PingAuthorize

Configuring the PingAuthorize OAuth subject search

Configure PingAuthorize Server to search the user store for OAuth token subjects.

Steps

  • To configure the PingAuthorize Server to mock OAuth access token validation, run the dsconfig create-access-token-validator command.

    Example:

    {pingauthorize}/bin/dsconfig create-access-token-validator \
      --no-prompt --port 8636 --useSSL --trustAll \
      --bindDN "cn=directory manager" \
      --bindPassword <your-pingauthorize-password> \
      --validator-name "Mock Access Token Validator" \
      --type mock --set enabled:true --set subject-claim-name:sub

    The Mock Access Token Validator accepts tokens without authenticating them and is used only for demonstration and testing purposes. To use an authorization server like PingFederate, see Access token validators.

  • To configure PingAuthorize Server to search the user store and retrieve the identity attributes of the OAuth token subject so the attributes can be evaluated in a policy, run the dsconfig create-token-resource-lookup-method command.

    Example:

    {pingauthorize}/bin/dsconfig create-token-resource-lookup-method \
      --no-prompt --port 8636 --useSSL --trustAll \
      --bindDN "cn=directory manager" \
      --bindPassword <your-pingauthorize-password> \
      --validator-name "Mock Access Token Validator" \
      --method-name "User by uid" \
      --type 'scim' \
      --set scim-resource-type:Users \
      --set 'match-filter:uid eq "%_subject_claim_name%"' \
      --set evaluation-order-index:100

    A token resource lookup method defines the filter expression used to find the System for Cross-domain Identity Management (SCIM) resource that corresponds to the access token subject, or to other claims in the token. In this example, the value of the access token's subject claim is matched against the uid attribute of the SCIM user resource.
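    As an added illustration, not part of the PingAuthorize documentation or product code, the following Python simulates what the two objects configured above do together: the mock validator treats the bearer value as a JSON claims document and accepts it without verification, and the lookup method then substitutes the subject claim into its match filter to produce the SCIM search. It assumes a placeholder is written as the claim name between percent signs (%sub% for the subject-claim-name configured above), that methods are tried in ascending evaluation-order-index with the first resolvable one used, and it adds a hypothetical second method ("User by email") purely to show that ordering.

```python
import json
import re

SUBJECT_CLAIM_NAME = "sub"  # from --set subject-claim-name:sub

# Lookup methods in the page's shape. "User by uid" is the one configured
# above; "User by email" is a hypothetical second method added only to show
# that the lowest evaluation-order-index is tried first.
LOOKUP_METHODS = [
    {"name": "User by uid", "resource_type": "Users",
     "match_filter": 'uid eq "%sub%"', "order": 100},
    {"name": "User by email", "resource_type": "Users",
     "match_filter": 'emails.value eq "%email%"', "order": 50},
]

PLACEHOLDER = re.compile(r'"%([A-Za-z0-9_]+)%"')  # "%claim%" inside quotes


def parse_mock_token(bearer: str) -> dict:
    """Mock validation as simulated here: the bearer value is read as a JSON
    claims document and accepted with no signature, issuer or expiry check."""
    claims = json.loads(bearer)
    if not isinstance(claims, dict):
        raise ValueError("mock token must be a JSON object of claims")
    return claims


def scim_string_literal(value: str) -> str:
    """Quote a claim value as a SCIM filter string literal (RFC 7644 uses JSON
    string syntax), so '"' or '\\' in a subject cannot restructure the filter."""
    return json.dumps(value)


def render_match_filter(template: str, claims: dict) -> str:
    """Substitute every "%claim%" placeholder; KeyError if a claim is absent."""
    return PLACEHOLDER.sub(
        lambda m: scim_string_literal(str(claims[m.group(1)])), template)


def resolve_subject(bearer: str, methods=LOOKUP_METHODS):
    """Return (scim-resource-type, filter) from the first lookup method whose
    placeholders all resolve, or None if the subject claim is missing."""
    claims = parse_mock_token(bearer)
    if SUBJECT_CLAIM_NAME not in claims:
        return None
    for method in sorted(methods, key=lambda m: m["order"]):
        try:
            return (method["resource_type"],
                    render_match_filter(method["match_filter"], claims))
        except KeyError:
            continue
    return None
```

    With a constructed token such as {"sub": "user.0", "scope": "scim_user"}, resolve_subject falls through the email method (no email claim) and yields the search ("Users", 'uid eq "user.0"'); a token with no subject claim yields None and no search at all.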