Microsoft EAM Integration Kit

Configuring PingFederate to use the Microsoft EAM IdP adapter

Steps

  1. Enable static signing keys in the OAuth and OpenID Connect (OIDC) key configuration:

    Learn more in configuring static signing keys.

    1. Go to Security > Certificate & Key Management > OAuth & OpenID Connect keys and select Enable Static Keys.

    2. In the Signing Keys section, go to the RSA Key Type, select an Active Signing Certificate, and select the Publish Certificate checkbox.

    3. Click Save.

  2. Configure centralized signing keys in the access token manager (ATM) configuration:

    Learn more on the JSON token management tab.

    1. Go to Applications > Access Token Management and open the ATM configuration that you plan to use.

    2. On the Instance Configuration tab, select the Use Centralized Signing Keys checkbox.

    3. Click Save.

  3. Make the following adjustments to the OIDC policy configuration:

    Learn more in configuring policy and ID token settings. Use the following settings:

    1. Go to Applications > OpenID Connect Policy Management and open the policy configuration that you plan to use.

    2. On the Manage Policy tab, in the Access Token Manager list, select the ATM that you configured in the previous step.

    3. On the Manage Policy tab, select the Include x.509 Thumbprint Header in ID token checkbox.

    4. Configure the OIDC policy to expose the X5T header when PingFederate issues the id_token for Microsoft Entra ID.

    5. Click Save.

  4. Go to Applications > OAuth Clients and register an OAuth Client for Microsoft Entra ID in PingFederate.

    Learn more in configuring OAuth clients. Use the following settings:

    • In the Redirect URIs section, in the Redirection URIs field, enter https://login.microsoftonline.com/common/federation/externalauthprovider and click Add.

    • Select the Bypass Authorization Approval checkbox.

    • In the Allowed Grant Types section, select Implicit.

    • Confirm that id_token is a valid response type.

    • In the Default Access Token Manager list, select the ATM that you configured in step 2.

    • In the OpenID Connect section, in the Policy list, select the OIDC policy that you configured in step 3.

  5. If you are using PingID for MFA, make the following adjustments to the authentication policy configuration:

    1. If the PingID adapter follows the Microsoft EAM IdP Adapter in the authentication policy, set the Microsoft EAM IdP Adapter’s Sub attribute as the User ID Authenticated for PingID.

      1. On the PingID adapter step, click Options.

      2. In the Source list, select the Microsoft EAM IdP Adapter.

      3. In the Attribute list, select Sub.

      4. Select the User ID Authenticated checkbox.

      5. Click Done.

    2. If the PingID adapter follows the Microsoft EAM IdP Adapter in the authentication policy and the flow ends in a policy contract, select PingID’s amr attribute as the Source for the Contract Mapping.