---
description: Configure PingFederate to authorize external access through tokens to the PingAuthorize Policy Editor.
component: pingauthorize
version: 10.1
page_id: pingauthorize:installing_and_uninstalling_pingauthorize:paz_config_pf_authentication_paz
canonical_url: https://docs.pingidentity.com/pingauthorize/10.1/installing_and_uninstalling_pingauthorize/paz_config_pf_authentication_paz.html
section_ids:
  configuring-pingfederate-for-pingauthorize: Configuring PingFederate for PingAuthorize
  about-this-task: About this task
  steps: Steps
  result: Result
  next-steps: Next steps
---

# Configuring PingFederate for PingAuthorize

Configure PingFederate to authorize external access through tokens to the PingAuthorize Policy Editor.

## About this task

You can also use PingAccess to authorize external access through rules. Learn more in [Rule Creation in PingAccess](https://docs.pingidentity.com/pingaccess/latest/pingaccess_user_interface_reference_guide/pa_access_control_rules.html) in the PingAccess documentation.

The following example configuration assumes that any authenticated user can access the PingAuthorize Policy Editor. You can find more informarion about limiting access to members of a specific group in [Configuring PingFederate group access for PingAuthorize](paz_config_authn_server_openid_connect.html#paz_config_pf_group_access).

## Steps

1. In the PingFederate administrative console, go to **System > Data & Credential Stores > Data Stores**.

2. Click **Add New Data Store**.

3. On the **Data Store Type** tab, in the **Name** field, enter a name for the datastore.

4. In the **Type** list, select **Directory (LDAP)**, and then click **Next**.

5. On the **LDAP Configuration** tab, enter the address and authentication information for PingFederate to use when accessing PingDirectory, and then click **Next**.

6. On the **Summary** tab, review your configuration. Click **Save**.

   ![Screen capture of the Summary tab in the Data Stores window, displaying the specified data store configuration](_images/wwt1637687448525.png)

7. Go to **Authentication > Policies > Sessions** and enable authentication sessions. The following example enables authentication sessions for all sources. Make the appropriate change for your environment, and then click **Save**.

   ![Screen capture of the Sessions window with the Track Revoked Sessions on Logout and Enable Authentication Sessions For All Sources checkboxes selected](_images/vdd1639000440193.png)

8. Go to **Security > Certificate & Key Management > SSL Client Keys & Certificates** and import your JWT signing certificate. Click **Save**.

   |   |                                                                                     |
   | - | ----------------------------------------------------------------------------------- |
   |   | PingFederate expects the certificate chain and keys to be encoded in PKCS12 format. |

9. Configure your OAuth server using the OpenID Connect protocol.

   1. Go to **System > OAuth Settings > Scope Management** and create scopes.

   2. In the **Scope Value** field, enter the `email`, `openid`, and `profile` scopes and click **Add** after each entry. Click **Save**.

      ![Screen capture of the Common Scopes tab on the Scope Management window, displaying the values of email, openid, and profile added to the Scope Value list](_images/pf_common_scopes_management.png)

   3. Go to **Applications > OAuth > Access Token Management** and click **Create New Instance**.

   4. On the **Type** tab, in the **Type** list, select **JSON Web Tokens**. In the **Parent Instance** list, select **None**. Click **Next**.

   5. On the **Instance Configuration** tab, click **Add a new row to 'Certificates'** and add the previously imported signing certificate. Select the desired signing algorithm and token timeout, and then click **Next**.

   6. On the **Session Validation** tab, enable the session validation options.

      ![Screen capture of the Session Validation tab on the Access Token Management window showing all checkboxes selected](_images/qbu1637792563517.png)

   7. On the **Access Token Attribute Contract** tab, add the attributes to be included in the OAuth access token. This example extends the contract with `cn`, `email`, `scope`, `sub`, and `uid` attributes.

      ![Screen capture of the Access Token Attribute Contract tab on the Access Token Management window, displaying the values of cn, email, scope, sub, and uid added to the Extend the Contract list](_images/mfm1637793365075.png)

   8. Click **Next** until you reach the **Summary** tab. Click **Save**. Accept the default values for the **Resources URIs** and **Access Control** settings.

   9. Go to **Applications > OAuth > Access Token Mappings** to create an Access Token Mapping in the **Default** context for the Access Token Manager you just created. Click **Add Mapping**, and then click **Add Attribute Source**.

   10. In the **Active Data Store** list, select the PingDirectory datastore that you created in step 2. Click **Next**.

       ![Screen capture of the Data Store tab on the Access Token Mappings window, displaying the PingDirectory datastore selected in the Active Data Store list](_images/dcz1637796417045.png)

   11. On the **LDAP Directory Search** tab, in the **Base DN** field, enter the base DN for the PingDirectory data that provides your identities.

   12. In the **Attributes to return from search** section, click **Add Attribute** and enter the attributes to be retrieved.

       The sample data uses `ou=People,dc=example,dc=com`, and the configuration shown in the following image retrieves the `cn`, `mail`, and `uid` attributes.

       ![Screen capture of the LDAP Directory Search tab on the Access Token Attribute Mapping window, with the Base DN set to ou=People,dc=example,dc=com and the attributes cn, mail, and uid added to the Attribute list](_images/seo1638916833093.png)

   13. On the **LDAP Filter** tab, in the **Filter** field, enter `uid=${USER_KEY}` to match the PingDirectory sample data with the authenticating user information.

       ![Screen capture of the LDAP Filter tab on the Access Token Attribute Mapping window with a Filter field entry of uid=${USER\_KEY}](_images/sta1638917408619.png)

   14. On the **Summary** tab, click **Next** and **Save**.

   15. On the **Contract Fulfillment** tab, fulfill the contract with the LDAP attributes from the PingDirectory datastore. Leave the remaining settings as their defaults and click **Save**.

       The scope attribute is fulfilled from the OAuth context.

       ![Screen capture of the Contract Fulfillment tab on the Access Token Attribute Mapping window, with the cn, email, sub, and uid contracts configured for a Source of LDAP (PingDirectory) and Values of cn, mail, uid, and uid, respectively. The scope contract has a source of Context and a Value of Scope.](_images/nbo1638917948586.png)

   16. Go to **Applications > OAuth > OpenID Connect Policy Management** and click **Add Policy**.

   17. On the **Manage Policy** tab, from the **Access Token Manager** list, select the access token manager you created previously.

   18. Ensure that the **Include User Info in ID Token** checkbox is selected. Click **Next**.

   19. On the **Attribute Contract** tab, extend the policy contract with the `email` and `name` attributes. Click **Next**.

   20. On the **Attribute Scopes** tab, map the previously defined `email` and `profile` scopes to the `email` and `name` ID token attributes. Click **Next**.

       ![Screen capture of the Attribute Scopes tab on the Policy Management window, with the email attribute mapped to the email scope, and the name attribute mapped to the profile scope](_images/txo1638952158647.png)

   21. On the **Contract Fulfillment** tab, fulfill the contract with the values in the access token. Click **Next** until you reach the **Summary** tab, and then click **Save**.

       ![Screen capture of the Contract Fulfillment tab on the OpenID Connect Policy Management window, with the Attribute Contracts of email, name, and sub set to a Source of Access Token and Value selections of email, cn, and sub, respectively.](_images/hvu1638951288581.png)

   22. Click **Set as Default** to set the newly created policy as the default policy.

   23. Go to **Applications > OAuth > Clients** and click **Add Client**.

       To provide the Policy Editor with appropriate defaults, configure PingFederate with a **Client ID** of `pingauthorize-pap` and select the **Authorization Code** checkbox in the **Allowed Grant Types** section. In the **Default Access Token Manager** list, select the JWT Manager created earlier, and in the **Redirection URIs** field, add the correct callback URL for the Policy Editor, such as https\://pap.example.com:9443/idp-callback.

       Click **Save**.

   24. Go to **Authentication > OAuth > IdP Adapter Grant Mapping** and create a new Form Adapter Mapping, fulfilling the contracts for `USER_NAME` and `USER_KEY` with the **username** form field. Click **Next** and **Save** on the **Summary** tab.

       ![Screen capture of the Contract Fulfillment tab on the IdP Adapter Grant Mapping window, with the USER\_KEY and USER\_NAME contracts set to a Source of Adapter and a Value of username](_images/rjp1638944892132.png)

   25. Because this PingFederate instance uses a different domain from the Policy Editor, you must modify the PingFederate CORS settings. Go to **System > OAuth Settings > Authorization Server Settings**. In the **Cross-Origin Resource Sharing Settings** section, enter the domain for the Policy Editor in the **Allowed Origin** field. Click **Add** and then **Save**.

       ![Screen capture of the Cross-Origin Resource Sharing Settings section showing a URL of https://pap.example.com:8080 added to the Allowed Origin field](_images/hdm1576709957649.png)

       ### Result

       PingFederate is configured to handle OpenID Connect (OIDC) requests.

## Next steps

[Configuring PingAuthorize Policy Editor to use PingFederate](paz_config_paz_authentication_pf.html)