Specifying a dynamic authorization header for a REST API datastore - PingFederate - 11.1


When you configure an OpenID Connect identity provider (IdP) connection with an application, you can use the access token from the connection as a bearer token in an authorization header to receive additional information as needed.

  • Create a Service Provider OpenID Connect IdP connection.
  • Configure an Identity Provider authentication policy for the connection.
  1. Make the OpenID Connect call to the application to obtain the access token that you plan to use as a bearer token.
    After you've made the connection, you can find the access token attribute name in <pf_install>/pingfederate/log/server.log in debug mode.
  2. On the Configure Data Source Filters window, enter the access token attribute name in the Authorization Header field.
    Tip: You can reference attribute values in the form of ${attributeName:-defaultValue}. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use ${ and } in the default value.

Authorization Headers

Authorization Header entries are shown here for Yahoo and Google OpenID Connect IdP connections:
  • For Yahoo: Bearer $(idp.https://api.login.yahoo.com.access_token)
  • For Google: Bearer $(idp.https://accounts.google.com.access_token)
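
The `${attributeName:-defaultValue}` reference form from the tip, as an added example that is not PingFederate code: a Python check that validates a value before it is entered in the Authorization Header field and models the substitution. The parsing rule, the fail-closed handling of a missing attribute without a default, the function names and the token value are assumptions of this example.

```python
import re

# Reference form from the tip: ${attributeName:-defaultValue}; the default is optional.
# Assumption of this example: the name runs up to the first ":-" or the closing brace.
REF = re.compile(r"\$\{(?P<name>[^}]*?)(?::-(?P<default>[^}]*))?\}")


def check_template(template):
    """Return a list of problems in an Authorization Header field value."""
    problems = []
    for m in REF.finditer(template):
        if not m.group("name").strip():
            problems.append(f"empty attribute name in {m.group(0)!r}")
        # The tip forbids "${" and "}" in the default; a "}" there would simply
        # end the reference early, so only "${" can be caught inside the match.
        if "${" in (m.group("default") or ""):
            problems.append(f"default value contains '${{' in {m.group(0)!r}")
    # A "${" that survives removal of all complete references was never closed.
    if "${" in REF.sub("", template):
        problems.append("unterminated '${' reference")
    return problems


def resolve(template, attributes):
    """Model the runtime substitution: attribute value first, then the default."""
    problems = check_template(template)
    if problems:
        raise ValueError("; ".join(problems))

    def substitute(m):
        name, default = m.group("name"), m.group("default")
        if name in attributes:
            return attributes[name]
        if default is not None:
            return default
        # Choice made by this example: fail closed instead of sending a broken header.
        raise KeyError(f"attribute {name!r} not available and no default given")

    return REF.sub(substitute, template)


if __name__ == "__main__":
    # Constructed sample: the attribute name is the Google one listed above,
    # the token value is made up.
    sample = {"idp.https://accounts.google.com.access_token": "constructed-token-123"}
    print(resolve("Bearer ${idp.https://accounts.google.com.access_token}", sample))
    print(resolve("Bearer ${missing.attribute:-fallback-value}", sample))
    print(check_template("Bearer ${a:-${b}}"))
```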