If your PingAccess deployment is upgraded from version 5.2 or earlier with an existing token provider configuration, and you have not configured a token provider using the /pingfederate/runtime API endpoint, use this workflow to configure a
Before configuring a secure connection to the PingFederate runtime, export the PingFederate certificate and import it into a trusted certificate group in PingAccess. Perform the following steps:
- In PingFederate, export the certificate active for the Runtime Server. For more information, see SSL Server Certificates in the PingFederate Administrator's Manual.
- Import the certificate into PingAccess.
- Create a Trusted Certificate Group if one does not already exist.
- Add the certificate to a Trusted Certificate Group.
For information on setting up PingFederate as an OAuth authorization server, see Enabling the OAuth AS and Authorization Server Settings.
- Click Settings and then go to .
- Select Standard Token Provider.
- In the Host field, enter the host name or IP address of the PingFederate runtime.
- In the Port field, enter the PingFederate runtime port number.
- Optional: In the Base Path field, enter the base path, if needed, for the PingFederate runtime. The base path must start with a slash, such as /federation.
- Select the Audit Level check box to log information about the transaction to the audit store.
PingAccess audit logs record a selected subset of transaction log information at runtime and are located in the /logs directory of your PingAccess installation.
- Select the Secure check box if PingFederate is expecting HTTPS connections.
- From the Trusted Certificate Group list, select the certificate group the PingFederate certificate is in. This field is available only if you select Secure in the previous step.
- To configure advanced settings, click Show
- Click Add Back Channel Server.
- In the Back Channel Servers list, enter one or more <hostname:port> pairs.
- If the back channel uses HTTPS, enable the Back Channel
This option becomes available when at least one back channel server is defined.
- If the back channel uses an alternate base path, enter the path in the Back Channel Base Path field.
- If hostname verification for secure connections is not required for either the Runtime or the Back Channel Servers, enable the Skip Hostname Verification option.
- If hostname verification is required, enter the host name PingAccess should expect in the Expected Hostname field.
- To use a configured proxy for back channel requests, select the Use Proxy check box.
Note: If the node is not configured with a proxy, requests are made directly to PingFederate. See Adding proxies for more information about creating proxies.
- Select Use Single-Logout to enable single logout. To use this feature, SLO must be configured on the OpenID Connect (OIDC) provider.
After you save this configuration and configure OAuth resource servers (see Configuring OAuth resource servers), a PingFederate access validator is available for selection when you define OAuth-type rules in Policy Manager.
After you save the PingFederate runtime connection, PingAccess tests the connection to PingFederate. If the connection cannot be made, a warning is displayed in the admin interface, and the PingFederate runtime configuration is not saved.
After you configure the token provider, click View Metadata to display the metadata provided by the token provider. To update the metadata, click Refresh Metadata.
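The settings above fit together in ways that are easy to get wrong (a base path without a leading slash, a malformed host:port pair, Secure without a trusted certificate group, or Skip Hostname Verification combined with an Expected Hostname). The following is an added example, not PingAccess or PingFederate code: a small pre-save validator whose field names mirror the workflow's settings, plus a function showing what Secure and Skip Hostname Verification mean at the TLS layer, assuming the usual mapping (the server certificate is always checked against the trusted group; skipping hostname verification only drops the name check). Validation rules beyond what the page states, the dataclass, and the sample host names are assumptions.

```python
"""Pre-save checks for a token provider configuration (added example).

Field names mirror the PingAccess settings in the workflow; the validation
rules not stated on the page and the TLS mapping are assumptions.
"""
import ipaddress
import ssl
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class TokenProviderSettings:
    host: str
    port: int
    base_path: str = ""
    secure: bool = False
    trusted_certificate_group: Optional[str] = None
    back_channel_servers: List[str] = field(default_factory=list)
    back_channel_secure: bool = False
    back_channel_base_path: str = ""
    skip_hostname_verification: bool = False
    expected_hostname: Optional[str] = None


def parse_host_port(pair: str) -> Tuple[str, int]:
    """Parse one '<hostname:port>' entry; IPv6 literals must be bracketed."""
    pair = pair.strip()
    if pair.startswith("["):
        host, sep, port = pair[1:].partition("]:")
        if not sep:
            raise ValueError(f"malformed IPv6 entry: {pair!r}")
        ipaddress.IPv6Address(host)  # raises ValueError on a bad literal
    else:
        host, sep, port = pair.rpartition(":")
        if not sep or not host:
            raise ValueError(f"expected host:port, got {pair!r}")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range in {pair!r}")
    return host, int(port)


def validate(settings: TokenProviderSettings) -> List[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems: List[str] = []
    if not settings.host:
        problems.append("Host is required")
    if not 1 <= settings.port <= 65535:
        problems.append("Port must be between 1 and 65535")
    for label, path in (("Base Path", settings.base_path),
                        ("Back Channel Base Path", settings.back_channel_base_path)):
        if path and not path.startswith("/"):
            problems.append(f"{label} must start with a slash, such as /federation")
    if settings.secure and not settings.trusted_certificate_group:
        problems.append("Secure requires a Trusted Certificate Group "
                        "containing the PingFederate certificate")
    for entry in settings.back_channel_servers:
        try:
            parse_host_port(entry)
        except ValueError as exc:
            problems.append(f"Back Channel Servers: {exc}")
    if settings.back_channel_secure and not settings.back_channel_servers:
        problems.append("Back Channel Secure needs at least one back channel server")
    if settings.skip_hostname_verification and settings.expected_hostname:
        problems.append("Expected Hostname has no effect while "
                        "Skip Hostname Verification is enabled")
    return problems


def tls_context(settings: TokenProviderSettings,
                ca_pem_path: Optional[str] = None) -> ssl.SSLContext:
    """Client TLS context the settings imply (assumed mapping).

    The certificate chain is always verified (CERT_REQUIRED, against the
    trusted group's PEM file when one is given). Skip Hostname Verification
    only disables the name check, which is what stops a valid certificate
    issued to a different host from being accepted.
    """
    ctx = ssl.create_default_context()
    if ca_pem_path:
        ctx.load_verify_locations(ca_pem_path)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = not settings.skip_hostname_verification
    return ctx


def name_to_verify(settings: TokenProviderSettings) -> Optional[str]:
    """Server name to pass as server_hostname (SNI and name check) when connecting."""
    if settings.skip_hostname_verification:
        return None
    return settings.expected_hostname or settings.host


if __name__ == "__main__":
    # Constructed sample: a secure runtime with two back channel servers.
    sample = TokenProviderSettings(
        host="pf.example.test", port=9031, base_path="/federation", secure=True,
        trusted_certificate_group="PingFederate Runtime",
        back_channel_servers=["pf-bc1.example.test:9031", "[2001:db8::1]:9031"],
        back_channel_secure=True, expected_hostname="pf.example.test")
    print("problems:", validate(sample) or "none")
    print("verify name:", name_to_verify(sample))
```

Run `validate()` on the settings you are about to enter; an empty list means the form should save, and `tls_context()` shows why leaving Skip Hostname Verification disabled is the safer default whenever the PingFederate certificate carries the runtime host name.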