Mapping ID token signing keys to virtual issuers - PingFederate - 11.1

PingFederate Server


You can create sets of ID token signing keys in PingFederate, and map each set to one or more virtual issuers for OpenID Connect.

Before you map token signing keys to virtual issuers, configure the necessary static signing keys and virtual issuers. For more information, see Configuring static signing keys and Adding virtual issuers for OpenID Connect.

When minting an ID token, PingFederate signs the ID token with a key from the right key set based on the authorization request, virtual issuers configuration, and token signing keys configuration. Because of these features, you do not need multiple PingFederate environments to support multiple brands, which especially helps if you participate in Open Banking in the UK or have similar requirements.

  1. Go to Security > Certificate & Key Management > Token Signing Keys.
  2. Click Add Key Set.
  3. Enter the key set's Name and optional Description. Click Next.
  4. Select at least one Issuer.
  5. Select an RSA signing key in the Active column.
  6. Optional: Select one or more EC (elliptic curve) signing keys in the Active column.
  7. Optional: Select Previous signing keys next to any of the Active keys.
  8. Optional: Select the Publish Certificate check box next to the Active signing keys.
    PingFederate publishes the certificates associated with these active signing keys and previous signing keys (if selected) at the /pf/JWKS endpoint.
  9. Click Save.