When receiving OAuth-protected API calls, PingAccess acts as an OAuth resource server, checking with the PingFederate OAuth authorization server on the validity of the bearer access token it receives from a client.
If you plan to use Mutual TLS, you must make two changes to the PingFederate configuration.
- Enable the use of the secondary HTTPS port in PingFederate by editing the <PF_HOME>/pingfederate/bin/run.properties file and setting the pf.secondary.https.port value to a port number. For more information, see the PingFederate documentation.
- Modify the openid-configuration.template.json file to add the mtls_endpoint_aliases object, with content defined by RFC 8705. For more information about this file, see the PingFederate documentation.
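The following check is an added example, not code from PingAccess or PingFederate. It reads pf.secondary.https.port from run.properties text and confirms that the mtls_endpoint_aliases object in the published discovery document holds HTTPS endpoint URLs on that port. The sample inputs, hostnames and port numbers are constructed; treating a non-positive port as disabled and expecting the aliases to use the secondary port are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample inputs (hostnames and ports are placeholders).
SAMPLE_RUN_PROPERTIES = "pf.https.port=9031\npf.secondary.https.port=9032\n"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://pf.example.com:9031",
    "token_endpoint": "https://pf.example.com:9031/as/token.oauth2",
    "mtls_endpoint_aliases": {
        "token_endpoint": "https://pf.example.com:9032/as/token.oauth2",
    },
})

def secondary_port(properties_text):
    """Return pf.secondary.https.port as an int, or None if unset or not positive."""
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "pf.secondary.https.port":
            try:
                port = int(value.strip())
            except ValueError:
                return None
            # Assumption: a non-positive value means the port is disabled.
            return port if port > 0 else None
    return None

def check_mtls_aliases(discovery_json, port):
    """Return a list of problems; an empty list means every check passed."""
    if port is None:
        return ["pf.secondary.https.port is not set to a usable port"]
    aliases = json.loads(discovery_json).get("mtls_endpoint_aliases")
    if not isinstance(aliases, dict) or not aliases:
        return ["mtls_endpoint_aliases is missing or is not a non-empty object"]
    problems = []
    for name, url in aliases.items():
        parts = urlsplit(url) if isinstance(url, str) else None
        if not name.endswith("_endpoint"):
            problems.append(f"{name}: not an endpoint parameter")
        if parts is None or parts.scheme != "https":
            problems.append(f"{name}: alias is not an https URL")
        elif parts.port != port:
            # Assumption: mTLS aliases are served on the secondary HTTPS port.
            problems.append(f"{name}: port {parts.port} is not secondary port {port}")
    return problems

if __name__ == "__main__":
    port = secondary_port(SAMPLE_RUN_PROPERTIES)
    print(check_mtls_aliases(SAMPLE_DISCOVERY, port) or "ok")
```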
To validate the bearer access token, a valid OAuth client must exist within the PingFederate OAuth authorization server.
Note:
This configuration is optional and needed only if you plan to validate PingFederate OAuth access tokens.