PingID Administration Guide

Configuring access token management

The OpenID Connect (OIDC) response needs to include an access token.

About this task

To create an access token:

  • Configure an access token management instance.

  • Create the relevant access token mappings.

Steps

  1. In PingFederate, create an Access Token Management Instance:

    Choose from:

    • PingFederate 10.1 or later: Go to Applications → OAuth and then click Access Token Management

    • PingFederate 10 or earlier: On the OAuth Server tab, in the Token Mapping section, click Access Token Management

  2. Click Create New Instance and then on the Type tab, enter the following information, and then click Next:

    • Instance Name: The name you want to use to identify the Access Token Management instance.

    • Instance ID: The Access Token Management ID. This ID is for internal use and cannot contain spaces or non-alphanumeric characters.

    • Type: From the Type list, select JSON Web Tokens.

  3. On the Instance Configuration tab, do the following:

    1. Click Add a new row to 'Symmetric Keys' and, in the new row, enter the following information, and then click Update:

      • Key ID: Enter a unique identifier for the key.

      • Key: Enter the encoded symmetric key. You can find this in the use_base64_key attribute in the PingID Properties file that you used to create the PingID Adapter instance earlier.

      • Encoding: From the Encoding list, select Base64[url].

    2. In the JWS Algorithm field, select HMAC using SHA-256 as the signing algorithm you want to use to protect the integrity of the token.

    3. In the Active Symmetric Key ID field, select the new symmetric key that you created, and then click Next.

  4. On the Session Validation tab, click Next.

  5. On the Access Token Attribute Contract tab:

    1. In the Extend the Contract field, add the following attributes and then click Add:

      • subject

      • winlogin.auth.response

    2. From the Subject Attribute Name list, select subject, and then click Next.

  6. On the Resource URIs tab, click Next.

  7. On the Access Control tab, click Next.

  8. On the Summary tab, click Save.

  9. Go to the Access Token Mappings window:

    1. Do the following:

      • PingFederate 10.1 or later: Go to Applications → OAuth and then click Access Token Mappings.

      • PingFederate 10 or earlier: On the OAuth Server tab, in the Token Mapping section, click Access Token Mappings.

    2. From the Context list, select the Windows login authentication policy contract that you created earlier.

    3. From the Access Token Manager list, select the access token manager instance that you created earlier, and click Add Mapping.

    4. On the Attribute Sources & User Lookup tab, click Next.

    5. On the Contract Fulfillment tab, do the following and then click Next:

      • In the subject row: In the Source field, select Authentication Policy Contract, and in the Value field, select subject.

      • In the winlogin.auth.response row: In the Source field, select Authentication Policy Contract, and in the Value field, select winlogin.auth.response.

    6. On the Issuance Criteria tab, click Next.

    7. On the Summary tab, click Save.

      Result:

      The Access Token Mappings are saved.
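To make concrete what the instance configured above produces, the following is an added example (not PingID's or PingFederate's own code) that mints and validates an HS256 JWT carrying the two contract attributes, subject and winlogin.auth.response, signed with a Base64[url]-encoded symmetric key. The key value is a constructed placeholder standing in for the use_base64_key value; the key ID "pingid-key-1", the 300-second lifetime, the iat/exp claims and the literal claim name "subject" are assumptions, since PingFederate's exact claim layout is not shown on this page.

```python
"""Mint and verify an HS256 JWT shaped like the access token the Access Token
Management instance above is configured to issue. Added illustration using only
the standard library; not PingID's or PingFederate's implementation."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample key (32 bytes). In a real deployment the key bytes come from
# the use_base64_key attribute of the PingID properties file, pasted into the Key
# field with Encoding = Base64[url].
_DEMO_KEY_BYTES = b"constructed-32-byte-demo-key!!!!"
SAMPLE_BASE64URL_KEY = base64.urlsafe_b64encode(_DEMO_KEY_BYTES).rstrip(b"=").decode()

# Claim name matching the attribute added to the Access Token Attribute Contract.
WINLOGIN_CLAIM = "winlogin.auth.response"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; also accepts padded input such as a Base64[url] key."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_access_token(key_b64url: str, subject: str, winlogin_response: str,
                      key_id: str = "pingid-key-1", ttl_seconds: int = 300,
                      now: Optional[int] = None) -> str:
    """Build an HS256 JWT carrying subject and winlogin.auth.response, the two
    attributes the Contract Fulfillment step maps from the policy contract.
    key_id, ttl_seconds and the iat/exp claims are assumptions for illustration."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": key_id}
    claims = {"subject": subject, WINLOGIN_CLAIM: winlogin_response,
              "iat": now, "exp": now + ttl_seconds}
    signing_input = _segment(header) + "." + _segment(claims)
    sig = hmac.new(b64url_decode(key_b64url), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_access_token(token: str, key_b64url: str, now: Optional[int] = None) -> dict:
    """Check algorithm, signature, expiry and required claims; return the claims
    or raise ValueError describing the first failed check."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm to what the instance was configured with (HMAC using SHA-256).
    # Honouring header["alg"] blindly would let "none" or another algorithm bypass the check.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r; only HS256 is accepted" % header.get("alg"))
    expected = hmac.new(b64url_decode(key_b64url),
                        (header_b64 + "." + claims_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not match the configured symmetric key")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    for required in ("subject", WINLOGIN_CLAIM):
        if required not in claims:
            raise ValueError("missing contract attribute %r" % required)
    return claims


def is_valid_access_token(token: str, key_b64url: str, now: Optional[int] = None) -> bool:
    """Boolean wrapper around verify_access_token for callers that only need accept/reject."""
    try:
        verify_access_token(token, key_b64url, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    issued_at = 1_700_000_000
    tok = mint_access_token(SAMPLE_BASE64URL_KEY, "jdoe", "OK", now=issued_at)
    print(tok)
    print(verify_access_token(tok, SAMPLE_BASE64URL_KEY, now=issued_at))
```

Two details of the verifier are the ones worth carrying into any real consumer of these tokens: the accepted algorithm is fixed to the value chosen in the JWS Algorithm field rather than read from the token header, and the signature comparison is constant-time. If the Encoding selection in the Symmetric Keys row does not match how the key string is actually encoded, the bytes PingFederate signs with differ from the bytes the consumer decodes, and every token fails the signature check; that is the first thing to verify when tokens are rejected after this configuration.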