Migrating external OAuth clients into PingFederate
You can migrate OAuth clients from other identity providers into PingFederate by temporarily defining additional valid audience values for authentication and authorization requests.
You can define valid audience values using the AdditionalAllowedAudiences parameter in the org.sourceid.oauth20.domain.AuthzServerManagerImpl.xml file.
The expanded audience values affect the following request types:
- Private key JSON Web Token (JWT) or client secret JWT authentication requests on the Token endpoint
- Request JWTs on the Authorization endpoint
- Requests initiated from the Pushed authorization requests endpoint
Expanding allowed audience values can introduce significant security risks to your authentication and authorization clients. By allowing PingFederate to grant access to JWTs with additional audience values, you risk granting unintended access to restricted services. You should only use this feature as a temporary measure while migrating clients into PingFederate, and remove the expanded audience values after the migration is complete.
Steps
1. Open the <pingfed-install>/pingfederate/server/default/data/config-store/org.sourceid.oauth20.domain.AuthzServerManagerImpl.xml file.
2. Under the <c:list name="AdditionalAllowedAudiences"> parameter, uncomment the <c:ListItem> line and replace the example value with a domain to authorize.
3. (Optional) For each additional audience value you want to authorize, add a new <c:ListItem> line.
4. After you've added all desired audience values, save and close the file.
5. Create new clients in PingFederate. Learn more in Configuring OAuth clients.
6. Migrate your external OAuth clients into PingFederate. This process varies depending on your existing issuer.
7. After your migration is complete, open the org.sourceid.oauth20.domain.AuthzServerManagerImpl.xml file.
8. Delete or comment out the <c:ListItem> lines you previously added.
9. Save and close the file.
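As an added check that is not part of the PingFederate documentation, the following Python script parses a constructed copy of the config-store file and lists the audience values that are still active, so you can verify that the expanded values were really removed after the migration. The c: namespace URI and the sample audience values are assumptions, not values taken from this page.

```python
import xml.etree.ElementTree as ET

# Assumed namespace URI of PingFederate config-store files (not taken from the page).
CONFIG_NS = "http://www.sourceid.org/2004/05/config"
NS = {"c": CONFIG_NS}


def active_additional_audiences(xml_text: str) -> list[str]:
    """Return the <c:ListItem> values under AdditionalAllowedAudiences that are
    still in effect. ElementTree drops XML comments while parsing, so the
    commented-out example line (and any line you comment out again after the
    migration) is ignored, just as PingFederate ignores it."""
    root = ET.fromstring(xml_text)
    found = []
    for lst in root.findall("c:list", NS):
        if lst.get("name") != "AdditionalAllowedAudiences":
            continue
        for item in lst.findall("c:ListItem", NS):
            value = (item.text or "").strip()
            if value:
                found.append(value)
    return found


def migration_cleanup_complete(xml_text: str) -> bool:
    """True only when no expanded audience value remains active."""
    return not active_additional_audiences(xml_text)


# Constructed sample: the file as it looks mid-migration, with two added audiences.
DURING_MIGRATION = """<c:config xmlns:c="http://www.sourceid.org/2004/05/config">
  <c:list name="AdditionalAllowedAudiences">
    <!-- <c:ListItem>https://as.example.com</c:ListItem> -->
    <c:ListItem>https://legacy-idp.example.com</c:ListItem>
    <c:ListItem>https://legacy-idp.example.com/oauth2/token</c:ListItem>
  </c:list>
</c:config>
"""

# Constructed sample: the same file after the added lines were commented out again.
AFTER_CLEANUP = """<c:config xmlns:c="http://www.sourceid.org/2004/05/config">
  <c:list name="AdditionalAllowedAudiences">
    <!-- <c:ListItem>https://as.example.com</c:ListItem> -->
    <!-- <c:ListItem>https://legacy-idp.example.com</c:ListItem> -->
    <!-- <c:ListItem>https://legacy-idp.example.com/oauth2/token</c:ListItem> -->
  </c:list>
</c:config>
"""
```

Run it against the real file by reading the config-store path from the steps above and passing its contents to migration_cleanup_complete; a False result means an expanded audience is still being honoured.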