Configuring PingOne Advanced Identity Cloud or PingAM as the token provider
Configure PingOne Advanced Identity Cloud or PingAM as a token provider and OAuth authorization server in PingAccess.
About this task
Limitations:
- Single logout (SLO) isn't supported globally, because PingOne Advanced Identity Cloud and PingAM require the id_token_hint parameter on their end_session endpoint. The following workaround is available on a per-application basis:
  - Create a virtual logout resource and use the SLO and ID_TOKEN variables in the Post-Logout Redirect URL. For example:
    1. In the PingAccess administrative console, go to Applications > Applications and open the associated application.
    2. On the Resources tab, click + Add Resource.
    3. In the Name field, enter a unique identifier for the resource.
    4. In the Path Patterns field, enter the path to which you want to redirect users to initiate logout. For example: /logout
       Redirect users to this logout resource when signing them out, instead of to the /pa/oidc/logout endpoint.
    5. In the Resource Authentication section, click Standard.
    6. (Optional) Select the Audit checkbox.
    7. In the Resource Type list, select Virtual.
    8. In the Response Generators section, in the Type list, select Logout.
    9. In the Post-Logout Redirect URL field, enter a redirect URL to the token provider's end_session endpoint that includes an id_token_hint. For example:
       $(SLO)?id_token_hint=$(ID_TOKEN)
       You can add more query parameters, such as post_logout_redirect_uri, as necessary.
    10. (Optional) Select the Encode URL checkbox.
    11. Click Save.
  - Complete the following procedure and make sure to select the Track id_token checkbox in step 11. This appends the ID token to the associated PingAccess web session; without it, the virtual logout resource has no ID token to place in id_token_hint.
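The redirect that step 9 of the workaround produces, written out as an added example (this is illustration code, not PingAccess's implementation of variable substitution or the Encode URL option). endSession stands in for what $(SLO) resolves to and idToken for $(ID_TOKEN); the PingAM issuer, end_session endpoint path, client application URL and the unsigned sample token are all constructed for the example. Beyond what the page states, the function refuses to send a hint whose iss claim is not the configured issuer, and it percent-encodes post_logout_redirect_uri so that a redirect URI containing a query string cannot be split into extra parameters.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// BuildLogoutURL assembles the redirect that the virtual logout resource's
// Post-Logout Redirect URL ($(SLO)?id_token_hint=$(ID_TOKEN)) resolves to.
// Two checks are applied before the hint is used: the token must be a
// three-part compact JWS, and its iss claim must equal the issuer configured
// for the token provider, so a token from another issuer is never sent to
// this end_session endpoint.
func BuildLogoutURL(endSession, issuer, idToken, postLogoutRedirect string) (string, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return "", errors.New("id_token_hint is not a compact JWS")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", fmt.Errorf("decode id_token payload: %w", err)
	}
	var claims struct {
		Iss string `json:"iss"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", fmt.Errorf("parse id_token claims: %w", err)
	}
	if claims.Iss != issuer {
		return "", fmt.Errorf("id_token issuer %q is not the configured issuer %q", claims.Iss, issuer)
	}
	u, err := url.Parse(endSession)
	if err != nil {
		return "", err
	}
	// url.Values.Encode percent-encodes the values, so a post_logout_redirect_uri
	// containing ':' '/' '?' or '&' cannot break the query string apart.
	q := u.Query()
	q.Set("id_token_hint", idToken)
	if postLogoutRedirect != "" {
		q.Set("post_logout_redirect_uri", postLogoutRedirect)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// ConstructedIDToken builds a sample token for this example only. A real
// id_token carries a signature that PingAccess verified when it tracked the
// token; here the third segment is a placeholder and is never checked.
func ConstructedIDToken(iss, sub string) string {
	enc := base64.RawURLEncoding.EncodeToString
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]string{"iss": iss, "sub": sub})
	return enc(header) + "." + enc(claims) + ".placeholder-signature"
}

func main() {
	// Hypothetical issuer and end_session endpoint for a PingAM realm.
	issuer := "https://am.example.com/am/oauth2/realms/root/realms/alpha"
	endSession := issuer + "/connect/endSession"
	token := ConstructedIDToken(issuer, "alice")
	u, err := BuildLogoutURL(endSession, issuer, token, "https://app.example.com/signed-out")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(u)
}
```

The issuer comparison is the check worth keeping: the id_token PingAccess tracked was validated when the session was created, but if the token provider configuration changes (for example, to a different realm) a stale session cookie can still carry a token for the old issuer, and sending that as id_token_hint only produces an error page at logout.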
Steps
1. In the PingAccess administrative console, click Settings, then go to System > Token Provider. Select PingOne Advanced Identity Cloud / PingAM.
2. In the Issuer field, enter the PingOne Advanced Identity Cloud or PingAM issuer.
   Enter the issuer exactly as the provider publishes it, including the realm path; PingAccess uses it to retrieve the provider's OIDC metadata (see Next steps).
3. (Optional) In the Description field, enter a description for the PingOne Advanced Identity Cloud or PingAM token provider.
4. In the Trusted Certificate Group list, select the certificate group that contains the certificate (or issuing CA certificate) that the PingOne Advanced Identity Cloud or PingAM TLS certificate chains to.
   PingAccess requires the certificate in use by the OpenID Connect (OIDC) provider to anchor to a certificate in the selected trusted certificate group.
   - Java Trust Store (default): Uses the Java trust store for certificate authentication. Learn more in Certificates.
   - Trust Any: Accepts any certificate the token provider presents, including self-signed certificates, without anchoring it to a trusted certificate. This disables chain validation, so anything that can intercept the connection can impersonate the token provider. Avoid it in production; if you do use it there, log the presented certificates in the audit log so that the peer identity is at least recorded.
5. In the Client ID field, enter the client ID of the OAuth client that PingAccess uses to validate access tokens (the client you registered for PingAccess in PingOne Advanced Identity Cloud or PingAM).
6. Select a Client Credentials Type, then provide the information required for the selected credential type. Choose from:
   - Secret: Click Secret to use a client secret. This is the default selection. In the Client Secret field, enter the client secret assigned when you created the PingAccess OAuth client in PingOne Advanced Identity Cloud or PingAM.
   - Mutual TLS: Click Mutual TLS to use mutual TLS client authentication. In the Key Pair list, select a configured key pair; PingAccess presents this certificate to the token provider when it authenticates.
   - Private Key JWT: Click Private Key JWT to authenticate with a signed JWT client assertion (private_key_jwt). No additional information is required in this form.
7. To retain token details for subsequent requests, in the Cache Tokens section, click Yes.
   This option reduces communication between PingAccess and PingOne Advanced Identity Cloud or PingAM, because a token that has already been validated is not sent to the provider again until its cached entry expires.
   a. In the Token Time to Live (Sec.) field, enter the number of seconds to cache the access token.
      The default value is -1, which means no limit. Enter a value that's less than the PingOne Advanced Identity Cloud or PingAM access token lifetime, so that a cached entry cannot outlive the token it represents.
8. In the Subject Attribute Name field, enter the attribute from the OAuth access token (for example, sub) that you want to track as the subject for auditing purposes.
   At runtime, this attribute's value is used as the subject field in audit log entries for API resources with policies that validate access tokens.
9. To send the URI that the user requested as the PingAccess audience OAuth parameter to PingOne Advanced Identity Cloud or PingAM, select the Send Audience checkbox. This checkbox is cleared by default.
10. If requests made to PingOne Advanced Identity Cloud or PingAM should go through a proxy, click Show Advanced Settings and select the Use Proxy checkbox. This checkbox is cleared by default.
    If the node is not configured with a proxy, requests are made directly to the token provider. Learn more about creating proxies in Adding proxies.
11. To track the id_token that the authorization server provides after authentication within the PingAccess session cookie, click Show Advanced Settings and select the Track id_token checkbox. This checkbox is cleared by default.
    You must select Track id_token to use the id_token attribute when Creating header identity mappings. You can then use this header to pass the id_token along to other identity mappings, virtual logout resources, or rules. Token providers can use the id_token attribute to identify and locate a user's session; PingOne Advanced Identity Cloud and PingAM require the id_token_hint parameter for this when performing SLO.
    Tracking the id_token attribute increases the PingAccess cookie's size, which could make the cookie exceed the browser's limit. Learn more in Minimizing the PingAccess cookie size.
12. Click Save.
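What the Private Key JWT option in step 6 stands for, shown as an added example of the private_key_jwt client assertion (OpenID Connect Core 1.0 section 9, RFC 7523) and of the checks the token endpoint must make on it. This is illustration code written for this page, not PingAccess's or PingAM's implementation; PingAccess chooses its own key, key identifier and claim set, and PingAM's token endpoint does its own validation. The client_id and the PingAM token endpoint URL are hypothetical, and the RSA key is generated on the spot.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// ClientAssertion builds the client_assertion a private_key_jwt client sends
// to the token endpoint: iss and sub are the client_id, aud is the token
// endpoint, jti is fresh randomness so the server can reject replays, and
// exp is kept short (60 s). Signed with RS256 over the compact JWS input.
func ClientAssertion(key *rsa.PrivateKey, clientID, tokenEndpoint string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{
		"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
		"jti": b64.EncodeToString(jti),
		"iat": now.Unix(), "exp": now.Add(60 * time.Second).Unix(),
	})
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyClientAssertion performs the token endpoint's checks: the header
// names RS256 (no algorithm substitution), the signature verifies under the
// client's registered public key, iss and sub name the client, aud is this
// endpoint, exp has not passed, and jti has not been seen before. seen is
// the replay record, keyed by jti, and is updated on success.
func VerifyClientAssertion(pub *rsa.PublicKey, assertion, clientID, tokenEndpoint string, now time.Time, seen map[string]bool) error {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return errors.New("not a compact JWS")
	}
	seg := make([][]byte, 3)
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil {
			return fmt.Errorf("segment %d: %w", i, err)
		}
		seg[i] = b
	}
	var hdr struct{ Alg string }
	if err := json.Unmarshal(seg[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return errors.New("unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg[2]); err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	var c struct {
		Iss, Sub, Aud, Jti string
		Exp                int64
	}
	if err := json.Unmarshal(seg[1], &c); err != nil {
		return err
	}
	switch {
	case c.Iss != clientID || c.Sub != clientID:
		return errors.New("iss/sub is not the registered client")
	case c.Aud != tokenEndpoint:
		return errors.New("aud is not this token endpoint")
	case now.Unix() >= c.Exp:
		return errors.New("assertion expired")
	case seen[c.Jti]:
		return errors.New("jti replayed")
	}
	seen[c.Jti] = true
	return nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	clientID := "pingaccess" // hypothetical client_id
	tokenEndpoint := "https://am.example.com/am/oauth2/realms/root/realms/alpha/access_token"
	now := time.Now()
	assertion, _ := ClientAssertion(key, clientID, tokenEndpoint, now)
	seen := map[string]bool{}
	fmt.Println("first use:", VerifyClientAssertion(&key.PublicKey, assertion, clientID, tokenEndpoint, now, seen))
	fmt.Println("replay:   ", VerifyClientAssertion(&key.PublicKey, assertion, clientID, tokenEndpoint, now, seen))
}
```

The reason this credential type needs no secret in the form is visible in the code: only the public key ever leaves PingAccess, the assertion is bound to one token endpoint through aud, and it is single-use through jti and exp, so an assertion captured in transit is of no use elsewhere or later. The alg check before signature verification is the one step people leave out.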
Next steps
- After you configure the token provider, click View Metadata to display the metadata provided by the token provider.
- To update the metadata, click View Metadata > Refresh Metadata.
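The caveat in step 7a (keep Token Time to Live below the access token lifetime), worked through as an added example. This is a small model of a validation cache written for this page, not PingAccess's cache; the token string and its 5-minute lifetime are constructed. It shows the weak setting beside the corrected one: with no clamp, a TTL longer than the token lifetime (or the unlimited -1) keeps serving a token after its exp, which is exactly why the page tells you to set the TTL lower; the clampToExp variant, an addition of this example, makes the entry lifetime min(TTL, exp) so that no TTL value can outlive the token.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"time"
)

// cachedResult is what a validation round trip to the token provider returned.
type cachedResult struct {
	subject string
	expires time.Time // when this cache entry stops being served
}

// TokenCache memoizes access-token validation results, keyed by the SHA-256
// of the token so the raw token is not kept as a map key. ttl mirrors the
// Token Time to Live (Sec.) setting: a negative value means no limit (-1).
// clampToExp=false reproduces the weak behaviour in which an entry lives for
// the full TTL regardless of the token's own exp.
type TokenCache struct {
	ttl        time.Duration
	clampToExp bool
	entries    map[[32]byte]cachedResult
}

func NewTokenCache(ttlSeconds int, clampToExp bool) *TokenCache {
	return &TokenCache{
		ttl:        time.Duration(ttlSeconds) * time.Second,
		clampToExp: clampToExp,
		entries:    map[[32]byte]cachedResult{},
	}
}

// EntryExpiry computes when an entry created at now for a token expiring at
// tokenExp stops being served. "No limit" is modeled as a far-future time.
func (c *TokenCache) EntryExpiry(now, tokenExp time.Time) time.Time {
	byTTL := tokenExp.Add(100 * 365 * 24 * time.Hour)
	if c.ttl >= 0 {
		byTTL = now.Add(c.ttl)
	}
	if c.clampToExp && byTTL.After(tokenExp) {
		return tokenExp
	}
	return byTTL
}

// Put records a token that the token provider has just validated.
func (c *TokenCache) Put(token, subject string, tokenExp, now time.Time) {
	c.entries[sha256.Sum256([]byte(token))] = cachedResult{
		subject: subject,
		expires: c.EntryExpiry(now, tokenExp),
	}
}

// Get returns the cached subject while the entry is live; a stale entry is
// evicted so the caller goes back to the token provider.
func (c *TokenCache) Get(token string, now time.Time) (string, bool) {
	key := sha256.Sum256([]byte(token))
	e, ok := c.entries[key]
	if !ok {
		return "", false
	}
	if !now.Before(e.expires) {
		delete(c.entries, key)
		return "", false
	}
	return e.subject, true
}

func main() {
	now := time.Unix(1700000000, 0)
	tokenExp := now.Add(5 * time.Minute) // constructed: a 5-minute access token
	tok := "constructed.access.token"
	for _, cfg := range []struct {
		ttl   int
		clamp bool
	}{{-1, false}, {3600, false}, {60, false}, {-1, true}} {
		c := NewTokenCache(cfg.ttl, cfg.clamp)
		c.Put(tok, "alice", tokenExp, now)
		_, hit := c.Get(tok, tokenExp.Add(time.Minute))
		fmt.Printf("ttl=%5d clamp=%-5v served one minute after exp: %v\n", cfg.ttl, cfg.clamp, hit)
	}
}
```

Whether PingAccess itself bounds a cached entry by the token's exp is not something this page states, so treat the TTL advice in step 7a as the configuration that is guaranteed to be safe: a TTL shorter than the token lifetime means the cache can never be the reason an expired token is still accepted.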