PingCentral supports OAuth resource server functionality by validating the bearer tokens presented with Admin API requests. Only signed JWT tokens are supported in this release, so a JWKS endpoint is required to obtain the public keys used for signature validation.
To provide this endpoint to PingCentral, open the application.properties file in the conf folder of the PingCentral installation directory. Uncomment the property and define the JWKS endpoint URI, as shown in this example:
pingcentral.sso.oidc.oauth-jwk-set-uri=https://sso.mycompany.com:9031/ext/oauth/pingcentral/jwks
While the subject (sub) claim is mandatory with OpenID Connect, it is not required when using OAuth 2. With bearer tokens, PingCentral looks for the Username claim by default, but this can also be configured, as shown in this example:
pingcentral.sso.oidc.oauth-username-claim-name=UserId
- pingcentral.sso.oidc.oauth-iss-claim-value=myissuer
- pingcentral.sso.oidc.oauth-aud-claim-value=myaudience