Configuring access token management
The OpenID Connect (OIDC) response needs to include an access token.
About this task
To create an access token:
- Configure an access token management instance.
- Create the relevant access token mappings.

Steps
- In PingFederate, create an Access Token Management instance. Choose from:
  - PingFederate 10.1 or later: Go to Applications → OAuth and then click Access Token Management.
  - PingFederate 10 or earlier: On the OAuth Server tab, in the Token Mapping section, click Access Token Management.
- Click Create New Instance. On the Type tab, enter the following information, and then click Next:
  - Instance Name: The name you want to use to identify the Access Token Management instance.
  - Instance ID: The Access Token Management ID. This ID is for internal use and cannot contain spaces or non-alphanumeric characters.
  - Type: From the Type list, select JSON Web Tokens.
- On the Instance Configuration tab, do the following:
  - Click Add a new row to 'Symmetric Keys'. In the new row, enter the following information, and then click Update:
    - Key ID: Enter a unique identifier for the key.
    - Key: Enter the encoded symmetric key. You can find this in the use_base64_key attribute in the PingID Properties file that you used to create the PingID Adapter instance earlier.
    - Encoding: From the Encoding list, select Base64[url].
  - In the JWS Algorithm field, select HMAC using SHA-256 as the signing algorithm you want to use to protect the integrity of the token.
  - In the Active Symmetric Key ID field, select the new symmetric key that you created, and then click Next.
- On the Session Validation tab, click Next.
- On the Access Token Attribute Contract tab:
  - In the Extend the Contract field, add the following attributes and then click Add:
    - subject
    - winlogin.auth.response
  - From the Subject Attribute Name list, select subject, and then click Next.
- On the Resource URIs tab, click Next.
- On the Access Control tab, click Next.
- On the Summary tab, click Save.
- Go to the Access Token Mappings window:
  - PingFederate 10.1 or later: Go to Applications → OAuth and then click Access Token Mappings.
  - PingFederate 10 or earlier: On the OAuth Server tab, in the Token Mapping section, click Access Token Mappings.
- From the Context list, select the Windows login authentication policy contract that you created earlier.
- From the Access Token Manager list, select the access token manager instance that you created earlier, and click Add Mapping.
- On the Attribute Sources & User Lookup tab, click Next.
- On the Contract Fulfillment tab, do the following and then click Next:
  - In the subject row: In the Source field, select Authentication Policy Contract, and in the Value field, select subject.
  - In the winlogin.auth.response row: In the Source field, select Authentication Policy Contract, and in the Value field, select winlogin.auth.response.
- On the Issuance Criteria tab, click Next.
- On the Summary tab, click Save.

Result:
The Access Token Mappings are saved.
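The procedure above produces a JWS access token signed with HMAC-SHA256 under the Base64[url]-encoded key from use_base64_key and carrying the subject and winlogin.auth.response contract attributes. The following added example (not PingFederate or PingID code) shows how a resource server that shares that key would verify such a token: it pins the algorithm to HS256, looks the key up by the Key ID, checks the MAC in constant time, and rejects tokens missing either contract attribute. It assumes the token header names the key in a kid member and that the attributes appear as top-level JSON claims; the key value is a constructed sample.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample standing in for the use_base64_key value in the PingID
# properties file (not a real key); Key ID -> Base64[url]-encoded key.
SAMPLE_KEY_ID = "pingid-key-1"
SAMPLE_KEY_B64URL = base64.urlsafe_b64encode(b"\x01" * 32).decode()
SYMMETRIC_KEYS = {SAMPLE_KEY_ID: SAMPLE_KEY_B64URL}
REQUIRED_CLAIMS = ("subject", "winlogin.auth.response")  # the contract above

def b64url_decode(text):
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims, kid, key_b64url):
    """Mint a token the way the ATM instance above would (HS256, kid header; assumed layout)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    key = b64url_decode(key_b64url)
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"

def verify_hs256(token, keys):
    """Return the claims of a token signed by a known Key ID, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm so the token cannot select 'none' or another alg.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key_b64url = keys.get(header.get("kid"))
    if key_b64url is None:
        raise ValueError("unknown kid")
    key = b64url_decode(key_b64url)
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    missing = [name for name in REQUIRED_CLAIMS if name not in claims]
    if missing:
        raise ValueError(f"missing claims: {missing}")
    return claims
```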