Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the the same cluster.
Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.
Ping Federate Access Token Validator validates access tokens that were generated by PingFederate.
↓Parent Component
↓Relations from This Component
↓Properties
↓dsconfig Usage
The Ping Federate Access Token Validator component inherits from the External Access Token Validator
The following components have a direct aggregation relation from Ping Federate Access Token Validators:
The properties supported by this managed object are as follows:
| General Configuration Basic Properties: | Advanced Properties: |
|---|---|
| ↓ description | ↓ subject-claim-name |
| ↓ enabled | ↓ include-aud-parameter |
| ↓ evaluation-order-index | ↓ access-token-manager-id |
| ↓ authorization-server | |
| ↓ client-id | |
| ↓ client-secret | |
| ↓ client-secret-passphrase-provider | |
| ↓ endpoint-cache-refresh |
| Property Group | General Configuration |
| Description | A description for this Access Token Validator |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | Indicates whether this Access Token Validator is enabled for use in PingAuthorize Server. |
| Default Value | None |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | When multiple Ping Federate Access Token Validators are defined for a single PingAuthorize Server, this property determines the evaluation order for determining the correct validator class for an access token received by the PingAuthorize Server. Values of this property must be unique among all Ping Federate Access Token Validators defined within PingAuthorize Server but not necessarily contiguous. Ping Federate Access Token Validators with a smaller value will be evaluated first to determine if they are able to validate the access token. |
| Default Value | 2000 |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | Specifies the external server that will be used to aid in validating access tokens. In most cases this will be the Authorization Server that minted the token. |
| Default Value | Not specifying an authorization server implies that no external communication is required to validate access tokens. |
| Allowed Values | The DN of any HTTP External Server. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | The client identifier to use when authenticating to the PingFederate authorization server. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | The client secret to use when authenticating to the PingFederate authorization server. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
client-secret-passphrase-provider
| Property Group | General Configuration |
| Description | The passphrase provider for obtaining the client secret to use when authenticating to the PingFederate authorization server. |
| Default Value | None |
| Allowed Values | The DN of any Passphrase Provider. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | How often the Access Token Validator should refresh its stored value of the PingFederate server's token introspection endpoint. Upon startup, the PingFederate Access Token Validator makes a request to the PingFederate server's discovery endpoint to determine the URL of its token introspection endpoint. This value defines how frequently the Access Token Validator will make this request again and update this URL value. If the value is 0, the endpoint will be updated every time a token validation request is made. |
| Default Value | 30 minutes |
| Allowed Values | A duration. Lower limit is 0 minutes. Upper limit is 2147483647 minutes. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
subject-claim-name (Advanced Property)
| Property Group | General Configuration |
| Description | The name of the token claim that contains the subject, i.e. the logged-in user in an access token. If the claim specified by this property is present in the access token, then the PingAuthorize Server will set the HttpRequest.AccessToken.user_token flag to "true" when authorizing HTTP requests and responses with the policy decision point. |
| Default Value | sub |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
include-aud-parameter (Advanced Property)
| Property Group | General Configuration |
| Description | Whether to include the incoming request URL as the "aud" parameter when calling the PingFederate introspection endpoint. This property is ignored if the access-token-manager-id property is set. If this property is true, at least one of the Access Token Managers on the PingFederate instance must be configured with a Resource URI that matches the targeted PingAuthorize Server endpoint. See the PingFederate Administrator's Manual for more details about configuring Resource URIs. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
access-token-manager-id (Advanced Property)
| Property Group | General Configuration |
| Description | The Access Token Manager instance ID to specify when calling the PingFederate introspection endpoint. If this property is set the include-aud-parameter property is ignored. Specifying a value for this property will cause the Ping Federate Access Token Validator to include the access-token-manager-id parameter in all token validation requests to PingFederate. See the PingFederate Administrator's Manual for more details about Access Token Managers. |
| Default Value | The access-token-manager-id parameter is not included in token validation requests. |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured Access Token Validators:
dsconfig list-access-token-validators
[--property {propertyName}] ...
To view the configuration for an existing Access Token Validator:
dsconfig get-access-token-validator-prop
--validator-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing Access Token Validator:
dsconfig set-access-token-validator-prop
--validator-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Ping Federate Access Token Validator:
dsconfig create-access-token-validator
--validator-name {name}
--type {type}
--set enabled:{propertyValue}
--set client-id:{propertyValue}
[--set {propertyName}:{propertyValue}] ...
To delete an existing Access Token Validator:
dsconfig delete-access-token-validator
--validator-name {name}