Configure static keys for use in private key
- In your token provider configuration, make sure that you've set up an OAuth client (the application in the OAuth framework that requests access to resources and, if the authorization server approves the request, is issued an access token for them). If you haven't set up an OAuth client and are using PingFederate as the token provider, see Managing OAuth clients.
- In PingAccess, make sure that you've generated or imported a key pair (a private key and its public key, represented by a certificate) and then assigned it to a virtual host or HTTPS listener.
Static and dynamically rotating keys are used to sign self-contained access tokens, ID tokens, and JWTs for client authentication and OIDC request objects.
You must make changes in both PingAccess and the token provider to modify your signing key configuration. Make the two changes in quick succession: until the token provider has the updated key set, it rejects any JWT that PingAccess signs with a key it can't find in the JWKS it was given.
- Dynamically rotating keys (default)
  PingAccess generates and rotates keys automatically for OAuth and OpenID Connect.
  Note: PingAccess uses the Signing Algorithm configured on the OAuth Key Management page for dynamic key rotation unless you have configured the signing algorithm on your web session. A signing algorithm configured on a web session takes priority over one configured on the OAuth Key Management page.
- Static keys
  Manually configure and rotate keys for OAuth and OpenID Connect to gain more control over key rotation.
To configure static signing keys:
1. In PingAccess, go to the Static OAuth & OpenID Connect Keys page.
2. Select the Enable Static Keys check box to use static keys for OAuth and OpenID Connect.
   This check box is cleared by default.
3. In the Signing Keys section, fill out the relevant information for your static key configuration.
   The Active and Previous lists only display signing keys that you've configured on the Key Pairs page that match the listed key type.
   a. For the RSA using SHA-256 key type, select a signing key in the Active list.
      There are no default selections for the signing key lists. If you don't find the signing key that you want, go to the Key Pairs page and generate or import the desired type of key pair.
   b. In the Previous list, select a signing key that you'd previously selected in the Active list if you still want the token provider to validate JWTs signed with it.
      If you select a certificate in the Previous list, that certificate is published in the JWKS, but only the Active certificate is actually used in a JWT signing flow. This is what lets JWTs signed before a rotation keep validating until they expire.
   c. Optional: Repeat steps 3a and 3b for each additional key type that you want to use.
   d. For any key type for which you have selected an Active signing key, select the Publish Certificate check box to publish the certificates associated with the active signing key and the previous signing key (if configured) at the JWKS endpoint.
      When you select the Publish Certificate check box for a key type, the associated certificate chain is published as the x5c member of the corresponding JWK. This lets the OIDC provider validate the certificate chain, including checking whether a certificate has been revoked, rather than trusting the bare public key alone.
   e. Click Save.
      The active signing key and the previous signing key (if configured) are published at the PingAccess static key JSON Web Key Set (JWKS) endpoint.
      Click View Metadata at any time to check the JWKS information available at the endpoint.
      Note: Switching between dynamically rotating and static keys in PingAccess doesn't work the same way as it does in PingFederate. If you change from dynamically rotating keys to static keys in PingAccess, you can't keep using the JWKS URL value generated for the dynamically rotating keys, because static keys and dynamically rotating keys are served from different JWKS endpoints in PingAccess. Each endpoint publishes its own key set, so after switching you must copy the metadata for the mode now in use and update the token provider's JWKS configuration (step 4).
4. Prepare the token provider to validate the signed JWT that it will receive from PingAccess:
   a. In PingAccess, on the Static OAuth & OpenID Connect Keys page, click View Metadata, then click Copy.
   b. In your token provider environment, open the OAuth client that you're using for static key signing and paste the metadata value that you copied in step 4a into your JWKS configuration.
      If you're using PingFederate as the token provider:
      - In PingFederate, go to your OAuth clients and open the OAuth client that you're using for this configuration.
      - In the JWKS field, paste the metadata value that you copied in step 4a.
      For more information, see Configuring OAuth Clients.
5. Configure the Signing Algorithm on the associated web session. For more information, see step 8 of Creating web sessions.
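The Active/Previous rotation described above, as an added example in Go; this is not PingAccess or PingFederate code. A hypothetical StaticKeySet models the Active and Previous selections for the RSA using SHA-256 key type, JWKSJSON produces the key set that View Metadata / Copy would hand to the token provider, Sign issues an RS256 JWT with the Active key only, and VerifyRS256 plays the token provider, trusting nothing but the JWKS it was given and pinning the algorithm rather than honouring the token's alg header. The kids (pa-static-1 and so on), the claims and the helper names are constructed for this example, and the JWKS carries only n and e, not the x5c chain that Publish Certificate adds. It shows that a JWT signed before a rotation still verifies while its key sits in Previous, that a token provider still holding the old JWKS rejects the new Active key (the disruption the page warns about), and that a key which has left both lists no longer verifies.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var enc = base64.RawURLEncoding // base64url without padding, as JWS and JWK use

func hash(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }

// JWK holds what a verifier needs from an RSA public JWK. No x5c is emitted
// here; that member is what the Publish Certificate check box adds.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JWKS is the document the static key JWKS endpoint serves.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

// StaticKeySet is a hypothetical model of the Active/Previous selection for
// the RSA using SHA-256 key type; it is not a PingAccess API.
type StaticKeySet struct {
	Active, Previous string // kids; Previous is "" when none is selected
	keys             map[string]*rsa.PrivateKey
}

// Rotate is the manual rotation the page leaves to you: the new key becomes
// Active, the old Active becomes Previous, and whatever was Previous leaves
// the published set, so JWTs signed with it stop verifying.
func (s *StaticKeySet) Rotate(newKid string) error {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	if s.keys == nil {
		s.keys = map[string]*rsa.PrivateKey{}
	}
	s.keys[newKid] = k
	s.Previous, s.Active = s.Active, newKid
	return nil
}

// JWKSJSON is what View Metadata / Copy hands to the token provider:
// the Active key plus the Previous key when one is configured.
func (s *StaticKeySet) JWKSJSON() ([]byte, error) {
	var set JWKS
	for _, kid := range []string{s.Active, s.Previous} {
		if kid != "" {
			pub := &s.keys[kid].PublicKey
			set.Keys = append(set.Keys, JWK{Kty: "RSA", Kid: kid, N: enc.EncodeToString(pub.N.Bytes()),
				E: enc.EncodeToString(big.NewInt(int64(pub.E)).Bytes())})
		}
	}
	return json.Marshal(set)
}

// Sign produces a compact RS256 JWS with the Active key. Previous is never
// used to sign; it is published only so older JWTs keep verifying.
func (s *StaticKeySet) Sign(claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": s.Active})
	body, _ := json.Marshal(claims) // plain JSON values only, so this cannot fail
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.keys[s.Active], crypto.SHA256, hash(input))
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyRS256 is the token-provider side: it trusts only the JWKS it was
// given, pins the algorithm instead of honouring whatever the token claims,
// resolves kid, and checks the signature. It returns the kid that verified.
func VerifyRS256(token string, jwksJSON []byte) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWS")
	}
	rawHdr, errH := enc.DecodeString(parts[0])
	sig, errS := enc.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	if errH != nil || errS != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "RS256" {
		return "", errors.New("malformed JWS, or alg is not RS256")
	}
	var set JWKS
	if err := json.Unmarshal(jwksJSON, &set); err != nil {
		return "", err
	}
	for _, k := range set.Keys {
		n, errN := enc.DecodeString(k.N)
		e, errE := enc.DecodeString(k.E)
		if k.Kid != hdr.Kid || k.Kty != "RSA" || errN != nil || errE != nil {
			continue // not the key the token names, or a JWK we cannot parse
		}
		pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, hash(parts[0]+"."+parts[1]), sig) != nil {
			return "", errors.New("signature does not verify")
		}
		return k.Kid, nil
	}
	return "", errors.New("kid " + hdr.Kid + " is not in the JWKS")
}

func main() {
	s := &StaticKeySet{}
	_ = s.Rotate("pa-static-1")
	old, _ := s.Sign(map[string]any{"iss": "pingaccess", "sub": "pingaccess"}) // constructed claims
	_ = s.Rotate("pa-static-2") // pa-static-1 is now Previous, so old still verifies
	jwks, _ := s.JWKSJSON()
	_, errOne := VerifyRS256(old, jwks)
	_ = s.Rotate("pa-static-3") // pa-static-1 has left Active and Previous
	jwks, _ = s.JWKSJSON()
	_, errTwo := VerifyRS256(old, jwks)
	fmt.Println("after one rotation:", errOne, "| after two rotations:", errTwo)
}
```

The verifier's kid lookup is the reason the page tells you to repaste the metadata after every change and after switching between dynamic and static keys: a token provider whose JWKS configuration still lists only the old key rejects everything PingAccess signs with the new Active key, and a key removed from both lists is rejected as soon as the new JWKS is in place, whatever the token's expiry says.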