You can create sets of ID token signing keys in PingFederate, and map each set to one or more virtual issuers for OpenID Connect.
When minting an ID token, PingFederate signs the ID token with a key from the right key set based on the authorization request, virtual issuers configuration, and token signing keys configuration. Because of these features, you do not need multiple PingFederate environments to support multiple brands, which especially helps if you participate in Open Banking in the UK or have similar requirements.
- Go to .
- Click Add Key Set.
- Enter the key set's Name and optional Description. Click Next.
- Select at least one Issuer.
- Select an RSA signing key in the Active column.
- Optional: Select one or more EC (elliptic curve) signing keys in the Active column.
- Optional: Select Previous signing keys next to any of the Active keys.
- Optional: Select the Publish Certificate check box next to the Active signing keys.
PingFederate publishes the certificates associated with these active signing keys and previous signing keys (if selected) at the /pf/JWKS endpoint.
- Click Save.
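
The following is an added example, not PingFederate code: it shows the key-selection step a relying party performs before signature verification when each virtual issuer has its own key set containing active and previous RSA and EC keys. The issuer URLs, `kid` values, key material placeholders and function names are assumptions made for illustration; the JWKS documents are constructed inline instead of being fetched from `/pf/JWKS`.

```python
import base64
import json

# Constructed sample data: one JWKS (RFC 7517) per virtual issuer.
# Issuer URLs, kid values and key material are placeholders, not real keys.
JWKS_BY_ISSUER = {
    "https://brand-a.example.com": {"keys": [
        {"kty": "RSA", "kid": "a-rsa-active", "use": "sig", "n": "<constructed>", "e": "AQAB"},
        {"kty": "RSA", "kid": "a-rsa-previous", "use": "sig", "n": "<constructed>", "e": "AQAB"},
        {"kty": "EC", "kid": "a-ec-active", "use": "sig", "crv": "P-256",
         "x": "<constructed>", "y": "<constructed>"},
    ]},
    "https://brand-b.example.com": {"keys": [
        {"kty": "RSA", "kid": "b-rsa-active", "use": "sig", "n": "<constructed>", "e": "AQAB"},
    ]},
}

# Allowed JWS algorithms and the key type / curve each one requires (RFC 7518).
ALG_KEY_TYPE = {"RS256": ("RSA", None), "ES256": ("EC", "P-256")}

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def select_verification_key(id_token, expected_issuer):
    """Return the JWK that must verify this ID token, or raise ValueError.

    The key set is chosen from the relying party's configured issuer,
    never from the unverified iss claim inside the token.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header, claims = b64url_json(parts[0]), b64url_json(parts[1])
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    if header.get("alg") not in ALG_KEY_TYPE:  # also rejects "none"
        raise ValueError("algorithm not allowed")
    kty, crv = ALG_KEY_TYPE[header["alg"]]
    kid = header.get("kid")
    for jwk in JWKS_BY_ISSUER[expected_issuer]["keys"]:
        if kid and jwk.get("kid") == kid:
            if (jwk.get("kty"), jwk.get("crv")) != (kty, crv) or jwk.get("use") != "sig":
                raise ValueError("key does not match algorithm")
            return jwk  # hand this key to a JOSE library to verify the signature
    raise ValueError("kid not in this issuer's key set")

def make_demo_token(header, claims):
    """Build a constructed token with a dummy signature segment for the demo."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2ln"
```

A token signed with a previous key still resolves as long as that key remains published, while a `kid` from another issuer's key set is rejected.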