If you are using 10.1 or later, you can enable the centralized signing key functionality. Additional configuration isn't required in to access the centralized JWKS endpoint.

If the access token manager has been configured with an explicit JWKS endpoint path, you must also specify this path in .

Note:

In PingFederate, this endpoint is exposed as https://<pf_host>:<port>/ext/<JWKS Endpoint Path>.

  1. To provide the JWKS endpoint to , open the <PingCentral_install>/conf/application.properties file, uncomment the pingcentral.sso.oidc.oauth-jwk-set-uri property, and define the JWKS endpoint URI, as in the following example:
    pingcentral.sso.oidc.oauth-jwk-set-uri=https://sso.<mycompany.com>:9031/ext/oauth/pingcentral/jwks
  2. Configure the username claim that  will use with bearer tokens:
    pingcentral.sso.oidc.oauth-username-claim-name=UserId

    With bearer tokens, looks for the Username claim by default.

    Note:

    While the subject (sub) claim is mandatory with , it's not required when using OAuth 2.

  3. Configure to validate the access token issuer and audience claim values defined in the access token manager.

    By default, these claims aren't validated. Validation for either or both is enabled by setting the following properties:

    • pingcentral.sso.oidc.oauth-iss-claim-value=<myissuer>
    • pingcentral.sso.oidc.oauth-aud-claim-value=<myaudience>
  4. Make sure that the values specified match those defined in the access token manager.

    Note:

    If the values don't match, the validation fails.

    Tip:

    If a blank value is defined in , the claim won't be present in the token, so do not enable the validation of that claim in .

  5. Now that the resource server is configured, configure the OpenID provider.
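The claim checks that the properties in steps 2 through 4 switch on, written out as an added illustration (not PingCentral's own code). It assumes the token signature has already been verified against the JWKS endpoint from step 1 and only models the issuer, audience and username-claim rules this page describes; the properties fragment and claim values are constructed.

```python
# Added example, not PingCentral's code: models the bearer-token claim checks that
# the pingcentral.sso.oidc.oauth-* properties enable. Signature verification against
# the JWKS endpoint is assumed to have happened before these checks run.

# Constructed application.properties fragment using the property names from the page.
PROPERTIES = """
pingcentral.sso.oidc.oauth-jwk-set-uri=https://sso.example.com:9031/ext/oauth/pingcentral/jwks
pingcentral.sso.oidc.oauth-username-claim-name=UserId
pingcentral.sso.oidc.oauth-iss-claim-value=https://sso.example.com:9031
# audience validation intentionally left disabled (property still commented out)
#pingcentral.sso.oidc.oauth-aud-claim-value=pingcentral
"""

PREFIX = "pingcentral.sso.oidc."


def load_properties(text):
    """Parse key=value lines; lines starting with '#' are commented out and ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def validate_claims(claims, props):
    """Return (ok, detail). Issuer and audience are checked only when their property
    is set, matching the 'not validated by default' behaviour. The configured username
    claim must be present; the sub claim is not required for OAuth 2 bearer tokens."""
    iss = props.get(PREFIX + "oauth-iss-claim-value")
    if iss and claims.get("iss") != iss:
        return False, "issuer mismatch"
    aud = props.get(PREFIX + "oauth-aud-claim-value")
    if aud:
        token_aud = claims.get("aud")
        # The aud claim may be a single string or a list of strings.
        auds = token_aud if isinstance(token_aud, list) else [token_aud]
        if aud not in auds:
            return False, "audience mismatch"
    username_claim = props.get(PREFIX + "oauth-username-claim-name", "Username")
    if not claims.get(username_claim):
        return False, f"missing username claim '{username_claim}'"
    return True, claims[username_claim]
```

Enabling audience validation while the access token manager emits a blank audience reproduces the Tip above: the claim is absent from the token and every token is rejected.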