Configuring a JWT Token Processor 2.0 instance - PingFederate - 11.3

PingFederate Server


The PingFederate Security Token Service (STS), the component that responds to WS-Trust requests for validation and issuance of security tokens used for SSO authentication to web services, provides validation for any JSON Web Token (JWT), the IETF standard container format for a JSON object used for the secure exchange of content such as identity or entitlement information (see RFC 7519).

Use the Type tab on the Create Token Processor Instance window to begin configuring a JWT token processor 2.0 instance. See Selecting a token processor type.

The following procedure describes how to use the Instance Configuration tab on the Create Token Processor Instance window to continue configuring a JWT token processor 2.0 instance.

This feature supports the OAuth 2.0 Token Exchange (RFC 8693) and WS-Trust specifications. JWT token processor 2.0 offers more functions than JWT token processor 1.2.

Screenshot of the Instance Configuration tab for a JWT token processor 2.0
  1. On the Create Token Processor Instance window, go to the Instance Configuration tab.
  2. Specify one or more Allowed Issuers and a JWKS or JWKS URL for each allowed issuer.

    PingFederate uses the JWKS or JWKS URL to get the validation keys for the issuer. Because these keys decide which tokens are trusted, a JWKS URL should point to an HTTPS endpoint that the issuer controls; a key set fetched from a substituted or downgraded endpoint would let an attacker mint tokens that pass validation.

  3. Specify one or more Allowed Audiences.

    This setting is optional unless you select the Require Audience check box.

  4. Specify which of the following token claims are required:
    • Audience (aud)
    • Expiration time (exp)
    • Issued at time (iat)
    • Not before time (nbf)

    By default, the aud and exp claims are required, and the iat and nbf claims are not required.

  5. Optional: Click Show Advanced Fields and change the default value for any of the following settings:
    • Default Cache Configuration, which sets the number of minutes to cache the JWKS
      Note:

      This feature affects JWKS caching only when you specify a JWKS URL for an Allowed Issuer and the JWKS URL response doesn’t indicate a cache time. This feature doesn’t apply when you specify a JWKS for an allowed issuer.

    • Allowed Clock Skew for exp and nbf claims
    • Max Future Validity, which limits the lifetime of the token
  6. Click Save.
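The checks configured in steps 2 through 5 are the same ones any JWT validator has to perform. The following is an added example, not PingFederate code and not a description of its implementation: a small Python validator that applies allowed issuers (each with its own JWKS), allowed audiences, the four required-claim switches, clock skew for exp and nbf, and a max future validity limit. It assumes HS256 tokens with symmetric ("oct") JWKS keys so it runs with the standard library only, whereas a real deployment would normally use RSA or EC keys fetched from a JWKS URL; it also assumes that "Max Future Validity" means the exp claim may not lie more than that many seconds after the validation time. The issuer, audience, key and timestamps are constructed sample values.

```python
"""Added example (not PingFederate code): a validator that applies the checks
described on the Instance Configuration tab. HS256 with "oct" JWKS keys is
used only so the example runs offline with the standard library."""
import base64, hashlib, hmac, json, time


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


class JwtProcessor:
    def __init__(self, allowed_issuers, allowed_audiences=(), require_aud=True,
                 require_exp=True, require_iat=False, require_nbf=False,
                 clock_skew=60, max_future_validity=None):
        self.allowed_issuers = allowed_issuers           # {iss: JWKS dict}
        self.allowed_audiences = set(allowed_audiences)  # empty set = any aud accepted
        self.required = {"aud": require_aud, "exp": require_exp,
                         "iat": require_iat, "nbf": require_nbf}
        self.clock_skew = clock_skew                     # seconds, applied to exp and nbf
        self.max_future_validity = max_future_validity   # seconds; None = no limit (assumed meaning)

    def _key_for(self, iss, header):
        # Keys come only from the JWKS configured for the token's own issuer, so a
        # key published by one issuer can never validate another issuer's tokens.
        jwks = self.allowed_issuers.get(iss)
        if jwks is None:
            raise ValueError("issuer not allowed")
        for jwk in jwks.get("keys", []):
            if jwk.get("kty") == "oct" and jwk.get("kid") == header.get("kid"):
                return b64url_decode(jwk["k"])
        raise ValueError("no key with matching kid in issuer JWKS")

    def validate(self, token, now=None):
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        h, p, s = parts
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
        if header.get("alg") != "HS256":   # never accept alg=none or an unexpected alg
            raise ValueError("unsupported alg")
        key = self._key_for(claims.get("iss"), header)
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("bad signature")
        for name, is_required in self.required.items():   # step 4: required claims
            if is_required and name not in claims:
                raise ValueError(f"missing required claim {name}")
        if "aud" in claims:                                # step 3: allowed audiences
            auds = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
            if self.allowed_audiences and self.allowed_audiences.isdisjoint(auds):
                raise ValueError("audience not allowed")
        if "exp" in claims:                                # step 5: skew and max future validity
            if now > claims["exp"] + self.clock_skew:
                raise ValueError("token expired")
            if self.max_future_validity is not None and claims["exp"] - now > self.max_future_validity:
                raise ValueError("exp exceeds max future validity")
        if "nbf" in claims and now < claims["nbf"] - self.clock_skew:
            raise ValueError("token not yet valid")
        return claims


def sign_hs256(claims, key: bytes, kid: str) -> str:
    """Mints a test token so the example runs offline (constructed input)."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


# Constructed sample configuration: one allowed issuer with a one-key JWKS, one allowed audience.
KEY = b"0123456789abcdef0123456789abcdef"
ISS, AUD, NOW = "https://issuer.example", "https://sts.example", 1_700_000_000
PROCESSOR = JwtProcessor({ISS: {"keys": [{"kty": "oct", "kid": "k1", "k": b64url_encode(KEY)}]}},
                         allowed_audiences=[AUD], clock_skew=30, max_future_validity=3600)


def outcome(token, now=NOW):
    try:
        PROCESSOR.validate(token, now)
        return "ok"
    except ValueError as e:
        return str(e)


def demo_outcomes():
    base = {"iss": ISS, "aud": AUD, "exp": NOW + 600, "nbf": NOW - 10, "sub": "alice"}
    valid = sign_hs256(base, KEY, "k1")
    h, p, s = valid.split(".")
    tampered = f"{h}.{p}." + ("A" if s[0] != "A" else "B") + s[1:]   # flip one signature char
    tokens = {
        "valid": valid,
        "tampered_signature": tampered,
        "unknown_issuer": sign_hs256({**base, "iss": "https://attacker.example"}, KEY, "k1"),
        "wrong_audience": sign_hs256({**base, "aud": "https://other.example"}, KEY, "k1"),
        "missing_aud": sign_hs256({k: v for k, v in base.items() if k != "aud"}, KEY, "k1"),
        "expired_within_skew": sign_hs256({**base, "exp": NOW - 20}, KEY, "k1"),
        "expired": sign_hs256({**base, "exp": NOW - 60}, KEY, "k1"),
        "too_long_lived": sign_hs256({**base, "exp": NOW + 7200}, KEY, "k1"),
        "not_yet_valid": sign_hs256({**base, "nbf": NOW + 120}, KEY, "k1"),
    }
    return {name: outcome(tok) for name, tok in tokens.items()}


if __name__ == "__main__":
    for name, result in demo_outcomes().items():
        print(f"{name:22s} {result}")
```

Two design points carry over to any processor configuration: the key is looked up through the issuer named in the token and only from that issuer's JWKS, which is why each allowed issuer carries its own JWKS or JWKS URL; and the clock skew is applied symmetrically (a token whose exp is 20 seconds in the past still passes with a 30-second skew, while an nbf 120 seconds ahead does not), so the skew should stay small enough that a stolen token's window is not meaningfully extended.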

After saving the instance configuration, go to the Extended Contract tab to continue configuring the token processor instance. See Extending a token processor contract.