When using the Bouncy Castle FIPS provider, some restrictions apply to PingFederate.
- As an OpenID Provider, PingFederate can use static or dynamically rotating keys to sign ID tokens, JSON web tokens (JWTs) for client authentication, and OpenID Connect request objects. When using dynamically rotating keys as part of the default configuration, the memory, not the BCFIPS key stores, stores short-term keys. The HSM can store static keys.
- PingFederate limits cipher suites to those listed in the <pf_install>/pingfederate/server/default/data/config-store/com.pingidentity.crypto.com.pingidentity.crypto.BCFIPSJCEManager file.