If you are using PingFederate 10.1 or later, you can enable the centralized signing key functionality. No additional configuration is required in PingCentral to access the centralized JWKS endpoint. However, if the access token manager has been configured with an explicit JWKS endpoint path, the same path must also be specified in PingCentral.
Note: In PingFederate, this endpoint is exposed as https://<pf_host>:<port>/ext/<JWKS Endpoint Path>.

To provide this endpoint to PingCentral, access the application.properties file, which resides in the conf folder in the PingCentral installation directory. Uncomment the property and define the JWKS endpoint URI, as shown in this example:

pingcentral.sso.oidc.oauth-jwk-set-uri=https://sso.mycompany.com:9031/ext/oauth/pingcentral/jwks

While the subject (sub) claim is mandatory with OpenID Connect, it is not required when using OAuth 2. With bearer tokens, PingCentral looks for the Username claim by default, but this can also be configured, as shown in this example:

pingcentral.sso.oidc.oauth-username-claim-name=UserId

PingCentral can be configured to validate the access token issuer and audience claim values defined in the access token manager. By default, these claims will not be validated. Validation for either or both is enabled by setting the following properties:
  • pingcentral.sso.oidc.oauth-iss-claim-value=myissuer
  • pingcentral.sso.oidc.oauth-aud-claim-value=myaudience
Ensure that the values specified match those defined in the access token manager. If they do not match, the validation will fail.
Note: If a blank value is defined in PingFederate, the claim will not be present in the token, so the validation of that claim must not be enabled in PingCentral.
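As an added illustration (not PingCentral's own code), the following Python models how the settings above combine when a bearer token is checked: the signing key that would come from the JWKS URI, the username claim (defaulting to Username), and issuer/audience validation that is enforced only when the property is set, including the failure when a validated claim is absent from the token. The property values, hostname and HMAC key are constructed; PingCentral itself verifies signatures with the keys published at the JWKS endpoint, not a shared secret.

```python
import base64, hashlib, hmac, json

PREFIX = "pingcentral.sso.oidc."
# Constructed application.properties fragment; host and claim values are made up.
PROPERTIES = """
pingcentral.sso.oidc.oauth-jwk-set-uri=https://sso.example.com:9031/ext/oauth/pingcentral/jwks
pingcentral.sso.oidc.oauth-username-claim-name=UserId
pingcentral.sso.oidc.oauth-iss-claim-value=myissuer
# pingcentral.sso.oidc.oauth-aud-claim-value=myaudience
"""

def load_properties(text):
    """key=value lines; blank and '#' lines are skipped, as in application.properties."""
    lines = [l.strip() for l in text.splitlines()]
    return {k.strip(): v.strip() for k, _, v in
            (l.partition("=") for l in lines if l and not l.startswith("#"))}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims, key):  # HS256 demo token standing in for a PingFederate access token
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def validate_bearer_token(token, props, key):
    """Return (accepted, username_or_reason); key stands in for the JWKS-fetched key."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return False, "signature mismatch"
    claims = json.loads(_unb64url(body))
    # iss/aud are checked only when the property is set. If it is set but the
    # access token manager left the value blank, the claim is absent and this fails.
    for prop, name in (("oauth-iss-claim-value", "iss"), ("oauth-aud-claim-value", "aud")):
        wanted = props.get(PREFIX + prop)
        if wanted is not None:
            actual = claims.get(name)
            if wanted not in (actual if isinstance(actual, list) else [actual]):
                return False, f"{name} claim missing or not {wanted!r}"
    username_claim = props.get(PREFIX + "oauth-username-claim-name", "Username")
    if username_claim not in claims:
        return False, f"username claim {username_claim!r} not present"
    return True, claims[username_claim]
```

Enabling the audience property against a token that carries no aud claim reproduces the failure the note above warns about.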