This page provides information on how to configure Corporate Sign in in Chaos services with PingFederate.


In this section we explore how you can integrate your PingFederate identity provider with Chaos, so that your employees benefit from the Corporate Sign In functionality

Before doing the steps in this section, make sure to reach out to Chaos first to request the Corporate Sign In feature.

Chaos to PingFederate communication

The communication link between Chaos and PingFederate goes over a TLS connection. In order for this communication to be successful PingFederate must present a trusted SSL certificate.

PingFederate configuration

The following sections assume you have PingFederate installed and Outbound Provisioning enabled. This setup has been verified against PingFederate version 10.

In addition to the basic installation you need to install Ping’s official SCIM Connector. PingFederate only supports SCIM version 1.1 which is not compatible with SCIM version 2.0 that Chaos uses. The connector will add support for SCIM version 2 to PingFederate Outbound provisioning capabilities.

Please consult PingFederate’s installation and configuration documentation in case you need help.


Configure OpenID-Connect policy

This step is needed so that the returned OAuth tokens contain the required claims with the information, taken from the correct LDAP attributes.

In PingFederate’s administrative UI go to Applications > OAuth > OpenID Connect Policy Management and click Add Policy.


Policy ID

A unique identifier of the policy


A unique and recognizable name for this policy

Access Token Manager

JSON Web Tokens


✅ Checked


Click Next.

Under Attribute Contract leave only email, family_name and given_name:



Click Next.

Under Attribute Scopes add profile and select the email attribute manually. Don’t forget to press Add.



Click Next.

Under Attribute Sources & User Lookup, click Add Attribute Source. Fill in the following information for the attribute source datastore:


Attribute Source ID
A unique identifier of the attribute source
Attribute Source Description
A description for the attribute source
Active Data Store
This will automatically fill in the store type as LDAP.

Click Next.
Under LDAP Directory Search tab fill in the following: 
Base DN
Attributes to return from search:
Select <Show all attributes> and add the following attributes:
Click Next.
Under LDAP Filter put the following as filter: 
Click Done.
Back on the OIDC Policy management under Contract Fulfillment select the source to take the corresponding OAuth claims from as follows:
Go to Summary page and click Save.
Creating an OAuth client in PingFederate

Open PingFederate’s administrative UI, go to Applications > OAuth > Clients and create a New Client.
Fill in the following fields:


Client ID

The <client id>


A unique and recognizable name

Client Authentication


After selecting this option a new field called Client Secret will be displayed underneath

Client Secret

The <client secret>

Allowed Grant Types

Authorization Code

OpenID Connect > Policy

The policy, created in the previous section

The <client id> and <client secret> are provided by Chaos during the onboarding process.

Click Save.

Configure User datastore

In this guide we are using Ping Identity’s own LDAP solution - PingDirectory.

If your setup depends on another user repository type, some steps may be different. To start with LDAP navigate to System > Data & Credential Stores > Data Stores and Add New Data Store. 

Pick a unique name and select LDAP as store type. Follow the instructions in PingFederate’s documentation on how to configure an LDAP connection.


Create a SCIM SP Connection

In Applications > Integration > SP Connections click Create Connection.

Select Do not use a template for this connection and click Next.

On the Connection Type tab select Outbound Provisioning and from the new drop-down menu select Type: SCIM Connector.

The SCIM Connector type will only show if you’ve successfully installed the SCIM Connector from the PingFederate configuration section above and restarted PingFederate after doing so. Using SCIM 1.1 Service Provider will not work.


Click Next.

In the General Info tab fill in:


Partner’s Entity ID

A unique ID identifying the partner connection

Connection Name

A unique and recognizable name for this connection


Click Next

On the Outbound Provisioning click Configure Provisioning.

In the Target tab fill in the following:


SCIM URL<tenant id>/v2

SCIM Version


Authentication Method

OAuth 2 Bearer Token

Access Token

<access token>

Unique User Identifier


Users API Path


Provisioning Options


  • User Create

  • User Update

  • User Disable/Delete

Remove User Action

Possible options are:

  • Delete: When a user is deleted from the PingFederate’s user repository they are also deleted from Chaos’ repository

  • Disable: When a user is deleted from PingFederate’s user repository they are only disabled in Chaos’ repository

Chaos recommends picking Delete User

The <tenant id>, part of the SCIM URL and the <access token> are provided by Chaos during the onboarding process.


Click Next. In the Manage Channels tab press the Create button.

Pick a unique and recognizable Channel Name.

Click Next.

In the Source tab select the DataStore, configured earlier in this guide. Click Next

In the Source Settings tab fill in the following:


Entity GUID Attribute




Group Member Attribute


User Object Class


Group Object Class


Changed Users/Groups Algorithm

Timestamp No Negation

Timestamp Attribute


Account Status Attribute


Account Status Algorithm


Default Status


Flag Comparison Value


Note that this value is case sensitive. If the attribute value is set as TRUE in LDAP, the comparison here will not pass and the account won’t be locked.

Flag Comparison Status


These settings are only applicable in case you are using PingDirectory (Ping Identity’s LDAP server) as a user repository. Consult PingFederate’s documentation if you are using a different User repository datastore.


Click Next.

In the Source Location tab fill in:


Base DN


Users Filter



Click Next.

In the Attribute Mapping tab configure:










Configure any additional fields, listed in Basics > SCIM as per your schema definition and needs.



The required active field is automatically calculated based on the configuration, defined in the Source Settings tab earlier. It depends on the Account Status Attribute and Account Status Algorithm and the flag combinations set in that section.

An excerpt from the PingFederate’s official documentation reads:

"Flag Comparison Status:

Indicates whether the user is enabled or disabled when the flag has the value specified in the Flag Comparison Value field. Setting the value to true equals enabled, while setting the value to false equals disabled.


if the Account Status Attribute is set to nsaccountlock, and the Flag Comparison Value is set to true, and the Flag Comparison Status is set to false, then any users with nsaccountlock=true are disabled."


Click Save to save the SP Connection.