PingFederate Server

Mapping ID token signing keys to virtual issuers

You can create sets of ID token signing keys in PingFederate, and map each set to one or more virtual issuers for OpenID Connect.

Before you begin

Before you map token signing keys to virtual issuers, configure the necessary static signing keys and virtual issuers. For more information, see Configuring static signing keys and Adding virtual issuers for OpenID Connect.

About this task

When minting an ID token, PingFederate signs the ID token with a key from the right key set based on the authorization request, virtual issuers configuration, and token signing keys configuration. Because of these features, you do not need multiple PingFederate environments to support multiple brands, which especially helps if you participate in Open Banking in the UK or have similar requirements.

Steps

  1. Go to Security → Certificate & Key Management → Token Signing Keys.

  2. Click Add Key Set.

  3. Enter the key set’s Name and optional Description. Click Next.

  4. Select at least one Issuer.

  5. Select at an RSA signing key in the Active column.

  6. Optional: Select one or more EC (elliptic curve) signing keys in the Active column.

  7. Optional: Select Previous signing keys next to any of the Active keys.

  8. Optional: Select the Publish Certificate check box next to the Active signing keys. PingFederate publishes the certificates associated with these active signing keys and previous signing keys (if selected) at the /pf/JWKS endpoint.

  9. Click Save.