The OpenID Connect (OIDC) response needs to include an access token.
- Configure an access token management instance.
- Create the relevant access token mappings.
-
In PingFederate, create an Access Token Management Instance:
- PingFederate 10.1 or later: Go to Applications > OAuth and then click Access Token Management
- PingFederate 10 or earlier: On the OAuth Server tab, in the Token Mapping section, click Access Token Management
-
Click Create New Instance and then on the
Type tab, enter the following information, and then
click Next:
- Instance Name: The name you want to use to identify the Access Token Management instance.
- Instance ID: The Access Token Management ID. This ID is for internal use and cannot contain spaces or non-alphanumeric characters.
- Type: From the Type list, select JSON Web Tokens.
-
On the Instance Configuration tab, do the
following:
-
Click Add a new row to 'Symmetric Keys' and in
the new row enter the following information and then click
Update
- Key ID: Enter a unique identifier for the key.
- Key: Enter the encoded symmetrical key.
You can find this in the
use_base64_keyattribute in the PingID Properties file that you used to create the PingID Adapter instance earlier. - Encoding: From the Encoding list, select Base64[url].
- In the JWS Algorithm field, select HMAC using SHA-256 as the signing algorithm you want to use to protect the integrity of the token.
- In the Active Symmetric Key ID field, select the new symmetric key that you created, and then click Next.
-
Click Add a new row to 'Symmetric Keys' and in
the new row enter the following information and then click
Update
- On the Session Validation tab, click Next
-
On the Access Token Attribute Contract tab:
-
In the Extend the Contract field, add the
following attributes and then click Add:
- subject
- winlogin.auth.response
- From the Subject Attribute Name list, select subject, and then click Next.
-
In the Extend the Contract field, add the
following attributes and then click Add:
- On the Resource URIs tab, click Next.
- On the Access Control tab, click Next.
- On the Summary tab, click Save.
-
Go to the Access Token Mappings window:
-
Do the following:
- PingFederate 10.1 or later: Go to Applications > OAuth and then click Access Token Mappings.
- PingFederate 10 or earlier: On the OAuth Server tab, in the Token Mapping section, click Access Token Mappings.
- From the Context list, select the Windows login authentication policy contract that you created earlier.
- From the Access Token Manager list, select the access token manager instance that you created earlier, and click Add Mapping.
- On the Attribute Sources & User Lookup tab, click Next.
-
On the Contract Fulfillment tab, do the
following and then click Next:
- In the subject row: In the Source field, select Authentication Policy Contract, and in the Value field, select subject.
- In the winlogin.auth.response row: In the Source field, select Authentication Policy Contract, and in the Value field, select winlogin.auth.response.
- On the Issuance Criteria tab, click Next.
-
On the Summary tab, click
Save.
The Access Token Mappings are saved
-
Do the following: