Before configuring a secure connection to the PingFederate runtime, export the PingFederate certificate and import it into a trusted certificate group in PingAccess. Perform the following steps:

  1. In PingFederate, export the certificate active for the runtime server. See SSL Server Certificates in the PingFederate Administrator's Manual for more information.
  2. Import the certificate into PingAccess.
  3. Create a Trusted Certificate Group if one does not already exist.
  4. Add the certificate to a Trusted Certificate Group.

For information on configuring PingFederate as an OAuth authorization server, see Enabling the OAuth AS and Authorization Server Settings in the PingFederate documentation.

After you save the PingFederate runtime connection, PingAccess will test the connection to PingFederate. If the connection cannot be made, an error will display in the administrative interface, and the PingFederate runtime will not save.

The steps that display depend on your environment. In a new deployment, some of the PingFederate configuration information is imported automatically from the PingFederate well-known endpoint. If you upgrade from PingAccess 5.2 or earlier and have an existing token provider configuration, this information is provided manually. If you perform an upgrade and want to see the new version of this page, configure the token provider using the /pingfederate/runtime API endpoint. For more information, see Administrative API Endpoints.


Configuring PingFederate as a token provider using the /pingfederate/runtime overwrites the existing PingFederate configuration.

After you successfully configure the token provider, click View Metadata to display the metadata provided by the token provider. To update the metadata, click Refresh Metadata.

  1. Click Settings and then go to System > Token Provider > PingFederate > Runtime.
  2. Select Standard Token Provider.
  3. In the Issuer field, enter the PingFederate issuer name.
  4. Optional: In the Descriptions field, enter a description for the PingFederate instance.
  5. From the Trusted Certificate Group list, select the certificate group the PingFederate certificate is in.

    This list is available only if you select Secure.

  6. To configure advanced settings, click Show Advanced.
    1. If hostname verification for secure connections is not required for either the runtime or the back channel servers, select the Skip Hostname Verification check box.
    2. To use a configured proxy for back channel requests, select the Use Proxy check box.

      If the node is not configured with a proxy, requests are made directly to PingFederate.

      See Adding proxies for more information about creating proxies.
    3. Select Use Single-Logout to enable single logout (SLO) when the /pa/oidc/logout/ endpoint is accessed to clear the cookie containing the PingAccess token.

      If you select this option, PingAccess sends a sign off request to PingFederate, which completes a full SLO flow.

      To use this feature, SLO must be configured on the OpenID Connect (OIDC) provider.

    4. Enter the STS Token Exchange Endpoint to be used for token mediation if it is different from the default value of /pf/sts.wst.
  7. Click Save.
    Note: Saving a new PingFederate runtime configuration overwrites any existing PingFederate runtime configuration.

After you save this configuration and Configuring OAuth resource servers, a PingFederate access validator is available for selection when you define OAuth-type rules in Policy Manager.<issuer>