Configuring static decryption keys - PingFederate - 10.2

You can specify whether PingFederate uses static keys or dynamically rotating keys to decrypt asymmetrically-encrypted ID tokens. The choice also determines which keys the PingFederate JWKS endpoint /pf/JWKS publishes to the OpenID providers that encrypt tokens for it.

  1. Go to Security > Certificate & Key Management > OAuth & OpenID Connect Keys.
  2. Select the Enable Static Keys check box to use static keys for OAuth and OpenID Connect.
    Note:

    Clear this check box to let PingFederate generate and rotate keys automatically for OAuth and OpenID Connect. The Enable Static Keys check box is not selected by default.

    Once selected, the administrative console displays the following fields under "Decryption Keys".

    Key Type              Active     Previous   Publish Certificate
    EC with P-256 curve   Optional   Optional   Optional
    EC with P-384 curve   Optional   Optional   Optional
    EC with P-521 curve   Optional   Optional   Optional
    RSA                   Optional   Optional   Optional
  3. Follow these steps to configure "Decryption Keys".
    1. For each applicable key type, select an active decryption key and optionally a previous decryption key.
      Note:

      If the desired decryption key is not found, click Manage Certificates to create it. Alternatively, complete the configuration, create the desired decryption keys later, and then update the configuration afterward. There is no default selection.

      The active decryption key is published at the PingFederate JSON Web Key Set (JWKS) endpoint /pf/JWKS.

    2. Optional: For any key type for which you have selected an active decryption key (with or without a previous decryption key), select the Publish Certificate check box to publish the certificates associated with the active decryption key at the PingFederate JWKS endpoint /pf/JWKS.
      Tip:

      Each applicable decryption key's associated chain of certificates is published as the x5c parameter value.

      The Publish Certificate check boxes are not selected by default.

  4. Under "Signing Keys", select an active key for the RSA key type.
    Note:

    When static keys are enabled, you must also select an active signing key for the RSA key type. If the desired key is not found, click Manage Certificates to create it. There is no default selection.

    The active signing key is published at the PingFederate JWKS endpoint /pf/JWKS.

  5. Click Save.
Important:

When static keys are enabled, PingFederate uses only the configured static decryption keys to decrypt asymmetrically-encrypted ID tokens it receives from OpenID providers. Dynamic keys are not used and are not returned by the PingFederate JWKS endpoint /pf/JWKS. Any OpenID provider that cached the previously published dynamic keys must therefore fetch the key set again, because PingFederate no longer decrypts tokens encrypted to those keys.

The following snippet illustrates a sample response returned by the PingFederate JWKS endpoint when dynamic keys are used.

$ curl -s https://localhost:8031/pf/JWKS |python -m json.tool
{
  "keys": [
    ...
    {
      "kty": "EC",
      "kid": "I-ZbqeLPG2O5qxSf3n8yKmcGbWI",
      "use": "enc",
      "x": "AUSx-2vdfCjU90KohVs1peISnNUeDmGo3m0_x42PucBr-Gd-mHKXQ8EjTeYgLhFB5SYMV5tntKiezayWkUt9Dodc",
      "y": "AIE6vQYcKdOfyQYzENYQ86MIAwSUo4GR_-dn7m2MvRReXkotWOsFT1WKXi_KjamqJIV2AwAUZL-IQj5mew45lSTM",
      "crv": "P-521"
    },
    {
      "kty": "EC",
      "kid": "S2BbNNK9PtG0nA-EhU5BGpZ-OG8",
      "use": "enc",
      "x": "IKXASh9aDPJ1YaeXUww1YZnZ3kum_WLKvZe8xiNW6W8",
      "y": "7_zp2AuY8MY4WEuneHEzV0cqW0buqcmMGVzRANQ0r2I",
      "crv": "P-256"
    },
    {
      "kty": "EC",
      "kid": "t4-jKfmhEHn3mRc-08Oh3WKA2zE",
      "use": "enc",
      "x": "RiQkv_ArGS7Zc8XsXp0VQpEWz9ZUlbLUWA0VbTcUjWIbOByceGhg-tAj6dlFiorq",
      "y": "aHPQlrJPscdcuHtHokyr-70yBo4nUK-BjWrJgisDxnKJQFLP6YK_dfuOpuVYhFJ5",
      "crv": "P-384"
    },
    {
      "kty": "RSA",
      "kid": "tVP7otNKgIWYep8LPBR3wD3tPNE",
      "use": "enc",
      "n": "hvHfiamhV4wGC9JHppJZjdKG5K3MvhWwo6PBsSQowGOTeILAbzO8Jfmp7nRxuujTE6k83RXNeWUvTwamGqShXvHzGYJlE2gsc0Az_w5xm-vjoNZD8Cv0Y9C3R4Ckj6dBL70Osk_NfBR7MYmRA6dV0PJ5k4Lt_vQveXMkylD9XuLFP-gqooMXkB6FCCLqZZAi0voi3WQ7ECzSta3ke9F5VFl7-4zVjRtJHjM9gGEhd5OkaZioqs9xBHeOrwhPbiPTsIA7ve3No5AlGCgZw654s17zr2Ly4q8QZE7LmM30kRJnu-dpl_dKixFTdQYIBMmIWGUyuB43XYq106z9CWoOcw",
      "e": "AQAB"
    },
    ...
  ]
}

When static keys are used, the PingFederate JWKS endpoint /pf/JWKS returns only the configured active keys. The following snippet illustrates a sample response returned by the PingFederate JWKS endpoint when an active key was selected for the EC with P-384 curve and EC with P-521 curve key types.

$ curl -s https://localhost:8031/pf/JWKS |python -m json.tool
{
  "keys": [
    ...
    {
      "kty": "EC",
      "kid": "7xKkiMb-YpcK2PcrTUoTrYF8EOI",
      "use": "enc",
      "x": "4p_fZluiHS9qLXQi-cqol1LP5nBrFPcXRKQN5yR3Tz51E0xfY9tmOzLqMQwKfDIh",
      "y": "kWh3up-U2mMYOuhzx4Ba7UX0P03EPLr82PdCUG6E3V53Pgnd2QU6ShWu9lH4-ugw",
      "crv": "P-384"
    },
    {
      "kty": "EC",
      "kid": "pE1XwX8Z6QYhAC7mjZ0OCn4DXAk",
      "use": "enc",
      "x": "ATCOsxg6ce437qMVlrqCyHPDE76hC0wP7Wwb7V8heai60LIDDvIJt-evxTOGn7Iolo9PYET8-Bjhu5Zg5MNxOkF-",
      "y": "AdvUA2YD2kn7COLkFIG2vL2k34CMv7VPxsvbgOJBL2exSziMGPw6YJp2eafuHlBom7bkjv3iFy5dTuGB7B28Zc7A",
      "crv": "P-521"
    },
    ...
  ]
}
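After switching to static keys, the check a practitioner wants is that /pf/JWKS publishes exactly the key types selected in the console, with the right "use" values and, if Publish Certificate was selected, an x5c chain. The script below is an added example and is not PingFederate code or code from this page. It parses a JWKS document, groups keys by use and key type (using the same labels as the console table), flags missing or unexpected types, and computes the RFC 7638 thumbprint of each key so you can pin key material independently of the kid. The embedded sample is constructed from the P-384/P-521 response above plus an RSA signing key built for this example (its modulus is reused from the dynamic-key sample, its kid is made up); the URL, the function names and the expected key labels are assumptions, not anything the page specifies.

```python
"""Audit a PingFederate /pf/JWKS response against the configured static keys.

Added example (not PingFederate's own code). Assumes only the JWKS format
(RFC 7517) and the RFC 7638 thumbprint algorithm.
"""
import base64
import hashlib
import json
import sys
import urllib.request

# Constructed sample: the two static decryption keys from the P-384/P-521 response
# above, plus an RSA signing key made up for this example (modulus reused from the
# dynamic-key sample on the page; the kid is invented).
SAMPLE_JWKS = {
    "keys": [
        {
            "kty": "EC", "kid": "7xKkiMb-YpcK2PcrTUoTrYF8EOI", "use": "enc", "crv": "P-384",
            "x": "4p_fZluiHS9qLXQi-cqol1LP5nBrFPcXRKQN5yR3Tz51E0xfY9tmOzLqMQwKfDIh",
            "y": "kWh3up-U2mMYOuhzx4Ba7UX0P03EPLr82PdCUG6E3V53Pgnd2QU6ShWu9lH4-ugw",
        },
        {
            "kty": "EC", "kid": "pE1XwX8Z6QYhAC7mjZ0OCn4DXAk", "use": "enc", "crv": "P-521",
            "x": "ATCOsxg6ce437qMVlrqCyHPDE76hC0wP7Wwb7V8heai60LIDDvIJt-evxTOGn7Iolo9PYET8-Bjhu5Zg5MNxOkF-",
            "y": "AdvUA2YD2kn7COLkFIG2vL2k34CMv7VPxsvbgOJBL2exSziMGPw6YJp2eafuHlBom7bkjv3iFy5dTuGB7B28Zc7A",
        },
        {
            "kty": "RSA", "kid": "example-signing-key", "use": "sig", "e": "AQAB",
            "n": "hvHfiamhV4wGC9JHppJZjdKG5K3MvhWwo6PBsSQowGOTeILAbzO8Jfmp7nRxuujTE6k83RXNeWUvTwamGqShXvHzGYJlE2gsc0Az_w5xm-vjoNZD8Cv0Y9C3R4Ckj6dBL70Osk_NfBR7MYmRA6dV0PJ5k4Lt_vQveXMkylD9XuLFP-gqooMXkB6FCCLqZZAi0voi3WQ7ECzSta3ke9F5VFl7-4zVjRtJHjM9gGEhd5OkaZioqs9xBHeOrwhPbiPTsIA7ve3No5AlGCgZw654s17zr2Ly4q8QZE7LmM30kRJnu-dpl_dKixFTdQYIBMmIWGUyuB43XYq106z9CWoOcw",
        },
    ]
}

# RFC 7638: only these members, lexicographically ordered, feed the thumbprint hash.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def key_label(jwk):
    """Label a JWK the way the console table does: 'EC P-384', 'RSA', ..."""
    return f"EC {jwk['crv']}" if jwk.get("kty") == "EC" else jwk.get("kty", "?")


def jwk_thumbprint(jwk):
    """RFC 7638 SHA-256 thumbprint (base64url, unpadded); ignores kid and member order."""
    members = {m: jwk[m] for m in _THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(hashlib.sha256(canonical).digest()).rstrip(b"=").decode()


def audit_jwks(jwks, expected_enc, expected_sig=("RSA",)):
    """Compare published keys with the key types the static configuration should publish.

    expected_enc / expected_sig: iterables of labels such as 'EC P-384' or 'RSA'.
    Returns {'enc': {label: [entry, ...]}, 'sig': {...}, 'problems': [str, ...]}.
    """
    report = {"enc": {}, "sig": {}, "problems": []}
    seen_kids = set()
    for jwk in jwks.get("keys", []):
        use = jwk.get("use")
        if use not in ("enc", "sig"):
            report["problems"].append(f"key {jwk.get('kid')!r} has no/unknown 'use' ({use!r})")
            continue
        if jwk.get("kty") not in _THUMBPRINT_MEMBERS:
            report["problems"].append(f"key {jwk.get('kid')!r} has unsupported kty {jwk.get('kty')!r}")
            continue
        kid = jwk.get("kid")
        if kid in seen_kids:
            report["problems"].append(f"duplicate kid {kid!r}")
        seen_kids.add(kid)
        entry = {"kid": kid, "thumbprint": jwk_thumbprint(jwk), "x5c_published": "x5c" in jwk}
        report[use].setdefault(key_label(jwk), []).append(entry)

    for use, expected in (("enc", set(expected_enc)), ("sig", set(expected_sig))):
        published = set(report[use])
        for label in sorted(expected - published):
            report["problems"].append(f"expected {use} key type {label} is not published")
        for label in sorted(published - expected):
            # With static keys enabled only the configured active keys should appear; an
            # extra type usually means a stale configuration or dynamic keys still in use.
            report["problems"].append(f"unexpected {use} key type {label} is published")
    return report


def fetch_jwks(url):
    """Fetch a live JWKS document; TLS certificate verification stays on (the default)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Usage: python jwks_audit.py https://pf.example.com:8031/pf/JWKS "EC P-384" "EC P-521"
    # (hypothetical host; with no arguments the constructed sample is audited instead)
    jwks = fetch_jwks(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_JWKS
    expected = sys.argv[2:] or ["EC P-384", "EC P-521"]
    result = audit_jwks(jwks, expected)
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["problems"] else 0)
```

Run it once before and once after enabling static keys: the dynamic-key response fails the audit with "unexpected enc key type" entries for every rotated key type you did not configure, and the static response passes only when the published set matches the console selection exactly. The thumbprints let you confirm that an OpenID provider's cached key set refers to the same key material even if it records keys by something other than the kid.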