For information on the PingFederate administration API, see PingFederate Administrative API.

When you save the PingFederate administration configuration, PingAccess will test the connection to PingFederate. If PingAccess can't make a connection, an error will display in the administrative console and the configuration won't save.

  1. Click Settings and then go to System > Token Provider > PingFederate > Administration.
  2. Enter the Host name or IP address for access to the PingFederate administrative API.
  3. Enter the Port number for access to the PingFederate runtime.
  4. If necessary, enter the Base Path for the PingFederate runtime.

    The Base Path must start with a slash (/).

    /path.

  5. If the PingFederate administrative API requires native authentication, click Basic.
    1. Enter the Admin Username.

      This username only requires auditor (read-only) permission in PingFederate.

    2. Enter the Admin Password.
  6. If the PingFederate administrative API requires OAuth 2.0 authentication, click OAuth.
    1. In the Configured Authorization Server list, choose from:
      • PingFederate Runtime
      • Admin Token Provider (will only display if configured)
      Note:

      The API endpoint /pingfederate/admin allows you to select additional options for the configured authorization server.

      You can configure the following authorization servers in the PingAccess administrative console:

    2. In the Client ID field, enter a client ID for the OAuth client configured in the token provider.

      Choose a client that is configured with the client credentials grant type.

    3. In the Client Credentials Type field, select the credentials for the OAuth client configured in the token provider.
    4. In the Scopes field, enter the required scopes of validated access tokens that are authorized to call the PingFederate administrative API.
      Note:

      Scopes can be input as an array of case-sensitive strings. For a full list of the required scopes, see PingFederate's required.scopes section of the oauth2.properties file.

  7. To log information about the transaction to the audit store, select Audit.

    PingAccess audit logs record a selected subset of transaction log information at runtime and are located in the /logs directory of your PingAccess installation.

  8. In the Secure section of the Administration tab, click Yes if PingFederate is expecting HTTPS connections.

    Otherwise, click No.

  9. From the Trusted Certificate Group list, select the group of certificates to use when authenticating to PingFederate.

    PingAccess requires the certificate that PingFederate is using to anchor to a certificate in the associated trusted certificate group.

    This field is available only if you enable Secure connections in step 8.

  10. Optional: To configure advanced settings, click Show Advanced.
    1. Select Skip Hostname Verification to not perform hostname verification of the certificate.
    2. Enter an Expected Certificate Hostname to verify the certificate with the specified name instead of the Host name.
    3. To use a configured proxy for API requests, select the Use Proxy check box.
      Note:

      If the node isn't configured with a proxy, requests are made directly to PingFederate.

  11. Click Save.
    Tip:

    To view OpenID Connect (OIDC) metadata provided by the token provider, click View Metadata after saving the token provider configuration.