Defining token exchange processor policies
To exchange security tokens, the OAuth authorization server needs at least one token exchange processor policy.
Before you begin
Before you define a token exchange processor policy, create the necessary token processor instances. Learn more in Managing token processors.
About this task
In the PingFederate admin console, go to the Token Exchange Processor Policy Management page to define token exchange processor policies.
Steps
- Go to Applications > Token Exchange > Processor Policies.
- Click Add Processor Policy.
- On the Manage Processor Policy tab, enter the policy ID and Name. To require both a subject token and an actor token in client token exchange requests, select the Actor Token Required checkbox. Click Next.
- On the Attribute Contract tab, add attributes to the attribute contract as needed. Click Next.
- On the Token Processor Mapping tab, map a token processor to each subject token type, or each combination of subject token type and actor token type:
  - Click Map New Token Processor.
  - On the Token Types tab, in the Subject Token Processor list, select the instance.
  - In the Subject Token Type field, enter the identifier.
  - If an actor token processor is required, in the Actor Token Processor list, select the instance.
  - In the Actor Token Type field, enter the identifier. Click Next.
  - On the Attribute Sources & User Lookup tab, add additional attribute sources for contract fulfillment as needed. Click Next.
  - On the Contract Fulfillment tab, select the Source and Value for each attribute. Click Next.
  - On the Issuance Criteria tab, specify conditions that attributes must satisfy for PingFederate to exchange the token. Click Next.
  - On the Summary tab, review the token processor mapping. Click Done.
- On the Summary tab, review the policy. Click Done.
- To make the new token exchange processor policy the default policy, click Set as Default on the corresponding row in the table.
- Click Save.
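
To check planned client requests against a policy before saving it, the sketch below models the Actor Token Required setting and the token processor mapping from the steps above. It is an added example, not PingFederate code. The policy contents, processor instance names and sample request bodies are constructed, the request parameters and token type URIs follow RFC 8693, and PingFederate's own matching logic may differ from this simplified model.

```python
from urllib.parse import parse_qs

GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693 grant type
JWT = "urn:ietf:params:oauth:token-type:jwt"               # RFC 8693 token type URIs
SAML2 = "urn:ietf:params:oauth:token-type:saml2"
ACCESS = "urn:ietf:params:oauth:token-type:access_token"

# Hypothetical policy mirroring the tabs above: the Actor Token Required flag and
# one mapping per subject token type / actor token type combination.
POLICY = {
    "actor_token_required": True,
    "mappings": {  # processor instance names are made up for this example
        (SAML2, JWT): ("samlProcessor", "jwtProcessor"),
        (JWT, JWT): ("jwtProcessor", "jwtProcessor"),
    },
}

def resolve(policy, body):
    """Return (processors, None) for an acceptable request, else (None, reason)."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != GRANT:
        return None, "not a token exchange request"
    subject, subject_type = form.get("subject_token"), form.get("subject_token_type")
    actor, actor_type = form.get("actor_token"), form.get("actor_token_type")
    if not subject or not subject_type:
        return None, "subject_token and subject_token_type are required"
    # RFC 8693: actor_token_type accompanies actor_token and never appears alone.
    if bool(actor) != bool(actor_type):
        return None, "actor_token and actor_token_type must appear together"
    if policy["actor_token_required"] and not actor:
        return None, "policy requires an actor token"
    processors = policy["mappings"].get((subject_type, actor_type))
    if processors is None:
        return None, "no token processor mapped for this token type combination"
    return processors, None

# Constructed sample request bodies; token values are placeholders.
SAMPLES = {
    "ok": f"grant_type={GRANT}&subject_token=s&subject_token_type={SAML2}"
          f"&actor_token=a&actor_token_type={JWT}",
    "no_actor": f"grant_type={GRANT}&subject_token=s&subject_token_type={JWT}",
    "untyped_actor": f"grant_type={GRANT}&subject_token=s&subject_token_type={JWT}"
                     "&actor_token=a",
    "unmapped": f"grant_type={GRANT}&subject_token=s&subject_token_type={ACCESS}"
                f"&actor_token=a&actor_token_type={JWT}",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, resolve(POLICY, body))
```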