Configuring an admin token provider
Configure a token provider to use when accessing the PingAccess user interface if you have enabled admin UI single sign-on or admin application programming interface (API) OAuth.
About this task
If you do not configure an admin token provider, the system token provider is used for both the PingAccess user interface and for end users.
Steps
-
Click Settings and then go to Admin Authentication → Admin Token Provider.
-
In the Admin Token Provider section, select Admin.
-
In the Issuer field, enter the issuer ID.
-
Optional: In the Description field, enter a description for the token provider.
-
In the Trusted Certificate Group list, select a trusted certificate group that PingAccess will use when authenticating to the admin token provider.
-
Optional: To configure the connection to use a configured proxy, click Show Advanced Settings and select Use Proxy.
For more information about creating proxies, see Adding proxies.
-
To configure OAuth 2.0 Demonstrating Proof of Possession (DPoP) settings, click Show Advanced Settings:
-
In the DPoP Type list, select the level of DPoP support that you want to enable for access token validation:
-
Off (default): PingAccess doesn’t accept DPoP-bound access tokens, only bearer tokens.
-
Enabled: PingAccess accepts both bearer tokens and DPoP-bound access tokens.
-
Required: PingAccess doesn’t accept bearer tokens, only DPoP-bound access tokens.
-
-
To require each DPoP proof to contain a nonce value during validation that was provided by PingAccess when the access token was created, per RFC 9449 section 9, select Require Nonce.
This check box is cleared by default.
-
In the DPoP Proof Lifetime (SEC.) field, enter the duration, in seconds, that a DPoP proof should be considered valid after it’s issued.
As a security best practice, keep this value low and consistent with the DPoP implementation of your API client. The default value is 120 seconds.
-
-
Click Save.