PingCentral

Configuring the Access Token Manager for PingCentral

About this task

The access token manager associated with the OpenID Connect (OIDC) policy must issue signed JSON Web Tokens (JWTs). To validate the token signature, PingCentral must be able to reach a JSON Web Key Set (JWKS) endpoint URL on PingFederate, from which it retrieves the public keys it verifies against. See Configuring JSON-token management in the PingFederate Server guide for additional information.

Signing certificates and JSON Web Encryption (JWE), whether symmetric or asymmetric, are not currently supported.

Steps

  1. In PingFederate, go to Applications → OAuth → Access Token Management and click Create New Instance.

  2. On the Instance Configuration tab, add one or more symmetric keys, signing certificates, or both.

    1. Click Add a new row to… or click Update to modify an existing entry.

      The Key ID field values must be unique across all JSON-token management instances, including child instances.

    2. If you have not yet created or imported your certificate into PingFederate, click Manage Signing Certificates and complete the task.

      To use an RSA-based algorithm for JSON Web Signature (JWS), the signing certificate's key must be at least 2,048 bits. For an EC-based JWS algorithm, the curve, and therefore the key size, is fixed by the algorithm: ES256 uses P-256, ES384 uses P-384, and ES512 uses P-521.

  3. On the Instance Configuration tab, select the Use Centralized Signing Key option.

  4. Select Show Advanced Fields and specify the path in the JWKS Endpoint Path field. This step is optional when an algorithm is selected in the JWE Algorithm list.

    The field's inline help describes it as follows: Path on PingFederate server to publish a JWKS with the keys and certificates that the partners can use for signature verification. If specified, the path must begin with a forward slash, such as /oauth/jwks. The resulting URL is https://<pf_host>:<pf.https.port>/ext/<JWKS Endpoint Path>. The path must be unique across all plugin instances, including any child instances.

    This path must be explicitly configured in PingCentral. See Configuring resource server functionality.

  5. If you define either or both of the issuer or audience claim values within the access token manager, you can configure PingCentral to validate them.

    These claim values are set in the Issuer Claim Value and Audience Claim Value fields of the access token manager.
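What PingCentral has to do with the JWKS published at that path, shown as an added example in Go that is not PingCentral's or PingFederate's own code: it models the resource-server side, which is handed the JWKS document, selects the key named by the token's kid, verifies an RS256 signature, and only then applies the issuer and audience checks from step 5. The Key ID pf-at-1, the issuer https://pf.example.com, the audience pingcentral, and every function name are assumptions made for the demo; a real deployment retrieves the JWKS over HTTPS from https://<pf_host>:<pf.https.port>/ext/<JWKS Endpoint Path> and must also handle whichever other JWS algorithms the instance is configured with, whereas this example handles RS256 only.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding

// jwk is the subset of an RFC 7517 JSON Web Key that an RS256 verifier needs.
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// publishJWKS renders each key's public half as the document the JWKS Endpoint Path serves (2,048-bit RSA minimum, step 2).
func publishJWKS(keys map[string]*rsa.PublicKey) ([]byte, error) {
	var set struct{ Keys []jwk `json:"keys"` }
	for kid, pub := range keys {
		if pub.N.BitLen() < 2048 { return nil, fmt.Errorf("kid %q: %d-bit RSA key, need 2048+", kid, pub.N.BitLen()) }
		e := b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
		set.Keys = append(set.Keys, jwk{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: e})
	}
	return json.Marshal(set)
}

// signRS256 mints a compact JWS as an access token manager would; the kid header lets the verifier pick the JWKS entry.
func signRS256(kid string, priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return input + "." + b64.EncodeToString(sig), nil
}

// audMatches accepts aud as a single string or, as RFC 7519 allows, an array of strings.
func audMatches(aud any, want string) bool {
	list, ok := aud.([]any)
	if !ok { list = []any{aud} } // single-string (or absent) form
	for _, a := range list { if a == want { return true } }
	return false
}

// verifyRS256 is the resource-server side: pin alg, resolve exactly one JWKS key by kid, verify, then check iss/aud.
func verifyRS256(token string, jwksDoc []byte, issuer, audience string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed JWT") }
	rawHdr, errH := b64.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	var set struct{ Keys []jwk `json:"keys"` }
	if errH != nil || json.Unmarshal(rawHdr, &hdr) != nil || json.Unmarshal(jwksDoc, &set) != nil {
		return nil, fmt.Errorf("malformed JWT header or JWKS")
	}
	if hdr.Alg != "RS256" { return nil, fmt.Errorf("unsupported alg %q", hdr.Alg) } // allow-list: never let the token choose "none" or HMAC
	var matches []jwk
	for _, k := range set.Keys {
		if k.Kty == "RSA" && k.Kid == hdr.Kid { matches = append(matches, k) }
	}
	// 0 matches: unknown key. More than 1: the Key ID is not unique across instances (step 2).
	if len(matches) != 1 { return nil, fmt.Errorf("kid %q: %d matching keys, need exactly 1", hdr.Kid, len(matches)) }
	n, errN := b64.DecodeString(matches[0].N)
	e, errE := b64.DecodeString(matches[0].E)
	sig, errS := b64.DecodeString(parts[2])
	if errN != nil || errE != nil || errS != nil { return nil, fmt.Errorf("malformed JWK or signature") }
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil { return nil, fmt.Errorf("bad signature") }
	rawBody, errB := b64.DecodeString(parts[1]) // the payload is decoded and trusted only after the signature check
	var claims map[string]any
	if errB != nil || json.Unmarshal(rawBody, &claims) != nil { return nil, fmt.Errorf("malformed JWT payload") }
	if issuer != "" && claims["iss"] != issuer { return nil, fmt.Errorf("issuer %v != %q", claims["iss"], issuer) }
	if audience != "" && !audMatches(claims["aud"], audience) { return nil, fmt.Errorf("aud %v lacks %q", claims["aud"], audience) }
	return claims, nil
}

// demo stands in for one access token manager instance: a fresh key under kid, its published JWKS, and one token.
func demo(kid string, bits int, claims map[string]any) (token string, jwksDoc []byte, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil { return "", nil, err }
	if jwksDoc, err = publishJWKS(map[string]*rsa.PublicKey{kid: &priv.PublicKey}); err != nil { return "", nil, err }
	token, err = signRS256(kid, priv, claims)
	return token, jwksDoc, err
}

func main() {
	tok, doc, _ := demo("pf-at-1", 2048, map[string]any{"iss": "https://pf.example.com", "aud": "pingcentral", "sub": "alice"}) // constructed demo values, not PingFederate defaults
	fmt.Println(verifyRS256(tok, doc, "https://pf.example.com", "pingcentral"))
}
```

Two behaviours of the verifier are the practical reasons behind the configuration rules above. It refuses a token whose kid resolves to zero keys or to more than one, which is why step 2 requires Key IDs to be unique across all instances and why the JWKS path must be known to PingCentral at all. It also rejects any alg other than RS256 before touching key material, so a token that claims alg none or an HMAC algorithm cannot bypass signature checking, and the iss and aud values are compared only after the signature has been verified.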