1. Click IdP Adapter Mapping and add the new IdP adapter for creating OAuth grants.
   An additional attribute source is unnecessary. Fulfill the contract by mapping USER_KEY to the adapter's entryUUID attribute and USER_NAME to the adapter's cn attribute, and then click Next, Next, and Save.
2. Select an existing instance or click Access Token Management > Create New Instance.
   If you select an existing instance, JSON Web Tokens (JWTs) are configured automatically:
   1. If creating a new instance, select JSON Web Tokens.
      If selecting an existing instance, click Instance Configuration.
   2. Choose one-way encryption for JWT, which only requires a symmetric key (not a certificate and private key).
      With this setting the client does not verify the signature locally; it must validate the token by calling the validation endpoint on the server.
   3. Add a row under Symmetric Keys and enter a 32-byte key (64 hexadecimal characters).
   4. Choose the JWS Algorithm HMAC using SHA-256.
   5. Choose your symmetric key for Active Symmetric Key ID and click Next.
   6. Select all options and click Next.
   7. List at least one attribute to be defined in the access token, add sub, and click Save.
3. Click Access Token Mapping and map the access token attributes from the persistent grant, as follows:
   1. Choose Default Context and the new Access Token Manager.
   2. Click Contract Fulfillment.
   3. In the sub row, make the following selections:
      • From the Source list box, select Persistent Grant.
      • From the Value list box, select USER_KEY.
   4. Click Save.
4. Click OpenID Connect Policy Management > Add Policy.
   1. Choose the previously created Access Token Manager and click Next.
   2. Delete all extended contract attributes except sub.
      Other scopes appear here only if they have been configured.
   3. Click Next to reach Contract Fulfillment.
   4. Fulfill the OIDC contract attribute sub with the Access Token attribute sub.
   5. Click Next and then click Done.
   6. If a default OIDC policy is not already defined, set this new policy as the default, and click Save.
5. Add scopes for PingDirectory Server APIs.
   1. Click Scope Management > Exclusive Scopes.
   2. Add a value and description for urn:pingidentity:directory-delegated-admin.
   3. Click Save.