The access token manager associated with the OIDC Policy must support signed JSON web token (JWT) tokens. To validate the token signature, PingCentral must be able to access a JWKS endpoint URL.


Signing certificates and JSON web encryption (JWE) encryption (symmetric or asymmetric) are not supported in this release.

If you are using PingFederate 10.1 or later, you can enable the centralized signing key functionality.


Additional configuration isn't required in PingCentral to access the centralized JWKS endpoint.

  1. Select the Use Centralized Signing Key check box.

  2. If you are using an older version of PingFederate, define an explicit JWKS endpoint path:
    1. Select Show Advanced Fields and specify the path in the JWKS Endpoint Path field.


      This path must be explicitly configured in PingCentral. See Configuring resource server functionality.

  3. If you define either or both of the issuer or audience claim values within the access token manager, you can configure PingCentral to validate them.

    These claim values are also defined within the advanced fields, as shown in the following example.