Configure an existing PingFederate environment as the token provider for PingAccess.
For information on configuring PingFederate as an OAuth authorization server, see Enabling the OAuth AS and Authorization Server Settings in the PingFederate documentation.
Before configuring a secure connection to the PingFederate runtime, export the PingFederate certificate and import it into a trusted certificate group in PingAccess:
Select the tab for your environment configuration to continue. If your PingFederate instance is proxied by the PingAccess engines, use the proxied runtime procedure. Otherwise, choose one of the standard runtime procedures.
The steps that display on the Standard Runtime tab in the PingAccess administrative console depend on what PingAccess version you're using:
- If you're using PingAccess 5.3 or later, some of the PingFederate configuration information is imported automatically from the PingFederate well-known endpoint. Use the standard runtime procedure.
- If you upgrade from PingAccess 5.2 or earlier and have an existing token provider configuration, you must provide the PingFederate configuration information manually. Use the original standard runtime procedure.

Tip: If you perform an upgrade from PingAccess 5.2 or earlier and want to see the updated version of the Token Provider page in the administrative console, configure the token provider using the /pingfederate/runtime API endpoint. For more information, see Administrative API Endpoints.

Important: Configuring PingFederate as a token provider using the /pingfederate/runtime endpoint overwrites the existing PingFederate configuration.

Configuring a standard PingFederate runtime
Configure a secure connection to the PingFederate runtime in PingAccess:
After you save the PingFederate runtime connection, PingAccess tests the connection to PingFederate. If the connection can't be made, a warning displays in the admin console, and the PingFederate runtime won't save.
After you save this configuration and perform the steps in Configuring OAuth resource servers, a PingFederate access validator is available for selection when you define OAuth-type rules in the policy manager.
After you configure the token provider, click View Metadata to display the metadata provided by the token provider. To update the metadata, click Refresh Metadata.
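
As an added example (not part of the PingAccess documentation), the following Python script checks token provider metadata, such as the View Metadata output saved as JSON, for an unexpected issuer, non-HTTPS endpoints, and endpoints served from a different origin than the issuer. It assumes the metadata uses the standard OAuth/OpenID Connect discovery field names; the sample document, its hostnames, and the check_metadata helper are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample metadata using standard OIDC discovery field names.
# The hostnames and values are illustrative, not output from a real server.
SAMPLE_METADATA = json.loads("""
{
  "issuer": "https://pf.example.com:9031",
  "authorization_endpoint": "https://pf.example.com:9031/as/authorization.oauth2",
  "token_endpoint": "https://pf.example.com:9031/as/token.oauth2",
  "introspection_endpoint": "https://pf.example.com:9031/as/introspect.oauth2",
  "jwks_uri": "http://pf.example.com:9031/pf/JWKS",
  "userinfo_endpoint": "https://idp.other.example/idp/userinfo.openid"
}
""")

def _origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return parts.scheme, (parts.hostname or "").lower(), port

def check_metadata(metadata, expected_issuer):
    """Return a list of findings to review; an empty list means none."""
    findings = []
    issuer = metadata.get("issuer")
    if issuer != expected_issuer:
        findings.append(f"issuer mismatch: got {issuer!r}")
    expected_origin = _origin(expected_issuer)
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in metadata:
            findings.append(f"{key}: missing")
    for key, value in sorted(metadata.items()):
        is_url_field = key.endswith("_endpoint") or key.endswith("_uri")
        if not is_url_field or not isinstance(value, str):
            continue
        scheme, host, port = _origin(value)
        if scheme != "https":
            findings.append(f"{key}: not HTTPS ({value})")
        elif (scheme, host, port) != expected_origin:
            findings.append(f"{key}: different origin ({host}:{port})")
    return findings
```

A different-origin finding is a prompt to confirm the endpoint is intentional, for example when PingFederate is reached through a proxy, rather than proof of a misconfiguration.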
Configuring a standard PingFederate runtime (original workflow)
If you've upgraded your PingAccess deployment from version 5.2 or earlier with an existing token provider configuration and haven't configured a token provider using the /pingfederate/runtime API endpoint, use this workflow to configure a PingFederate runtime.
After you save the PingFederate runtime connection, PingAccess tests the connection to PingFederate. If the connection can't be made, a warning displays in the admin console, and the PingFederate runtime won't save.
After you save this configuration and perform the steps in Configuring OAuth resource servers, a PingFederate access validator is available for selection when you define OAuth-type rules in the policy manager.
After you configure the token provider, click View Metadata to display the metadata provided by the token provider. To update the metadata, click Refresh Metadata.
Configuring a proxied PingFederate runtime
Configure a secure connection to the proxied PingFederate runtime in PingAccess:
After you save the PingFederate runtime connection, PingAccess tests the connection to PingFederate. If the connection can't be made, a warning displays in the admin console, and the PingFederate runtime won't save.
After you save this configuration and perform the steps in Configuring OAuth resource servers, a PingFederate access validator is available for selection when you define OAuth-type rules in the policy manager.
After you configure the token provider, click View Metadata to display the metadata provided by the token provider. To update the metadata, click Refresh Metadata.