Configuring static signing keys - PingFederate - 11.3

PingFederate Server

bundle
pingfederate-113
ft:publication_title
PingFederate Server
Product_Version_ce
PingFederate 11.3 (Latest)
category
Administrator
Administratorguide
Audience
Capability
ContentType
DeploymentMethod
Guide
Product
Productdocumentation
SingleSignonSSO
Software
SystemAdministrator
pf-113
pingfederate
ContentType_ce
Guide > Administrator Guide
Product documentation
Guide

Determine when to use static and dynamically rotating keys to sign tokens as needed.

Specify whether PingFederate should use static or dynamically rotating keys to sign self-contained access tokens, ID tokens, JSON web tokens (JWTs) for client authentication, and JWTs for OpenID Connect request objects.

  1. Go to Security > Certificate & Key Management > OAuth & OpenID Connect Keys.
  2. Select the Enable Static Keys check box to use static keys for OAuth and OpenID Connect.
    Note:

    Clear this check box to let PingFederate generate and rotate keys automatically for OAuth and OpenID Connect.

    The Enable Static Keys check box is not selected by default.

    Once selected, the administrative console displays the following fields under the Signing Keys heading.

    Key Type Active Previous Publish Certificate
    EC with P-256 curve Optional Optional Optional
    EC with P-384 curve Optional Optional Optional
    EC with P-521 curve Optional Optional Optional
    RSA Required Optional Optional
  3. Follow these steps to complete the configuration under Signing Keys.
    1. For the RSA key type, select an active signing key and optionally a previous signing key.
      Note:

      If you don't find the desired signing key, click Manage Certificates to create it.

      There is no default selection.

      The active signing key and the previous signing key (if configured) are published at the PingFederate JSON Web Key (JWK) Set endpoint /pf/JWKS.

      Note:

      The alg parameter value is only included for the RSA key that handles RS256. All EC keys have a corresponding alg param. For example: "crv": "P-256","alg": "ES256".

    2. For each applicable EC (elliptic curve) key type, select an active signing key and optionally a previous signing key.
      Note:

      If you don't find the desired signing key, click Manage Certificates to create it. Alternatively, complete the configuration, create the desired signing keys later, and then update the configuration afterward.

      There is no default selection.

      The active signing key and the previous signing key (if configured) are published at the PingFederate JWKS endpoint /pf/JWKS.

    3. Optional: For any key type for which you have selected an active signing key (with or without a previous signing key), select the Publish Certificate check box to publish the certificates associated with the active signing key and the previous signing key (if configured) at the PingFederate JWKS endpoint /pf/JWKS.
      Tip:

      For each applicable signing key, its associated chain of certificates is published as the x5c parameter value.

      The Publish Certificate check boxes are not selected by default.

  4. Click Save.
Important:

When static keys are enabled, PingFederate uses only static signing keys to sign ID tokens for OAuth clients or to sign JWTs for authentication or request objects (or both) for authorization servers; dynamic keys are not used and are not returned by the PingFederate JWKS endpoint /pf/JWKS. Signing algorithms associated with EC key types not configured with an active static signing key are hidden.

For existing clients and identity provider (IdP) connections, if you have previously selected a certain signing algorithm associated with an EC key type (for example, ECDSA using P256 Curve and SHA-256) without enabling static keys and then subsequently decide to enable static keys without selecting an active signing key for such EC key type (EC with P-256 curve in this example), transactions that involve that signing algorithm will fail. When you revisit the configuration, the administrative console displays an error message. Your options are as follows:

OAuth clients
  • Click Save to update the value of the ID Token Signing Algorithm setting to Default, which is the equivalent of selecting RSA using SHA-256 from the list.
  • Select a different value from the ID Token Signing Algorithm list and save the configuration.
  • Ignore the error and click Cancel without updating the configuration. Note that runtime errors persist until the configuration issue is resolved.
These options are applicable to individual clients on the Client window and the default setting configured for all clients created via the Dynamic Client Registration protocol on the Client Configuration Defaults window.
OpenID Connect IdP connections
  • Select a different value from the Authentication Signing Algorithm list or the Request Signing Algorithm list (or both) and save the configuration.
  • Ignore the error and click Cancel without updating the configuration. Runtime errors persist until the configuration issue is resolved.
These options are applicable to individual OpenID Connect IdP connections on the OpenID Provider Info window.