Configuring OAuth token exchange - PingFederate - 11.2

Configuring the OAuth authorization server to support OAuth token exchange involves configuring token exchange processor policies, token generator instances and token exchange generator groups, access token manager instances, and OAuth clients.

To configure OAuth token exchange, complete the following steps, using the linked topics for details.

Tip:

Temporary AWS security credentials are security token service (STS) tokens. To exchange inbound STS tokens, use PingFederate's SAML 2.0 token processor and the configured SAML 2.0 token processor policy in the token exchange processor policy instance. The details depend on your requirements.

  1. Define token exchange processor policies to handle incoming token exchange requests. See Defining token exchange processor policies.
  2. If you need token generator instances to generate the requested tokens, complete the following tasks.
    1. Configure the token generator instances. See Managing token generators.
    2. Create token exchange generator groups. See Creating token exchange generator groups.
    3. Map the attributes from the token exchange processor policies to the attributes from the token generator instances. See Mapping token exchange attributes to token generator attributes.
  3. If you need access token managers to generate the requested tokens, complete the following tasks.
    1. Configure the access token manager instances. See Managing access token management instances.
    2. Map the attributes from the token exchange processor policies to the attributes from the access token manager instances. See Mapping token exchange attributes to access token manager attributes.
  4. Enable token exchange in the OAuth clients that will send the token exchange requests to the authorization server. See Enabling token exchange in OAuth clients.
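
Once the steps above are complete, a client enabled for token exchange can send a request to the authorization server's token endpoint to confirm the configuration. The following is an added example, not taken from the PingFederate documentation: it builds the form body defined by RFC 8693 and checks a token endpoint response for the fields that RFC requires. The token values and sample responses are constructed, and client authentication and the HTTP call itself are left out.

```python
"""RFC 8693 token exchange: build the request body and check the response."""
import json
from urllib.parse import urlencode

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
SAML2 = "urn:ietf:params:oauth:token-type:saml2"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"

# Constructed sample responses, not captured from a real server.
SAMPLE_OK = json.dumps({"access_token": "constructed-token-value",
                        "issued_token_type": ACCESS_TOKEN,
                        "token_type": "Bearer", "expires_in": 300})
SAMPLE_NO_TYPE = json.dumps({"access_token": "constructed-token-value",
                             "token_type": "Bearer"})
SAMPLE_ERROR = json.dumps({"error": "invalid_grant"})


def build_exchange_request(subject_token, subject_token_type,
                           requested_token_type=None, audience=None, scope=None):
    """Return the form-encoded body a client POSTs to the token endpoint."""
    if not subject_token or not subject_token_type:
        raise ValueError("subject_token and subject_token_type are required")
    params = {"grant_type": GRANT_TYPE,
              "subject_token": subject_token,
              "subject_token_type": subject_token_type}
    # Optional parameters are sent only when the caller supplies them.
    for key, value in (("requested_token_type", requested_token_type),
                       ("audience", audience), ("scope", scope)):
        if value:
            params[key] = value
    return urlencode(params)


def check_exchange_response(body, requested_token_type=None):
    """Return a list of problems found in a token endpoint JSON response."""
    resp = json.loads(body)
    if "error" in resp:
        return ["server returned error: " + resp["error"]]
    problems = []
    # RFC 8693 section 2.2.1 marks these three response fields as REQUIRED.
    for field in ("access_token", "issued_token_type", "token_type"):
        if not resp.get(field):
            problems.append("missing required field: " + field)
    issued = resp.get("issued_token_type")
    # A different issued type than requested points at the attribute or
    # generator mapping chosen for this request; flag it for review.
    if issued and requested_token_type and issued != requested_token_type:
        problems.append("issued_token_type %s differs from requested %s"
                        % (issued, requested_token_type))
    return problems
```
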