Before using a PingFederate access token validator, create a client that represents the access token validator in the PingFederate configuration. This client must use the Access Token Validation grant type.

This step allows the authorization server to determine whether a token is valid.

Note:

Access tokens issued using the OAuth 2 client credentials grant type are issued directly to a client and do not contain a subject. Such tokens cannot be accepted by the directory server.

Because this step requires an outgoing HTTP request to the authorization server, the PingFederate access token validator might be slower than other access token validator types. In exchange, the validation result is guaranteed to be current, which is an important consideration if the authorization server permits the revocation of access tokens.

  1. In PingFederate, create a client with the following properties:
    • Client ID: Ping Identity
    • Client authentication: Client Secret
    • Allowed grant types: Access Token Validation
  2. Take note of the client secret and use the directory server's dsconfig command to create an access token validator, as shown.
    
    # Create an identity mapper that expects the token subject to be a uid
    dsconfig create-identity-mapper \
      --mapper-name "User ID Identity Mapper" \
      --type exact-match \
      --set enabled:true \
      --set match-attribute:uid \
      --set match-base-dn:ou=people,dc=example,dc=com

    # Change the host name and port below, as needed
    dsconfig create-external-server \
      --server-name "PingFederate External Server" \
      --type http \
      --set base-url:https://example.com:9031

    # Create the Access Token Validator
    # client-id must match the Client ID of the PingFederate client from step 1
    dsconfig create-access-token-validator \
      --validator-name "PingFederate Access Token Validator" \
      --type ping-federate \
      --set enabled:true \
      --set "authorization-server:PingFederate External Server" \
      --set client-id:PingDataGovernance \
      --set "client-secret:<client secret>" \
      --set evaluation-order-index:2000 \
      --set "identity-mapper:User ID Identity Mapper"
    
  3. Replace <client secret> with the client secret value generated by the PingFederate client.
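
The two notes above (subject-less client credentials tokens, and remote validation staying current under revocation) can be seen in a small model. This is an added example, not PingFederate or directory server code: `ToyAuthServer`, `remote_check`, `local_check`, and the token values are hypothetical, and the identity mapping is simplified to building a DN from the uid.

```python
from dataclasses import dataclass, field

BASE_DN = "ou=people,dc=example,dc=com"  # match-base-dn from the identity mapper above

@dataclass
class ToyAuthServer:
    """Hypothetical stand-in for the authorization server; not PingFederate's API."""
    tokens: dict = field(default_factory=dict)  # token -> {"sub": ..., "exp": ...}
    revoked: set = field(default_factory=set)

    def issue(self, token, subject, exp):
        self.tokens[token] = {"sub": subject, "exp": exp}
        return dict(self.tokens[token])  # copy that an offline validator could hold

    def validate(self, token, now):
        """Remote validation: answers from the server's current state."""
        claims = self.tokens.get(token)
        valid = claims and token not in self.revoked and now < claims["exp"]
        return claims if valid else None

def map_subject(claims):
    """Simplified identity mapping: treat the subject as a uid under BASE_DN."""
    sub = claims.get("sub")
    return f"uid={sub},{BASE_DN}" if sub else None

def remote_check(server, token, now):
    """One outgoing call per request; a revocation is seen immediately."""
    claims = server.validate(token, now)
    return map_subject(claims) if claims else None

def local_check(cached_claims, now):
    """Offline contrast: only the expiry captured at issue time is known."""
    return map_subject(cached_claims) if now < cached_claims["exp"] else None

def demo():
    server = ToyAuthServer()
    user_claims = server.issue("tok-user", "jdoe", exp=3600)  # constructed values
    server.issue("tok-client", None, exp=3600)  # client credentials: no subject
    before = remote_check(server, "tok-user", now=10)
    server.revoked.add("tok-user")
    return {
        "before_revocation": before,
        "remote_after_revocation": remote_check(server, "tok-user", now=20),
        "local_after_revocation": local_check(user_claims, now=20),
        "client_credentials": remote_check(server, "tok-client", now=10),
    }

if __name__ == "__main__":
    print(demo())
```

In the output, the revoked token is rejected by the remote check but still maps to a user in the offline check, and the subject-less token is never mapped to an identity.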