---
title: Configuring PingFederate administration
description: Configure your PingFederate administration settings in the PingAccess administrative console.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_configuring_pf_administration
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_configuring_pf_administration.html
revdate: August 9, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
  example: Example:
---

# Configuring PingFederate administration

Configure your PingFederate administration settings in the PingAccess administrative console.

## About this task

For information on the PingFederate administration application programming interface (API), see [PingFederate administrative API](https://docs.pingidentity.com/pingfederate/latest/developers_reference_guide/pf_admin_api.html).

When you save the PingFederate administration configuration, PingAccess will test the connection to PingFederate. If PingAccess can't make a connection, an error will display in the administrative console and the configuration won't save.

## Steps

1. Click **Settings**, then go to **System > Token Provider > PingFederate > Administration**.

2. Enter the **Host** name or IP address for access to the PingFederate administrative API.

3. Enter the **Port** number for access to the PingFederate runtime.

4. If necessary, enter the **Base Path** for the PingFederate runtime.

   The **Base Path** must start with a slash (/).

   ### Example:

   `/path`.

5. If the PingFederate administrative API requires native authentication, click **Basic**.

   1. Enter the **Admin Username**.

      This username only requires auditor (read-only) permission in PingFederate.

   2. Enter the **Admin Password**.

6. If the PingFederate administrative API requires OAuth 2.0 authentication, click **OAuth**.

   1. In the **Configured Authorization Server** list, choose from:

      * **PingFederate Runtime**

      * **Admin Token Provider** (will only display if configured)

        The API endpoint `/pingfederate/admin` allows you to select additional options for the configured authorization server. You can configure the following authorization servers in the PingAccess administrative console:

        - **PingFederate Runtime**. For more information, see [Configuring a PingFederate runtime](pa_pf_runtime.html).

        - **Admin token provider**. For more information, see [Configuring an admin token provider](pa_configuring_an_admin_token_provider.html).

        - **Common**. For more information, see [Configuring OAuth authorization servers](pa_configuring_oauth_authz_servers.html).

        - **PingOne**. For more information, see [PingOne](pa_p1.html).

   2. In the **Client ID** field, enter a client ID for the OAuth client configured in the token provider.

      Choose a client that is configured with the client credentials grant type.

   3. In the **Client Credentials Type** field, select the credentials for the OAuth client configured in the token provider.

   4. In the **Scopes** field, enter the required scopes of validated access tokens that are authorized to call the PingFederate administrative API.

      |   |                                                                                                                                                                                  |
      | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
      |   | Scopes can be input as an array of case-sensitive strings. For a full list of the required scopes, see PingFederate's `required.scopes` section of the `oauth2.properties` file. |

7. To log information about the transaction to the audit store, select **Audit**.

   PingAccess audit logs record a selected subset of transaction log information at runtime and are located in the `/logs` directory of your PingAccess installation.

8. In the **Secure** section of the **Administration** tab, click **Yes** if PingFederate is expecting HTTPS connections.

   Otherwise, click **No**.

9. From the **Trusted Certificate Group** list, select the group of certificates to use when authenticating to PingFederate.

   PingAccess requires the certificate that PingFederate is using to anchor to a certificate in the associated trusted certificate group.

   This field is available only if you enable **Secure** connections in step 8.

10. **Optional:** To configure advanced settings, click **Show Advanced**.

    1. Select **Skip Hostname Verification** to not perform hostname verification of the certificate.

    2. Enter an **Expected Certificate Hostname** to verify the certificate with the specified name instead of the **Host** name.

    3. To use a configured proxy for API requests, select the **Use Proxy** check box.

       |   |                                                                                        |
       | - | -------------------------------------------------------------------------------------- |
       |   | If the node isn't configured with a proxy, requests are made directly to PingFederate. |

11. Click **Save**.

    |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
    | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
    |   | To view OpenID Connect (OIDC) metadata provided by the token provider, click **View Metadata** after saving the token provider configuration. |
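
How the **Secure**, **Trusted Certificate Group**, **Skip Hostname Verification** and **Expected Certificate Hostname** settings from steps 8 to 10 translate into a TLS client check, as an added example that is not part of the PingAccess documentation or product code. The `cfg` keys, the `ca_bundle` PEM file standing in for the trusted certificate group, and the sample host values are assumptions made for illustration.

```python
import socket
import ssl


def build_tls_check(cfg, ca_bundle=None):
    """Translate the Secure, trust and hostname settings into a TLS client check.

    cfg keys are hypothetical labels for the console fields, not PingAccess
    API names. ca_bundle is a PEM file standing in for the Trusted Certificate
    Group; None falls back to the system trust store.
    Returns (context, name_to_verify), or (None, None) when Secure is No.
    """
    base = cfg.get("base_path", "")
    if base and not base.startswith("/"):
        raise ValueError("Base Path must start with a slash (/)")
    if not cfg.get("secure"):
        # Plain HTTP: the server is not authenticated and whatever credentials
        # are sent to the administrative API cross the network unencrypted.
        return None, None
    ctx = ssl.create_default_context(cafile=ca_bundle)  # chain must anchor here
    if cfg.get("skip_hostname_verification"):
        # Assumed model: the chain is still validated, but any certificate
        # issued under the trusted group is accepted regardless of its name.
        ctx.check_hostname = False
    # Expected Certificate Hostname replaces Host as the name to match.
    name = cfg.get("expected_hostname") or cfg["host"]
    return ctx, name


def probe(cfg, ca_bundle=None, timeout=5.0):
    """Connect the way the settings describe and report the outcome."""
    ctx, name = build_tls_check(cfg, ca_bundle)
    if ctx is None:
        return "no TLS: server identity not checked"
    try:
        with socket.create_connection((cfg["host"], cfg["port"]), timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                return f"ok: {tls.version()}"
    except ssl.SSLCertVerificationError as exc:
        return f"rejected: {exc.verify_message}"


if __name__ == "__main__":
    # Constructed sample: Host is an IP, so the certificate name is given separately.
    sample = {"host": "192.0.2.10", "port": 9999, "base_path": "/path",
              "secure": True, "expected_hostname": "pf.example.com"}
    ctx, name = build_tls_check(sample)
    print(name, ctx.check_hostname, ctx.verify_mode)
```

Calling `probe` from the PingAccess host with the values you intend to enter can help explain a failed connection test: a `rejected:` result points at the trust group or the hostname rather than at credentials.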
