Option 1: PingFederate via OpenID Connect (Recommended)
Goodworld's PingOne SSO integration supports PingFederate's OpenID Connect provider. This is the simplest path if your PingFederate instance has an OIDC-enabled OAuth authorization server.
Prerequisites
You need a PingFederate environment with an OpenID Connect-enabled OAuth Authorization Server configured. PingFederate must expose a standard OIDC discovery endpoint. Goodworld discovers your configuration automatically from:
https://sso.connect.pingidentity.com/{Client ID}/.well-known/openid-configuration
Before configuring the OAuth client, ensure that openid, profile, and email are defined as common scopes in your PingFederate authorization server. You can verify or add these under System > OAuth Settings > Scope Management. These scopes are not configured on the client record itself — they must exist at the authorization server level before the client can request them.
Step 1: Create an OAuth Client in PingFederate
In your PingFederate administration console, go to Applications > OAuth > Clients and click Add Client. Configure the client with the following settings:
| Field | Value |
| --- | --- |
| Client Authentication | Client Secret |
| Allowed Grant Types | Implicit |
| Restrict Response Types | Enable this checkbox, then select id_token |
| Redirection URIs | Provided by Goodworld (see Step 2) |
Note on Response Types: You must first check the Restrict Response Types checkbox to enable the response type selection list, then select id_token from the available options.
Note on Response Mode: Goodworld's integration sends response_mode=form_post in its authorization requests at runtime. This is handled automatically — no additional configuration is required on the PingFederate client record for this.
Note on PKCE: If your organization has policies requiring Proof Key for Code Exchange (PKCE), be aware that Goodworld's integration uses the Implicit grant and does not use PKCE. The Require Proof Key for Code Exchange checkbox on the client screen applies only to the Authorization Code grant type and can be left at its default (unchecked).
Take note of the Client ID and Client Secret generated by PingFederate.
Step 2: Configure PingOne SSO in the Goodworld Dashboard
Navigate to your Company or Organization settings in the Goodworld dashboard.
Go to the Single Sign-On section.
Find the PingOne card and click Connect.
Fill in the following fields:
| Field | Description |
| --- | --- |
| Client ID | The OAuth Client ID from PingFederate |
| Client Secret | The OAuth Client Secret from PingFederate |
| Login Redirect URL (optional) | Where users should be redirected after authenticating when they access from the PingOne portal (e.g., https://your-app.example.com/p/homepage) |
Step 3: Copy Values Back into PingFederate
After entering your Client ID and Client Secret, the Goodworld dashboard will display two read-only fields that you need to copy back into your PingFederate OAuth client configuration:
Initiate Login URI — Set this as the application's login initiation URL in PingFederate. It follows the pattern:
{API_URL}/oauth/authorization-url/ping_one?callbackResponseType=redirect&platformId={platformId}
Callback URL — Set this as an allowed Redirection URI in your PingFederate OAuth client. It follows the pattern:
{API_URL}/oauth/callback/ping_one
Click Save to complete the setup.
Important Notes for PingFederate OIDC
The integration uses the Implicit grant with id_token response type and form_post response mode. Ensure your PingFederate authorization server policy permits the Implicit grant type.
Goodworld extracts user profile information (sub, name/nickname, email, picture) from the ID token claims. Ensure your PingFederate OIDC policy is configured to include these claims in the ID token.
Unlike some other OIDC providers (e.g., Okta), the PingOne integration does not require a separate Issuer URL field — it is derived automatically from the Client ID.
If your PingFederate instance has CORS restrictions configured, ensure Goodworld's domain is added to the Allowed Origins list under System > OAuth Settings > Authorization Server Settings. This is required if Goodworld's integration makes browser-side requests to PingFederate endpoints such as /.well-known/openid-configuration.
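The notes above can be checked before go-live with a small script. This is an added example, not Goodworld's or Ping Identity's code: it compares a discovery document against the response type, response mode and scopes this page names, and lists which of the named claims a captured ID token lacks. The sample document, the sample token and all function names are constructed for illustration.

```python
import base64
import json

# Constructed sample discovery document; not fetched from a real tenant.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.test/as",
    "authorization_endpoint": "https://idp.example.test/as/authorize",
    "jwks_uri": "https://idp.example.test/as/jwks",
    "response_types_supported": ["code", "id_token"],
    "response_modes_supported": ["query", "fragment"],
    "scopes_supported": ["openid", "profile"],
}
# What this page says the integration relies on.
NEEDED = {
    "response_types_supported": {"id_token"},
    "response_modes_supported": {"form_post"},
    "scopes_supported": {"openid", "profile", "email"},
}
ID_TOKEN_CLAIMS = ("sub", "name", "nickname", "email", "picture")

def check_discovery(doc):
    """Return findings for a parsed discovery document; an empty list means no gaps."""
    findings = [f"missing {k}" for k in ("issuer", "authorization_endpoint", "jwks_uri")
                if not doc.get(k)]
    for key, needed in NEEDED.items():
        if key not in doc:
            # Several discovery fields are optional, so absence is not proof of a gap.
            findings.append(f"{key} not advertised; check the server policy directly")
            continue
        findings += [f"{key} lacks {v}" for v in sorted(needed - set(doc[key]))]
    return findings

def absent_claims(id_token):
    """List the claims named on this page that a captured ID token does not carry.
    Decodes the payload for troubleshooting only; it does NOT verify the signature."""
    payload_b64 = id_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return [c for c in ID_TOKEN_CLAIMS if c not in claims]

def sample_token(claims):
    """Build a constructed token with a placeholder signature so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.constructed-signature"

if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY))
    print(absent_claims(sample_token({"sub": "u1", "email": "a@example.test"})))
```

To run it against your own environment, save the JSON returned by the discovery URL and pass the parsed object to `check_discovery`.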
Option 2: PingFederate via SAML
If your organization prefers SAML, or if your PingFederate instance does not have OIDC enabled, you can use Goodworld's Custom SAML SSO integration. This works with any SAML 2.0 identity provider, including PingFederate.
Step 1: Export SAML Metadata from PingFederate
In your PingFederate admin console, locate the SAML metadata URL for your SP connection, or export the metadata as XML. The metadata URL typically looks like:
Step 2: Configure Custom SAML in the Goodworld Dashboard
Navigate to your Company or Organization settings.
Go to the Single Sign-On section.
Find the SAML card and click Connect, then Configure.
Fill in the configuration across four tabs:
Metadata Tab
Choose Metadata URL and paste your PingFederate metadata URL, or choose Metadata XML and paste the raw XML. Goodworld will automatically derive the issuer, entity ID, SSO endpoints, and certificates from the metadata.
Branding Tab
Display Name — The label shown on the SSO login button for donors (e.g., "Acme Corp SSO").
Logo URL (optional) — A logo to display alongside the button.
Attribute Mapping Tab
Email (required) — At least one SAML attribute that maps to the user's email address.
First Name, Last Name, Display Name, Profile Picture (optional) — Additional attributes in priority order.
Security Tab
Require signed authentication requests (default: on)
Require signed assertions (default: on)
Require signed responses (default: on)
Clock Skew — Maximum allowed clock difference in seconds (default: 0, max: 3600).
Requested AuthnContext (optional) — One value per line.
Note on signed assertions and responses: Goodworld expects PingFederate to send signed assertions and signed responses by default. Make sure your PingFederate SP connection is configured to sign both. You can verify this in PingFederate under the SP connection's Protocol Settings > Signature Policy.
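The Security tab settings can be sanity-checked against a captured SAML response with a structural pre-flight. This is an added example, not Goodworld's validation code: it reports whether the response and the assertion each carry a signature element and whether the assertion's validity window holds for a given Clock Skew value. The sample XML and function names are constructed, and applying the skew to both ends of the window is an assumed convention, not something this page documents.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the assertion is signed, the outer response is not.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion>
    <ds:Signature/>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z"
                     NotOnOrAfter="2024-01-01T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_ts(value):
    """Parse a whole-second UTC timestamp as used in the constructed sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def preflight(xml_text, now, clock_skew_seconds=0):
    """Structural checks only: signature elements are located, never verified."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.find("ds:Signature", NS) is None:
        findings.append("response is not signed")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no assertion found"]
    if assertion.find("ds:Signature", NS) is None:
        findings.append("assertion is not signed")
    cond = assertion.find("saml:Conditions", NS)
    skew = timedelta(seconds=clock_skew_seconds)
    if cond is not None:
        if "NotBefore" in cond.attrib and now + skew < parse_ts(cond.get("NotBefore")):
            findings.append("assertion not yet valid")
        if "NotOnOrAfter" in cond.attrib and now - skew >= parse_ts(cond.get("NotOnOrAfter")):
            findings.append("assertion expired")
    return findings


if __name__ == "__main__":
    # A receiving clock two seconds behind the IdP, at skew 0 and then skew 5.
    behind = parse_ts("2024-01-01T11:59:58Z")
    print(preflight(SAMPLE_RESPONSE, behind, 0))
    print(preflight(SAMPLE_RESPONSE, behind, 5))
```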
Step 3: Configure PingFederate with Goodworld's SP Metadata
After saving, the Goodworld dashboard will display:
Goodworld Metadata URL — Point PingFederate to this URL to import Goodworld's Service Provider metadata. The URL follows the pattern: {API_URL}/saml/metadata/{providerId}
ACS (Assertion Consumer Service) URL — {API_URL}/saml/acs/{providerId}
Import this metadata into PingFederate as a new SP connection.
Which Option Should I Choose?
|  | OpenID Connect (PingOne) | SAML (Custom SAML) |
| --- | --- | --- |
| Setup complexity | Simpler — only Client ID and Client Secret needed | More involved — metadata, attribute mapping, security settings |
| Branding customization | Fixed "PingOne" label and logo | Fully customizable button label and logo for donors |
| PingFederate requirement | OIDC-enabled OAuth Authorization Server | Standard SAML 2.0 SP connection |
| Best for | Quick setup when OIDC is available | Full control, or when OIDC is not available |
Troubleshooting
"Invalid provider" error — Ensure the SSO provider is configured for the correct company or platform in the dashboard.
Discovery failures (OIDC) — Verify that https://sso.connect.pingidentity.com/{clientId}/.well-known/openid-configuration is reachable and returns a valid OIDC discovery document. If your PingFederate instance uses a different discovery URL, the OIDC option may not work — use SAML instead.
Missing claims (OIDC) — The integration reads sub, name, nickname, email, and picture from the ID token. Configure your PingFederate OIDC policy to include these claims.
Scope errors (OIDC) — If users encounter scope-related errors during login, verify that openid, profile, and email are defined as common scopes under System > OAuth Settings > Scope Management in PingFederate.
Certificate expiration (SAML) — The dashboard shows certificate expiration dates. Re-import metadata when certificates are rotated.
Signed assertion or response errors (SAML) — If Goodworld rejects the SAML response, verify that your PingFederate SP connection is configured to sign both assertions and responses, as Goodworld requires both by default.
Need help?
Schedule a technical support chat, if needed.
