • Required: yes

  • first_name
      • Application attribute: first_name
      • Outgoing value: Given Name
      • Required: yes

  • last_name
      • Application attribute: last_name
      • Outgoing value: Family Name
      • Required: yes

After this configuration, the list of attributes should look like the following

Click Save and Close at the bottom to finish creating the application.

2. Configuring the application

Once the application has been created, you will be immediately shown its configuration on the right side of the screen.

You can also open this menu from the list of Applications (see the first part of “Creating the OpenID Connect application”) by left-clicking on the application.

Select the Configuration tab, then click on the pencil icon on the right.

In the “General” section, make sure Client Credentials (under the “Grant Type” heading) is checked, then click Save.

Finally, click the toggle at the top right to enable the application.

3. Providing Hyperspace with authentication details

The last step in setting up the SSO integration is to provide Hyperspace with certain details of your application.

Open the application’s details, and select the Configuration tab. Unfold both the URL and General section by clicking on them.

You will need to provide Hyperspace with everything in the “URL” section (see note below about the easiest way to do this), as well as the Client ID and Client Secret in the “General” section. You can reveal the “client secret” by clicking on the eye icon on its right.

Note: the easiest way to share the information in the URL section is to provide Hyperspace with the URL listed as “OIDC discovery endpoint”. Client ID and Client secret are not included in that URL, however, so please remember to provide them as well.

Once setup has been completed on the Hyperspace side, you will be able to use this method to sign in on UniversalAvatars (and by extension the Hyperspace ecosystem).
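A check you can run before handing the details over, as an added example (not Hyperspace's or Ping Identity's own code): it inspects a saved discovery document and an ID token from a test sign-in for the Step 4 attribute names, including the FirstName-style misspelling warned about above. The function names and all sample values (idp.example, ENV_ID, CLIENT_ID) are constructed placeholders; the check needs only the discovery document, the Client ID and a token, never the Client Secret.

```python
import base64
import json

# Attribute names from Step 4; spelling and capitalization must match exactly.
REQUIRED_CLAIMS = ("sub", "email", "first_name", "last_name")
# Standard OIDC discovery metadata a relying party needs from the "URL" section.
REQUIRED_METADATA = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def b64url(obj):
    """Encode a dict as unpadded base64url JSON (used only to build the sample token)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def decode_payload(id_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_setup(discovery, id_token, client_id):
    """Return a list of problems; an empty list means the setup matches the guide."""
    problems = []
    for field in REQUIRED_METADATA:
        if not str(discovery.get(field, "")).startswith("https://"):
            problems.append(f"discovery: {field} missing or not https")
    claims = decode_payload(id_token)
    if claims.get("iss") != discovery.get("issuer"):
        problems.append("token: iss does not match the discovery issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("token: aud does not contain the Client ID")
    # Index claim names ignoring case and underscores to spot near-miss spellings.
    loose = {k.lower().replace("_", ""): k for k in claims}
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            near = loose.get(name.replace("_", ""))
            hint = f" (found '{near}', check spelling)" if near else ""
            problems.append(f"token: claim {name} missing{hint}")
    if claims.get("sub") and claims.get("sub") != claims.get("email"):
        problems.append("token: sub and email differ, both should be Email Address")
    return problems

# Constructed sample data, not a real tenant; every value below is a placeholder.
BASE = "https://idp.example/ENV_ID/as"
SAMPLE_DISCOVERY = {"issuer": BASE, "authorization_endpoint": BASE + "/authorize",
                    "token_endpoint": BASE + "/token", "jwks_uri": BASE + "/jwks"}
SAMPLE_CLAIMS = {"iss": BASE, "aud": "CLIENT_ID", "sub": "ada@example.com",
                 "email": "ada@example.com", "first_name": "Ada", "last_name": "Lovelace"}
SAMPLE_TOKEN = ".".join([b64url({"alg": "none"}), b64url(SAMPLE_CLAIMS), ""])

if __name__ == "__main__":
    print(check_setup(SAMPLE_DISCOVERY, SAMPLE_TOKEN, "CLIENT_ID") or "no problems found")
```

Because the payload is decoded without signature verification, use this only to inspect your own test token, not to make an authentication decision.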
