As long as an OpenID provider can supply the endpoints and claims that PingCentral requires (most notably the user name and the user's role), other OpenID Connect 1.0 providers can also be used.
- Configure the Access Token Manager (ATM) for PingCentral.
- Configure the OIDC policy for PingCentral.
- Configure the OAuth client for PingCentral.
This section doesn't provide all of the details of setting up access token managers, OIDC policies, or attribute contracts because these topics are complex and often specific to a customer environment.
Configuring the Access Token Manager for PingCentral
- In PingFederate, go to and click Create New Instance.
On the Instance Configuration tab, add one or more symmetric keys, signing certificates, or both. Click Add a new row to... or click Update to modify an existing entry.
Important: The Key ID field values must be unique across all JSON-token management instances, including child instances.
If you have not yet created or imported your certificate into PingFederate, click Manage Signing Certificates and complete the task.
Note: To use an RSA-based algorithm for JSON Web Signature (JWS), the key size of the signing certificate must be at least 2,048 bits. For an EC-based JWS algorithm, the key size depends on the chosen algorithm.
- If you prefer to sign with the PingFederate centralized signing key rather than with certificates added to this instance, on the Instance Configuration tab select the Use Centralized Signing Key option. Select Show Advanced Fields and specify the path in the JWKS Endpoint Path field. This step is optional when an algorithm is selected in the JWE Algorithm list.
This path must be explicitly configured in PingCentral. See Configuring resource server functionality.
If you define either or both of the issuer and audience claim values within the access token manager (the Issuer Claim Value and Audience Claim Value fields), you can configure PingCentral to validate them. Validating both is recommended: without the audience check, an access token that the same issuer minted for a different resource server would also be accepted by PingCentral.
Configuring the OIDC policy for PingCentral
The OAuth client will be associated with an OIDC Policy, which could be the default policy. This policy must map an attribute into the expected claim to signify the user’s PingCentral role, which is defined in the Attribute Contract, Attribute Sources & User Lookup, and Contract Fulfillment in PingFederate.
In addition to the sub claim, the important claim is the PingCentral-Role claim. Optionally, you can also include the family_name claim.
You can fulfill the sub claim from the access token, and you must fulfill the PingCentral-Role claim using an OGNL expression based on group memberships in your directory. The following is an example of an OGNL expression used in Contract Fulfillment to map directory group membership to the PingCentral-Role claim:
// Reads the memberOf attribute values from the access token (null when the attribute is absent).
#pcrole = #this.get("memberOf"),
// No memberOf values at all: send 'NoAccess' in the claim value.
#pcrole == null ? "NoAccess" :
// If the values in memberOf contain the IAM administrator's group name, send 'IAM-Admin' in the claim value.
#pcrole.toString().contains("pingcentral-iamadmins") ? "IAM-Admin" :
// If the values in memberOf contain the application owner's group name, send 'Application-Owner' in the claim value; otherwise send 'NoAccess'.
#pcrole.toString().contains("pingcentral-appowners") ? "Application-Owner" : "NoAccess"
memberOf must be in your access token contract or retrieved through a lookup for the expression to work. Note that toString().contains(...) is a substring match over the string form of all memberOf values, so any group whose name or DN merely contains pingcentral-iamadmins would also grant the IAM-Admin role; choose group names that cannot be substrings of other group names, or compare against the full group DN instead.
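The two checks this section leaves to configuration, validating the access token's issuer and audience and mapping directory group membership to the PingCentral-Role claim, as an added Python example that is not PingCentral's or PingFederate's code: a self-contained HS256 token verifier (pinned algorithm, key lookup by Key ID, signature, exp, iss and aud checks) and a role mapper that compares full group DNs exactly, shown beside an approximation of the substring logic of the OGNL expression above. The symmetric key, issuer URL, audience value, group DNs and sample tokens are constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed assumptions for this example (not PingCentral or PingFederate defaults):
# one symmetric key from the access token manager's Instance Configuration tab,
# looked up by its Key ID, plus that manager's Issuer/Audience Claim Value settings.
KEYS = {"pc-key-1": b"constructed-32-byte-symmetric-key!!"}
EXPECTED_ISSUER = "https://pingfederate.example.com"
EXPECTED_AUDIENCE = "pingcentral"

# Full group DNs, compared exactly rather than by substring.
IAM_ADMIN_GROUP = "CN=pingcentral-iamadmins,OU=Groups,DC=example,DC=com"
APP_OWNER_GROUP = "CN=pingcentral-appowners,OU=Groups,DC=example,DC=com"


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, kid):
    """Mint an HS256 JWT as a symmetric-key access token manager would (test helper)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token, now=None):
    """Verify alg, kid, signature, exp, iss and aud; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the header's alg must never select the verification method.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    return claims


def verification_error(token, now=None):
    """Return the rejection reason, or None when the token verifies."""
    try:
        verify_token(token, now)
        return None
    except ValueError as exc:
        return str(exc)


def pingcentral_role(member_of):
    """Map memberOf values to the PingCentral-Role claim value by exact group DN match."""
    groups = set(member_of or [])
    if IAM_ADMIN_GROUP in groups:
        return "IAM-Admin"
    if APP_OWNER_GROUP in groups:
        return "Application-Owner"
    return "NoAccess"


def substring_role(member_of):
    """Approximation of the OGNL expression's toString().contains() logic, for contrast."""
    text = str(list(member_of or []))
    if "pingcentral-iamadmins" in text:
        return "IAM-Admin"
    if "pingcentral-appowners" in text:
        return "Application-Owner"
    return "NoAccess"


def role_for_token(token, now=None):
    """Verify the token, then derive the role from its memberOf values."""
    return pingcentral_role(verify_token(token, now).get("memberOf"))


if __name__ == "__main__":
    # A look-alike group name that the substring logic would accept as IAM-Admin.
    lookalike = ["CN=pingcentral-iamadmins-readonly,OU=Groups,DC=example,DC=com"]
    print("substring match:", substring_role(lookalike), "| exact match:", pingcentral_role(lookalike))
```

Run it directly to see the look-alike group granted IAM-Admin by substring matching and NoAccess by exact DN matching; in PingFederate the equivalent hardening is to compare against the full group DN in the OGNL expression, and in PingCentral it is to enable issuer and audience validation once those claim values are set on the access token manager.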
If the default PingCentral role claim name and values need to be altered to match the OIDC policy, update the <PingCentral_install>/conf/application.properties file.
Configuring the OAuth client for PingCentral
Define a PingCentral-specific OAuth client. These steps explain how to configure PingFederate as the OpenID provider. See Configuring OAuth clients in the PingFederate Server guide for additional information.
- In PingFederate, go to .
- In the Client ID field, enter a unique identifier that the client presents to PingFederate (the authorization server) to identify itself. This identifier is included with every request the client makes.
- In the Name field, enter a descriptive name for the client instance. This name appears when the user is prompted for authorization.
- In the Client Authentication field, select Client Secret, and manually enter a secret or click Generate Secret to have one created for you. The same secret must be entered in the PingCentral configuration; treat it as a credential and store it accordingly.
- In the Redirection URIs field, enter this URI: https://<pc-host>:<pc-port>/login/oauth2/code/pingcentral.
- Locate the Allowed Grant Types field and select Authorization Code.
Optional: If you also want API access with bearer tokens, in the Allowed Grant Types field select Resource Owner Password Credentials as well. Because this grant type sends the user's password to the token endpoint through the API client, enable it only if you need it.
Note: PingCentral doesn't support ID token encryption.
- From the Default Access Token Manager list, select your access token manager.
- In the OpenID Connect section, from the ID Token Signing Algorithm list, select RSA using SHA-256. From the Policy list, select your OIDC policy.
- Click Save.