Before you map token signing keys to virtual issuers, configure the necessary static signing keys and virtual issuers. For more information, see Configuring static signing keys and Adding virtual issuers for OpenID Connect.

When minting an ID token, PingFederate signs the ID token with a key from the right key set based on the authorization request, virtual issuers configuration, and token signing keys configuration. Because of these features, you do not need multiple PingFederate environments to support multiple brands, which especially helps if you participate in Open Banking in the UK or have similar requirements.

  1. Go to Security > Certificate & Key Management > Token Signing Keys.
  2. Click Add Key Set.
  3. Enter the key set's Name and optional Description. Click Next.
  4. Select at least one Issuer.
  5. Select at an RSA signing key in the Active column.
  6. Optional: Select one or more EC (elliptic curve) signing keys in the Active column.
  7. Optional: Select Previous signing keys next to any of the Active keys.
  8. Optional: Select the Publish Certificate check box next to the Active signing keys.
    PingFederate publishes the certificates associated with these active signing keys and previous signing keys (if selected) at the /pf/JWKS endpoint.
  9. Click Save.