If you are using PingFederate 10.1 or later, you can enable the centralized signing key functionality. Additional configuration isn't required in PingCentral to access the centralized JWKS endpoint.

If the access token manager has been configured with an explicit JWKS endpoint path, you must also specify this path in PingCentral.


In PingFederate, this endpoint is exposed as https://<pf_host>:<port>/ext/<JWKS Endpoint Path>.

  1. To provide the JWKS endpoint to PingCentral, open the <PingCentral_install>/conf/application.properties file, uncomment the pingcentral.sso.oidc.oauth-jwk-set-uriproperty, and define the JWKS endpoint URI, as in this example.
  2. Configure the username-claim that PingCentral will use with bearer tokens.

    With bearer tokens, PingCentral looks for the Username claim by default.


    While the subject (sub) claim is mandatory with OpenID Connect (OIDC), it's not required when using OAuth 2.

  3. Configure PingCentral to validate the access token issuer and audience claim values defined in the access token manager.

    By default, these claims aren't validated. Validation for either or both is enabled by setting the following properties:

    • pingcentral.sso.oidc.oauth-iss-claim-value=<myissuer>
    • pingcentral.sso.oidc.oauth-aud-claim-value=<myaudience>
  4. Make sure that the values specified match those defined in the access token manager.

    If the values don't match, the validation fails.


    If a blank value is defined in PingFederate, the claim won't be present in the token, so do not enable the validation of that claim in PingCentral.

  5. Now that the resource server is configured, configure the OpenID provider.