PingFederate Server

OpenID Connect

As an extension of OAuth capabilities, PingFederate supports an optional configuration for OpenID Connect, a modern protocol for secure, lightweight transfer of authentication and user attributes.

OpenID Provider support

As an OpenID Provider (OP), PingFederate supports both the Basic Client and Implicit Client profiles defined in the standard. In both profiles, the end result releases an ID token and an OAuth access token; however, depending on associated grant types, PingFederate might also release a refresh token.

The ID token is an integrity-secured, self-contained token in JSON Web Token (JWT) format containing claims about the user. A client uses the ID token to identify the user accessing the client application through an OP. A client may subsequently use the OAuth access token to retrieve additional claims about the user from the Userinfo endpoint (/idp/userinfo.openid), such as a complete profile containing full name, email, phone, and other schema elements defined in an OpenID Connect policy.

For session management, PingFederate provides a front-channel endpoint at /idp/startSLO.ping, which OAuth clients using the OpenID Connect protocol can call to close other associated sessions, and a back-channel web service at /pfws/rest/sessionMgmt/revokedSris, which clients can use to revoke end-user sessions.

As an OP, PingFederate optionally accepts request parameters through self-contained, signed JWTs. This capability enables PingFederate to validate the integrity of the request parameters it receives before processing the request further. PingFederate also includes a state hash (s_hash) in the ID token to protect the integrity of the state parameter.

Relying Party support

As a Relying Party (RP), PingFederate is capable of leveraging identities from OPs to complete browser-based SSO requests. In this use case, PingFederate is the requesting OAuth client application.

The setup involves establishing an IdP connection to the OP. PingFederate retrieves identity information from the OP and passes the end-user claims, which are user attributes in an ID token, to one or more target applications. This configuration allows administrators to take advantage of their existing last-mile integration and expand the horizon of their applications to additional partners using the OpenID Connect protocol.

PingFederate is also capable of sending request parameters through self-contained, signed JWTs, thus adding a layer of security to the transmission of the request parameters. Additionally, if the ID token contains a state hash, PingFederate validates it.
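
The state hash check described for both the OP and RP roles, as an added Python example (not PingFederate code). It follows the s_hash definition in the OpenID Financial-grade API specification: the base64url encoding of the left-most half of the hash of the state value, using the hash that matches the ID token's alg header. The function names, the `require` switch and the sample token are assumptions made for illustration, and the ID token signature is assumed to have been verified beforehand.

```python
import base64
import hashlib
import hmac
import json

# Hash implied by the ID token's JWS "alg" header (RS256, ES384, PS512, ...).
_HASH_BY_SUFFIX = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compute_s_hash(state: str, alg: str) -> str:
    """base64url of the left-most half of hash(state); hash chosen by alg."""
    hash_fn = _HASH_BY_SUFFIX.get(alg[-3:])
    if hash_fn is None:  # e.g. "none": refuse rather than guess a hash
        raise ValueError(f"unsupported ID token alg: {alg!r}")
    digest = hash_fn(state.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def check_state_hash(id_token: str, state: str, require: bool = True) -> bool:
    """Compare the s_hash claim with the state this client originally sent."""
    header_b64, payload_b64, _signature = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    claimed = claims.get("s_hash")
    if claimed is None:
        return not require  # hypothetical policy switch: reject when absent
    if not isinstance(claimed, str):
        return False
    expected = compute_s_hash(state, header["alg"])
    return hmac.compare_digest(expected.encode(), claimed.encode())


def make_sample_token(state: str, alg: str = "RS256") -> str:
    """Constructed sample ID token; the signature segment is a placeholder."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"sub": "user-123", "s_hash": compute_s_hash(state, alg)}).encode())
    return f"{header}.{claims}.placeholder-signature"


if __name__ == "__main__":
    token = make_sample_token("af0ifjsldkj")
    print(check_state_hash(token, "af0ifjsldkj"), check_state_hash(token, "other-state"))
```

A mismatch means the state value returned in the authorization response is not the one bound into the signed ID token, so the response should be rejected.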