1. Sign on to the PingFederate administrative console.
  2. Set the identity provider (IdP) adapter mapping:
    1. Go to Authentication > OAuth > IdP Adapter Grant Mapping.
    2. From the Source Adapter Instance list, select the IdP adapter you created in Configuring PingFederate as the identity provider and click Add Mapping.
    3. Click Next.

      No attribute source is needed.

    4. On the Contract Fulfillment tab, set the contracts as shown in the following table.
      Contract Source Value
      USER_KEY Adapter entryUUID
      USER_NAME Adapter cn
    5. Click Next and then click Next again.
    6. Click Save.
  3. Set up Access Token Management.
    Select an existing instance or click Applications > OAuth > Access Token Management > Create New Instance.
    • If selecting an existing instance, click the Instance Configuration tab.

      With an existing instance, JSON Web Tokens (JWTs) are configured automatically.

    • If creating a new instance, specify the required fields and set Type to JSON Web Tokens.

      Take note of your new instance name. You'll need that information later.

    1. Use symmetric encryption for JWT by adding a row in the Symmetric Keys section, using 32 bytes or 64 chars of hex.

      This encryption only requires a symmetric key, not a certificate and private key. This step requires the client to validate the token by hitting the validation endpoint on the server.

    2. Set JWS Algorithm to HMAC Using SHA-256.
    3. Set Active Symmetric Key ID to your symmetric key and click Next.
    4. On the Session Validation tab, select all options and click Next.
    5. On the Access Token Attribute Contract tab, list at least one attribute to be defined in the access token, add sub, click Next until you reach the last section, and then click Save.
  4. Set up access token mapping:
    1. Go to Applications > OAuth > Access Token Mappings.
    2. Set Context to Default, set Access Token Manager to the access token manager you created in the last step, and click Add Mapping.
    3. Click Next in the Attribute Source & User Lookup section to go to the Contract Fulfillment section.
    4. In the sub row, make the following selections:
      • In the Source list, select Persistent Grant.
      • In the Value list, select USER_KEY.
    5. Click Next until you reach the Summary section. Click Save.
  5. Set up the OpenID Connect policy:
    1. Go to Applications > OAuth > OpenID Connect Policy Management.
    2. Click Add Policy.
    3. Specify a Policy ID.
    4. Specify a Name.
    5. Choose the previously created access token manager and click Next.
    6. Delete all extended contract attributes except sub.
      Other scopes are defined, if configured.
    7. Click Next to reach the Contract Fulfillment section.
    8. Fulfill the OpenID Connect (OIDC) contract sub with the access token attribute sub.
    9. Click Next and then click Done.
    10. If a default OIDC policy is not already defined, set this new policy as the default and click Save.
  6. Add scopes for PingDirectory Server APIs:
    1. Go to System > OAuth Settings > Scope Management.
    2. Click the Exclusive Scopes tab.
    3. Add a scope with the value and description given below.
      • Scope Value


      • Scope Description


    4. Click Save.