---
title: Mapping ID token signing keys to virtual issuers
description: You can create sets of ID token signing keys in PingFederate, and map each set to one or more virtual issuers for OpenID Connect.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_mapping_id_token_signing_keys_virtual_issuers
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_mapping_id_token_signing_keys_virtual_issuers.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 10, 2024
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
---

# Mapping ID token signing keys to virtual issuers

You can create sets of ID token signing keys in PingFederate, and map each set to one or more virtual issuers for OpenID Connect.

## Before you begin

Before you map token signing keys to virtual issuers, configure the necessary static signing keys and virtual issuers. For more information, see [Configuring static signing keys](pf_config_static_signing_keys.html) and [Adding virtual issuers for OpenID Connect](pf_adding_virtual_issuers_openid_connect.html).

## About this task

When minting an ID token, PingFederate signs the ID token with a key from the right key set based on the authorization request, virtual issuers configuration, and token signing keys configuration. Because of these features, you do not need multiple PingFederate environments to support multiple brands, which especially helps if you participate in Open Banking in the UK or have similar requirements.

## Steps

1. Go to **Security > Certificate & Key Management > Token Signing Keys**.

2. Click **Add Key Set**.

3. Enter the key set's **Name** and optional **Description**. Click **Next**.

4. Select at least one **Issuer**.

5. Select at an **RSA** signing key in the **Active** column.

6. Optional: Select one or more EC (elliptic curve) signing keys in the **Active** column.

7. Optional: Select **Previous** signing keys next to any of the **Active** keys.

8. Optional: Select the **Publish Certificate** checkbox next to the **Active** signing keys. PingFederate publishes the certificates associated with these active signing keys and previous signing keys (if selected) at the `/pf/JWKS` endpoint.

9. Click **Save**.