PingFederate Server

Configuring static signing keys

Determine when to use static and dynamically rotating keys to sign tokens as needed.

About this task

Specify whether PingFederate should use static or dynamically rotating keys to sign self-contained access tokens, ID tokens, JSON web tokens (JWTs) for client authentication, and JWTs for OpenID Connect request objects.

Steps

  1. Go to Security → Certificate & Key Management → OAuth & OpenID Connect Keys.

  2. Select the Enable Static Keys check box to use static keys for OAuth and OpenID Connect.

    Clear this check box to let PingFederate generate and rotate keys automatically for OAuth and OpenID Connect.

    The Enable Static Keys check box is not selected by default.

    Result:

    Once selected, the administrative console displays the following fields under the Signing Keys heading.

    Key Type Active Previous Publish Certificate

    EC with P-256 curve

    Optional

    Optional

    Optional

    EC with P-384 curve

    Optional

    Optional

    Optional

    EC with P-521 curve

    Optional

    Optional

    Optional

    RSA

    Required

    Optional

    Optional

  3. Follow these steps to complete the configuration under Signing Keys.

    1. For the RSA key type, select an active signing key and optionally a previous signing key.

      If you don’t find the desired signing key, click Manage Certificates to create it.

      There is no default selection.

      Result:

      The active signing key and the previous signing key (if configured) are published at the PingFederate JSON Web Key (JWK) Set endpoint /pf/JWKS.

    2. For each applicable EC (elliptic curve) key type, select an active signing key and optionally a previous signing key.

      If you don’t find the desired signing key, click Manage Certificates to create it. Alternatively, complete the configuration, create the desired signing keys later, and then update the configuration afterward.

      There is no default selection.

      Result:

      The active signing key and the previous signing key (if configured) are published at the PingFederate JWKS endpoint /pf/JWKS.

    3. Optional: For any key type for which you have selected an active signing key (with or without a previous signing key), select the Publish Certificate check box to publish the certificates associated with the active signing key and the previous signing key (if configured) at the PingFederate JWKS endpoint /pf/JWKS.

      For each applicable signing key, its associated chain of certificates is published as the x5c parameter value.

    The Publish Certificate check boxes are not selected by default.

  4. Click Save.

Result

When static keys are enabled, PingFederate uses only static signing keys to sign ID tokens for OAuth clients or to sign JWTs for authentication or request objects (or both) for authorization servers; dynamic keys are not used and are not returned by the PingFederate JWKS endpoint /pf/JWKS. Signing algorithms associated with EC key types not configured with an active static signing key are hidden.

For existing clients and identity provider (IdP) connections, if you have previously selected a certain signing algorithm associated with an EC key type (for example, ECDSA using P256 Curve and SHA-256) without enabling static keys and then subsequently decide to enable static keys without selecting an active signing key for such EC key type (EC with P-256 curve in this example), transactions that involve that signing algorithm will fail. When you revisit the configuration, the administrative console displays an error message. Your options are as follows:

OAuth clients
  • Click Save to update the value of the ID Token Signing Algorithm setting to Default, which is the equivalent of selecting RSA using SHA-256 from the list.

  • Select a different value from the ID Token Signing Algorithm list and save the configuration.

  • Ignore the error and click Cancel without updating the configuration. Note that runtime errors persist until the configuration issue is resolved.

These options are applicable to individual clients on the Client window and the default setting configured for all clients created via the Dynamic Client Registration protocol on the Client Configuration Defaults window.

OpenID Connect IdP connections
  • Select a different value from the Authentication Signing Algorithm list or the Request Signing Algorithm list (or both) and save the configuration.

  • Ignore the error and click Cancel without updating the configuration. Runtime errors persist until the configuration issue is resolved.

These options are applicable to individual OpenID Connect IdP connections on the OpenID Provider Info window.