Validating FAPI with PingGateway

Validate your FAPI deployment using the two API clients you registered and the FAPI conformance test suite.

The FAPI conformance tests use DNS to access PingGateway URLs.

Make sure the PingGateway deployment is accessible over the internet.

Before you begin

Before you begin, make sure you have:

Configured CORS settings in the PingOne Advanced Identity Cloud tenant
Configured access management settings in the PingOne Advanced Identity Cloud tenant
Configured identity management settings in the PingOne Advanced Identity Cloud tenant
Configured PingGateway for FAPI
Completed DCR for two API clients using the test trusted directory
Saved the DCR responses for both API clients
Saved the PEM-format certificates and private keys for both API clients
Saved the PEM-format CA certificate for the test trusted directory

Review the test documentation

The OpenID foundation provides conformance tests accessible online through a Google or GitLab account.

Read the instructions for the conformance tests.

This tutorial focuses on FAPI 1.0 Part 2 Advanced Final tests.

Prepare the test plan

Go to the OpenID certification site.
Sign on with your Google or GitLab account.

Create a test plan.

Add the high-level settings:

Setting Use

Setting	Use
Test Plan	`FAPI1-Advanced-Final: Authorization server test`
Client Authentication Type	`private_key_jwt`
Request Object Method	`by_value`
FAPI Profile	`plain_fapi`
FAPI Response Mode	`plain_response`

Test Plan

FAPI1-Advanced-Final: Authorization server test

Client Authentication Type

private_key_jwt

Request Object Method

by_value

FAPI Profile

plain_fapi

FAPI Response Mode

plain_response

Configure the specific settings for your deployment using the hints provided in the test plan page.

Use the following additional hints to complete the configuration:

Setting Use

Setting	Use
alias	The alias you chose to customize the client `software_redirect_uris`.
discoveryUrl	The OpenID Provider well-known endpoint accessed through PingGateway, `https://<gateway-host:port>/am/oauth2/realms/root/realms/alpha/.well-known/openid-configuration`.
Client settings	The fields in the DCR responses and the PEM-format certificates and private keys you saved.
resourceUrl	The OpenID Provider well-known endpoint accessed through PingGateway, `https://<gateway-host:port>/rs/fapi/api`.

alias

The alias you chose to customize the client software_redirect_uris.

discoveryUrl

The OpenID Provider well-known endpoint accessed through PingGateway, https://<gateway-host:port>/am/oauth2/realms/root/realms/alpha/.well-known/openid-configuration.

Client settings

The fields in the DCR responses and the PEM-format certificates and private keys you saved.

resourceUrl

The OpenID Provider well-known endpoint accessed through PingGateway, https://<gateway-host:port>/rs/fapi/api.

Click Create Test Plan to access the tests.

Run the tests

Run each test in the plan and correct any issues that arise.

You have successfully demonstrated FAPI compliance using PingGateway.