---
title: Configuring access token management
description: The OpenID Connect (OIDC) response needs to include an access token.
component: pingid
page_id: pingid:pingid_integrations:pid_configuring_access_token_management
canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_configuring_access_token_management.html
revdate: January 27, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  choose-from: Choose from:
  result: Result:
---

# Configuring access token management

The OpenID Connect (OIDC) response needs to include an access token.

## About this task

To create an access token:

* Configure an access token management instance.

* Create the relevant access token mappings.

## Steps

1. In PingFederate, create an Access Token Management Instance:

   ### Choose from:

   * PingFederate 10.1 or later: Go to **Applications → OAuth** and then click **Access Token Management**.

   * PingFederate 10 or earlier: On the **OAuth Server** tab, in the **Token Mapping** section, click **Access Token Management**.

2. Click **Create New Instance** and then on the **Type** tab, enter the following information, and then click **Next**:

   * **Instance Name**: The name you want to use to identify the Access Token Management instance.

   * **Instance ID**: The Access Token Management ID. This ID is for internal use and cannot contain spaces or non-alphanumeric characters.

   * **Type**: From the **Type** list, select **JSON Web Tokens**.

3. On the **Instance Configuration** tab, do the following:

   1. Click **Add a new row to 'Symmetric Keys'**, enter the following information in the new row, and then click **Update**:

      * **Key ID**: Enter a unique identifier for the key.

      * **Key**: Enter the encoded symmetric key. You can find this in the `use_base64_key` attribute in the PingID Properties file that you used to create the PingID Adapter instance earlier.

      * **Encoding**: From the **Encoding** list, select **Base64\[url]**.

   2. In the **JWS Algorithm** field, select **HMAC using SHA-256** as the signing algorithm you want to use to protect the integrity of the token.

   3. In the **Active Symmetric Key ID** field, select the new symmetric key that you created, and then click **Next**.

4. On the **Session Validation** tab, click **Next**.

5. On the **Access Token Attribute Contract** tab:

   1. In the **Extend the Contract** field, add the following attributes and then click **Add**:

      * **subject**

      * **winlogin.auth.response**

   2. From the **Subject Attribute Name** list, select **subject**, and then click **Next**.

6. On the **Resource URIs** tab, click **Next**.

7. On the **Access Control** tab, click **Next**.

8. On the **Summary** tab, click **Save**.

9. Go to the **Access Token Mappings** window:

   1. Do the following:

      * PingFederate 10.1 or later: Go to **Applications → OAuth** and then click **Access Token Mappings**.

      * PingFederate 10 or earlier: On the **OAuth Server** tab, in the **Token Mapping** section, click **Access Token Mappings**.

   2. From the **Context** list, select the Windows login authentication policy contract that you created earlier.

   3. From the **Access Token Manager** list, select the access token manager instance that you created earlier, and click **Add Mapping**.

   4. On the **Attribute Sources & User Lookup** tab, click **Next**.

   5. On the **Contract Fulfillment** tab, do the following and then click **Next**:

      * In the **subject** row: In the **Source** field, select **Authentication Policy Contract**, and in the **Value** field, select **subject**.

      * In the **winlogin.auth.response** row: In the **Source** field, select **Authentication Policy Contract**, and in the **Value** field, select **winlogin.auth.response**.

   6. On the **Issuance Criteria** tab, click **Next**.

   7. On the **Summary** tab, click **Save**.

      ### Result:

      The Access Token Mappings are saved.
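
A consumer-side check of the token this configuration produces, as an added example (not PingFederate or PingID code): it verifies an HMAC SHA-256 JWS against the Base64url-encoded symmetric key, pinning the algorithm and key ID and requiring the two contract attributes. It assumes the Key ID appears in the `kid` header and the contract attributes appear as top-level claims; the key, the Key ID value and all function names are constructed for the demo.

```python
import base64, hashlib, hmac, json

# Constructed sample values; the real key and Key ID come from your own configuration.
SAMPLE_KEY_B64 = base64.urlsafe_b64encode(bytes(range(32))).rstrip(b"=").decode()
SAMPLE_KID = "pingid-key-1"  # hypothetical Key ID
REQUIRED_CLAIMS = ("subject", "winlogin.auth.response")  # contract attributes from step 5

def b64url_decode(text):
    """Decode Base64url, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def load_key(encoded_key):
    """Decode the configured key; RFC 7518 requires at least 256 bits for HS256."""
    key = b64url_decode(encoded_key)
    if len(key) < 32:
        raise ValueError("symmetric key shorter than 256 bits")
    return key

def sign_hs256(claims, key, kid):
    """Build a sample token for the demo (stands in for the token issuer)."""
    parts = [b64url_encode(json.dumps(p).encode()) for p in ({"alg": "HS256", "kid": kid}, claims)]
    signing_input = ".".join(parts)
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"

def verify_hs256(token, key, expected_kid):
    """Return the claims only if alg, kid, signature and required claims all check out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm and key ID instead of trusting whatever the header says.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if header.get("kid") != expected_kid:
        raise ValueError("unexpected kid")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    missing = [name for name in REQUIRED_CLAIMS if name not in claims]
    if missing:
        raise ValueError(f"missing claims: {missing}")
    return claims
```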
