Adding access token validators
Add an access token validator to verify signed or encrypted access tokens in PingAccess.
Before you begin
If you want to validate access tokens with your own JWKS endpoint, create a third-party service for the JWKS endpoint before configuring an access token validator.
Steps
1. Click Access, then go to Token Validation > Access Token Validators.
2. Click Add Access Token Validator.
3. In the Name field, enter a name for the token validator.
4. In the Type list, select the type of key you want to validate.
   The token provider configuration determines which key type applies. For information about configuring PingFederate as the token provider, see Configuring JSON token management.
5. (Optional) In the Description field, enter a description for the token validator.
6. To validate access tokens with your own JWKS endpoint, in the Third-Party Service list, select a JWKS endpoint that you previously configured as a third-party service.
   The third-party service’s target is used as the host. If you select a third-party service in this list, that service acts as the primary access token validator and overrides any other configured token provider for the application associated with this third-party service.
7. In the Path field, specify the endpoint path used to verify the signature.
   This entry must start with a forward slash (/) and must not end with a forward slash (/). The PingFederate token provider configuration supplies the host and port. PingAccess permits query strings in the path.
8. (Optional) In the Subject Attribute Name field, enter the attribute expected as the subject.
   If this value is configured and the specified subject attribute name isn’t present in the token, validation fails.
9. (Optional) In the Issuer field, enter the issuer value that the access token is expected to contain.
   If this value is configured and the specified issuer isn’t present in the token, validation fails.
10. (Optional) In the Audience field, specify the audience value that the access token is expected to contain.
    If this value is configured and the specified audience isn’t present in the token, validation fails.
11. If you don’t want to validate access tokens for an audience value, you must select the Skip Audience Validation checkbox.
12. Click Save.
Adding multiple JWKS endpoint access token validators
Add a Multiple JSON Web Key Set (JWKS) Endpoint access token validator to define multiple endpoints or issuers.
Before you begin
If you want to validate access tokens with your own JWKS endpoint, create a third-party service for the JWKS endpoint before configuring an access token validator.
Steps
1. Click Access, then go to Token Validation > Access Token Validators.
2. Click Add Access Token Validator.
3. In the Name field, enter a name for the token validator.
4. In the Type list, select Multiple JSON Web Key Set (JWKS) Endpoint.
5. (Optional) In the Description field, enter a description for the token validator.
6. In the Third-Party Service list, select a JWKS endpoint that you previously configured as a third-party service to validate access tokens with.
   The third-party service’s target is used as the host. If you select a third-party service in this list, that service acts as the primary access token validator and overrides any other configured token provider for the application associated with this third-party service.
7. In the Path field, specify the endpoint path used to verify the signature.
   This entry must start with a forward slash (/) and must not end with a forward slash (/). The PingFederate token provider configuration supplies the host and port. PingAccess permits query strings in the path.
8. (Optional) In the Subject Attribute Name field, enter the attribute expected as the subject.
   If this value is configured and the specified subject attribute name isn’t present in the token, validation fails.
9. (Optional) In the Issuer field, enter the issuer value that the access token is expected to contain.
   If this value is configured and the specified issuer isn’t present in the token, validation fails.
   A Multiple JSON Web Key Set (JWKS) Endpoint access token validator (ATV) processes each JWKS whose configured issuer matches the issuer in the access token. If the token contains an issuer value, that value is checked first.
   If no configured issuer matches, the ATV cycles through all the JWKS endpoints until it finds one that verifies the token.
10. (Optional) In the Audience field, specify the audience value that the access token is expected to contain.
    If this value is configured and the specified audience isn’t present in the token, validation fails.
11. If you don’t want to validate access tokens for an audience value, you must select the Skip Audience Validation checkbox.
12. Click + Add Row and repeat steps 6 through 11 for any additional endpoints.
13. Click Save.
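As an added illustration that is not PingAccess product code and is not taken from this page, the following Python models the checks the fields in both procedures above configure: the Path rule, the optional Subject Attribute Name, Issuer and Audience checks with Skip Audience Validation, and, for the Multiple JSON Web Key Set (JWKS) Endpoint type, the issuer-first choice of a JWKS row with fallback to cycling through every endpoint. Assumptions not stated on the page: each endpoint's JWKS is already fetched into a dict; keys are symmetric "oct" JWKs and tokens use HS256 so the code runs offline with the standard library only (a real deployment verifies RS256 or ES256 signatures against public keys); and the claim rules of the row whose key verified the signature are the ones applied. The names JwksEndpointRow, AccessTokenValidator, mint_hs256_token and is_valid_endpoint_path, the sample issuers, keys and paths are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

class TokenValidationError(Exception): ...

def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def mint_hs256_token(key: bytes, kid: str, claims: dict) -> str:
    # Builds a compact JWS for constructed sample input (HS256 is an assumption, see lead-in).
    header = _b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def is_valid_endpoint_path(path: str) -> bool:
    # Path field rule: starts with "/", does not end with "/"; a query string is allowed.
    return path.startswith("/") and not path.endswith("/")

def _verify_signature(token: str, jwks: dict) -> dict:
    # Verifies the HS256 signature against the "oct" keys in one JWKS and returns the claims.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise TokenValidationError(f"unsupported alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    for jwk in jwks.get("keys", []):
        if jwk.get("kty") != "oct" or jwk.get("kid") != header.get("kid"):
            continue
        expected = hmac.new(_b64url_decode(jwk["k"]), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return json.loads(_b64url_decode(payload_b64))
    raise TokenValidationError("signature did not verify against this JWKS")

@dataclass
class JwksEndpointRow:
    """One endpoint row (steps 6 through 11); a single-endpoint validator has one row."""
    path: str
    jwks: dict
    subject_attribute_name: Optional[str] = None
    issuer: Optional[str] = None
    audience: Optional[str] = None
    skip_audience_validation: bool = False

    def __post_init__(self):
        if not is_valid_endpoint_path(self.path):
            raise ValueError(f"invalid Path {self.path!r}: must start with '/' and not end with '/'")

    def check_claims(self, claims: dict) -> None:
        # Each optional field is enforced only when it is configured, as the steps state.
        if self.subject_attribute_name and self.subject_attribute_name not in claims:
            raise TokenValidationError(f"missing subject attribute {self.subject_attribute_name!r}")
        if self.issuer and claims.get("iss") != self.issuer:
            raise TokenValidationError(f"issuer {claims.get('iss')!r} does not match {self.issuer!r}")
        if self.audience and not self.skip_audience_validation:
            aud = claims.get("aud")
            if self.audience not in (aud if isinstance(aud, list) else [aud]):
                raise TokenValidationError(f"audience {self.audience!r} not present in token")

class AccessTokenValidator:
    def __init__(self, rows: list):
        self.rows = rows

    def _candidate_rows(self, token: str) -> list:
        # The issuer claim is read from the still-unverified payload only to choose which JWKS
        # to try first; if no row's configured issuer matches, every endpoint is tried in order.
        iss = json.loads(_b64url_decode(token.split(".")[1])).get("iss")
        matching = [row for row in self.rows if iss is not None and row.issuer == iss]
        return matching or list(self.rows)

    def validate(self, token: str) -> dict:
        for row in self._candidate_rows(token):
            try:
                claims = _verify_signature(token, row.jwks)
            except TokenValidationError:
                continue
            row.check_claims(claims)  # assumption: the verifying row's claim rules apply
            return claims
        raise TokenValidationError("no configured JWKS endpoint verified the signature")

    def outcome(self, token: str) -> str:
        try:
            self.validate(token)
            return "ok"
        except TokenValidationError as exc:
            return str(exc)

# Constructed sample configuration: two issuers, each with its own (symmetric) JWK.
KEY_A, KEY_B = b"constructed-secret-for-issuer-a", b"constructed-secret-for-issuer-b"
ISS_A, ISS_B = "https://issuer-a.example", "https://issuer-b.example"
VALIDATOR = AccessTokenValidator([
    JwksEndpointRow("/ext/jwks", {"keys": [{"kty": "oct", "kid": "a-1", "k": _b64url_encode(KEY_A)}]},
                    subject_attribute_name="sub", issuer=ISS_A, audience="api-gateway"),
    JwksEndpointRow("/pf/JWKS?v=2", {"keys": [{"kty": "oct", "kid": "b-1", "k": _b64url_encode(KEY_B)}]},
                    issuer=ISS_B, skip_audience_validation=True),
])
```

Two behaviours are worth noting when running it. A token whose issuer claim matches a configured row is checked only against that row's JWKS, so a key from another endpoint cannot be substituted for it; a token with no issuer claim falls through every endpoint, and once a signature verifies, that row's configured Issuer value still has to be present, so such a token is rejected when the matching row pins an issuer.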