Configure authentication for the administrative API in PingAccess.
For more information on the PingAccess Administrative API, see Administrative API Endpoints.
You can configure roles for Administrative API users. Each role grants access to specific features.
- The Administrator role has full read and write access to the Admin API, unless
the Platform Administrator role is enabled. If the Platform Administrator role
is enabled, the Administrator only has read access to the Admin API endpoints
/environmentpaths, and has both read and write access to all other endpoints.
- The Platform Administrator role has full read and write access to the Admin API. This role can be used with the Administrator role to grant full access to most features without the possibility of accidental lockout, with only the Platform Administrator able to change authorization configurations.
- The Auditor role has read access to all Admin API endpoints except for the
- Click Settings and then go to .
- Go to .
- To enable API OAuth authentication, select OAuth.
- Click the Properties tab.
From the Access Token Validator Type list, select a
local access token validator to use instead of remote token validation for Admin
If you select a local access token validator, the OAuth configuration does not require client credentials or a subject attribute name.
Enter the Client ID assigned to you when you created the
OAuth client for validating OAuth access tokens.
For more information about configuring a client ID in PingFederate, see Configuring a Client.
Select a Client Credentials Type, then enter the
information for the selected credential type.
- Secret – Enter the Client Secret you were assigned when you created the PingAccess OAuth client in the token provider.
- Mutual TLS – Select a configured Key Pair to use for Mutual TLS client authentication.
- Private Key JWT – Select this option to use Private Key JSON web token (JWT). No additional information is required.
Enter the Subject Attribute Name you want to use from
the OAuth access token as the subject for auditing purposes.
At runtime, the attribute's value is used as the
Subjectfield in audit log entries for the admin API.
- Select the Scope required to successfully access the API. For more information about defining scopes in PingFederate, see Authorization Server Settings.
If you want to enable role-based authorization, perform
the following steps:
- Click the Roles tab.
- To enable role-based authentication, select Enable Roles.
In the Administrator section, click
Add Required Attribute as many times as you
For a role to be granted, all configured attribute values must match.
Enter an Attribute Name and Attribute
Value for each required attribute.
If you are using PingFederate as a token provider, the attribute name is defined in PingFederate under as an extension to the contract. The value you use depends on the configuration of the Contract Fulfillment tab for the policy.The attribute named
groupin your attribute contract can be mapped to an LDAP server attribute source that contains a
groupMembershipattribute. A valid group membership for the administrator might be the group
cn=pingaccess-admins,o=myorg. In this example, you should use
groupas the Attribute Name and
cn=pingaccess-admins,o=myorgas the Attribute Value.
- Optional: If you want to add platform administrators, select Enable Platform Administrator Role, then enter an Attribute Name and Attribute Value for each required attribute. Click Add Required Attribute to add a new attribute.
- Optional: If you want to add auditors, select Enable Auditor Role, then enter an Attribute Name and Attribute Value for each required attribute. Click Add Required Attribute to add a new attribute.
- To activate API authentication, click Save.