Configuring PingFederate as an OAuth authorization server (AS) allows a resource owner (RO), typically an end user, to grant authorization to an OAuth client requesting access to the resource server (RS).
The OAuth AS issues tokens to clients on behalf of an RO. A client then presents its token to authenticate a subsequent API call to the RS, typically, but not exclusively, a REST API call.
You can configure the PingFederate OAuth AS independently or in conjunction with security token service (STS) or browser-based single sign-on (SSO) for either an identity provider (IdP) or a service provider (SP) deployment.
In an IdP deployment, an IdP adapter is used to authenticate and provide user information for the access token. In an SP deployment, the inbound SAML assertion is used to provide authentication information about the user associated with the access token through an OAuth attribute mapping in the IdP connection.
For an STS IdP, PingFederate provides an OAuth token processor that validates incoming OAuth Bearer access tokens.
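What validating an incoming Bearer access token involves on the receiving side, as an added example that is not PingFederate code or configuration: it parses the `Authorization` header as defined in RFC 6750 and evaluates an RFC 7662-style introspection response. The function names, the sample header and response, and the scope and audience values are constructed for illustration.

```python
import re
import time

# RFC 6750 section 2.1: the "Bearer" scheme, one or more spaces, then a b64token.
_BEARER_RE = re.compile(r"Bearer +([A-Za-z0-9\-._~+/]+=*)", re.IGNORECASE)


def extract_bearer_token(authorization_header):
    """Return the token from an Authorization header, or None if malformed."""
    if not authorization_header:
        return None
    match = _BEARER_RE.fullmatch(authorization_header.strip())
    return match.group(1) if match else None


def check_introspection(response, required_scope, expected_audience, now=None):
    """Decide whether an RFC 7662-style introspection response authorizes a call.

    Returns (allowed, reason) and fails closed on any missing or invalid field.
    """
    now = time.time() if now is None else now
    if response.get("active") is not True:
        return False, "token inactive"
    # "exp" is optional in RFC 7662; requiring it is this example's policy choice.
    exp = response.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    aud = response.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return False, "wrong audience"
    scopes = str(response.get("scope", "")).split()
    if required_scope not in scopes:
        return False, "insufficient scope"
    return True, "ok"


# Constructed sample data, not output from a real authorization server.
SAMPLE_HEADER = "Bearer abc123.DEF-456_ghi"
SAMPLE_RESPONSE = {
    "active": True,
    "scope": "orders.read orders.write",
    "aud": "https://api.example.com",
    "exp": 2000000000,
}

if __name__ == "__main__":
    print(extract_bearer_token(SAMPLE_HEADER))
    print(check_introspection(SAMPLE_RESPONSE, "orders.read",
                              "https://api.example.com", now=1700000000))
```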