You must have the PingOne issuer ID, or have access to the PingOne console, to perform this procedure.

  1. Click Settings and then go to System > Token Provider > PingOne.
  2. In the Issuer field, enter the PingOne issuer ID.

    This information is available in the PingOne console.

  3. Optional: In the Description field, enter a description for the connection.
  4. In the Trusted Certificate Group list, select a trusted certificate group for PingAccess to use when authenticating to PingOne.
  5. To configure the connection to use a configured proxy, click Show Advanced Settings and select Use Proxy.

    For more information about creating proxies, see Adding proxies.

  6. To configure OAuth 2.0 Demonstrating Proof of Possession (DPoP) settings, click Show Advanced Settings:
    1. In the DPoP Type list, select the level of DPoP support that you want to enable for access token validation:
      • Off (default): PingAccess doesn’t accept DPoP-bound access tokens, only bearer tokens.
      • Enabled: PingAccess accepts both bearer tokens and DPoP-bound access tokens.
      • Required: PingAccess doesn’t accept bearer tokens, only DPoP-bound access tokens.
    2. To require each DPoP proof to contain a nonce value during validation that was provided by PingAccess when the access token was created, per RFC 9449 section 9, select Require Nonce.

      This check box is cleared by default.

    3. In the DPoP Proof Lifetime (SEC.) field, enter the duration, in seconds, that a DPoP proof should be considered valid after it's issued.

      As a security best practice, keep this value low and consistent with the DPoP implementation of your API client. The default value is 120 seconds.

  7. Click Save.

After you configure the token provider, click View Metadata to display the metadata provided by the token provider. To update the metadata, click View Metadata > Refresh Metadata.