You can specify whether PingFederate should use static or dynamically rotating keys to sign ID tokens, JWTs for client authentication, and OpenID Connect request objects.
When static keys are enabled, PingFederate uses only static signing keys to sign ID tokens for OAuth clients or to sign JWTs for authentication or request objects (or both) for authorization servers; dynamic keys are not used and are not returned by the PingFederate JWKS endpoint /pf/JWKS. Signing algorithms associated with EC key types that have not been configured with an active static signing key are hidden.
For existing clients and IdP connections, if you previously selected a signing algorithm associated with an EC key type (for example, ECDSA using P256 Curve and SHA-256) without enabling static keys, and then enable static keys without selecting an active static signing key for that EC key type (EC with P-256 curve in this example), transactions that involve that signing algorithm will fail. When you revisit the configuration, the administrative console displays an error message. Your options are as follows:
- OAuth clients
  - Click Save to update the value of the ID Token Signing Algorithm setting to Default, which is the equivalent of selecting RSA using SHA-256 from the list.
  - Select a different value from the ID Token Signing Algorithm list and save the configuration.
  - Ignore the error and click Cancel without updating the configuration. Note that runtime errors persist until the configuration issue is resolved.
- OpenID Connect IdP connections
  - Select a different value from the Authentication Signing Algorithm list or the Request Signing Algorithm list (or both) and save the configuration.
  - Ignore the error and click Cancel without updating the configuration. Note that runtime errors persist until the configuration issue is resolved.
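To show the failure mode described above from the relying party's side, the following is an added Python example (not PingFederate code and not part of this documentation). It parses the header of an ID token, looks for a key in a JWKS document that could verify the token's `alg`, and reports the mismatch when the token claims an EC algorithm but the JWKS, as /pf/JWKS publishes it with static keys enabled and no active EC static key, contains no EC key on that curve. The JWKS and the tokens are constructed inline with placeholder key material; the function names and the algorithm-to-key-type mapping (taken from RFC 7518) are assumptions, and the check only reports whether a suitable key is published; it does not verify signatures.

```python
import base64
import json

# JOSE signing algorithm -> (key type, curve) a JWKS entry must carry to
# verify that algorithm. Curve is None for RSA algorithms. Assumed mapping
# per RFC 7518; not taken from the PingFederate documentation.
ALG_KEY_REQUIREMENTS = {
    "RS256": ("RSA", None), "RS384": ("RSA", None), "RS512": ("RSA", None),
    "PS256": ("RSA", None), "PS384": ("RSA", None), "PS512": ("RSA", None),
    "ES256": ("EC", "P-256"), "ES384": ("EC", "P-384"), "ES512": ("EC", "P-521"),
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JOSE strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(header: dict) -> str:
    """Build a JWT-shaped string from a constructed header. The payload and
    signature segments are placeholders; only the header is inspected here."""
    payload = _b64url_encode(json.dumps({"sub": "constructed"}).encode())
    return ".".join([_b64url_encode(json.dumps(header).encode()), payload, "sig"])


def jwt_header(token: str) -> dict:
    """Decode the protected header (first segment) of a compact JWS/JWT."""
    return json.loads(_b64url_decode(token.split(".")[0]))


def usable_keys(jwks: dict, alg: str) -> list:
    """Return the JWKS entries whose key type (and curve, for EC) fit alg."""
    kty, crv = ALG_KEY_REQUIREMENTS[alg]
    return [
        k for k in jwks.get("keys", [])
        if k.get("kty") == kty
        and (crv is None or k.get("crv") == crv)
        and k.get("use", "sig") == "sig"
    ]


def check_token_against_jwks(token: str, jwks: dict) -> tuple:
    """Return (ok, reason). ok is False when the JWKS holds no key that could
    verify the token's alg, which is the situation when static keys are
    enabled without an active static key for the EC type the client uses."""
    header = jwt_header(token)
    alg = header.get("alg")
    if alg not in ALG_KEY_REQUIREMENTS:
        return False, f"unsupported or unexpected alg {alg!r}"
    kty, crv = ALG_KEY_REQUIREMENTS[alg]
    candidates = usable_keys(jwks, alg)
    if not candidates:
        want = f"{kty} key" + (f" on curve {crv}" if crv else "")
        return False, f"token alg {alg} but JWKS publishes no {want}"
    kid = header.get("kid")
    if kid is not None and not any(k.get("kid") == kid for k in candidates):
        return False, f"no {alg}-capable key with kid {kid!r} in JWKS"
    return True, f"{alg} key available for verification"


# Constructed JWKS resembling a /pf/JWKS response when static keys are enabled
# and only an RSA static key is active. Key material is placeholder text.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "static-rsa-1", "use": "sig",
         "n": "PLACEHOLDER_MODULUS", "e": "AQAB"},
    ]
}

# Constructed tokens: one signed with the published RSA key, one that still
# claims the EC algorithm selected before static keys were enabled.
RS256_TOKEN = make_token({"alg": "RS256", "kid": "static-rsa-1", "typ": "JWT"})
ES256_TOKEN = make_token({"alg": "ES256", "kid": "dyn-ec-7", "typ": "JWT"})

if __name__ == "__main__":
    for name, tok in (("RS256", RS256_TOKEN), ("ES256", ES256_TOKEN)):
        ok, reason = check_token_against_jwks(tok, SAMPLE_JWKS)
        print(f"{name}: {'OK' if ok else 'FAIL'} - {reason}")
```

Running the script reports the RS256 token as verifiable and the ES256 token as failing because no EC key on curve P-256 is published, which is the same condition behind the runtime errors the console warns about; resolving it means either selecting an active static EC key or switching the algorithm as the options above describe.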