Configuring the OAuth server
The following task configures the PingFederate server for OAuth and OpenID Connect (OIDC) authentication.
Steps

- Sign on to the PingFederate administrative console.
- Set the identity provider (IdP) adapter mapping:
  - Go to Authentication → OAuth → IdP Adapter Grant Mapping.
  - From the Source Adapter Instance list, select the IdP adapter you created in Configuring PingFederate as the identity provider and click Add Mapping.
  - Click Next. No attribute source is needed.
  - On the Contract Fulfillment tab, set the contracts as shown in the following table:

    Contract    Source    Value
    USER_KEY    Adapter   entryUUID
    USER_NAME   Adapter   cn

  - Click Next and then click Next again.
  - Click Save.
- Set up Access Token Management. Select an existing instance or click Applications → OAuth → Access Token Management → Create New Instance. Choose from:
  - If selecting an existing instance, click the Instance Configuration tab. With an existing instance, a JSON Web Token (JWT) is configured automatically.
  - If creating a new instance, specify the required fields and set Type to JSON Web Tokens. Take note of your new instance name; you'll need it later.
  - Use symmetric encryption for the JWT by adding a row in the Symmetric Keys section containing a 32-byte key, written as 64 hexadecimal characters. This encryption requires only a symmetric key, not a certificate and private key; it also requires the client to validate the token by calling the validation endpoint on the server.
  - Set JWS Algorithm to HMAC Using SHA-256.
  - Set Active Symmetric Key ID to your symmetric key and click Next.
  - On the Session Validation tab, select all options and click Next.
  - On the Access Token Attribute Contract tab, list at least one attribute to be defined in the access token: add sub, click Next until you reach the last section, and then click Save.
- Set up access token mapping:
  - Go to Applications → OAuth → Access Token Mappings.
  - Set Context to Default, set Access Token Manager to the access token manager you created in the last step, and click Add Mapping.
  - Click Next in the Attribute Source & User Lookup section to go to the Contract Fulfillment section.
  - In the sub row, make the following selections:
    - In the Source list, select Persistent Grant.
    - In the Value list, select USER_KEY.
  - Click Next until you reach the Summary section, then click Save.
- Set up the OpenID Connect policy:
  - Go to Applications → OAuth → OpenID Connect Policy Management.
  - Click Add Policy.
  - Specify a Policy ID.
  - Specify a Name.
  - Choose the previously created access token manager and click Next.
  - Delete all extended contract attributes except sub. Other scopes remain defined if they have been configured.
  - Click Next to reach the Contract Fulfillment section.
  - Fulfill the OpenID Connect (OIDC) contract attribute sub with the access token attribute sub.
  - Click Next and then click Done.
  - If a default OIDC policy is not already defined, set this new policy as the default and click Save.
- Add scopes for PingDirectory server APIs:
  - Go to System → OAuth Settings → Scope Management.
  - Click the Exclusive Scopes tab.
  - Add a scope with the following value and description:

    Scope Value          urn:pingidentity:directory-delegated-admin
    Scope Description    DAScope

  - Click Save.
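The Access Token Management step above asks for a 32-byte symmetric key (64 hex characters) and sets the JWS algorithm to HMAC Using SHA-256. The following added example, which is not part of the PingFederate documentation or product code, shows what those two settings mean on the wire: it generates a key in the form the Symmetric Keys table expects, mints a constructed HS256 JWT carrying the sub claim that the access token mapping above fills from USER_KEY, and verifies it the way a resource server holding the same key would. The key id, subject value and expiry used here are constructed sample values; the token manager itself is stood in for by mint_hs256_jwt.

```python
"""Added example: the HS256 JWT produced by a symmetric-key access token
manager, and the checks a verifier sharing that key must perform.
Not PingFederate code; all sample values are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def generate_symmetric_key_hex() -> str:
    """32 random bytes rendered as 64 hexadecimal characters, the form the
    Symmetric Keys table in the access token manager expects."""
    return secrets.token_hex(32)


def b64url_encode(data: bytes) -> str:
    """JWS base64url: URL-safe alphabet with the '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256_jwt(key_hex: str, claims: dict, kid: str) -> str:
    """Stand-in for the token manager: sign header.payload with HMAC-SHA256
    using the shared key identified by kid (the Active Symmetric Key ID)."""
    key = bytes.fromhex(key_hex)
    if len(key) != 32:
        raise ValueError("symmetric key must be 32 bytes (64 hex characters)")
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_hs256_jwt(token: str, key_hex: str, now: Optional[int] = None) -> Optional[dict]:
    """Verify with the shared key. Returns the claims on success, None on any
    failure. The algorithm is pinned to HS256: the header's alg value is never
    trusted to choose how the signature is checked."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        presented = b64url_decode(signature_b64)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":
        return None
    key = bytes.fromhex(key_hex)
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):  # constant-time compare
        return None
    current = int(time.time()) if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        return None
    if "sub" not in claims:  # the one attribute the contract above guarantees
        return None
    return claims


if __name__ == "__main__":
    key = generate_symmetric_key_hex()
    # Constructed claims: sub would carry the entryUUID mapped via USER_KEY.
    token = mint_hs256_jwt(key, {"sub": "example-entryUUID", "exp": int(time.time()) + 300}, kid="da-key-1")
    print(token)
    print(verify_hs256_jwt(token, key))
```

Because HS256 is symmetric, anyone holding the 64-character key can mint tokens as well as verify them, which is why the documentation has the client call the server's validation endpoint instead of handing the key to every client; keep the key on the PingFederate side and treat it like a signing private key. Note also that the verifier rejects any header whose alg is not HS256 rather than honouring whatever the token claims.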