This document describes one way to configure PingFederate as an OpenID Connect provider for the PingAuthorize Policy Editor. In this example, PingFederate also acts as the identity provider and uses a PingDirectory LDAP server with sample data as the backing store.


  • PingFederate 10.3 or later
  • PingDirectory 9.0 or later
  • PingAuthorize 9.0 or later

Instructions and screenshots might differ slightly from other product versions. For the latest documentation, see the PingFederate documentation and PingDirectory documentation.

Before you begin

Make sure of the following:

  • PingFederate is running and accessible from the subnet on which the Policy Editor is running.
  • PingDirectory is running and accessible from the subnet on which PingFederate is running.
  • PingDirectory is loaded with the identities to be used. This document uses the sample data provided when running the PingDirectory setup command line tool with option --sampleData 1000.
  • You have extracted the Policy Editor distribution to your specified install location, with appropriate permissions set for write access. This document uses an installation directory of /opt/PingAuthorize-PAP.
  • If using SSL, the certificate chain is available as a PKCS12 keystore to upload as the server certificate chain for PingFederate.
  • The signing certificate for JWT tokens is available for upload to PingFederate.

    If the PingFederate certificate chain contains certificates that are not trusted by the default Java truststore on the system that the Policy Editor is running on, you will need to add them. An example of how to do this is provided in the “Add Certificate to Java Trust Store” subsection below.