OpenID Connect endpoints - PingAccess

OpenID Connect endpoints - PingAccess - 7.3

PingAccess

bundle

pingaccess-73

ft:publication_title

PingAccess

Product_Version_ce

PingAccess 7.3

category

Product

pa-73

pingaccess

ContentType_ce

Specific endpoints are needed for PingFederate or another token provider to interface with PingAccess using the OpenID Connect (OIDC)OpenID Connect (OIDC)OIDC An authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management. protocol.

These endpoints are available on the engine.http.port and agent.http.port ports defined in the <PA_HOME>/conf/run.properties file.

Note:

If you selected the Use context root as reserved resource base path check box on your PingAccess application, this feature creates an instance of any reserved PingAccess resources under the application’s context root. As such, the context root of the application needs to prepend the reserved context application root (/pa by default) in any file paths that reference it.

If the context root of your application is myApp, the paths to the OIDC endpoints would be:

/myApp/pa/oidc/logout
/myApp/pa/oidc/cb
/myApp/pa/oidc/JWKS
/myApp/pa/oidc/logout.png

/pa/oidc/logout

The pa/oidc/logoutendpoint clears the browser cookie containing the PingAccess token. This enables end users to trigger the removal of their own PingAccess cookie from the browser that they're using, which redirects them to the logged out page.

You can modify the logged out page template in the <PA_INSTALL>/conf/template/general.loggedout.page.template.html file.

Note:

This endpoint does not retain any server-side state to denote log off. Additionally, unless single logout (SLO)single logout (SLO)SLO The process of signing a user out of multiple sites where the user has started a single sign-on (SSO) session. is selected for the token provider, this endpoint clears the cookie only from the requested host or domain. This means that the cookie might still exist in requests bound for other hosts or domains.

If you selected the Use Single-Logout option when configuring the token provider, this endpoint also sends a logout request to the token provider, which completes a full SLO flow.

/pa/oidc/cb

The /pa/oidc/cb endpoint, along with the application virtual host, becomes the redirect URIURIURI (Uniform Resource Identifier) Identifies a web resource with a string of characters conforming to a specified format. for the token provider configuration on the client.

/pa/oidc/JWKS

The /pa/oidc/JWKS endpoint is used by the token provider's JSON Web Token (JWT)JSON Web Token (JWT)JWT An IETF standard container format for a JSON object used for the secure exchange of content, such as identity or entitlement information. To read the industry standard, see RFC 7519 token processor for signature verification. This endpoint must be used in conjunction with the configuration of a JWT token processor instance in the token provider. For more information on configuring a JWT in PingFederate, see the PingFederate documentation.

/pa/oidc/logout.png

The /pa/oidc/logout.png endpoint is used by the token provider to initiate a logout from PingAccess in conjunction with SLO functionality, terminating the PingAccess tokens across domains.