Adding access token validators
Add an access token validator to verify signed or encrypted access tokens in PingAccess.
Steps
- Click Access, then go to Token Validation > Access Token Validators.
- Click Add Access Token Validator.
- In the Name field, enter a name for the token validator.
- In the Type list, select the type of key you want to validate.
  The token provider configuration determines which key type applies. For information about configuring PingFederate as the token provider, see Configuring JSON token management.
- (Optional) In the Description field, enter a description for the token validator.
- In the Path field, specify the endpoint path used to verify the signature.
  This entry must start with a forward slash (/) and must not end with one. The PingFederate token provider configuration supplies the host and port. PingAccess permits query strings in the path.
- (Optional) In the Subject Attribute Name field, enter the name of the attribute expected as the subject.
  If this value is configured and the specified subject attribute isn't present in the token, validation fails.
- (Optional) In the Issuer field, enter the issuer value expected in the access token.
  If this value is configured and the specified issuer isn't present in the token, validation fails.
- (Optional) In the Audience field, specify the audience value expected in the access token.
  If this value is configured and the specified audience isn't present in the token, validation fails.
- If you don't want to validate access tokens against an audience value, you must select the Skip Audience Validation checkbox.
- Click Save.
Adding multiple JWKS endpoint access token validators
Add a Multiple JSON Web Key Set (JWKS) Endpoint access token validator to define multiple endpoints or issuers.
Steps
- Click Access, then go to Token Validation > Access Token Validators.
- Click Add Access Token Validator.
- In the Name field, enter a name for the token validator.
- In the Type list, select Multiple JSON Web Key Set (JWKS) Endpoint.
- (Optional) In the Description field, enter a description for the token validator.
- In the Path field, specify the endpoint path used to verify the signature.
  This entry must start with a forward slash (/) and must not end with one. The PingFederate token provider configuration supplies the host and port. PingAccess permits query strings in the path.
- (Optional) In the Subject Attribute Name field, enter the name of the attribute expected as the subject.
  If this value is configured and the specified subject attribute isn't present in the token, validation fails.
- (Optional) In the Issuer field, enter the issuer value expected in the access token.
  If this value is configured and the specified issuer isn't present in the token, validation fails.
  A Multiple JSON Web Key Set (JWKS) Endpoint access token validator (ATV) checks the token's issuer value first, if one is present, and uses the JWKS configured for the matching issuer. If no matching issuer is configured, the ATV cycles through all the JWKS endpoints until it finds one that verifies the token.
- (Optional) In the Audience field, specify the audience value expected in the access token.
  If this value is configured and the specified audience isn't present in the token, validation fails.
- If you don't want to validate access tokens against an audience value, you must select the Skip Audience Validation checkbox.
- Click + Add Row and repeat steps 6-10 for any additional endpoints.
- Click Save.
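The checks configured in both procedures above (subject attribute, issuer, audience and Skip Audience Validation, plus the multiple-JWKS rule of matching by issuer first and cycling through every endpoint otherwise) can be written out as plain decision logic. The following is an added example, not PingAccess code: the configuration field names are illustrative, the sample tokens are constructed and unsigned, and the `verify` callback stands in for signature verification against one JWKS endpoint. It also accepts `aud` as either a string or an array, as RFC 7519 allows.

```python
import base64
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Illustrative model of the validator settings on this page; these field
# names are this example's own, not PingAccess configuration keys.
@dataclass
class ValidatorConfig:
    subject_attribute: Optional[str] = None   # Subject Attribute Name
    issuer: Optional[str] = None              # Issuer
    audience: Optional[str] = None            # Audience
    skip_audience_validation: bool = False    # Skip Audience Validation checkbox
    jwks_endpoints: Dict[str, str] = field(default_factory=dict)  # issuer -> JWKS path

def decode_claims(token: str) -> dict:
    """Return the JWT payload (second base64url segment); no signature check here."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))

def validate(cfg: ValidatorConfig, token: str,
             verify: Callable[[str, str], bool]) -> Tuple[bool, str]:
    """Apply the page's rules. verify(token, jwks_path) is assumed to perform the
    signature check against one JWKS endpoint and is supplied by the caller."""
    claims = decode_claims(token)
    iss = claims.get("iss")
    # Multiple JWKS Endpoint rule: matching issuer first, otherwise cycle all endpoints.
    if iss in cfg.jwks_endpoints:
        candidates = [cfg.jwks_endpoints[iss]]
    else:
        candidates = list(cfg.jwks_endpoints.values())
    if not any(verify(token, path) for path in candidates):
        return False, "signature not verified by any JWKS endpoint"
    if cfg.subject_attribute and cfg.subject_attribute not in claims:
        return False, f"missing subject attribute {cfg.subject_attribute!r}"
    if cfg.issuer and iss != cfg.issuer:
        return False, "issuer mismatch"
    if cfg.audience and not cfg.skip_audience_validation:
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud   # RFC 7519: string or array
        if cfg.audience not in aud:
            return False, "audience mismatch"
    return True, "ok"

def make_token(claims: dict) -> str:
    """Build a constructed sample token; the signature segment is a placeholder."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'demo'})}.{enc(claims)}.placeholder"
```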