---
title: Configuring the OAuth server
description: The following task configures the PingFederate server for OAuth and OpenID Connect (OIDC) authentication.
component: pingdirectory
version: 11.0
page_id: pingdirectory:delegated_admin_application_guide:pd_da_config_oauth_server
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/delegated_admin_application_guide/pd_da_config_oauth_server.html
revdate: October 3, 2023
section_ids:
  steps: Steps
  choose-from: Choose from:
---

# Configuring the OAuth server

The following task configures the PingFederate server for OAuth and OpenID Connect (OIDC) authentication. OIDC is an authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management.

## Steps

1. Sign on to the PingFederate admin console.

2. Set the identity provider (IdP) adapter mapping. An IdP is a service that manages identity information and provides authentication services to relying clients or service providers (SPs) within a federated or distributed network.

   1. Go to **Authentication > OAuth > IdP Adapter Grant Mapping**.

   2. From the **Source Adapter Instance** list, select the IdP adapter you created in [Configuring PingFederate as the identity provider](pd_da_config_pf_as_idp.html) and click **Add Mapping**.

   3. Click **Next**.

      Note: No attribute source is needed.

   4. On the **Contract Fulfillment** tab, set the contracts as shown in the following table:

      | Contract       | Source      | Value         |
      | -------------- | ----------- | ------------- |
      | **USER\_KEY**  | **Adapter** | **entryUUID** |
      | **USER\_NAME** | **Adapter** | **cn**        |

   5. Click **Next** and then click **Next** again.

   6. Click **Save**.

3. Set up Access Token Management.

   Select an existing instance or click **Applications > OAuth > Access Token Management > Create New Instance**.

   ### Choose from:

   * If selecting an existing instance, click the **Instance Configuration** tab.

     Note: With an existing instance, a JSON Web Token (JWT) is configured automatically. A JWT is an IETF standard container format for a JSON object used for the secure exchange of content, such as identity or entitlement information; the standard is [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519).

   * If creating a new instance, specify the required fields and set **Type** to **JSON Web Tokens**.

     Note: Take note of your new instance name. You'll need that information later.

     1. Use a symmetric key for the JWT by adding a row in the **Symmetric Keys** section containing 32 bytes (64 hexadecimal characters) of key material.

        Note: This configuration only requires a symmetric key, not a certificate and private key. Because only the server holds that key, the client must validate the token by calling the validation endpoint on the server.

     2. Set **JWS Algorithm** to **HMAC Using SHA-256**.

     3. Set **Active Symmetric Key ID** to your symmetric key and click **Next**.

     4. On the **Session Validation** tab, select all options and click **Next**.

     5. On the **Access Token Attribute Contract** tab, list at least one attribute to be defined in the access token, add `sub`, click **Next** until you reach the last section, and then click **Save**.

4. Set up access token mapping:

   1. Go to **Applications > OAuth > Access Token Mappings**.

   2. Set **Context** to **Default**, set **Access Token Manager** to the access token manager you created in the previous step, and click **Add Mapping**.

   3. Click **Next** in the **Attribute Source & User Lookup** section to go to the **Contract Fulfillment** section.

   4. In the **sub** row, make the following selections:

      * In the **Source** list, select **Persistent Grant**.

      * In the **Value** list, select **USER\_KEY**.

   5. Click **Next** until you reach the **Summary** section. Click **Save**.

5. Set up the OpenID Connect policy:

   1. Go to **Applications > OAuth > OpenID Connect Policy Management**.

   2. Click **Add Policy**.

   3. Specify a **Policy ID**.

   4. Specify a **Name**.

   5. Choose the previously created access token manager and click **Next**.

   6. Delete all extended contract attributes except `sub`.

      Other scopes are also listed here, if they have been configured.

   7. Click **Next** to reach the **Contract Fulfillment** section.

   8. Fulfill the OpenID Connect (OIDC) contract **sub** with the access token attribute `sub`.

   9. Click **Next** and then click **Done**.

   10. If a default OIDC policy is not already defined, set this new policy as the default and click **Save**.

6. Add scopes for PingDirectory server APIs:

   1. Go to **System > OAuth Settings > Scope Management**.

   2. Click the **Exclusive Scopes** tab.

   3. Add a scope with a **Scope Value** of `urn:pingidentity:directory-delegated-admin` and a **Scope Description** of `DAScope`.

   4. Click **Save**.
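The following is an added example, not code from the PingFederate or PingDirectory products, that shows what the configuration above produces on the wire and why the note in step 3 says the client must use the server's validation endpoint. It mints a compact JWS signed with HMAC-SHA256 (the **JWS Algorithm** chosen in step 3) using a 32-byte key rendered as 64 hex characters (the **Symmetric Keys** row), carries the `sub` attribute from the access token contract, and checks for the exclusive scope added in step 6. The claim names other than `sub` and `scope`, the key ID, the client ID and the subject value are constructed for this example; PingFederate's real token layout is not reproduced here. Because the HMAC key is the only thing that verifies the token, it stays on the server, which is exactly why a client cannot verify such a token locally.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Scope value from step 6 of the procedure. Everything else below (claim
# names other than "sub"/"scope", the key ID, client ID and subject) is
# constructed for this example and is not PingFederate's actual token layout.
DA_SCOPE = "urn:pingidentity:directory-delegated-admin"


def generate_symmetric_key_hex() -> str:
    """32 random bytes rendered as the 64 hex characters the Symmetric Keys row expects."""
    return secrets.token_hex(32)


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key_hex: str, signing_input: str) -> bytes:
    """HMAC-SHA256 over the JWS signing input with the raw 32-byte key."""
    return hmac.new(bytes.fromhex(key_hex), signing_input.encode("ascii"), hashlib.sha256).digest()


def mint_hs256_token(key_hex: str, claims: dict, kid: str = "da-key-1") -> str:
    """Server side: build a compact JWS (header.payload.signature) with HS256."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    return signing_input + "." + _b64url(_sign(key_hex, signing_input))


def validate_token(key_hex: str, token: str) -> dict:
    """Server side (what the validation endpoint must do): verify the MAC, then the claims.

    Raises ValueError on any failure and returns the verified claims otherwise.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm configured in step 3; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = _sign(key_hex, f"{header_b64}.{payload_b64}")
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not claims.get("sub"):
        raise ValueError("missing sub")  # sub is the one attribute step 3 requires
    if DA_SCOPE not in claims.get("scope", "").split():
        raise ValueError("missing Delegated Admin scope")
    return claims


def demo() -> dict:
    """Mint a token, validate it, and confirm that altered or under-scoped tokens are rejected."""
    key = generate_symmetric_key_hex()
    token = mint_hs256_token(
        key, {"sub": "constructed-entryUUID-0001", "scope": DA_SCOPE, "client_id": "da-client"}
    )
    claims = validate_token(key, token)

    # A payload changed after issuance (different subject) no longer matches the MAC.
    header_b64, _, sig_b64 = token.split(".")
    altered_payload = _b64url(json.dumps({"sub": "other-user", "scope": DA_SCOPE}).encode())
    try:
        validate_token(key, f"{header_b64}.{altered_payload}.{sig_b64}")
        altered_rejected = False
    except ValueError:
        altered_rejected = True

    # A correctly signed token that lacks the exclusive scope is also rejected.
    no_scope = mint_hs256_token(key, {"sub": "constructed-entryUUID-0001", "scope": "openid"})
    try:
        validate_token(key, no_scope)
        no_scope_rejected = False
    except ValueError:
        no_scope_rejected = True

    return {
        "key_hex_length": len(key),
        "subject": claims["sub"],
        "altered_rejected": altered_rejected,
        "no_scope_rejected": no_scope_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Run the file directly to see the summary dictionary. The `validate_token` function is the part worth keeping in mind when you wire a resource server to PingFederate's validation endpoint: the algorithm is pinned rather than read from the token, the comparison is constant-time, and the `sub` attribute and exclusive scope are checked only after the signature passes.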
