Ping Identity Data Sync Server - External Access Token Validator

Data Sync Server Documentation Index
Configuration Reference Home

External Access Token Validator

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

Note: this is an abstract component that cannot be instantiated.

External Access Token Validators validate access tokens by communicating with an external validation server over HTTP or HTTPS.

↓Direct Subcomponents
↓Parent Component
↓Relations from This Component
↓Properties
↓dsconfig Usage

Direct Subcomponents

The following External Access Token Validators are available in the server :

These External Access Token Validators inherit from the properties described below.

Parent Component

The External Access Token Validator component inherits from the Access Token Validator

Relations from This Component

The following components have a direct aggregation relation from External Access Token Validators:

HTTP External Server

Properties

The properties supported by this managed object are as follows:

General Configuration Basic Properties:	Advanced Properties:
↓ identity-mapper	↓ subject-claim-name
↓ description
↓ enabled
↓ evaluation-order-index
↓ authorization-server

Basic Properties

identity-mapper

Property Group	General Configuration
Description	Specifies the name of the Identity Mapper that should be used for associating user entries with Bearer token subject names. The claim name from which to obtain the subject (i.e. the currently logged-in user) may be configured using the subject-claim-name property.
Default Value	Requests must specify a fully qualified DN. No attempt will be made to map a user name to a DN.
Allowed Values	The DN of any Identity Mapper.
Multi-Valued	No
Required	No
Admin Action Required	None. Modification requires no further action

description

Property Group	General Configuration
Description	A description for this Access Token Validator
Default Value	None
Allowed Values	A string
Multi-Valued	No
Required	No
Admin Action Required	None. Modification requires no further action

enabled

Property Group	General Configuration
Description	Indicates whether this Access Token Validator is enabled for use in Data Sync Server.
Default Value	None
Allowed Values	true false
Multi-Valued	No
Required	Yes
Admin Action Required	None. Modification requires no further action

evaluation-order-index

Property Group	General Configuration
Description	When multiple Access Token Validators are defined for a single Data Sync Server, this property determines the evaluation order for determining the correct validator class for an access token received by the Data Sync Server. Values of this property must be unique among all Access Token Validators defined within Data Sync Server but not necessarily contiguous. Access Token Validators with a smaller value will be evaluated first to determine if they are able to validate the access token.
Default Value	None
Allowed Values	An integer value. Lower limit is 0.
Multi-Valued	No
Required	Yes
Admin Action Required	None. Modification requires no further action

authorization-server

Property Group	General Configuration
Description	Specifies the external server that will be used to aid in validating access tokens. In most cases this will be the Authorization Server that minted the token.
Default Value	Not specifying an authorization server implies that no external communication is required to validate access tokens.
Allowed Values	The DN of any HTTP External Server.
Multi-Valued	No
Required	No
Admin Action Required	None. Modification requires no further action

Advanced Properties

subject-claim-name (Advanced Property)

Property Group	General Configuration
Description	The name of the token claim that contains the subject, i.e. the logged-in user in an access token. This property goes hand-in-hand with the identity-mapper property and tells the Identity Mapper which field to use to look up the user entry on the server.
Default Value	sub
Allowed Values	A string
Multi-Valued	No
Required	No
Admin Action Required	None. Modification requires no further action

dsconfig Usage

To list the configured Access Token Validators:

dsconfig list-access-token-validators
     [--property {propertyName}] ...

To view the configuration for an existing Access Token Validator:

dsconfig get-access-token-validator-prop
     --validator-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Access Token Validator:

dsconfig set-access-token-validator-prop
     --validator-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To delete an existing Access Token Validator:

dsconfig delete-access-token-validator
     --validator-name {name}