---
title: Configuring access management for FAPI
description: "Configure PingOne Advanced Identity Cloud and PingAM settings for FAPI: trusted certificates, OpenID provider, validation service, and OAuth 2.0 client account"
component: pinggateway
version: 2026
page_id: pinggateway:fapi:aic-am
canonical_url: https://docs.pingidentity.com/pinggateway/2026/fapi/aic-am.html
revdate: 2025-09-08T17:46:50Z
section_ids:
  before_you_begin: Before you begin
  trusted_certificates: Trusted certificates
  openid_provider: OpenID provider
  validation_service: Validation service
  create-oauth2-client: Create an OAuth 2.0 client account
---

# Configuring access management for FAPI

FAPI requires specific settings for the OpenID Provider and related services.

This page explains how to configure those settings for a PingOne Advanced Identity Cloud tenant through the Advanced Identity Cloud admin UI and AM admin UI.

> Note: If you're configuring a self-managed PingAM deployment, FAPI functionality requires AM version 8.0.2 or later.

## Before you begin

1. Sign on to the Advanced Identity Cloud admin UI as an administrator.

2. Switch to the realm you use for FAPI.

   This tutorial uses the `alpha` realm. Adapt the realm name to your deployment.

## Trusted certificates

FAPI permits [mutual TLS](https://www.rfc-editor.org/rfc/rfc8705.html) as one of the OAuth 2.0 client authentication methods. For mutual TLS to work, PingOne Advanced Identity Cloud must trust the certificate authority (CA) that signed each client's certificate. You do this by storing the trusted CA certificates as a secret and mapping that secret to the label AM looks up for TLS client certificate authentication:

1. Get the CA certificates in PEM format for all the clients using mutual TLS.

2. Concatenate the CA certificates into a single PEM format file.

3. [Create an ESV secret](https://docs.pingidentity.com/pingoneaic/tenants/esvs-manage-ui.html#create_secrets) named `esv-am-oauth2-ca-certs` whose value is the base64-encoded content of the trusted CA certificate PEM file.

4. In the Advanced Identity Cloud admin UI, click Native Consoles > Access Management to open the AM admin UI.

5. Go to Secret Stores > ESV > Mappings and click + Add Mapping.

6. Add the following settings and click Create:

   * Secret Label

     `am.services.oauth2.tls.client.cert.authentication`

   * Aliases

     `esv-am-oauth2-ca-certs`

You have successfully trusted the CA certificates for mutual TLS.
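Steps 1 to 3 above, as an added example that is not part of the original page or of Ping Identity's code: it collects the CERTIFICATE blocks from one PEM file per issuer, refuses anything that is not a certificate (a private key pasted into a trust bundle is easy to miss by eye), drops duplicates, and returns the base64-encoded bundle that becomes the value of `esv-am-oauth2-ca-certs`. The three "certificates" and the file names are constructed placeholders so the script runs offline; real bundles are built from the CA's published root and intermediate certificates.

```python
"""Build the value for the esv-am-oauth2-ca-certs secret from per-issuer CA
PEM files.

Added example, not Ping Identity code. The CA "certificates" below are
constructed placeholders (a DER SEQUENCE header plus filler) so the checks
run offline; the file names are assumptions.
"""
import base64
import re
import textwrap

# One PEM block: label and base64 body. re.S lets the body span lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)


def extract_certificates(pem_text: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in pem_text.

    Text outside PEM blocks (openssl 'Bag Attributes', comments) is ignored.
    Any other block type is an error: a private key must never end up in a
    trust bundle."""
    certs = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if label != "CERTIFICATE":
            raise ValueError(f"refusing non-certificate PEM block: {label}")
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):  # X.509 DER always starts with SEQUENCE
            raise ValueError("PEM body is not a DER SEQUENCE")
        certs.append(der)
    return certs


def to_pem(der: bytes) -> str:
    """Re-wrap DER as a canonical 64-column PEM block with a trailing newline."""
    lines = textwrap.wrap(base64.b64encode(der).decode("ascii"), 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def build_esv_value(ca_files: dict[str, str]) -> str:
    """Concatenate the unique CA certificates from all files into one PEM
    bundle and return it base64-encoded, which is what the ESV secret holds."""
    seen, bundle = set(), []
    for name, text in ca_files.items():
        certs = extract_certificates(text)
        if not certs:
            raise ValueError(f"{name}: no CERTIFICATE block found")
        for der in certs:
            if der not in seen:  # the same root often ships in several files
                seen.add(der)
                bundle.append(to_pem(der))
    return base64.b64encode("".join(bundle).encode("ascii")).decode("ascii")


def decode_esv_value(value: str) -> str:
    """Inverse of build_esv_value: the PEM bundle AM will actually load."""
    return base64.b64decode(value, validate=True).decode("ascii")


def _placeholder_cert(seed: bytes) -> str:
    """Constructed stand-in for a CA certificate: a DER SEQUENCE of 64 bytes
    of filler. Not a real certificate."""
    return to_pem(b"\x30\x82\x00\x40" + seed * 16)


# Constructed input: one file per issuer, with issuer B's root deliberately
# present twice and some openssl-style text outside the blocks.
SAMPLE_CA_FILES = {
    "issuer-a-root.pem": _placeholder_cert(b"\xa1\xa2\xa3\xa4"),
    "issuer-b-chain.pem": _placeholder_cert(b"\xb1\xb2\xb3\xb4")
    + _placeholder_cert(b"\xc1\xc2\xc3\xc4"),
    "issuer-b-root.pem": "Bag Attributes\n    friendlyName: issuer-b root\n"
    + _placeholder_cert(b"\xc1\xc2\xc3\xc4"),
}

if __name__ == "__main__":
    value = build_esv_value(SAMPLE_CA_FILES)
    print("esv-am-oauth2-ca-certs =", value)
    print(decode_esv_value(value))
```

Before storing the value, it is worth decoding it back and checking that a real client certificate chains to the bundle with `openssl verify -CAfile bundle.pem client.pem`; a bundle that is syntactically fine but missing an intermediate fails only at the first mutual TLS handshake.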

## OpenID provider

1. In the Advanced Identity Cloud admin UI, click Native Consoles > Access Management to open the AM admin UI.

2. Go to Services > OAuth2 Provider.

3. For each of the categories, update the following settings and click Save Changes before changing categories.

   Adapt `https://gateway.example.com:8443` in these settings for your deployment and accept the defaults for all settings not listed:

   | Category                    | Setting                                                      | Use                                                                                                                                                         |
   | --------------------------- | ------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | Core                        | Access Token Lifetime (seconds)                              | `360000`                                                                                                                                                    |
   | Advanced                    | Additional Audience Values                                   | `https://gateway.example.com:8443/am/oauth2/realms/root/realms/alpha/access_token` and `https://gateway.example.com:8443/am/oauth2/realms/root/realms/alpha/par` |
   |                             | Client Registration Scope Allowlist                          | Keep only `openid`.                                                                                                                                         |
   |                             | Default Client Scopes                                        | Remove the default settings and leave this empty.                                                                                                           |
   |                             | OAuth2 Token Signing Algorithm                               | `PS256`                                                                                                                                                     |
   |                             | Trusted TLS Client Certificate Header                        | `ssl-client-cert`                                                                                                                                           |
   |                             | Require exp claim in Request Object                          | Enable this setting.                                                                                                                                        |
   |                             | Require nbf claim in Request Object                          | Enable this setting.                                                                                                                                        |
   |                             | Max nbf and exp difference                                   | `60`                                                                                                                                                        |
   | Client Dynamic Registration | Require Software Statement for Dynamic Client Registration   | Enable this setting.                                                                                                                                        |
   |                             | Required Software Statement Attested Attributes              | Remove the default settings and leave this empty.                                                                                                           |
   | OpenID Connect              | ID Token Signing Algorithms supported                        | Keep only `PS256`.                                                                                                                                          |
   |                             | Supported Claims                                             | `acr`                                                                                                                                                       |
   | Advanced OpenID Connect     | Enable "claims\_parameter\_supported"                        | Enable this setting.                                                                                                                                        |
   |                             | Request Parameter Signing Algorithms Supported               | Keep only `PS256`.                                                                                                                                          |
   |                             | Supported Token Endpoint JWS Signing Algorithms              | Keep only `PS256`.                                                                                                                                          |
   |                             | UserInfo Signing Algorithms Supported                        | Set to `ES256` and `PS256`.                                                                                                                                 |
   |                             | Token Introspection Response Signing Algorithms Supported    | Keep only `PS256`.                                                                                                                                          |
   |                             | Authorization Response Signing Algorithms Supported          | Keep only `PS256`.                                                                                                                                          |
   | Consent                     | Allow Clients to Skip Consent                                | Disable this setting.                                                                                                                                       |
   |                             | Remote Consent Service Request Signing Algorithms Supported  | Keep only `PS256`.                                                                                                                                          |
   |                             | Remote Consent Service Response Signing Algorithms Supported | Keep only `PS256`.                                                                                                                                          |

Two of these values deserve a second look. The access token lifetime of `360000` seconds (100 hours) is a tutorial convenience; use a much shorter lifetime in production. Setting Trusted TLS Client Certificate Header to `ssl-client-cert` makes AM take the client certificate from that request header, so only the proxy that terminates the client's TLS connection (here, PingGateway) may set it: make sure a client-supplied `ssl-client-cert` header can never reach AM unchanged, or a client could present an arbitrary certificate.

You have successfully configured the OpenID provider services to support FAPI.
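A way to confirm that the provider now advertises what the table configures, added here as an example that is not part of the original page or of Ping Identity's code: it reads the OpenID Provider discovery document and reports every signing-algorithm list that offers something outside the FAPI allowlist, plus the claims parameter, the `acr` claim and the `tls_client_auth` method. The discovery JSON embedded below is constructed to mirror the table; for a real check, fetch `https://gateway.example.com:8443/am/oauth2/realms/root/realms/alpha/.well-known/openid-configuration` (assumed URL, adapt to your realm) and pass its body to `check_fapi_discovery_json()`. The keys `authorization_signing_alg_values_supported` and `introspection_signing_alg_values_supported` come from the JARM and JWT introspection response specifications; AM is assumed to publish them.

```python
"""Check an OpenID Provider discovery document against the FAPI settings
configured in the OAuth2 Provider service.

Added example, not Ping Identity code. SAMPLE_DISCOVERY is constructed for
this example; the discovery URL in the lead-in is an assumption.
"""
import json

# Discovery metadata keys that reflect the signing-algorithm settings in the
# table, each mapped to the algorithms the table allows for it.
ALG_ALLOWLIST = {
    "id_token_signing_alg_values_supported": {"PS256"},
    "request_object_signing_alg_values_supported": {"PS256"},
    "token_endpoint_auth_signing_alg_values_supported": {"PS256"},
    "userinfo_signing_alg_values_supported": {"ES256", "PS256"},
    "authorization_signing_alg_values_supported": {"PS256"},
    "introspection_signing_alg_values_supported": {"PS256"},
}

# Constructed sample of what a correctly configured provider advertises.
SAMPLE_DISCOVERY = """{
  "issuer": "https://gateway.example.com:8443/am/oauth2/realms/root/realms/alpha",
  "claims_parameter_supported": true,
  "claims_supported": ["acr", "sub"],
  "token_endpoint_auth_methods_supported": ["tls_client_auth", "private_key_jwt", "client_secret_basic"],
  "id_token_signing_alg_values_supported": ["PS256"],
  "request_object_signing_alg_values_supported": ["PS256"],
  "token_endpoint_auth_signing_alg_values_supported": ["PS256"],
  "userinfo_signing_alg_values_supported": ["ES256", "PS256"],
  "authorization_signing_alg_values_supported": ["PS256"],
  "introspection_signing_alg_values_supported": ["PS256"]
}"""


def check_fapi_discovery(doc: dict) -> list[str]:
    """Return a list of findings; an empty list means the document matches
    the FAPI settings configured above."""
    findings = []
    for key, allowed in ALG_ALLOWLIST.items():
        advertised = doc.get(key)
        if advertised is None:
            findings.append(f"{key}: not advertised")
            continue
        extra = sorted(set(advertised) - allowed)
        if extra:
            # 'none', RS256 or HS256 here would let a client negotiate a
            # weaker algorithm than the profile permits.
            findings.append(f"{key}: algorithms outside the FAPI allowlist: {extra}")
    if doc.get("claims_parameter_supported") is not True:
        findings.append("claims_parameter_supported: must be true")
    if "acr" not in doc.get("claims_supported", []):
        findings.append("claims_supported: acr missing")
    if "tls_client_auth" not in doc.get("token_endpoint_auth_methods_supported", []):
        findings.append("token_endpoint_auth_methods_supported: tls_client_auth not offered")
    return findings


def check_fapi_discovery_json(text: str) -> list[str]:
    """Parse a discovery document and check it."""
    return check_fapi_discovery(json.loads(text))


if __name__ == "__main__":
    for line in check_fapi_discovery_json(SAMPLE_DISCOVERY) or ["OK: matches the FAPI settings"]:
        print(line)
```

Run it against the live document after each Save Changes in the AM admin UI: a setting saved in the wrong category, or a category left unsaved, shows up as an extra algorithm or a missing key rather than as a failure later in a client's authorization flow.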

## Validation service

1. In the Advanced Identity Cloud admin UI, click Native Consoles > Access Management to open the AM admin UI.

2. Go to Services > Validation Service, add the following Valid goto URL Resources setting, and click Save Changes:

   `https://gateway.example.com:8443/am/*`\
   `https://gateway.example.com:8443/am/*?*`

You have successfully configured the validation service to support FAPI.

## Create an OAuth 2.0 client account

PingGateway uses this account to get access tokens to read API client information.

1. In the Advanced Identity Cloud admin UI, go to Applications > + Custom Application.

2. Select OIDC - OpenID Connect and click Next.

3. Select Service and click Next.

4. Use the hints in the following table to create the OAuth 2.0 client account:

   | Field                  | Description                                                                 | Example                                                                           |
   | ---------------------- | --------------------------------------------------------------------------- | --------------------------------------------------------------------------------- |
   | Name                   | A unique name for the OAuth 2.0 client account.                             | `gateway-oauth2-client`                                                           |
   | Owners                 | The application owner to contact about this OAuth 2.0 client account.       | `gateway-idm-user`                                                                |
   | Client Secret          | A strong password for PingGateway to connect as a resource server.          | `password` (base64-encoding: `cGFzc3dvcmQ=`)                                      |
   | Sign On > Sign-in URLs | The redirect endpoint.                                                      | `https://httpbin.org/anything`                                                    |
   | Sign On > Grant Types  | The OAuth 2.0 grant types PingGateway uses to connect as a resource server. | `Authorization Code`, `Client Credentials`, `Resource Owner Password Credentials` |
   | Sign On > Scopes       | The OAuth 2.0 scopes PingGateway requests when connecting as a resource server. | `dynamic_client_registration`, `trusted_gateway`                                  |

   In production deployments, use a secret store to manage the client secret.

5. Click Save.

You have successfully created the OAuth 2.0 client account for PingGateway.
