PingFederate Server

Configuring OAuth use cases

Administrators can configure PingFederate to support the OAuth grant types that applications require.

Steps

  1. To configure the authorization server settings, go to System → OAuth Settings → Authorization Server Settings. For more information, see Configuring authorization server settings.

  2. Define any number of optional common scopes and exclusive scopes, create scope groups from optional scopes as needed, and enter an optional description for the default scope in the System → OAuth Settings → Scope Management window.

  3. Create one or more access token management instances in the Applications → OAuth → Access Token Management window.

    You can also define the access token attribute contract for an access token management instance in this window.

  4. Configure one or more entries to map attributes from authentication sources to the persistent grants.

    Authorization Code or Implicit
    • Map attributes from an identity provider (IdP) adapter instance to the persistent grants in Authentication → OAuth → IdP Adapter Grant Mapping.

    • Map attributes from an IdP connection to the persistent grants in IdP Connection → Browser SSO → OAuth Attribute Mapping.

    • Create an authentication policy contract (APC) using the Policy Contracts window, define an authentication policy to map attributes from the authentication sources (IdP adapter instances, IdP connections, or both) to the APC, and map attributes from the APC to the persistent grants using the Authentication Policy Contract Grant Mapping window.

      If you are using a combination of authentication policies, APCs, and APC mappings, you can skip the IdP Adapter Grant Mapping and OAuth Attribute Mapping configurations.

    Resource Owner Password Credentials
    • Map attributes from a password credential validator instance to the persistent grants using the Authentication → OAuth → Resource Owner Credentials Grant Mapping configuration wizard.

      This is the first stage of the two-stage access token mapping process through the persistent grants.

  5. Configure one or more entries to map attributes from the persistent grants (or the authentication sources directly) to the attribute contract of your access token management instances in the Applications → OAuth → Access Token Mapping window. Additionally, you can configure a mapping for clients using the client credential grant type.

    This is the second stage of the two-stage access token mapping process through the persistent grants. For more information about the access token mapping process, see Mapping OAuth attributes.

  6. For the client-initiated backchannel authentication (CIBA) flow, configure one or more CIBA authenticator instances and then one or more CIBA request policies.

  7. For the JSON Web Token (JWT) Bearer or SAML 2.0 Bearer assertion grant flow, configure a mapping in IdP Connection → OAuth Assertion Grant Attribute Mapping.

    This use case exchanges a JWT or a SAML assertion for an OAuth access token.

  8. Define one or more OpenID Connect policies using the Applications → OAuth → OpenID Connect Policy Management window if you support OpenID Connect use cases.

  9. Go to Applications → OAuth → Clients and create one or more OAuth clients in the Client window.

  10. Optional: Configure client settings and registration policies for dynamic client registration.

  11. Optional: Configure client session management settings.