When receiving OAuth-protected API calls, PingAccess acts as an OAuth resource server, checking with the PingFederate OAuth authorization server on the validity of the bearer access token it receives from a client.
If you plan to use Mutual TLS, you must make two changes to the PingFederate configuration.
- Enable the use of the secondary HTTPS port in PingFederate by editing the
file and setting the
pf.secondary.https.portvalue to a port value. For more information, see the PingFederate documentation.
- Modify the openid-configuration.template.json to add the
mtls_endpoint_aliasesobject, with content defined by RFC-8705. For more information about this file, see the PingFederate documentation.
To validate the bearer access token, a valid OAuth client must exist within the PingFederate OAuth authorization server.
This configuration is optional and needed only if you plan to validate PingFederate OAuth access tokens.
- Click Settings and then go to .
Enter the OAuth Client ID you defined when creating the
PingAccess OAuth client in PingFederate.
When you configure an OAuth client in PingFederate, select Access Token Validation as the allowed grant type. For more information, see Configuring a Client in the PingFederate Administrator's Manual.
Select a Client Credentials Type, then provide the
information required for the selected credential type.
- Secret – Enter the Client Secret assigned when you created the PingAccess OAuth client in PingFederate.
- Mutual TLS – Select a configured Key Pair to use for Mutual TLS client authentication.
- Private Key JWT – Select this option to use Private Key JSON web token (JWT). No additional information is required.
Select Cache Tokens to retain token details for
This option reduces the communication between PingAccess and PingFederate
- If Cache Tokens is enabled, specify the Token Time To Live by entering the number of seconds to cache the access token. The default value of -1 caches the token as long as the token is valid.
In the Subject Attribute Name field, enter the attribute
you want to use from the OAuth access token as the subject for auditing
purposes, such as
username.At runtime, the attribute’s value is used as the Subject field in audit log entries for API Resources with policies that validate access tokens. The attribute must align with an attribute in the OAuth access token attribute contract defined within PingFederate.
If multiple Access Token Managers are configured in PingFederate, select the
Send Audience option to send the URI the user
requested as the
audOAuth parameter to select an Access Token Manager.Note:
Use of this option requires that the Access Token Management instances be configured with appropriate Resource URIs. Matching of the Resource URI is performed on a most-specific match basis.
- Optional: To disable the use of OAuth 2.0 token introspection, clear the Use Token Introspection Endpoint option.
- To save your changes, click Save.