Determine when to use static keys and when to use dynamically rotating keys to sign tokens.
Specify whether PingFederate should use static or dynamically rotating keys to sign self-contained access tokens, ID tokens, JSON web tokens (JWTs) for client authentication, and JWTs for OpenID Connect request objects.
When static keys are enabled, PingFederate uses only static signing keys to sign ID tokens for OAuth clients and to sign JWTs for authentication, request objects, or both, for authorization servers; dynamic keys are not used and are not returned by the PingFederate JWKS endpoint, /pf/JWKS. Signing algorithms associated with EC key types that have no active static signing key configured are hidden from the selection lists.
This matters for existing clients and identity provider (IdP) connections. Suppose you previously selected a signing algorithm associated with an EC key type (for example, ECDSA using P256 Curve and SHA-256) without enabling static keys, and you later enable static keys without selecting an active signing key for that EC key type (EC with P-256 curve in this example). Transactions that involve that signing algorithm will then fail. When you revisit the configuration, the administrative console displays an error message. Your options are as follows:
- OAuth clients
  - Click Save to update the value of the ID Token Signing Algorithm setting to Default, which is the equivalent of selecting RSA using SHA-256 from the list.
  - Select a different value from the ID Token Signing Algorithm list and save the configuration.
  - Ignore the error and click Cancel without updating the configuration. Note that runtime errors persist until the configuration issue is resolved.
- OpenID Connect IdP connections
  - Select a different value from the Authentication Signing Algorithm list or the Request Signing Algorithm list (or both) and save the configuration.
  - Ignore the error and click Cancel without updating the configuration. Runtime errors persist until the configuration issue is resolved.
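Because a missing active static key for an EC curve only surfaces as a runtime failure, it helps to check the published JWKS against the algorithms your clients and connections are configured to use. The following script is an added example, not PingFederate code: it maps each JWS algorithm to the JWK key type and curve that can produce it, treats Default as RS256 as the page describes, and reports configured algorithms that the JWKS (a constructed sample here, key material omitted) does not cover. The algorithm-to-curve mapping is standard JOSE, not something read from PingFederate.

```python
import json

# JWS algorithm -> (JWK "kty", JWK "crv") that can sign it. ES256/ES384/ES512 are
# "ECDSA using P256/P384/P521 Curve and SHA-256/384/512" in the admin console.
ALG_KEY_REQUIREMENTS = {
    "RS256": ("RSA", None), "RS384": ("RSA", None), "RS512": ("RSA", None),
    "PS256": ("RSA", None), "PS384": ("RSA", None), "PS512": ("RSA", None),
    "ES256": ("EC", "P-256"), "ES384": ("EC", "P-384"), "ES512": ("EC", "P-521"),
}

# Constructed sample of what /pf/JWKS might publish with static keys enabled:
# one active RSA key and one active P-256 key, but no P-384 or P-521 key.
# Real key material (n, e, x, y) is omitted; this check only reads kty/crv/use.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "static-rsa-1", "use": "sig"},
    {"kty": "EC", "kid": "static-ec-p256-1", "use": "sig", "crv": "P-256"},
]})


def jwks_key_coverage(jwks_json: str) -> set:
    """Return the set of (kty, crv) pairs for which the JWKS publishes a signing key."""
    covered = set()
    for key in json.loads(jwks_json).get("keys", []):
        if key.get("use", "sig") != "sig":  # ignore encryption-only keys
            continue
        covered.add((key.get("kty"), key.get("crv")))
    return covered


def unsupported_algorithms(jwks_json: str, configured_algs) -> list:
    """Return the configured algorithms for which no matching key is published.

    Any algorithm listed here fails at runtime until an active static signing
    key of the matching type and curve is selected, or the algorithm is changed.
    """
    covered = jwks_key_coverage(jwks_json)
    missing = []
    for alg in configured_algs:
        effective = "RS256" if alg == "Default" else alg  # Default == RSA using SHA-256
        requirement = ALG_KEY_REQUIREMENTS.get(effective)
        if requirement is None or requirement not in covered:
            missing.append(alg)  # unknown algorithms are flagged rather than assumed to work
    return missing


if __name__ == "__main__":
    # Example: an OAuth client on Default, one IdP connection on ES256, another on ES384.
    print(unsupported_algorithms(SAMPLE_JWKS, ["Default", "ES256", "ES384"]))  # ['ES384']
```

In practice, replace SAMPLE_JWKS with the body fetched from your server's /pf/JWKS endpoint and the list with the algorithms selected on your clients and IdP connections.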