PingCentral supports OAuth resource server functionality by validating provided bearer tokens when accessing the Admin API. Only signed JSON web token (JWT) tokens are supported in this release, so a JSON Web Key Set ( JWKS) endpoint is required to obtain the public keys for signature validation.
If you are using PingFederate 10.1 or later, you can enable the centralized signing key functionality. Additional configuration isn't required in PingCentral to access the centralized JWKS endpoint.
If the access token manager has been configured with an explicit JWKS endpoint path, you must also specify this path in PingCentral.
In PingFederate, this endpoint is exposed as https://<pf_host>:<port>/ext/<JWKS Endpoint Path>.
To provide the JWKS endpoint to PingCentral, open the
file, uncomment the
pingcentral.sso.oidc.oauth-jwk-set-uriproperty, and define the JWKS endpoint URI, as in this example.
username-claimthat PingCentral will use with bearer tokens.
With bearer tokens, PingCentral looks for the Username claim by default.Note:
While the subject (sub) claim is mandatory with OpenID Connect, it's not required when using OAuth 2.
Configure PingCentral to validate the
access token issuer and audience claim values defined in the access token
By default, these claims aren't validated. Validation for either or both is enabled by setting the following properties:
Make sure that the values specified match those defined in the access token
If the values don't match, the validation fails.Tip:
If a blank value is defined in PingFederate, the claim won't be present in the token, so do not enable the validation of that claim in PingCentral.
- Now that the resource server is configured, configure the OpenID provider.