Configuring static decryption keys
You can specify whether PingFederate should use static or dynamically rotating keys to decrypt asymmetrically-encrypted ID tokens.
About this task
When static keys are enabled, you must also select an active signing key for the RSA key type. |
Steps
-
Go to Security → Certificate & Key Management → OAuth & OpenID Connect Keys.
-
Select the Enable Static Keys check box to use static keys for OAuth and OpenID Connect.
Clear this check box to let PingFederate generate and rotate keys automatically for OAuth and OpenID Connect. The Enable Static Keys check box is not selected by default.
Result:
Once selected, the administrative console displays the following fields under "Decryption Keys".
Key Type Active Previous Publish Certificate EC with P-256 curve
Optional
Optional
Optional
EC with P-384 curve
Optional
Optional
Optional
EC with P-521 curve
Optional
Optional
Optional
RSA
Optional
Optional
Optional
-
Follow these steps to configure "Decryption Keys".
-
For each applicable key type, select an active decryption key and optionally a previous decryption key.
If the desired decryption key is not found, click Manage Certificates to create it. Alternatively, complete the configuration, create the desired decryption keys later, and then update the configuration afterward. There is no default selection.
Result:
The active decryption key is published at the PingFederate JSON Web Key Set (JWKS) endpoint
/pf/JWKS
. -
Optional: For any key type for which you have selected an active decryption key (with or without a previous decryption key), select the Publish Certificate check box to publish the certificates associated with the active decryption key at the PingFederate JWKS endpoint
/pf/JWKS
.Each applicable decryption key’s associated chain of certificates is published as the
x5c
parameter value.
The Publish Certificate check boxes are not selected by default.
-
-
Under "Signing Keys", select an active key for the RSA key type.
If the desired key is not found, click Manage Certificates to create it. There is no default selection.
Result:
The active signing key is published at the PingFederate JWKS endpoint
/pf/JWKS
. -
Click Save.
Result
When static keys are enabled, PingFederate uses only static decryption keys to decrypt asymmetrically-encrypted ID tokens it receives from OpenID providers. Dynamic keys are not used and are not returned by the PingFederate JWKS endpoint |
The following snippet illustrates a sample response returned by the PingFederate JWKS endpoint when dynamic keys are used.
$ curl -s https://localhost:8031/pf/JWKS |python -m json.tool
{
"keys": [
...
{
"kty": "EC",
"kid": "I-ZbqeLPG2O5qxSf3n8yKmcGbWI",
"use": "enc",
"x": "AUSx-2vdfCjU90KohVs1peISnNUeDmGo3m0_x42PucBr-Gd-mHKXQ8EjTeYgLhFB5SYMV5tntKiezayWkUt9Dodc",
"y": "AIE6vQYcKdOfyQYzENYQ86MIAwSUo4GR_-dn7m2MvRReXkotWOsFT1WKXi_KjamqJIV2AwAUZL-IQj5mew45lSTM",
"crv": "P-521"
},
{
"kty": "EC",
"kid": "S2BbNNK9PtG0nA-EhU5BGpZ-OG8",
"use": "enc",
"x": "IKXASh9aDPJ1YaeXUww1YZnZ3kum_WLKvZe8xiNW6W8",
"y": "7_zp2AuY8MY4WEuneHEzV0cqW0buqcmMGVzRANQ0r2I",
"crv": "P-256"
},
{
"kty": "EC",
"kid": "t4-jKfmhEHn3mRc-08Oh3WKA2zE",
"use": "enc",
"x": "RiQkv_ArGS7Zc8XsXp0VQpEWz9ZUlbLUWA0VbTcUjWIbOByceGhg-tAj6dlFiorq",
"y": "aHPQlrJPscdcuHtHokyr-70yBo4nUK-BjWrJgisDxnKJQFLP6YK_dfuOpuVYhFJ5",
"crv": "P-384"
},
{
"kty": "RSA",
"kid": "tVP7otNKgIWYep8LPBR3wD3tPNE",
"use": "enc",
"n": "hvHfiamhV4wGC9JHppJZjdKG5K3MvhWwo6PBsSQowGOTeILAbzO8Jfmp7nRxuujTE6k83RXNeWUvTwamGqShXvHzGYJlE2gsc0Az_w5xm-vjoNZD8Cv0Y9C3R4Ckj6dBL70Osk_NfBR7MYmRA6dV0PJ5k4Lt_vQveXMkylD9XuLFP-gqooMXkB6FCCLqZZAi0voi3WQ7ECzSta3ke9F5VFl7-4zVjRtJHjM9gGEhd5OkaZioqs9xBHeOrwhPbiPTsIA7ve3No5AlGCgZw654s17zr2Ly4q8QZE7LmM30kRJnu-dpl_dKixFTdQYIBMmIWGUyuB43XYq106z9CWoOcw",
"e": "AQAB"
},
...
]
}
When static keys are used, the PingFederate JWKS endpoint /pf/JWKS
returns only the configured active keys. The following snippet illustrates a sample response returned by the PingFederate JWKS endpoint when an active key was selected for the EC with P-384 curve and EC with P-521 curve key types.
$ curl -s https://localhost:8031/pf/JWKS |python -m json.tool
{
"keys": [
...
{
"kty": "EC",
"kid": "7xKkiMb-YpcK2PcrTUoTrYF8EOI",
"use": "enc",
"x": "4p_fZluiHS9qLXQi-cqol1LP5nBrFPcXRKQN5yR3Tz51E0xfY9tmOzLqMQwKfDIh",
"y": "kWh3up-U2mMYOuhzx4Ba7UX0P03EPLr82PdCUG6E3V53Pgnd2QU6ShWu9lH4-ugw",
"crv": "P-384"
},
{
"kty": "EC",
"kid": "pE1XwX8Z6QYhAC7mjZ0OCn4DXAk",
"use": "enc",
"x": "ATCOsxg6ce437qMVlrqCyHPDE76hC0wP7Wwb7V8heai60LIDDvIJt-evxTOGn7Iolo9PYET8-Bjhu5Zg5MNxOkF-",
"y": "AdvUA2YD2kn7COLkFIG2vL2k34CMv7VPxsvbgOJBL2exSziMGPw6YJp2eafuHlBom7bkjv3iFy5dTuGB7B28Zc7A",
"crv": "P-521"
},
...
]
}