A web session specifies the details of how user information is stored.
For more information about this procedure, including optional steps that aren't included here, see Creating web sessions.
- Click Access and then go to Web Sessions > Web Sessions.
- Click + Add Web Session.
- In the Name field, enter a unique name for the web session, up to 64 characters, including special characters and spaces.
- In the Cookie Type list, select Encrypted JWT.
- In the Audience field, enter the audience that the PingAccess token is applicable to, represented as a short, unique identifier between 1 and 32 characters.
  Note: PingAccess rejects requests that contain a PingAccess token with an audience that differs from what is configured in the web session associated with the target application.
- In the OpenID Connect Login Type list, select Code.
  Note: The Code login type is recommended for maximum security and standards interoperability, but other options are available. For information on the available profiles, see OpenID Connect login types.
- In the Client ID field, enter the unique identifier (client ID) that was assigned when you created the OAuth Relying Party client within the token provider.
  For more information, see Configuring a Client in the PingFederate documentation.
- In the Client Credentials Type list, select a client credentials type.
  Selecting a client credentials type is required when configuring the Code login type.
  - Secret
  - Mutual TLS
  - Private Key JWT
  Note: The OAuth client you use with PingAccess web sessions must have an OpenID Connect policy specified.
  For more information, see Configuring OpenID Connect Policies.
- Provide the information required for the selected credential type.
  - Secret – Enter the Client Secret assigned when you created the OAuth relying party client in the token provider.
  - Mutual TLS – Select a configured Key Pair to use for Mutual TLS client authentication.
  - Private Key JWT – No additional information is required.
- In the Idle Timeout field, specify the amount of time, in minutes, that the PingAccess token remains active when no user activity is detected.
  The default is 60 minutes.
  Note: If there is an existing valid PingFederate session for the user, an idle timeout of the PingAccess session might result in its re-establishment without forcing the user to sign on again.
- In the Max Timeout field, specify the amount of time, in minutes, that the PingAccess token remains active before expiring.
  The default is 240 minutes.
- Click Save.
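
How the Audience, Idle Timeout, and Max Timeout settings from this procedure interact when a token is checked, as an added example that is not part of the original documentation and is not PingAccess code. It is a simplified model: the claim names (`aud`, `issued_at`, `last_activity`), the order of the checks, and the sample values are assumptions.

```python
from dataclasses import dataclass


@dataclass
class WebSession:
    """Model of the three settings from the procedure (not a PingAccess API)."""
    audience: str                 # Audience field: 1 to 32 characters
    idle_timeout_min: int = 60    # Idle Timeout default stated in the procedure
    max_timeout_min: int = 240    # Max Timeout default stated in the procedure

    def __post_init__(self):
        if not 1 <= len(self.audience) <= 32:
            raise ValueError("audience must be between 1 and 32 characters")


def evaluate(session, claims, now):
    """Return 'accept' or the reason a token is refused.

    claims is a constructed dict with assumed keys 'aud', 'issued_at' and
    'last_activity' (epoch seconds); real token claims may differ.
    """
    # A token minted for one application must not be honoured by another.
    if claims.get("aud") != session.audience:
        return "reject: audience mismatch"
    # Max Timeout caps the session lifetime no matter how active the user is.
    if now - claims["issued_at"] >= session.max_timeout_min * 60:
        return "expired: max timeout"
    # Idle Timeout is measured from the last observed activity.
    if now - claims["last_activity"] >= session.idle_timeout_min * 60:
        return "expired: idle timeout"
    return "accept"


def demo():
    """Run four constructed cases against the default timeouts."""
    t0 = 1_700_000_000  # constructed sign-on time
    hr = WebSession(audience="hr-app")
    token = {"aud": "hr-app", "issued_at": t0, "last_activity": t0}
    busy = {**token, "last_activity": t0 + 235 * 60}
    return {
        "fresh": evaluate(hr, token, t0 + 10 * 60),
        "idle": evaluate(hr, token, t0 + 61 * 60),
        "active_past_max": evaluate(hr, busy, t0 + 241 * 60),
        "other_app": evaluate(WebSession(audience="finance"), token, t0 + 60),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The `active_past_max` case shows why Max Timeout is set separately from Idle Timeout: continuous activity keeps the idle check passing, so only the maximum lifetime bounds how long a token stays usable.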