Configuring access management for FAPI
FAPI requires specific settings for the OpenID Provider and related services.
This page explains how to configure those settings for a PingOne Advanced Identity Cloud tenant through the Advanced Identity Cloud admin UI and AM admin UI.
Before you begin
- Sign on to the Advanced Identity Cloud admin UI as an administrator.
- Switch to the realm you use for FAPI. This tutorial uses the alpha realm. Adapt the realm name to your deployment.
Trusted certificates
FAPI permits mutual TLS as one of the OAuth 2.0 client authentication methods. For mutual TLS to work, PingOne Advanced Identity Cloud must trust the certificate authority (CA) that signed the client’s certificate. This involves storing the trusted certificates as a secret and mapping the secret to a specific label:
- Get the CA certificates in PEM format for all the clients using mutual TLS.
- Concatenate the CA certificates into a single PEM format file.
- Create an ESV secret named esv-am-oauth2-ca-certs whose value is the base64-encoded content of the trusted CA certificate PEM file.
- In the Advanced Identity Cloud admin UI, click Native Consoles > Access Management to open the AM admin UI.
- Go to Secret Stores > ESV > Mappings and click + Add Mapping.
- Add the following settings and click Create:
  - Secret Label: am.services.oauth2.tls.client.cert.authentication
  - aliases: esv-am-oauth2-ca-certs
You have successfully trusted the CA certificates for mutual TLS.
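An added example, not code from the Ping documentation, that performs the concatenate-and-encode steps of this procedure in Python: it joins CA PEM files into one bundle, rejects any PEM block that is not a certificate (a private key pasted in by mistake, for instance), and returns the single-line base64 value to store in the esv-am-oauth2-ca-certs secret. The sample PEM bodies are constructed placeholders, not real certificates.

```python
import base64
import re

# One PEM block: label in the BEGIN/END lines, base64 body in between.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)

# Constructed sample inputs: the bodies are placeholder text, not real certificates.
SAMPLE_CA_1 = "-----BEGIN CERTIFICATE-----\nMIIBsampleOne\n-----END CERTIFICATE-----\n"
SAMPLE_CA_2 = "-----BEGIN CERTIFICATE-----\r\nMIIBsampleTwo\r\n-----END CERTIFICATE-----\r\n"


def build_ca_bundle(pem_texts):
    """Concatenate the CA certificates from several PEM files into one PEM bundle.

    Raises ValueError if an input holds no PEM block or holds a block that is
    not a CERTIFICATE, so a key or CSR never ends up in the trust store.
    """
    blocks = []
    for idx, text in enumerate(pem_texts):
        found = PEM_BLOCK.findall(text)
        if not found:
            raise ValueError(f"input {idx}: no PEM block found")
        for label, body in found:
            if label != "CERTIFICATE":
                raise ValueError(f"input {idx}: unexpected PEM block {label!r}")
            # Normalise line endings so the bundle is uniform whatever the source.
            lines = [line.strip() for line in body.splitlines() if line.strip()]
            blocks.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                          + "\n-----END CERTIFICATE-----")
    return "\n".join(blocks) + "\n"


def count_certificates(bundle_pem):
    """Number of certificate blocks in a bundle; useful as a sanity check."""
    return len(PEM_BLOCK.findall(bundle_pem))


def esv_secret_value(bundle_pem):
    """Base64 text to paste as the value of esv-am-oauth2-ca-certs.

    The whole PEM file (headers included) is encoded, and the result has no
    line breaks, which is what the ESV secret field expects.
    """
    return base64.b64encode(bundle_pem.encode("ascii")).decode("ascii")
```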
OpenID provider
- In the Advanced Identity Cloud admin UI, click Native Consoles > Access Management to open the AM admin UI.
- Go to Services > OAuth2 Provider.
- For each of the categories, update the following settings and click Save Changes before changing categories. Adapt https://gateway.example.com:8443 in these settings for your deployment and accept the defaults for all settings not listed.

Core
- Access Token Lifetime (seconds): 360000

Advanced
- Additional Audience Values:
  https://gateway.example.com:8443/am/oauth2/realms/root/realms/alpha/access_token
  https://gateway.example.com:8443/am/oauth2/realms/root/realms/alpha/par
- Client Registration Scope Allowlist: keep only openid.
- Default Client Scopes: remove the default settings and leave this empty.
- OAuth2 Token Signing Algorithm: PS256
- Trusted TLS Client Certificate Header: ssl-client-cert
- Require exp claim in Request Object: enable this setting.
- Require nbf claim in Request Object: enable this setting.
- Max nbf and exp difference: 60

Client Dynamic Registration
- Require Software Statement for Dynamic Client Registration: enable this setting.
- Required Software Statement Attested Attributes: remove the default settings and leave this empty.

OpenID Connect
- ID Token Signing Algorithms supported: keep only PS256.
- Supported Claims: acr

Advanced OpenID Connect
- Enable "claims_parameter_supported": enable this setting.
- Request Parameter Signing Algorithms Supported: keep only PS256.
- Supported Token Endpoint JWS Signing Algorithms: keep only PS256.
- UserInfo Signing Algorithms Supported: set to ES256 and PS256.
- Token Introspection Response Signing Algorithms Supported: keep only PS256.
- Authorization Response Signing Algorithms Supported: keep only PS256.

Consent
- Allow Clients to Skip Consent: disable this setting.
- Remote Consent Service Request Signing Algorithms Supported: keep only PS256.
- Remote Consent Service Response Signing Algorithms Supported: keep only PS256.
You have successfully configured the OpenID provider services to support FAPI.
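As an added example that is not part of the original page, the following Python applies the request-object rules from the Advanced settings above (PS256 only, exp and nbf both required, at most 60 seconds between them) to a compact JWT and lists every rule it breaks. The JWT builder and sample tokens are constructed for illustration, and signature verification is deliberately left out so only the configured claim checks are shown.

```python
import base64
import json
import time

# Values taken from the OAuth2 Provider settings on this page.
ALLOWED_SIGNING_ALGS = {"PS256"}
MAX_NBF_EXP_DIFFERENCE = 60  # seconds


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_jwt_parts(jwt):
    """Return (header, claims) of a compact JWS; the signature is not checked here."""
    header_b64, payload_b64, _signature = jwt.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def request_object_violations(jwt, now=None):
    """List the configured request-object rules this JWT fails (empty list = all pass)."""
    now = int(time.time()) if now is None else now
    header, claims = decode_jwt_parts(jwt)
    problems = []
    if header.get("alg") not in ALLOWED_SIGNING_ALGS:
        problems.append(f"alg {header.get('alg')!r} not in {sorted(ALLOWED_SIGNING_ALGS)}")
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if exp is None:
        problems.append("exp claim missing (Require exp claim in Request Object)")
    if nbf is None:
        problems.append("nbf claim missing (Require nbf claim in Request Object)")
    if exp is not None and nbf is not None:
        # Max nbf and exp difference: the object may be valid for at most 60 seconds.
        if exp - nbf > MAX_NBF_EXP_DIFFERENCE:
            problems.append(f"exp - nbf is {exp - nbf}s, above the {MAX_NBF_EXP_DIFFERENCE}s maximum")
        if nbf > now:
            problems.append("request object not yet valid")
        if exp <= now:
            problems.append("request object expired")
    return problems


def make_unsigned_jwt(header, claims):
    """Build a compact JWS with an empty signature, for constructing sample inputs only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc(header)}.{enc(claims)}."
```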
Validation service
- In the Advanced Identity Cloud admin UI, click Native Consoles > Access Management to open the AM admin UI.
- Go to Services > Validation Service, add the following Valid goto URL Resources setting, and click Save Changes:
  https://gateway.example.com:8443/am/*
  https://gateway.example.com:8443/am/*?*
You have successfully configured the validation service to support FAPI.
Create an OAuth 2.0 client account
PingGateway uses this account to get access tokens to read API client information.
- In the Advanced Identity Cloud admin UI, go to Applications > Custom Application.
- Select OIDC - OpenID Connect and click Next.
- Select Service and click Next.
- Use the hints in the following table to create the OAuth 2.0 client account (field, description, example):
  - Name: A unique name for the OAuth 2.0 client account. Example: gateway-oauth2-client
  - Owners: The application owner to contact about this OAuth 2.0 client account. Example: gateway-idm-user
  - Client Secret: A strong password for PingGateway to connect as a resource server. Example: password (base64-encoding: cGFzc3dvcmQ=)
  - Sign On > Sign-in URLs: The redirect endpoint.
  - Sign On > Grant Types: The OAuth 2.0 grant types PingGateway uses to connect as a resource server. Example: Authorization Code, Client Credentials, Resource Owner Password Credentials
  - Sign On > Scopes: The OAuth 2.0 scopes PingGateway uses to connect as a resource server. Example: dynamic_client_registration, trusted_gateway
  In production deployments, use a secret store to manage the client secret.
- Click Save.
You have successfully created the OAuth 2.0 client account for PingGateway.