Configuring the OAuth server
The following task configures the PingFederate server for OAuth and OpenID Connect (OIDC) authentication.
Steps
- Sign on to the PingFederate administrative console.
- Set the identity provider (IdP) adapter mapping:
  - Go to Authentication > OAuth > IdP Adapter Grant Mapping.
  - From the Source Adapter Instance list, select the IdP adapter you created in Configuring PingFederate as the identity provider and click Add Mapping.
  - Click Next. No attribute source is needed.
  - On the Contract Fulfillment tab, set the contracts as shown in the following table:

    Contract   | Source  | Value
    -----------|---------|----------
    USER_KEY   | Adapter | entryUUID
    USER_NAME  | Adapter | cn

  - Click Next and then click Next again.
  - Click Save.
- Set up Access Token Management. Go to Applications > OAuth > Access Token Management and either select an existing instance or click Create New Instance:
  - If you select an existing instance, click the Instance Configuration tab. With an existing instance, the JSON Web Token (JWT) type is configured automatically.
  - If you create a new instance, specify the required fields and set Type to JSON Web Tokens. Take note of the new instance name; you will need it later.
  - In the Symmetric Keys section, add a row containing a 32-byte key entered as 64 hexadecimal characters. This is an HMAC signing key: the token is signed (JWS), not encrypted, so only a symmetric key is needed, not a certificate and private key. Because HMAC verification needs the same shared secret that PingFederate signs with, a client that does not hold the secret cannot verify the token itself and must instead validate it by calling the validation endpoint on the server. Generate the key from a cryptographically secure random source (for example, openssl rand -hex 32) and protect it as you would any shared secret.
  - Set JWS Algorithm to HMAC Using SHA-256.
  - Set Active Symmetric Key ID to your symmetric key and click Next.
  - On the Session Validation tab, select all options and click Next.
  - On the Access Token Attribute Contract tab, at least one attribute must be defined in the access token: add sub, click Next until you reach the last section, and then click Save.
- Set up access token mapping:
  - Go to Applications > OAuth > Access Token Mappings.
  - Set Context to Default, set Access Token Manager to the access token manager you created in the last step, and click Add Mapping.
  - Click Next in the Attribute Source & User Lookup section to go to the Contract Fulfillment section.
  - In the sub row, make the following selections:
    - In the Source list, select Persistent Grant.
    - In the Value list, select USER_KEY.
  - Click Next until you reach the Summary section, and then click Save.
- Set up the OpenID Connect policy:
  - Go to Applications > OAuth > OpenID Connect Policy Management.
  - Click Add Policy.
  - Specify a Policy ID.
  - Specify a Name.
  - Choose the previously created access token manager and click Next.
  - Delete all extended contract attributes except sub. (Attributes for any other scopes you have configured also appear in this list.)
  - Click Next to reach the Contract Fulfillment section.
  - Fulfill the OpenID Connect (OIDC) contract attribute sub with the access token attribute sub.
  - Click Next and then click Done.
  - If a default OIDC policy is not already defined, set this new policy as the default and click Save.
- Add scopes for PingDirectory server APIs:
  - Go to System > OAuth Settings > Scope Management.
  - Click the Exclusive Scopes tab.
  - Add a scope with a Scope Value of urn:pingidentity:directory-delegated-admin and a Scope Description of DAScope.
  - Click Save.
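The access token manager configured above issues HS256 (HMAC-SHA-256) JWTs signed with the 32-byte symmetric key, carrying a sub claim that the mapping fills from USER_KEY (the user's entryUUID) and, for delegated-admin clients, the exclusive scope added in the last step. The following is an added example, not code from the page or from Ping Identity, that mints and verifies a token of that shape with the Python standard library so you can see what the key, the algorithm pin and the validation checks amount to. The user key, client ID, clock value and the space-delimited scope claim format are constructed assumptions, and the key is generated locally rather than taken from the PingFederate instance.

```python
"""Added example (not from the page or from Ping Identity): mint and verify an
HS256 access token of the shape the Access Token Management instance above
issues. Standard library only; key, claims and client ID are constructed."""
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

HEX_KEY_LEN = 64  # 32 bytes of key material, entered as 64 hex characters
# Constructed sample values (assumptions, not values from the page).
SAMPLE_USER_KEY = "1a2b3c4d-0000-4000-8000-000000000001"  # entryUUID-style USER_KEY
DA_SCOPE = "urn:pingidentity:directory-delegated-admin"    # the exclusive scope added above


def generate_symmetric_key_hex() -> str:
    """32 random bytes as 64 hex characters (same as: openssl rand -hex 32)."""
    return secrets.token_hex(32)


def key_bytes_from_hex(hex_key: str) -> bytes:
    """Decode the hex key; refuse anything other than exactly 32 bytes."""
    if len(hex_key) != HEX_KEY_LEN:
        raise ValueError(f"symmetric key must be {HEX_KEY_LEN} hex chars, got {len(hex_key)}")
    return bytes.fromhex(hex_key)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _json_b64(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint_access_token(hex_key: str, claims: dict) -> str:
    """Compact-serialised JWS signed with HMAC-SHA-256 (alg HS256)."""
    key = key_bytes_from_hex(hex_key)
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(hex_key: str, token: str, now: Optional[int] = None) -> dict:
    """Check alg, signature (constant time), expiry and the mandatory sub claim.
    Whoever runs this holds the same secret PingFederate signs with; a client
    without it validates through the server's validation endpoint instead."""
    key = key_bytes_from_hex(hex_key)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    if json.loads(_b64url_decode(h_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; the header never chooses it
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    if "sub" not in claims:  # the attribute contract above requires sub
        raise ValueError("sub claim missing")
    return claims


def has_scope(claims: dict, scope: str) -> bool:
    """Space-delimited scope claim check (the claim format is an assumption)."""
    return scope in str(claims.get("scope", "")).split()


def _rejected(fn) -> bool:
    try:
        fn()
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Round-trip plus the failure modes a validator must handle."""
    now = 1_700_000_000  # fixed clock so results are reproducible
    key, other_key = generate_symmetric_key_hex(), generate_symmetric_key_hex()
    claims = {"sub": SAMPLE_USER_KEY, "client_id": "da-client", "scope": DA_SCOPE,
              "iat": now, "exp": now + 300}
    token = mint_access_token(key, claims)
    verified = verify_access_token(key, token, now)
    h_b64, _, s_b64 = token.split(".")
    forged_payload = _json_b64({**claims, "sub": "attacker"})  # payload swapped, old signature kept
    forged = f"{h_b64}.{forged_payload}.{s_b64}"
    alg_none = f"{_json_b64({'alg': 'none'})}.{_json_b64(claims)}."  # unsigned token
    return {
        "verified_sub": verified["sub"],
        "has_da_scope": has_scope(verified, DA_SCOPE),
        "tampered_rejected": _rejected(lambda: verify_access_token(key, forged, now)),
        "wrong_key_rejected": _rejected(lambda: verify_access_token(other_key, token, now)),
        "expired_rejected": _rejected(lambda: verify_access_token(key, token, now + 600)),
        "alg_none_rejected": _rejected(lambda: verify_access_token(key, alg_none, now)),
        "short_key_rejected": _rejected(lambda: mint_access_token("deadbeef", claims)),
    }
```

Run demo() to see the round-trip succeed and each forged, mis-keyed, expired, unsigned or short-key case rejected. The point of the wrong-key case is the design consequence of choosing a symmetric JWS algorithm: any party that verifies locally must be given the same secret PingFederate signs with, so a resource server that should not hold it validates tokens by calling the server's validation endpoint, as the procedure notes.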