Enabling JWT authorization
PingFederate clients can gain access to the administrative API endpoint by providing a JSON Web Token (JWT). The <pf_install>/pingfederate/bin/jwt.properties file contains settings that allow you to configure information required to interact with one or more authorization servers as a client.
Steps
- In the <pf_install>/pingfederate/bin/jwt.properties file, set the value of the pf.admin.api.authentication property to JWT.
  You can configure PingFederate to support both JWT authorization and a basic authentication method by specifying two values separated with a comma. For example, specify pf.admin.api.authentication=JWT,LDAP. The basic authentication methods are native, LDAP, JWT, and RADIUS. Supporting two authentication methods is helpful when you want to change applications from one method to another. You can find more information about supporting two authentication methods in the description of pf.admin.api.authentication in Configuring PingFederate properties.
- In the <pf_install>/pingfederate/bin/jwt.properties file, change the property values as needed. You can find instructions and additional information in the comments in the file.
  Assign at least one of the PingFederate administrative roles, as indicated in the properties file. You can find more information about permissions attached to the PingFederate roles in the PingFederate User Access Control table in Configure access to the administrative API.
- Restart PingFederate.
In a clustered PingFederate environment, you only need to modify run.properties and oauth2.properties on the console node.
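
The following check is an added example, not part of the PingFederate documentation or product. It reads the pf.admin.api.authentication value from properties text and reports whether JWT is enabled and whether a second method is still accepted next to it, which is the state to clean up once applications have moved to JWT. The function names, the sample text, the case-insensitive matching, and the handling of only the key=value form are assumptions made for this example.

```python
# Added example: audit pf.admin.api.authentication in Java-properties-style text.
KEY = "pf.admin.api.authentication"
ALLOWED = ("native", "LDAP", "JWT", "RADIUS")  # the methods named on this page

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
# admin API authentication
#pf.admin.api.authentication=native
pf.admin.api.authentication = JWT, ldap
"""


def read_property(text, key=KEY):
    """Return the last uncommented value of key, or None if it is absent."""
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":   # blank line or comment
            continue
        name, sep, rest = line.partition("=")  # only the key=value form is handled
        if sep and name.strip() == key:
            value = rest.strip()          # a later definition overrides an earlier one
    return value


def audit_admin_api_auth(text):
    """Return (methods, findings) for the admin API authentication setting."""
    value = read_property(text)
    if value is None:
        return [], [f"{KEY} is not set"]
    canonical = {m.upper(): m for m in ALLOWED}
    methods, findings = [], []
    tokens = [t.strip() for t in value.split(",")]
    if len(tokens) > 2:
        findings.append("more than two values listed")
    for token in tokens:
        name = canonical.get(token.upper())  # assumption: case-insensitive match
        if name is None:
            findings.append(f"unrecognized method: {token!r}")
        elif name not in methods:
            methods.append(name)
    if "JWT" not in methods:
        findings.append("JWT is not enabled")
    for other in (m for m in methods if m != "JWT" and "JWT" in methods):
        findings.append(f"{other} is still accepted alongside JWT")
    return methods, findings


if __name__ == "__main__":
    print(audit_admin_api_auth(SAMPLE))
```

Run it against the file's contents before restarting PingFederate so a mistyped method name is caught while the previous configuration is still active.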