Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the the same cluster.
Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.
PingOne ID Token Validators validate OpenID Connect ID tokens issued by the PingOne auth service.
↓Parent Component
↓Relations from This Component
↓Properties
↓dsconfig Usage
The PingOne ID Token Validator component inherits from the ID Token Validator
The following components have a direct aggregation relation from PingOne ID Token Validators:
The properties supported by this managed object are as follows:
| General Configuration Basic Properties: | Advanced Properties: |
|---|---|
| ↓ description | ↓ subject-claim-name |
| ↓ enabled | |
| ↓ identity-mapper | |
| ↓ issuer-url | |
| ↓ clock-skew-grace-period | |
| ↓ evaluation-order-index | |
| Token Signing Basic Properties: | Advanced Properties: |
| None | ↓ jwks-cache-duration |
| ↓ openid-connect-provider | |
| ↓ openid-connect-metadata-cache-duration |
| Property Group | General Configuration |
| Description | A description for this ID Token Validator |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | Indicates whether this ID Token Validator is enabled for use in the PingAuthorize Server. |
| Default Value | None |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | Specifies the name of the Identity Mapper that should be used to correlate an ID token subject value to a user entry. The claim name from which to obtain the subject (i.e. the currently logged-in user) may be configured using the subject-claim-name property. |
| Default Value | None |
| Allowed Values | The DN of any Identity Mapper. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | Specifies a PingOne base issuer URL. To find a PingOne application's issuer URL, log in to the PingOne Console, go to the Connections tab, select an application, then go to its Configuration tab. |
| Default Value | None |
| Allowed Values | An absolute URL, or a relative URL |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | Specifies the amount of clock skew that is tolerated by the ID Token Validator when evaluating whether a token is within its valid time interval. The duration specified by this parameter will be subtracted from the token's not-before (nbf) time and added to the token's expiration (exp) time, if present, to allow for any time difference between the local server's clock and the token issuer's clock. |
| Default Value | 5 s |
| Allowed Values | A duration. Lower limit is 0 seconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | When multiple ID Token Validators are defined for a single PingAuthorize Server, this property determines the order in which the ID Token Validators are consulted. Values of this property must be unique among all ID Token Validators defined within PingAuthorize Server but not necessarily contiguous. ID Token Validators with lower values will be evaluated first to determine if they are able to validate the ID token. |
| Default Value | None |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
subject-claim-name (Advanced Property)
| Property Group | General Configuration |
| Description | The name of the token claim that contains the subject; i.e., the authenticated user. This property specifies the token claim that contains the subject, which is the authenticated user identified by the ID token. The subject value is used by the validator's Identity Mapper to look up a matching user entry. By default, the standard sub claim is used. However, this value can be customized if the ID token contains a more appropriate claim to use for identity correlation. |
| Default Value | sub |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
jwks-cache-duration (Advanced Property)
| Property Group | Token Signing |
| Description | How often the ID Token Validator should refresh its cache of JWKS token signing keys. The value of this configuration property defines how frequently the ID Token Validator will retrieve the OpenID Connect provider's JWKS public signing keys. If the value is 0, a JWKS request will be performed every time a token validation request is made. |
| Default Value | 2h |
| Allowed Values | A duration. Lower limit is 0 seconds. Upper limit is 2147483647 seconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
openid-connect-provider (Advanced Property)
| Property Group | Token Signing |
| Description | Specifies HTTPS connection settings for the PingOne OpenID Connect provider. |
| Default Value | PingOne Auth Service |
| Allowed Values | The DN of any PingOne HTTP External Server. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
openid-connect-metadata-cache-duration (Advanced Property)
| Property Group | Token Signing |
| Description | How often the PingOne ID Token Validator should refresh its stored cache of OpenID Connect-related metadata. When first invoked, the PingOne ID Token Validator makes a request to PingOne's OpenID Connect discovery endpoint to determine its OpenID Connect configuration, such as the JWKS endpoint URL and the supported ID token signing algorithms. The value of this configuration property defines how frequently the PingOne ID Token Validator will make this discovery request again and update its OpenID Connect metadata. If the value is 0, a discovery request will be performed every time a token validation request is made (this is not recommended). |
| Default Value | 1d |
| Allowed Values | A duration. Lower limit is 0 seconds. Upper limit is 2147483647 seconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured ID Token Validators:
dsconfig list-id-token-validators
[--property {propertyName}] ...
To view the configuration for an existing ID Token Validator:
dsconfig get-id-token-validator-prop
--validator-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing ID Token Validator:
dsconfig set-id-token-validator-prop
--validator-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new PingOne ID Token Validator:
dsconfig create-id-token-validator
--validator-name {name}
--type ping-one
--set enabled:{propertyValue}
--set identity-mapper:{propertyValue}
--set issuer-url:{propertyValue}
--set evaluation-order-index:{propertyValue}
[--set {propertyName}:{propertyValue}] ...
To delete an existing ID Token Validator:
dsconfig delete-id-token-validator
--validator-name {name}