Configure a secure connection to the PingFederate runtime in PingAccess.
Before configuring a secure connection to the PingFederate runtime, export the PingFederate certificate and import it into a trusted certificate group in PingAccess. Perform the following steps:
- In PingFederate, export the certificate active for the runtime server. See SSL Server Certificates in the PingFederate Administrator's Manual for more information.
- Import the certificate into PingAccess.
- Create a Trusted Certificate Group if one does not already exist.
- Add the certificate to a Trusted Certificate Group.
After you save the PingFederate runtime connection, PingAccess tests the connection to PingFederate. If the connection cannot be made, an error is displayed in the administrative interface, and the PingFederate runtime configuration is not saved.
The steps that display depend on your environment. In a new deployment, some of the PingFederate configuration information is imported automatically from the PingFederate well-known endpoint. If you upgrade from PingAccess 5.2 or earlier and have an existing token provider configuration, this information is provided manually. If you perform an upgrade and want to see the new version of this page, configure the token provider using the endpoint. For more information, see Administrative API Endpoints.
Configuring PingFederate as a token provider using the /pingfederate/runtime overwrites the existing PingFederate
After you successfully configure the token provider, click View Metadata to display the metadata provided by the token provider. To update the metadata, click Refresh Metadata.
- Click Settings and then go to .
- Select Standard Token Provider.
- In the Issuer field, enter the PingFederate issuer name.
- Optional: In the Descriptions field, enter a description for the PingFederate instance.
- From the Trusted Certificate Group list, select the certificate group the PingFederate certificate is in. This list is available only if you select Secure.
- To configure advanced settings, click Show
- If hostname verification for secure connections is not required for either the runtime or the back channel servers, select the Skip Hostname Verification check box.
- To use a configured proxy for back channel requests, select the Use Proxy check box. If the node is not configured with a proxy, requests are made directly to PingFederate. See Adding proxies for more information about creating proxies.
- Select Use Single-Logout to enable single logout (SLO) when the /pa/oidc/logout/ endpoint is accessed to clear the cookie containing the PingAccess token. If you select this option, PingAccess sends a sign-off request to PingFederate, which completes a full SLO flow. To use this feature, SLO must be configured on the OpenID Connect (OIDC) provider.
- Enter the STS Token Exchange Endpoint to be used for token mediation if it is different from the default value of
Note: Saving a new PingFederate runtime configuration overwrites any existing PingFederate runtime configuration.
After you save this configuration and configure OAuth resource servers (see Configuring OAuth resource servers), a PingFederate access validator is available for selection when you define OAuth-type rules in Policy Manager.
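Before saving, the values entered above can be sanity-checked against the metadata the PingFederate well-known endpoint publishes: the Issuer must match, every published endpoint should be HTTPS on the issuer's host, and Use Single-Logout only makes sense if the provider advertises a logout endpoint. This is an added example, not PingAccess's own code; the metadata document and the check function are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample of an OIDC well-known document as PingFederate would
# publish it at /.well-known/openid-configuration (hostname and paths are
# hypothetical, chosen for this example only).
SAMPLE_METADATA = json.dumps({
    "issuer": "https://pf.example.com:9031",
    "authorization_endpoint": "https://pf.example.com:9031/as/authorization.oauth2",
    "token_endpoint": "https://pf.example.com:9031/as/token.oauth2",
    "end_session_endpoint": "https://pf.example.com:9031/idp/startSLO.ping",
    "jwks_uri": "https://pf.example.com:9031/pf/JWKS",
})


def check_token_provider(configured_issuer, metadata_json,
                         use_slo=False, skip_hostname_verification=False):
    """Compare the token-provider settings with the provider's metadata.

    Returns a list of findings; an empty list means the settings are
    consistent with what the provider publishes.
    """
    meta = json.loads(metadata_json)
    findings = []

    # The Issuer field must match the 'issuer' claim exactly; otherwise
    # tokens minted by PingFederate will fail issuer validation.
    issuer = meta.get("issuer")
    if issuer != configured_issuer:
        findings.append(f"issuer mismatch: configured {configured_issuer!r}, "
                        f"metadata {issuer!r}")

    # Every endpoint the runtime will call should be HTTPS and live on the
    # issuer's host, so the trusted certificate group actually applies.
    issuer_host = urlparse(configured_issuer).hostname
    for key, value in meta.items():
        if not key.endswith(("_endpoint", "_uri")):
            continue
        url = urlparse(value)
        if url.scheme != "https":
            findings.append(f"{key} is not https: {value}")
        if url.hostname != issuer_host:
            findings.append(f"{key} host {url.hostname!r} differs from "
                            f"issuer host {issuer_host!r}")

    # SLO can only complete if the provider exposes a logout endpoint.
    if use_slo and "end_session_endpoint" not in meta:
        findings.append("Use Single-Logout selected but the provider "
                        "publishes no end_session_endpoint")

    # Skipping hostname verification removes the check that the certificate
    # belongs to the host being contacted; flag it so it is a deliberate choice.
    if skip_hostname_verification:
        findings.append("Skip Hostname Verification is set: the certificate "
                        "name is not checked against the runtime host")
    return findings
```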