Configure CIMD policies
On the CIMD Policies page, configure the rules that determine which client_id URLs PingFederate accepts in a CIMD request and which default settings PingFederate applies to the CIMD clients that the policy creates.
Steps
- In the PingFederate admin console, go to System > OAuth Settings > CIMD Policies.
- Click Add CIMD Policy.
General Info
- (Required) In the ID field, enter a unique identifier for the CIMD policy.
- (Required) In the Name field, enter a descriptive name for the CIMD policy.
- In the Description field, enter a description for the policy.
- (Required) In the Metadata URL field, enter the URL pattern that PingFederate uses to determine whether the policy applies to an incoming CIMD request.
  - Use restrictive patterns whenever possible. For example, a pattern of the form https://host.example.com/clients/* limits the policy to one origin and one path prefix.
  - The metadata URL pattern supports wildcard characters (*).
  - The input must include a valid protocol scheme and host before a wildcard can be used.
  If an incoming client_id value does not match any enabled CIMD policy, PingFederate rejects the request.
Select the Allow Loopback Redirect URIs checkbox to allow PingFederate to resolve CIMD clients created by this CIMD policy when they use loopback redirect URIs, such as
localhost,127.0.0.1, or::1, when required by your use case.PingFederate blocks loopback redirect URIs and metadata locations by default to help protect against server-side request forgery (SSRF). Enable this setting only when necessary.
If this checkbox is selected and the redirect URI is a loopback address, PingFederate does not perform the same-origin check between the redirect URI and the
client_id.To allow metadata locations that contain a loopback address, PingFederate must also be running on a loopback address, and the resolved address must match the same loopback interface.
- Select the Replay Prevention checkbox to require replay-prevention handling for supported signed request processing in CIMD clients created by this CIMD policy.
- In the Issuer list, select an issuer when your deployment requires issuer-specific behavior for CIMD clients created by this CIMD policy.
- In the Tags list, click Selected Tags. In the Tags Selection window, move the tags to apply from Available Tags to Selected Tags. Click Done.
  Learn more in Tag Management.
Note: In the following settings sections, when you select Use Global Setting, PingFederate uses the corresponding global value configured on the Authorization Server Settings page, unless otherwise noted.
OAuth settings
These settings work like the corresponding settings on the Configuring OAuth clients page. For CIMD, PingFederate applies them as defaults for dynamically created clients rather than to manually registered clients.
- For Require Scope=Offline_Access to Issue Refresh Tokens, select whether the authorization server issues refresh tokens only when the client requests the offline_access scope. Select one of the following:
  - Use Global Setting is the default.
  - Yes requires the offline_access scope for refresh tokens to be issued and reveals the Offline_Access Require Consent Prompt setting.
  - No issues refresh tokens without requiring the offline_access scope.
- If you selected Yes, for Offline_Access Require Consent Prompt, select whether to require the prompt parameter to be set to consent when the offline_access scope is requested:
  - Use Global Setting is the default.
  - Yes requires the consent prompt.
  - No doesn't require the consent prompt.
- In the ID Token Signing Algorithm list, select the algorithm that PingFederate uses to sign ID tokens for CIMD clients created by this CIMD policy.
- In the OpenID Connect Policy list, select a policy to apply to CIMD clients created by this CIMD policy.
  Learn more in Configuring OpenID Connect policies.
- Select the Require Proof Key for Code Exchange (PKCE) checkbox to require CIMD clients created by this CIMD policy to use PKCE.
- Select the Require JWT Secured Authorization Response Mode (JARM) checkbox to require CIMD clients created by this CIMD policy to use JARM.
  JARM enhances the security of the authorization response by supporting signing and encryption. Learn more in the JARM specification.
- Select the Require Signed Requests checkbox to require CIMD clients created by this CIMD policy to transmit request parameters in a signed request object.
  Learn more about shared OAuth client request-object settings in Configuring OAuth clients.
Token manager, grant, and session settings
- In the Default Access Token Manager list, select the access token manager to use for CIMD clients created by this CIMD policy.
- Select the Restrict to Default Access Token Manager checkbox to restrict CIMD clients created by this CIMD policy to using only the selected access token manager.
- For Persistent Grants Max Lifetime, choose one of the following:
  - Use Global Setting is the default.
  - Grants Do Not Expire allows persistent grants to remain valid until they are revoked or removed.
  - Enter an integer in the field and select a time unit to define the lifetime of persistent grants.
- For Persistent Grants Idle Timeout, choose one of the following:
  - Use Global Setting is the default.
  - Grants Do Not Timeout Due To Inactivity allows persistent grants to remain valid until they are revoked, removed, or expire for another reason.
  - Enter an integer in the field and select a time unit to define how long persistent grants can remain inactive before they time out.
- For Refresh Token Rolling Policy, choose one of the following:
  - Use Global Setting is the default.
  - Don't Roll continues using the current refresh token until it becomes invalid.
  - Roll generates a new refresh token when a new access token is issued.
- For Refresh Token Rolling Interval, choose one of the following:
  - Use Global Setting is the default.
  - Enter an integer in the field and select a time unit to define the minimum time that must pass before a new refresh token can be issued.
- For Refresh Token Rolling Grace Period (Seconds), choose one of the following:
  - Use Global Setting is the default.
  - Enter an integer in the field to define how long a rolled refresh token remains valid if the client does not receive the updated refresh token.
Demonstrate Proof of Possession (DPoP) settings
- For Require DPoP JWT Nonce, choose one of the following:
  - Use Global Setting is the default.
  - Yes requires a nonce in the DPoP JWT.
  - No does not require a nonce in the DPoP JWT.
- For DPoP JWT Lifetime (Seconds), choose Use Global Setting or enter the lifetime of the DPoP JWT in seconds.
- For Enforce DPoP JWT Replay Prevention, choose one of the following:
  - Use Global Setting is the default.
  - Yes requires a unique signed DPoP JWT for each request.
  - No does not require a unique signed DPoP JWT for each request.
Device authorization grant settings
- For Device Authorization Grant, select Use Global Setting to use the corresponding global setting, or select Override.
- If Device Authorization Grant is set to Override, configure the following settings:
  - In the User Authorization URL field, enter the URL for device user authorization used by CIMD clients created by this CIMD policy.
  - In the Pending Authorization Timeout (Seconds) field, enter the maximum time that a device authorization request can remain pending.
  - In the Device Polling Interval (Seconds) field, enter how often a device polls for authorization status.
  - Select the Bypass Activation Code Confirmation checkbox to allow CIMD clients created by this CIMD policy to bypass activation code confirmation.
Client Initiated Backchannel Authentication (CIBA) settings
- In the Polling Interval (Seconds) field, enter how often a CIMD client created by this CIMD policy can poll for a CIBA result.
- In the CIBA Request Policy list, select the request policy to apply to CIMD clients created by this CIMD policy.
  Learn more in Client Initiated Backchannel Authentication (CIBA).
- Select the Require CIBA Signed Requests checkbox to require CIMD clients created by this CIMD policy to sign CIBA requests.
Token exchange settings
- In the Token Exchange Processor Policy list, select the token exchange processor policy to apply to CIMD clients created by this CIMD policy.
Advanced settings
- For Malicious Actions Count For Lockout, choose one of the following:
  - Use Global Setting uses the global lockout setting. You can configure the global setting with the MaxMaliciousActions parameter in the <pingfed-install>/pingfederate/server/default/data/config-store/com.pingidentity.common.security.AccountLockingService.xml file.
  - Do Not Lockout disables lockout for malicious actions.
  - Enter an integer in the field to define the number of malicious actions that PingFederate allows before it locks out the client.
- When you are done configuring the policy, click Save.
Result
PingFederate uses the enabled CIMD policy whose metadata URL best matches the incoming client_id to determine whether the request is allowed. It then applies that policy’s default OAuth client settings to the CIMD client created for the request. If no enabled CIMD policy matches the incoming client_id, PingFederate rejects the request.
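The matching and rejection rules described for the Metadata URL and Allow Loopback Redirect URIs settings in the General Info steps, and summarized in this Result, as an added example that is not PingFederate's code. It assumes a simple wildcard grammar (a * matches any run of characters and must come after scheme://host/), treats the matching policy with the longest literal prefix as the "best match", requires client_id to be an absolute https URL, and models the "same loopback interface" condition by comparing the server's listening address with the loopback host in client_id. The policy IDs, URLs and sample requests are constructed for the example.

```python
"""Added example: a CIMD policy matcher modelling the rules on this page.
Not PingFederate code. Assumptions: '*' matches any run of characters and must
follow scheme://host/; the best match is the longest literal prefix; client_id
must be an absolute https URL; 'same loopback interface' is modelled by
comparing the server's listening address with the client_id host."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

@dataclass
class CimdPolicy:
    policy_id: str
    metadata_url: str                          # pattern, may contain '*'
    enabled: bool = True
    allow_loopback_redirect_uris: bool = False

@dataclass
class Decision:
    accepted: bool
    policy_id: Optional[str]
    reason: str

def is_loopback_host(host: Optional[str]) -> bool:
    """localhost, 127.0.0.0/8 or ::1 (urlsplit already strips IPv6 brackets)."""
    if not host:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def pattern_is_valid(pattern: str) -> bool:
    """Scheme and host must precede the first '*', so a wildcard can only widen the path."""
    parts = urlsplit(pattern.split("*", 1)[0])
    return bool(parts.scheme) and bool(parts.hostname) and parts.path.startswith("/")

def pattern_matches(pattern: str, url: str) -> bool:
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, url) is not None

def select_policy(policies, client_id: str) -> Optional[CimdPolicy]:
    """Enabled policies with a valid, matching pattern; longest literal prefix wins (assumption)."""
    matches = [p for p in policies if p.enabled and pattern_is_valid(p.metadata_url)
               and pattern_matches(p.metadata_url, client_id)]
    if not matches:
        return None
    return max(matches, key=lambda p: len(p.metadata_url.split("*", 1)[0]))

def origin(url: str):
    """(scheme, host, port) with default ports filled in, for the same-origin check."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or {"https": 443, "http": 80}.get(scheme)

def evaluate_request(policies, client_id: str, redirect_uri: str,
                     server_listen_host: str = "pf.example.com") -> Decision:
    cid = urlsplit(client_id)
    if cid.scheme != "https" or not cid.hostname:       # assumption: absolute https client_id
        return Decision(False, None, "client_id is not an absolute https URL")
    policy = select_policy(policies, client_id)
    if policy is None:
        return Decision(False, None, "no enabled CIMD policy matches client_id")
    # Loopback metadata location: blocked by default (SSRF); when allowed, the server
    # must itself be listening on that same loopback address.
    if is_loopback_host(cid.hostname):
        if not policy.allow_loopback_redirect_uris:
            return Decision(False, policy.policy_id, "loopback metadata location blocked")
        if not (is_loopback_host(server_listen_host) and server_listen_host.lower() == cid.hostname):
            return Decision(False, policy.policy_id, "server is not bound to the same loopback interface")
    if is_loopback_host(urlsplit(redirect_uri).hostname):
        if not policy.allow_loopback_redirect_uris:
            return Decision(False, policy.policy_id, "loopback redirect URI blocked")
        return Decision(True, policy.policy_id, "accepted; same-origin check skipped for loopback redirect")
    if origin(redirect_uri) != origin(client_id):
        return Decision(False, policy.policy_id, "redirect_uri origin differs from client_id origin")
    return Decision(True, policy.policy_id, "accepted")

# Constructed sample policies; the IDs and URLs are illustrative only.
POLICIES = [
    CimdPolicy("corp-web", "https://apps.example.com/*"),
    CimdPolicy("corp-cli", "https://apps.example.com/cli/*", allow_loopback_redirect_uris=True),
    CimdPolicy("dev-loop", "https://127.0.0.1/*", allow_loopback_redirect_uris=True),
    CimdPolicy("retired", "https://old.example.com/*", enabled=False),
]

if __name__ == "__main__":
    for cid, ruri in [("https://apps.example.com/web/app.json", "https://apps.example.com/cb"),
                      ("https://apps.example.com/web/app.json", "http://localhost:8080/cb"),
                      ("https://apps.example.com/cli/tool.json", "http://127.0.0.1:8765/cb")]:
        print(cid, "->", evaluate_request(POLICIES, cid, ruri))
```

Running the block shows the three outcomes a practitioner most often needs to reason about: a same-origin web redirect accepted under the broad policy, a loopback redirect rejected under that same policy because loopback is off by default, and the same loopback redirect accepted once the more specific policy with Allow Loopback Redirect URIs enabled wins the match. A disabled policy never matches, and a wildcard placed in the host portion is treated as an invalid pattern rather than a broad one.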