The OAuth AS issues tokens to clients on behalf of an RO for use in authenticating a subsequent API call to the RS, typically, but not exclusively, a REST API call.

Tip: If your PingFederate license does not include the OAuth AS capabilities, contact

You can configure the PingFederate OAuth AS independently or in conjunction with security token service (STS) or browser-based single sign-on (SSO) for either an identity provider (IdP) or a service provider (SP) deployment.

In an IdP deployment, an IdP adapter is used to authenticate and provide user information for the access token. In an SP deployment, the inbound SAML assertion is used to provide authentication information about the user associated with the access token through an OAuth attribute mapping in the IdP connection.

For an STS IdP, PingFederate provides an OAuth token processor that validates incoming OAuth Bearer access tokens.