You can specify whether PingFederate should use static or dynamically rotating keys to decrypt asymmetrically-encrypted ID tokens.

  1. Go to the Security > OAuth & OpenID Connect Keys screen.
  2. Select the Enable Static Keys check box to use static keys for OAuth and OpenID Connect.
    Clear this check box to let PingFederate generate and rotate keys automatically for OAuth and OpenID Connect.

    The Enable Static Keys check box is not selected by default.

    Once selected, the administrative console displays the following fields under Decryption Keys.

    Key Type             Active     Previous   Publish Certificate
    EC with P-256 curve  Optional   Optional   Optional
    EC with P-384 curve  Optional   Optional   Optional
    EC with P-521 curve  Optional   Optional   Optional
    RSA                  Optional   Optional   Optional
  3. Follow these steps to complete the configuration under Decryption Keys.
    1. For each applicable key type, select an active decryption key and optionally a previous decryption key.
      If the desired decryption key is not found, click Manage Certificates to create it. Alternatively, complete the configuration, create the desired decryption keys later, and then update the configuration afterward.

      There is no default selection.

      The active decryption key is published at the PingFederate JSON Web Key (JWK) Set endpoint /pf/JWKS.

    2. Optional: For any key type for which you have selected an active decryption key (with or without a previous decryption key), select the Publish Certificate check box to publish the certificates associated with the active decryption key at the PingFederate JWKS endpoint /pf/JWKS.
      Tip:

      For each applicable decryption key, its associated chain of certificates is published as the x5c parameter value.

      The Publish Certificate check boxes are not selected by default.

Note:

When static keys are enabled, you must also select an active signing key for the RSA key type.

  1. Under Signing Keys, select an active key for the RSA key type.

    If the desired key is not found, click Manage Certificates to create it.

    There is no default selection.

    The active signing key is published at the PingFederate JWKS endpoint /pf/JWKS.

  2. Click Save.

Important:

When static keys are enabled, PingFederate uses only static decryption keys to decrypt asymmetrically-encrypted ID tokens it receives from OpenID Providers; dynamic keys are neither used nor returned by the PingFederate JWKS endpoint /pf/JWKS.

The following snippet illustrates a sample response returned by the PingFederate JWKS endpoint when dynamic keys are used.

$ curl -s https://localhost:8031/pf/JWKS |python -m json.tool
{
  "keys": [
    ...
    {
      "kty": "EC",
      "kid": "I-ZbqeLPG2O5qxSf3n8yKmcGbWI",
      "use": "enc",
      "x": "AUSx-2vdfCjU90KohVs1peISnNUeDmGo3m0_x42PucBr-Gd-mHKXQ8EjTeYgLhFB5SYMV5tntKiezayWkUt9Dodc",
      "y": "AIE6vQYcKdOfyQYzENYQ86MIAwSUo4GR_-dn7m2MvRReXkotWOsFT1WKXi_KjamqJIV2AwAUZL-IQj5mew45lSTM",
      "crv": "P-521"
    },
    {
      "kty": "EC",
      "kid": "S2BbNNK9PtG0nA-EhU5BGpZ-OG8",
      "use": "enc",
      "x": "IKXASh9aDPJ1YaeXUww1YZnZ3kum_WLKvZe8xiNW6W8",
      "y": "7_zp2AuY8MY4WEuneHEzV0cqW0buqcmMGVzRANQ0r2I",
      "crv": "P-256"
    },
    {
      "kty": "EC",
      "kid": "t4-jKfmhEHn3mRc-08Oh3WKA2zE",
      "use": "enc",
      "x": "RiQkv_ArGS7Zc8XsXp0VQpEWz9ZUlbLUWA0VbTcUjWIbOByceGhg-tAj6dlFiorq",
      "y": "aHPQlrJPscdcuHtHokyr-70yBo4nUK-BjWrJgisDxnKJQFLP6YK_dfuOpuVYhFJ5",
      "crv": "P-384"
    },
    {
      "kty": "RSA",
      "kid": "tVP7otNKgIWYep8LPBR3wD3tPNE",
      "use": "enc",
      "n": "hvHfiamhV4wGC9JHppJZjdKG5K3MvhWwo6PBsSQowGOTeILAbzO8Jfmp7nRxuujTE6k83RXNeWUvTwamGqShXvHzGYJlE2gsc0Az_w5xm-vjoNZD8Cv0Y9C3R4Ckj6dBL70Osk_NfBR7MYmRA6dV0PJ5k4Lt_vQveXMkylD9XuLFP-gqooMXkB6FCCLqZZAi0voi3WQ7ECzSta3ke9F5VFl7-4zVjRtJHjM9gGEhd5OkaZioqs9xBHeOrwhPbiPTsIA7ve3No5AlGCgZw654s17zr2Ly4q8QZE7LmM30kRJnu-dpl_dKixFTdQYIBMmIWGUyuB43XYq106z9CWoOcw",
      "e": "AQAB"
    },
    ...
  ]
}

When static keys are used, the PingFederate JWKS endpoint /pf/JWKS returns only the configured active key (or keys). The following snippet illustrates a sample response returned by the PingFederate JWKS endpoint when an active key was selected for the EC with P-384 curve and EC with P-521 curve key types.

$ curl -s https://localhost:8031/pf/JWKS |python -m json.tool
{
  "keys": [
    ...
    {
      "kty": "EC",
      "kid": "7xKkiMb-YpcK2PcrTUoTrYF8EOI",
      "use": "enc",
      "x": "4p_fZluiHS9qLXQi-cqol1LP5nBrFPcXRKQN5yR3Tz51E0xfY9tmOzLqMQwKfDIh",
      "y": "kWh3up-U2mMYOuhzx4Ba7UX0P03EPLr82PdCUG6E3V53Pgnd2QU6ShWu9lH4-ugw",
      "crv": "P-384"
    },
    {
      "kty": "EC",
      "kid": "pE1XwX8Z6QYhAC7mjZ0OCn4DXAk",
      "use": "enc",
      "x": "ATCOsxg6ce437qMVlrqCyHPDE76hC0wP7Wwb7V8heai60LIDDvIJt-evxTOGn7Iolo9PYET8-Bjhu5Zg5MNxOkF-",
      "y": "AdvUA2YD2kn7COLkFIG2vL2k34CMv7VPxsvbgOJBL2exSziMGPw6YJp2eafuHlBom7bkjv3iFy5dTuGB7B28Zc7A",
      "crv": "P-521"
    },
    ...
  ]
}
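As an added example (not PingFederate's own code or documentation), the following Python script audits a JWKS document of the shape returned by /pf/JWKS above: it lists which decryption key types are published, flags key types that should not be present once static keys are enabled (for instance a leftover dynamic RSA or P-256 key when only P-384 and P-521 active keys were configured), and checks that each key's parameters have the coordinate and modulus lengths RFC 7518 requires. The two JWKS documents, their kids and key material are constructed placeholders, and the helper names and the expected-key set are this example's own.

```python
import base64
import json

# Expected byte length of each EC coordinate (x and y) per curve, per RFC 7518.
EC_COORD_LEN = {"P-256": 32, "P-384": 48, "P-521": 66}
MIN_RSA_MODULUS_BYTES = 256  # 2048-bit modulus


def b64url_decode(value):
    """Decode an unpadded base64url string, the encoding JWK parameters use."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def key_label(jwk):
    """Label a JWK the way the Decryption Keys screen names key types: 'EC/P-384', 'RSA', ..."""
    if jwk.get("kty") == "EC":
        return "EC/%s" % jwk.get("crv")
    return str(jwk.get("kty"))


def check_jwk(jwk):
    """Return a list of problems with one JWK; an empty list means it is well-formed."""
    problems = []
    kty = jwk.get("kty")
    if not jwk.get("kid"):
        problems.append("missing kid")
    if kty == "EC":
        crv = jwk.get("crv")
        expected = EC_COORD_LEN.get(crv)
        if expected is None:
            problems.append("unknown curve %r" % crv)
            return problems
        for coord in ("x", "y"):
            try:
                length = len(b64url_decode(jwk[coord]))
            except (KeyError, ValueError):
                problems.append("%s missing or not base64url" % coord)
                continue
            if length != expected:
                problems.append("%s is %d bytes, expected %d for %s" % (coord, length, expected, crv))
    elif kty == "RSA":
        try:
            modulus_len = len(b64url_decode(jwk["n"]))
            b64url_decode(jwk["e"])
        except (KeyError, ValueError):
            problems.append("n or e missing or not base64url")
        else:
            if modulus_len < MIN_RSA_MODULUS_BYTES:
                problems.append("modulus is %d bits, below 2048" % (modulus_len * 8))
    else:
        problems.append("unsupported kty %r" % kty)
    return problems


def audit_decryption_keys(jwks_text, expected_labels):
    """Compare the 'enc' keys in a JWKS document with the key types an operator
    configured as active static decryption keys. Returns the published labels,
    the expected labels that are missing, the unexpected ones (e.g. leftover
    dynamic keys) and any malformed keys, keyed by kid."""
    keys = json.loads(jwks_text).get("keys", [])
    enc_keys = [k for k in keys if k.get("use") == "enc"]
    published = {key_label(k) for k in enc_keys}
    problems = {}
    for k in enc_keys:
        found = check_jwk(k)
        if found:
            problems[k.get("kid", "?")] = found
    return {
        "published": published,
        "missing": set(expected_labels) - published,
        "unexpected": published - set(expected_labels),
        "problems": problems,
    }


def _coord(length, fill):
    # Constructed placeholder of the right length; not a real curve point.
    return b64url_encode(bytes([fill]) * length)


# Constructed sample responses modeled on the /pf/JWKS output shape shown on this
# page. The kids and key material are placeholders, not real PingFederate values.
SAMPLE_STATIC_JWKS = json.dumps({"keys": [
    {"kty": "EC", "kid": "static-p384-EXAMPLE", "use": "enc",
     "x": _coord(48, 1), "y": _coord(48, 2), "crv": "P-384"},
    {"kty": "EC", "kid": "static-p521-EXAMPLE", "use": "enc",
     "x": _coord(66, 3), "y": _coord(66, 4), "crv": "P-521"},
]})

SAMPLE_DYNAMIC_JWKS = json.dumps({"keys": [
    {"kty": "EC", "kid": "dyn-p256-EXAMPLE", "use": "enc",
     "x": _coord(32, 5), "y": _coord(32, 6), "crv": "P-256"},
    {"kty": "EC", "kid": "dyn-p384-EXAMPLE", "use": "enc",
     "x": _coord(48, 7), "y": _coord(48, 8), "crv": "P-384"},
    {"kty": "EC", "kid": "dyn-p521-EXAMPLE", "use": "enc",
     "x": _coord(66, 9), "y": _coord(66, 10), "crv": "P-521"},
    {"kty": "RSA", "kid": "dyn-rsa-EXAMPLE", "use": "enc",
     "n": b64url_encode(bytes([1]) * 256), "e": "AQAB"},
]})

if __name__ == "__main__":
    # Operator enabled static keys with active P-384 and P-521 decryption keys only.
    expected = {"EC/P-384", "EC/P-521"}
    print(audit_decryption_keys(SAMPLE_STATIC_JWKS, expected))   # nothing missing or unexpected
    print(audit_decryption_keys(SAMPLE_DYNAMIC_JWKS, expected))  # flags EC/P-256 and RSA
```

To run it against a live deployment, pass the text returned by the curl command above to audit_decryption_keys in place of the constructed sample, with expected_labels set to the key types for which you selected an active decryption key. A non-empty "unexpected" set after enabling static keys, or any entry under "problems", is worth investigating before relying on the endpoint.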