Page created: 6 Nov 2019 | Page updated: 25 Mar 2020
PingDirectory 8.0 product documentation. Content type: Administration, User task, Configuration. Audience: IT Administrator, Administrator, System Administrator. Deployment method: Software. Capability: Directory, Delegated Administration.
- Click IdP Adapter Mapping and add the new IdP adapter for creating OAuth grants. An additional attribute source is unnecessary. Fulfill the contract with the USER_KEY from adapter entryUUID and with the USER_NAME from adapter cn, and then click Next, Next, and Save.
- Select an existing instance or click Access Token Management > Create New Instance. If selecting an existing instance, JSON Web Tokens (JWTs) are configured automatically.
  - If creating a new instance, select JSON Web Tokens. If selecting an existing instance, click Instance Configuration.
  - Choose one-way encryption for JWT, which only requires a symmetric key (not a certificate and private key). This step requires the client to validate the token by hitting the validation endpoint on the server.
  - Add a row to symmetric keys and use 32 bytes (64 hex characters).
  - Choose the JWS Algorithm HMAC using SHA-256.
  - Choose your symmetric key for Active Symmetric Key ID and click Next.
  - Select all options and click Next.
  - List at least one attribute to be defined in the access token, add sub, and click Save.
- Click Access Token Mapping and map the access token attributes from the persistent grant, as follows:
  - Choose Default Context and the new Access Token Manager.
  - Click Contract Fulfillment.
  - In the sub row, make the following selections:
    - From the Source list box, select Persistent Grant.
    - From the Value list box, select USER_KEY.
  - Click Save.
- Click OpenID Connect Policy Management > Add Policy.
  - Choose the previously created Access Token Manager and click Next.
  - Delete all extended contract attributes except sub. Any other scopes remain defined, if configured.
  - Click Next to reach Contract Fulfillment.
  - Fulfill the OIDC contract sub with the Access Token attribute sub.
  - Click Next and then click Done.
  - If a default OIDC policy is not already defined, set this new policy as the default, and click Save.
- Add scopes for PingDirectory Server APIs.
  - Click Scope Management > Exclusive Scopes.
  - Add a value and description for urn:pingidentity:directory-delegated-admin.
  - Click Save.
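As an added example that is not part of the PingDirectory or PingFederate documentation: a standard-library Python script that mints an HS256 access token in the shape the steps above configure (a 64-hex-character symmetric key, a sub claim taken from the persistent grant, and the urn:pingidentity:directory-delegated-admin exclusive scope) and then applies the checks a resource server should run locally before trusting such a token. The key value, the claim layout and the helper names are constructed assumptions, not values from the product.

```python
import base64, hashlib, hmac, json, time

# Constructed sample key, not a real one: 32 bytes written as 64 hex chars, the
# shape the symmetric-key row in the Access Token Manager steps above expects.
SYMMETRIC_KEY_HEX = "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
REQUIRED_SCOPE = "urn:pingidentity:directory-delegated-admin"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(sub: str, scope: str, key_hex: str, ttl: int = 300, now=None) -> str:
    """Mint an HS256 JWT carrying the sub and scope claims the steps above map (assumed claim layout)."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url_encode(json.dumps({"sub": sub, "scope": scope, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(bytes.fromhex(key_hex), f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url_encode(sig)}"

def verify(token: str, key_hex: str, now=None):
    """Local checks a resource server applies before trusting a token; returns (status, claims)."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(c_b64))
        sig = b64url_decode(s_b64)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("JWT parts must be JSON objects")
    except ValueError:  # wrong part count, bad base64 or bad JSON all land here
        return "malformed token", None
    if header.get("alg") != "HS256":  # pin the configured algorithm: reject alg=none and algorithm swaps
        return "unexpected alg", None
    expected = hmac.new(bytes.fromhex(key_hex), f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison of the MAC
        return "bad signature", None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return "expired", None
    if not claims.get("sub"):  # sub is the one contract attribute the OIDC policy above keeps
        return "missing sub", None
    if REQUIRED_SCOPE not in str(claims.get("scope", "")).split():  # scope is a space-separated list
        return "scope not granted", None
    return "ok", claims
```

Because HMAC verification needs the same key that signs, every service given the key can also mint valid tokens, so the key should stay with PingFederate and the validating server only.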