---
title: Configuring a proxied PingFederate runtime
description: Configure a secure connection to the proxied PingFederate runtime in PingAccess:
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_configuring_a_proxied_pf_runtime
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_configuring_a_proxied_pf_runtime.html
revdate: August 25, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
  result: Result
  next-steps: Next steps
---

# Configuring a proxied PingFederate runtime

## About this task

Configure a secure connection to the proxied PingFederate runtime in PingAccess.

## Steps

1. Click **Settings**, then go to **System > Token Provider > PingFederate > Runtime**.

2. Click **Proxied Token Provider (PingFederate Runtime Application)**.

3. In the **Primary Virtual Host** field, enter the virtual host to use for the PingFederate application.

   If you haven't created the virtual host, click **Create**. For more information, see [Creating new virtual hosts](pa_creating_new_virtual_hosts.html).

   This virtual host is used by default for front-channel redirects to the PingFederate token provider when an application-specific OpenID Connect (OIDC) issuer isn't defined.

4. **Optional:** In the **Additional Virtual Hosts** field, enter one or more virtual hosts that can be used for the PingFederate application.

   If you haven't created the virtual host, click **Create**. For more information, see [Creating new virtual hosts](pa_creating_new_virtual_hosts.html).

5. In the **Targets** field, enter a `hostname:port` pair used to access the PingFederate runtime servers.

   Click **Add Target** to add additional **Targets** fields.

6. In the **Secure** section, click **Yes** if the PingFederate runtime expects HTTPS connections.

7. In the **Trusted Certificate Group** list, select the certificate group the PingFederate certificate is in.

   This field is available only if you select **Yes** in step 6.

8. In the **Availability Profile** list, select the [availability profile](pa_availability_profiles.html) that the PingFederate runtime should use.

   To create a new availability profile, click **Create**.

9. To record requests to PingFederate to the audit store, select the **Audit** check box.

   This check box is selected by default.

10. **Optional:** To configure advanced settings, click **Show Advanced**.

    | Option | Description |
    | ------ | ----------- |
    | **Context Root** | Enter the first part of the URL path for the PingFederate application and its resources. The context root must begin with a slash. It can contain additional slashes, but cannot end with one. It must match the path defined by the base URL in PingFederate. |
    | **Case Sensitive** | Select this check box to make the context root and resource path matching case sensitive. |
    | **Client Certificate Header Name** | In this section, click **Add Client Certificate Header Name** and enter one or more header names to which PingAccess should map client certificates found in the request. The position of the header name in the list correlates to the index in the client certificate chain, with the first header mapped to the leaf certificate. |
    | **Policy** | In this section, add one or more [rules](pa_rule_management.html), [rule sets](pa_adding_rule_sets.html), or [rule set groups](pa_adding_rule_set_groups.html) to run when making requests to the PingFederate runtime. Click **Rules**, **Rule Sets**, or **Rule Set Groups**, then drag one or more selections from the **Available** column to the **Selected Policy** column. Valid rule types are Groovy script, cross-origin request, and rewrite rules. Create new rules, rule sets, or rule set groups by clicking **Create Rule**, **Create Rule Set**, or **Create Rule Set Group**. |
    | **Load Balancing Strategy** | In this list, select a [load balancing strategy](pa_load_balancing_strategies.html) to use for requests to the PingFederate runtime. If you specify multiple target servers for a proxied PingFederate runtime but don't apply a load balancing strategy, PingAccess uses the first target server in the list until it fails. Secondary target servers are only used if the first target server is not available. PingAccess uses the **Failed Retry Timeout** from the runtime's [availability profile settings](pa_creating_availability_profiles.html) to determine when to mark the first target server as available again. |
    | **Expected Certificate Hostname** | Enter the host name expected in the certificate. If this field isn't specified, certificates are verified using the target host names. |
    | **Skip Hostname Verification** | Click to stop the backchannel servers from performing host name verification of the certificate. |
    | **Use Proxy** | Click to make backchannel requests to PingFederate use the proxy configured on the PingAccess nodes. |
    | **Use Single-Logout** | Click to enable single logout if it's configured for the OpenID Provider (OP). |

11. Click **Save**.

    Saving a new PingFederate runtime configuration overwrites any existing PingFederate runtime configuration.

## Result

After you save the PingFederate runtime connection, PingAccess tests the connection to PingFederate. If the connection can't be made, a warning displays in the admin console, and the PingFederate runtime configuration isn't saved.
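
The following pre-save review of the values planned for steps 5 through 10 is an added example, not Ping Identity code. The dictionary keys are hypothetical names that mirror the form fields (they are not PingAccess Admin API properties), the sample values are constructed, and accepting a bare `/` context root is an assumption.

```python
import re

# Hypothetical keys mirroring this page's form fields (not PingAccess Admin API
# property names); all values are constructed samples.
SAMPLE = {
    "targets": ["pf1.example.internal:9031", "pf2.example.internal"],
    "secure": True, "trusted_certificate_group": "",
    "context_root": "/pf/", "expected_certificate_hostname": "",
    "skip_hostname_verification": True, "load_balancing_strategy": "", "audit": False,
}
_HOST = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")

def parse_target(target):
    """Split a hostname:port pair, raising ValueError when it is malformed."""
    host, sep, port = target.rpartition(":")
    if not (sep and _HOST.match(host) and port.isdigit() and 0 < int(port) < 65536):
        raise ValueError(f"not a hostname:port pair: {target!r}")
    return host, int(port)

def review(cfg):
    """Return (severity, message) findings for a planned runtime configuration."""
    out, hosts = [], []
    for target in cfg.get("targets") or [""]:
        try:
            hosts.append(parse_target(target)[0])
        except ValueError as exc:
            out.append(("error", str(exc)))
    root = cfg.get("context_root") or "/"
    # Page rule: begin with a slash, never end with one (bare "/" allowed by assumption).
    if not root.startswith("/") or (len(root) > 1 and root.endswith("/")):
        out.append(("error", f"context root {root!r} must begin with a slash and not end with one"))
    if not cfg.get("secure"):
        out.append(("warn", "Secure is No: requests to the targets are not sent over HTTPS"))
    else:
        if not cfg.get("trusted_certificate_group"):
            out.append(("warn", "Secure is Yes but no Trusted Certificate Group is chosen"))
        if cfg.get("skip_hostname_verification"):
            out.append(("warn", "Skip Hostname Verification is on: certificate names are not checked"))
        else:
            names = cfg.get("expected_certificate_hostname") or ", ".join(hosts)
            out.append(("info", f"certificates are verified against: {names}"))
    if len(cfg.get("targets") or []) > 1 and not cfg.get("load_balancing_strategy"):
        out.append(("info", f"no load balancing strategy: {cfg['targets'][0]} is used until it fails"))
    if not cfg.get("audit", True):
        out.append(("warn", "Audit is cleared: requests to PingFederate are not recorded"))
    return out

if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```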

## Next steps

After you save this configuration and perform the steps in [Configuring OAuth resource servers](pa_configuring_oauth_resource_servers.html), a PingFederate access validator is available for selection when you define OAuth-type rules in the policy manager.

After you configure the token provider, click **View Metadata** to display the metadata provided by the token provider. To update the metadata, click **Refresh Metadata**.
