Before configuring a secure connection to the PingFederate runtime, export the PingFederate certificate and import it into a trusted certificate group in PingAccess. Perform the following steps:

  1. In PingFederate, export the certificate active for the runtime server. For more information, see SSL Server Certificates in the PingFederate documentation.
  2. Import the certificate into PingAccess.
  3. Create a Trusted Certificate Group if one does not already exist.
  4. Add the certificate to a Trusted Certificate Group.

For information on configuring PingFederate as an OAuth authorization server, see Enabling the OAuth AS and Authorization Server Settings in the PingFederate documentation.

After you save the PingFederate runtime connection, PingAccess will test the connection to PingFederate. If the connection cannot be made, an error will display in the administrative interface, and the PingFederate runtime will not save.

After you successfully configure the token provider, click View Metadata to display the metadata provided by the token provider. To update the metadata, click Refresh Metadata.

  1. Click Settings and then go to System > Token Provider > PingFederate > Runtime.
  2. Click Proxied Token Provider (PingFederate Runtime Application).
  3. In the Primary Virtual Host field, enter the virtual host to use for the PingFederate application.

    This virtual host is used by default for front channel redirects to the PingFederate token provider when an application-specific OpenID Connect Issuer is not defined.

    1. If you have not created the virtual host, click + Create. For more information, see Creating new virtual hosts.
  4. Optional: In the Additional Virtual Hosts field, enter one or more virtual hosts that can be used for the PingFederate application.
    1. If you have not created the virtual hosts, click + Create. For more information, see Creating new virtual hosts.
  5. In the Targets field, enter a hostname:port pair used to access the PingFederate runtime servers.
    Click + Add Target to add additional Targets fields.
  6. Optional: In the Secure section, click Yes if the PingFederate runtime expects HTTPS connections.
  7. Optional: To configure advanced settings, click Show Advanced.
    Context Root

    Enter the first part of the URL path for the PingFederate application and its resources.

    The context root must begin with a slash. It can contain additional slashes, but cannot end with one. It must match the path defined by the base URL in PingFederate.

    Case Sensitive Select to make the context root and resource path matching case sensitive.
    Client Certificate Header Name

    In this section, click + Add Client Certificate Header Name and enter one or more header names to which client certificates found in the request should be mapped.

    The position of the header name in the list correlates to the index in the client certificate chain, with the first header mapped to the leaf certificate.


    In this section, add one or more rules, rule sets, or rule set groups to be run when making requests to the PingFederate runtime. Click Rules, Rule Sets, or Rule Set Groups, then drag one or more rules, rule sets, or rule set groups from the Available column to the Selected Policy column.

    The valid rule types are Groovy script, cross-origin request, and rewrite rules.

    Create new rules, rule sets, or rule set groups by clicking + Create Rule, + Create Rule Set, or + Create Rule Set Group. For more information, see Rule Management, Adding rule sets, and Adding rule set groups.

    Load Balancing Strategy

    From this list, select a load balancing strategy to use for requests to the PingFederate runtime.

    Expected Certificate Hostname

    Enter the host name expected in the certificate.

    If this field is not specified, the certificates are verified using the target host names.

    Skip Hostname Verification

    Click to stop the back channel servers from performing host name verification of the certificate.

    Use Proxy Click to make back channel requests to PingFederate use the proxy configured on the PingAccess nodes.
    Use Single-Logout Click to enable single logout if it is configured for the OIDC provider.
  8. Click Save.

    Saving a new PingFederate runtime configuration overwrites any existing PingFederate runtime configuration.

After you save this configuration and perform the steps in Configuring OAuth resource servers, a PingFederate access validator is available for selection when you define OAuth-type rules in Policy Manager.