Configuring PingFederate to use the Microsoft EAM IdP adapter
Steps
1. Enable static signing keys in the OAuth and OpenID Connect (OIDC) key configuration:
   Learn more in configuring static signing keys.
   - Go to Security > Certificate & Key Management > OAuth & OpenID Connect keys and select Enable Static Keys.
   - In the Signing Keys section, go to the RSA Key Type, select an Active Signing Certificate, and select the Publish Certificate checkbox.
   - Click Save.
2. Configure centralized signing keys in the access token manager (ATM) configuration:
   Learn more on the JSON token management tab.
   - Go to Applications > Access Token Management and open the ATM configuration that you plan to use.
   - On the Instance Configuration tab, select the Use Centralized Signing Keys checkbox.
   - Click Save.
3. Make the following adjustments to the OIDC policy configuration:
   Learn more in configuring policy and ID token settings. Use the following settings:
   - Go to Applications > OpenID Connect Policy Management and open the policy configuration that you plan to use.
   - On the Manage Policy tab, in the Access Token Manager list, select the ATM that you configured in the previous step.
   - On the Manage Policy tab, select the Include x.509 Thumbprint Header in ID token checkbox.
   - Configure the OIDC policy to expose the X5T header when PingFederate issues the id_token for Microsoft Entra ID.
   - Click Save.
4. Go to Applications > OAuth Clients and register an OAuth Client for Microsoft Entra ID in PingFederate.
   Learn more in configuring OAuth clients. Use the following settings:
   - In the Redirect URIs section, in the Redirection URIs field, enter https://login.microsoftonline.com/common/federation/externalauthprovider and click Add.
   - Select the Bypass Authorization Approval checkbox.
   - In the Allowed Grant Types section, select Implicit.
   - Confirm that id_token is a valid response type.
   - In the Default Access Token Manager list, select the ATM that you configured in step 2.
   - In the OpenID Connect section, in the Policy list, select the OIDC policy that you configured in step 3.
5. If you are using PingID for MFA, make the following adjustments to the authentication policy configuration:
   - If the PingID adapter follows the Microsoft EAM IdP Adapter in the authentication policy, set the Microsoft EAM IdP Adapter’s Sub attribute as the User ID Authenticated for PingID.
     - On the PingID adapter step, click Options.
     - In the Source list, select the Microsoft EAM IdP Adapter.
     - In the Attribute list, select Sub.
     - Select the User ID Authenticated checkbox.
     - Click Done.
   - If the PingID adapter follows the Microsoft EAM IdP Adapter in the authentication policy and the flow ends in a policy contract, select PingID’s amr attribute as the Source for the Contract Mapping.
     Learn more in configuring contract mapping.
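To confirm that steps 1 and 3 took effect, the following added example (not Ping Identity or Microsoft code) checks that an issued id_token carries an RSA alg and an x5t header matching a certificate published in the JWKS. The function name check_id_token_header and the sample inputs are constructed, and it assumes the published certificate appears as x5c in the JWKS document.

```python
import base64
import hashlib
import json


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def x5t_of(cert_der: bytes) -> str:
    """RFC 7515 x5t: base64url of the SHA-1 digest of the DER certificate."""
    return b64url_encode(hashlib.sha1(cert_der).digest())


def check_id_token_header(id_token: str, jwks: dict) -> list:
    """Return header problems (empty list = OK); does not verify the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (expected three dot-separated segments)"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        alg = str(header.get("alg", ""))
    except (ValueError, AttributeError):  # bad base64/UTF-8/JSON or not an object
        return ["header segment is not a base64url-encoded JSON object"]
    problems = []
    if alg[:2] not in ("RS", "PS"):
        problems.append(f"alg {alg!r} is not an RSA signature algorithm")
    # Assumption: the published certificate is exposed as x5c (standard base64 DER).
    published = {x5t_of(base64.b64decode(k["x5c"][0]))
                 for k in jwks.get("keys", []) if k.get("x5c")}
    x5t = header.get("x5t")
    if x5t is None:
        problems.append("x5t header missing; check the thumbprint setting in step 3")
    elif x5t not in published:
        problems.append("x5t does not match any certificate published in the JWKS")
    return problems


if __name__ == "__main__":
    cert = b"constructed bytes standing in for a DER certificate"
    hdr = b64url_encode(json.dumps({"alg": "RS256", "x5t": x5t_of(cert)}).encode())
    jwks = {"keys": [{"kty": "RSA", "x5c": [base64.b64encode(cert).decode()]}]}
    print(check_id_token_header(f"{hdr}.e30.c2ln", jwks))
```

Pass it an id_token captured from a test sign-on and the JSON fetched from the PingFederate JWKS endpoint; an empty list means the header looks as configured.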