Social Authentication in PingAM 8.0.2 allows users to log in using identities from external providers like Google, Apple, or LinkedIn. This process relies on PingAM acting as an OAuth2 Client or OpenID Connect Relying Party (RP) toward the social provider.
According to the PingAM "Social Authentication" and "Social Identity Provider Client Configuration" documentation, for PingAM to successfully hand off authentication to a social provider, you must configure an OAuth2 Client (specifically a Social Identity Provider client) within the PingAM realm. This configuration includes:
Client ID and Client Secret: Obtained from the social provider's developer console (e.g., Google Cloud Console).
Endpoints: The authorization, token, and UserInfo endpoints of the social provider.
Scopes: The permissions PingAM is requesting (e.g., openid, profile, email).
Once this "Social Client" is configured, it is used by a Social Provider Handler node (or the legacy Social Authentication module) within an authentication tree. When the user clicks "Login with Google," PingAM uses these client credentials to initiate the OIDC flow with Google.
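The sketch below is an added example, not PingAM code or configuration: it shows how a relying party turns the client settings listed above into the OIDC authorization request, and rejects a configuration that would break or weaken the flow. The class and field names are illustrative, the client ID and secret are placeholders, and the redirect URI is hypothetical.

```python
import secrets
from dataclasses import dataclass
from urllib.parse import urlencode, urlparse

@dataclass
class SocialClientConfig:  # field names are illustrative, not PingAM property names
    client_id: str
    client_secret: str  # used later at the token endpoint, never in the redirect
    authorization_endpoint: str
    token_endpoint: str
    userinfo_endpoint: str
    scopes: tuple
    redirect_uri: str

def config_problems(cfg):  # list misconfigurations that break or weaken the flow
    problems = []
    if not cfg.client_id or not cfg.client_secret:
        problems.append("client_id and client_secret are both required")
    for name in ("authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "redirect_uri"):
        url = urlparse(getattr(cfg, name))
        if url.scheme != "https" or not url.netloc:
            problems.append(f"{name} must be an absolute https URL")
    if "openid" not in cfg.scopes:
        problems.append("scope 'openid' is required for an OIDC flow")
    return problems

def build_authorization_request(cfg):
    """Return (redirect_url, state, nonce); keep state and nonce in the session."""
    if problems := config_problems(cfg):
        raise ValueError("; ".join(problems))
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",  # authorization code flow
        "client_id": cfg.client_id,
        "redirect_uri": cfg.redirect_uri,
        "scope": " ".join(cfg.scopes),
        "state": state,  # binds the callback to this browser session
        "nonce": nonce,  # binds the ID token to this request
    })
    return f"{cfg.authorization_endpoint}?{query}", state, nonce

# Constructed sample: placeholder credentials and a hypothetical redirect URI.
GOOGLE = SocialClientConfig(
    "example-client-id.apps.googleusercontent.com", "PLACEHOLDER_SECRET",
    "https://accounts.google.com/o/oauth2/v2/auth",
    "https://oauth2.googleapis.com/token",
    "https://openidconnect.googleapis.com/v1/userinfo",
    ("openid", "profile", "email"), "https://am.example.com/callback")
```

The returned state must match the value that comes back on the callback, and the nonce must match the claim in the ID token, before the login is accepted.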
Why other options are not the primary requirement:
While a Data Store (A) is eventually used to save the linked user profile, the mechanism of social auth itself is driven by the OAuth2 client configuration.
A realm service (B) is too broad; while social auth is a service within a realm, the specific configuration object required is the client.
A realm policy (D) governs authorization after login, but does not enable the social login process itself.
Therefore, the OAuth2 client configuration is the technical prerequisite for establishing the trust relationship with the external provider.