Note: this is an abstract component that cannot be instantiated.
Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the the same cluster.
Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.
External Access Token Validators validate access tokens by communicating with an external validation server over HTTP or HTTPS.
↓Direct Subcomponents
↓Parent Component
↓Relations from This Component
↓Properties
↓dsconfig Usage
The following External Access Token Validators are available in the server :
These External Access Token Validators inherit from the properties described below.
The External Access Token Validator component inherits from the Access Token Validator
The following components have a direct aggregation relation from External Access Token Validators:
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| ↓ description | ↓ subject-claim-name |
| ↓ enabled | |
| ↓ evaluation-order-index | |
| ↓ authorization-server |
| Description | A description for this Access Token Validator |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether this Access Token Validator is enabled for use in Data Governance Server. |
| Default Value | None |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | When multiple Access Token Validators are defined for a single Data Governance Server, this property determines the evaluation order for determining the correct validator class for an access token received by the Data Governance Server. Values of this property must be unique among all Access Token Validators defined within Data Governance Server but not necessarily contiguous. Access Token Validators with a smaller value will be evaluated first to determine if they are able to validate the access token. |
| Default Value | None |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the external server that will be used to aid in validating access tokens. In most cases this will be the Authorization Server that minted the token. |
| Default Value | Not specifying an authorization server implies that no external communication is required to validate access tokens. |
| Allowed Values | The DN of any HTTP External Server. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
subject-claim-name (Advanced Property)
| Description | The name of the token claim that contains the subject, i.e. the logged-in user in an access token. If the claim specified by this property is present in the access token, then the PingDataGovernance Server will set the HttpRequest.AccessToken.user_token flag to "true" when authorizing HTTP requests and responses with the policy decision point. |
| Default Value | sub |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured Access Token Validators:
dsconfig list-access-token-validators
[--property {propertyName}] ...
To view the configuration for an existing Access Token Validator:
dsconfig get-access-token-validator-prop
--validator-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing Access Token Validator:
dsconfig set-access-token-validator-prop
--validator-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To delete an existing Access Token Validator:
dsconfig delete-access-token-validator
--validator-name {name}