PingGateway

Configuring access management for FAPI

FAPI requires specific settings for the OpenID Provider and related services.

This page explains how to configure those settings for a PingOne Advanced Identity Cloud tenant through the Advanced Identity Cloud admin UI and AM admin UI.

Before you begin

  1. Sign on to the Advanced Identity Cloud admin UI as an administrator.

  2. Switch to the realm you use for FAPI.

    This tutorial uses the alpha realm. Adapt the realm name to your deployment.

Trusted certificates

FAPI permits mutual TLS as one of the OAuth 2.0 client authentication methods. For mutual TLS to work, PingOne Advanced Identity Cloud must trust the certificate authority (CA) that signed the client’s certificate. This involves storing the trusted CA certificates as a secret and mapping the secret to a specific label:

  1. Get the CA certificates in PEM format for all the clients using mutual TLS.

  2. Concatenate the CA certificates into a single PEM format file.

  3. Create an ESV secret named esv-am-oauth2-ca-certs whose value is the base64-encoded content of the trusted CA certificate PEM file.

  4. In the Advanced Identity Cloud admin UI, click Native Consoles > Access Management to open the AM admin UI.

  5. Go to Secret Stores > ESV > Mappings and click + Add Mapping.

  6. Add the following settings and click Create:

    Secret Label: am.services.oauth2.tls.client.cert.authentication
    aliases: esv-am-oauth2-ca-certs

You have successfully trusted the CA certificates for mutual TLS.
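Steps 1 to 3 above can be scripted. This added example (not code from the page, PingGateway or AM) builds the PEM bundle, refuses any block that is not a certificate so that a stray private key never ends up in the trust store, and produces the base64 value for the esv-am-oauth2-ca-certs secret; the sample PEM inputs are constructed stand-ins whose bodies are minimal DER sequences, not real certificates.

```python
import base64
import re

# One PEM block: the label must match between the BEGIN and END lines.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def collect_certificates(pem_text: str) -> list[str]:
    """Return each CERTIFICATE block in pem_text, normalised to one PEM block per entry."""
    certs = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if label != "CERTIFICATE":
            # A private key or CSR must never be pasted into a trust bundle.
            raise ValueError(f"unexpected {label} block in trust bundle input")
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):  # every X.509 certificate is a DER SEQUENCE
            raise ValueError("certificate body is not DER")
        certs.append(f"-----BEGIN CERTIFICATE-----\n{body.strip()}\n-----END CERTIFICATE-----\n")
    if not certs:
        raise ValueError("no certificate found in input")
    return certs


def build_esv_value(pem_texts: list[str]) -> tuple[str, int]:
    """Concatenate all inputs into one PEM bundle; return (base64 ESV value, certificate count)."""
    bundle = "".join(cert for text in pem_texts for cert in collect_certificates(text))
    return base64.b64encode(bundle.encode()).decode(), bundle.count("-----BEGIN CERTIFICATE-----")


def decode_esv_value(value: str) -> str:
    """Reverse the encoding to check what the secret will actually contain."""
    return base64.b64decode(value).decode()


# Constructed stand-ins: each body is a minimal DER SEQUENCE, not a real CA certificate.
SAMPLE_CA_1 = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_CA_2 = "-----BEGIN CERTIFICATE-----\nMAMCAQI=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    value, count = build_esv_value([SAMPLE_CA_1, SAMPLE_CA_2])
    print(f"esv-am-oauth2-ca-certs ({count} certificates): {value}")
```

On a real deployment, pass the contents of each CA PEM file you collected in step 1 instead of the constructed samples.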

OpenID provider

  1. In the Advanced Identity Cloud admin UI, click Native Consoles > Access Management to open the AM admin UI.

  2. Go to Services > OAuth2 Provider.

  3. For each of the categories, update the following settings and click Save Changes before changing categories.

    Adapt https://gateway.example.com:8443 in these settings for your deployment and accept the defaults for all settings not listed:

    Category: Core
      Access Token Lifetime (seconds): 360000

    Category: Advanced
      Additional Audience Values:
        https://gateway.example.com:8443/am/oauth2/realms/root/realms/alpha/access_token
        https://gateway.example.com:8443/am/oauth2/realms/root/realms/alpha/par
      Client Registration Scope Allowlist: Keep only openid.
      Default Client Scopes: Remove the default settings and leave this empty.
      OAuth2 Token Signing Algorithm: PS256
      Trusted TLS Client Certificate Header: ssl-client-cert
      Require exp claim in Request Object: Enable this setting.
      Require nbf claim in Request Object: Enable this setting.
      Max nbf and exp difference: 60

    Category: Client Dynamic Registration
      Require Software Statement for Dynamic Client Registration: Enable this setting.
      Required Software Statement Attested Attributes: Remove the default settings and leave this empty.

    Category: OpenID Connect
      ID Token Signing Algorithms supported: Keep only PS256.
      Supported Claims: acr

    Category: Advanced OpenID Connect
      Enable "claims_parameter_supported": Enable this setting.
      Request Parameter Signing Algorithms Supported: Keep only PS256.
      Supported Token Endpoint JWS Signing Algorithms: Keep only PS256.
      UserInfo Signing Algorithms Supported: Set to ES256 and PS256.
      Token Introspection Response Signing Algorithms Supported: Keep only PS256.
      Authorization Response Signing Algorithms Supported: Keep only PS256.

    Category: Consent
      Allow Clients to Skip Consent: Disable this setting.
      Remote Consent Service Request Signing Algorithms Supported: Keep only PS256.
      Remote Consent Service Response Signing Algorithms Supported: Keep only PS256.

You have successfully configured the OpenID provider services to support FAPI.
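After saving, the provider's discovery document should reflect the signing-algorithm and claims settings above. This added example (not code from the page, PingGateway or AM) checks a discovery document against those settings; the sample document is constructed, and the metadata key names are the standard OIDC Discovery and JARM names, which AM is assumed to publish under these names.

```python
import json

# Expected values taken from the OAuth2 Provider settings above.
EXPECTED_EXACT = {                 # the provider must advertise exactly these
    "id_token_signing_alg_values_supported": {"PS256"},
    "request_object_signing_alg_values_supported": {"PS256"},
    "token_endpoint_auth_signing_alg_values_supported": {"PS256"},
    "authorization_signing_alg_values_supported": {"PS256"},  # JARM metadata name
}
EXPECTED_SUBSET = {                # anything beyond these is a finding
    "userinfo_signing_alg_values_supported": {"ES256", "PS256"},
}
EXPECTED_FLAGS = {"claims_parameter_supported": True}


def check_discovery(doc: dict) -> list[str]:
    """Return one finding per mismatch; an empty list means the document matches."""
    findings = []
    for key, allowed in EXPECTED_EXACT.items():
        got = set(doc.get(key, []))
        if got != allowed:
            findings.append(f"{key}: expected {sorted(allowed)}, got {sorted(got)}")
    for key, allowed in EXPECTED_SUBSET.items():
        extra = set(doc.get(key, [])) - allowed
        if extra:
            findings.append(f"{key}: unexpected algorithms {sorted(extra)}")
    for key, want in EXPECTED_FLAGS.items():
        if doc.get(key) is not want:
            findings.append(f"{key}: expected {want}, got {doc.get(key)!r}")
    if "acr" not in doc.get("claims_supported", []):
        findings.append("claims_supported: acr is missing")
    return findings


# Constructed sample: a provider where RS256 was left enabled for ID tokens.
SAMPLE_DOC = json.loads("""{
  "issuer": "https://gateway.example.com:8443/am/oauth2/realms/root/realms/alpha",
  "id_token_signing_alg_values_supported": ["RS256", "PS256"],
  "request_object_signing_alg_values_supported": ["PS256"],
  "token_endpoint_auth_signing_alg_values_supported": ["PS256"],
  "authorization_signing_alg_values_supported": ["PS256"],
  "userinfo_signing_alg_values_supported": ["ES256", "PS256"],
  "claims_parameter_supported": true,
  "claims_supported": ["acr"]
}""")

if __name__ == "__main__":
    for line in check_discovery(SAMPLE_DOC) or ["OK: discovery document matches the FAPI settings"]:
        print(line)
```

Against a live tenant, load the JSON from the realm's /.well-known/openid-configuration endpoint in place of SAMPLE_DOC.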

Validation service

  1. In the Advanced Identity Cloud admin UI, click Native Consoles > Access Management to open the AM admin UI.

  2. Go to Services > Validation Service, add the following Valid goto URL Resources setting, and click Save Changes:

    https://gateway.example.com:8443/am/*
    https://gateway.example.com:8443/am/*?*

You have successfully configured the validation service to support FAPI.

Create an OAuth 2.0 client account

PingGateway uses this account to get access tokens to read API client information.

  1. In the Advanced Identity Cloud admin UI, go to Applications > Custom Application.

  2. Select OIDC - OpenID Connect and click Next.

  3. Select Service and click Next.

  4. Use the hints in the following table to create the OAuth 2.0 client account:

    Name: A unique name for the OAuth 2.0 client account. Example: gateway-oauth2-client

    Owners: The application owner to contact about this OAuth 2.0 client account. Example: gateway-idm-user

    Client Secret: A strong password for PingGateway to connect as a resource server. Example: password (base64-encoding: cGFzc3dvcmQ=)

    Sign On > Sign-in URLs: The redirect endpoint.

    Sign On > Grant Types: The OAuth 2.0 grant types PingGateway uses to connect as a resource server. Example: Authorization Code, Client Credentials, Resource Owner Password Credentials

    Sign On > Scopes: The OAuth 2.0 scopes PingGateway uses to connect as a resource server. Example: dynamic_client_registration, trusted_gateway

    In production deployments, use a secret store to manage the client secret.

  5. Click Save.

You have successfully created the OAuth 2.0 client account for PingGateway.