Configure Microsoft Azure AD to mint access tokens that can be validated locally when PingAccess is protecting an API application.
Make sure that you've configured an application in Microsoft Azure AD. If you haven't, see creating Azure AD Graph API applications.
If you're using PingAccess to protect an API application and want to use Azure AD as the common token provider, you must complete this task. Because Microsoft Azure AD doesn't have an introspection endpoint to validate access tokens remotely, you must use a key from the JSON Web Key Set (JWKS) endpoint to validate access tokens locally. This task prevents Azure AD from adding a nonce value to the access token after it's been signed; a nonce added that way blocks PingAccess's ability to validate the access token.
However, if you're protecting a web application with PingAccess and want to configure Azure AD as the common token provider, see configuring token provider-specific options instead. You don't need to complete this task when PingAccess is protecting a web application because the userinfo endpoint in Azure AD can use the nonce value that Azure AD inserts into the access token and validate the access token remotely.
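The Go program below is an added illustration, not part of the PingAccess or Azure AD documentation, of what validating an access token locally with a key from the JWKS endpoint involves, and of why the nonce described above breaks it. Because it must run offline, it plays the token provider itself: it generates an RSA key, publishes it as a one-key JWKS, and mints two RS256 tokens, one clean and one with a nonce in the header. The issuer, audience, kid and subject values are constructed placeholders, and the explicit check for a header nonce is this example's way of reporting the condition, not a PingAccess setting.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK and JWKS model the RSA signing keys a provider publishes at its JWKS endpoint.
type JWK struct{ Kty, Kid, Use, Alg, N, E string }
type JWKS struct{ Keys []JWK }

var b64 = base64.RawURLEncoding

// publicJWKS publishes an RSA public key under kid, as the provider's JWKS endpoint would.
func publicJWKS(pub *rsa.PublicKey, kid string) JWKS {
	return JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid, Use: "sig", Alg: "RS256",
		N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}}
}

// signRS256 mints a compact JWS; it stands in for the token provider in this example.
func signRS256(priv *rsa.PrivateKey, header, claims map[string]any) (string, error) {
	h, _ := json.Marshal(header)
	c, _ := json.Marshal(claims)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// validateLocally does what a JWKS-based token validator does, without calling the provider:
// header checks, key lookup by kid, RS256 signature check, then iss, aud and exp.
func validateLocally(token string, jwks JWKS, issuer, audience string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token: want header.payload.signature")
	}
	var hdr, claims map[string]any
	rawH, errH := b64.DecodeString(parts[0])
	rawC, errC := b64.DecodeString(parts[1])
	if errH != nil || errC != nil || json.Unmarshal(rawH, &hdr) != nil || json.Unmarshal(rawC, &claims) != nil {
		return nil, fmt.Errorf("undecodable header or payload")
	}
	if hdr["alg"] != "RS256" {
		return nil, fmt.Errorf("unsupported alg %v", hdr["alg"])
	}
	// The failure mode the page describes: a nonce in the header means the provider altered the
	// token after signing it, so no key from the JWKS verifies it. Report that case explicitly.
	if _, has := hdr["nonce"]; has {
		return nil, fmt.Errorf("header carries a nonce: token is not locally validatable; check the requested scope")
	}
	kid, _ := hdr["kid"].(string)
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys {
		if n, errN := b64.DecodeString(k.N); k.Kty == "RSA" && k.Kid == kid && errN == nil {
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no RSA key with kid %q in JWKS", kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	// aud is treated as a single string here; a general validator would also accept a JSON array.
	if claims["iss"] != issuer || claims["aud"] != audience {
		return nil, fmt.Errorf("issuer/audience mismatch: iss=%v aud=%v", claims["iss"], claims["aud"])
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, fmt.Errorf("token expired or missing exp")
	}
	return claims, nil
}

func main() {
	// Constructed demo values: issuer, audience, kid and subject are placeholders, not a real tenant.
	const iss, aud = "https://login.example.test/tenant-placeholder/v2.0", "api://my-api-placeholder"
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwks := publicJWKS(&priv.PublicKey, "key-1")
	claims := map[string]any{"iss": iss, "aud": aud, "sub": "user-1", "exp": time.Now().Add(time.Hour).Unix()}
	for _, hdr := range []map[string]any{{"alg": "RS256", "kid": "key-1"}, {"alg": "RS256", "kid": "key-1", "nonce": "x"}} {
		tok, _ := signRS256(priv, hdr, claims)
		_, err := validateLocally(tok, jwks, iss, aud, time.Now())
		fmt.Printf("header %v -> error: %v\n", hdr, err)
	}
}
```

Run it with `go run`: the first token validates and the second is rejected with the nonce message. In a real deployment the JWKS is fetched from the provider's endpoint and cached by kid, and the audience the validator expects must match the API scope that the token was requested for, which is why the procedure that follows has you create an API scope in Azure AD and add it to the PingAccess web session.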
To configure Azure AD to mint an access token that can be validated locally:
1. In your Azure AD environment, create a scope for the API application that you want to protect:
2. In the PingAccess administrative console, set up Azure AD as a common token provider:
   a. Go to Common Token Provider.
   b. Fill out the OpenID Connect tab according to the configuring PingAccess to use Azure AD as the token provider and configuring token provider-specific options procedures.
   c. Fill out the OAuth Authorization tab according to the configuring OAuth authorization servers procedure.
   Note: If you've configured a remote access token validator on your PingAccess application and try to remove the Introspection Endpoint or save without configuring it on the OAuth Authorization Server tab, you get the following error message:
   Introspection endpoint is required as there are applications that use remote token validation.
   Remove the remote access token validator before filling out your configuration on the OAuth Authorization Server tab.
3. In your PingAccess application, set up a JWKS endpoint validator to validate Azure AD access tokens locally:
4. Add the scope that you set up in Azure AD to your PingAccess web session:
   a. In your Azure AD application, go to the Scopes section and copy the full path of the scope that you set up in step 1b.
   b. In PingAccess, go to the web session associated with your API application, click the Expand icon to view more details, then click the Pencil icon.
   c. Click Show Advanced Settings, then in the Scopes field, paste the full path of the scope that you copied in step 4a.
   d. Click Save.
You now have an access token that PingAccess can validate locally, and you have finished configuring your PingAccess application, web session, and access token validator to use Azure AD as the common token provider.