Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the the same cluster.
Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.
Ping Federate Access Token Validator validates access tokens that were generated by PingFederate.
↓Parent Component
↓Properties
↓dsconfig Usage
The Ping Federate Access Token Validator component inherits from the External Access Token Validator
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| ↓ description | ↓ include-aud-parameter |
| ↓ enabled | ↓ access-token-manager-id |
| ↓ evaluation-order-index | |
| ↓ hostname-verification-method | |
| ↓ key-manager-provider | |
| ↓ trust-manager-provider | |
| ↓ ping-fed-server-url | |
| ↓ client-id | |
| ↓ client-secret |
| Description | A description for this Access Token Validator |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether this Access Token Validator is enabled for use in Data Governance Broker. |
| Default Value | None |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | When multiple Ping Federate Access Token Validators are defined for a single Data Governance Broker, this property determines the evaluation order for determining the correct validator class for an access token received by the Data Governance Broker. Values of this property must be unique among all Ping Federate Access Token Validators defined within Data Governance Broker but not necessarily contiguous. Ping Federate Access Token Validators with a smaller value will be evaluated first to determine if they are able to validate the access token. |
| Default Value | 2000 |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The mechanism for checking if the external validation service hostname matches the name(s) stored inside the server's X.509 certificate. This is only applicable if SSL is being used for connection security. |
| Default Value | strict |
| Allowed Values | allow-all - This mechanism turns hostname verification off. strict - This mechanism works the same way as the Java Runtime Environment. It is also compliant with RFC 2818 for dealing with wildcards. The hostname must match any of the Subject Alternative Names or the first CN. A wildcard can occur in the CN, and in any of the Subject Alternative Names. A wildcard such as "*.foo.com" matches only subdomains in the same level, for example "a.foo.com". It does not match deeper subdomains such as "a.b.foo.com". |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The Ping Federate Access Token Validator must be disabled and re-enabled for changes to this setting to take effect. In order for this modification to take effect, the component must be restarted, either by disabling and re-enabling it, or by restarting the server |
| Description | The key manager provider to use if SSL (HTTPS) is to be used for connection-level security. When specifying a value for this property (except when using the Null key manager provider) you must ensure that the external server trusts this server's public certificate by adding this server's public certificate to the external server's trust store. |
| Default Value | The Java Runtime Environment's default key manager will be used |
| Allowed Values | The DN of any Key Manager Provider. The associated key manager provider must exist and must be enabled if SSL is to be used. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The Ping Federate Access Token Validator must be disabled and re-enabled for changes to this setting to take effect. In order for this modification to take effect, the component must be restarted, either by disabling and re-enabling it, or by restarting the server |
| Description | The trust manager provider to use if SSL (HTTPS) is to be used for connection-level security. |
| Default Value | The Java Runtime Environment's default trust manager will be used |
| Allowed Values | The DN of any Trust Manager Provider. The associated trust manager provider must exist and must be enabled if SSL is to be used. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The Ping Federate Access Token Validator must be disabled and re-enabled for changes to this setting to take effect. In order for this modification to take effect, the component must be restarted, either by disabling and re-enabling it, or by restarting the server |
| Description | The base URL of the PingFederate authorization server, for example "https://yourPingFedInstance:9031". |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The client identifier to use when authenticating to the PingFederate authorization server. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The client secret to use when authenticating to the PingFederate authorization server. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
include-aud-parameter (Advanced Property)
| Description | Whether to include the incoming request URL as the "aud" parameter when calling the PingFederate introspection endpoint. This property is ignored if the access-token-manager-id property is set. If this property is true, at least one of the Access Token Managers on the PingFederate instance must be configured with a Resource URI that matches the targeted Data Governance Broker endpoint. See the PingFederate Administrator's Manual for more details about configuring Resource URIs. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
access-token-manager-id (Advanced Property)
| Description | The Access Token Manager instance ID to specify when calling the PingFederate introspection endpoint. If this property is set the include-aud-parameter property is ignored. Specifying a value for this property will cause the Ping Federate Access Token Validator to include the access-token-manager-id parameter in all token validation requests to PingFederate. See the PingFederate Administrator's Manual for more details about Access Token Managers. |
| Default Value | The access-token-manager-id parameter is not included in token validation requests. |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured Access Token Validators:
dsconfig list-access-token-validators
[--property {propertyName}] ...
To view the configuration for an existing Access Token Validator:
dsconfig get-access-token-validator-prop
--validator-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing Access Token Validator:
dsconfig set-access-token-validator-prop
--validator-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Ping Federate Access Token Validator:
dsconfig create-access-token-validator
--validator-name {name}
--type {type}
--set enabled:{propertyValue}
--set ping-fed-server-url:{propertyValue}
--set client-id:{propertyValue}
--set client-secret:{propertyValue}
[--set {propertyName}:{propertyValue}] ...
To delete an existing Access Token Validator:
dsconfig delete-access-token-validator
--validator-name {name}