Ping Federate Access Token Validator

Ping Federate Access Token Validator validates access tokens that were generated by PingFederate.


Parent Component

The Ping Federate Access Token Validator component inherits from the External Access Token Validator.

Relations from This Component

The following components have a direct aggregation relation from Ping Federate Access Token Validators:

Properties

The properties supported by this managed object are as follows:


General Configuration

Basic Properties:
 identity-mapper
 description
 enabled
 evaluation-order-index
 authorization-server
 client-id
 client-secret
 client-secret-passphrase-provider
 endpoint-cache-refresh

Advanced Properties:
 subject-claim-name
 include-aud-parameter
 access-token-manager-id

Basic Properties

identity-mapper

Property Group
General Configuration
Description
Specifies the name of the Identity Mapper that should be used for associating user entries with Bearer token subject names. The claim name from which to obtain the subject (i.e. the currently logged-in user) may be configured using the subject-claim-name property.
Default Value
Requests must specify a fully qualified DN. No attempt will be made to map a user name to a DN.
Allowed Values
The DN of any Identity Mapper.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

description

Property Group
General Configuration
Description
A description for this Access Token Validator
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Property Group
General Configuration
Description
Indicates whether this Access Token Validator is enabled for use in Directory Server.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

evaluation-order-index

Property Group
General Configuration
Description
When multiple Ping Federate Access Token Validators are defined for a single Directory Server, this property determines the evaluation order for determining the correct validator class for an access token received by the Directory Server. Values of this property must be unique among all Ping Federate Access Token Validators defined within Directory Server but not necessarily contiguous. Ping Federate Access Token Validators with a smaller value will be evaluated first to determine if they are able to validate the access token.
Default Value
2000
Allowed Values
An integer value. Lower limit is 0.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

authorization-server

Property Group
General Configuration
Description
Specifies the external server that will be used to aid in validating access tokens. In most cases this will be the Authorization Server that minted the token.
Default Value
Not specifying an authorization server implies that no external communication is required to validate access tokens.
Allowed Values
The DN of any HTTP External Server.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

client-id

Property Group
General Configuration
Description
The client identifier to use when authenticating to the PingFederate authorization server.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

client-secret

Property Group
General Configuration
Description
The client secret to use when authenticating to the PingFederate authorization server.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

client-secret-passphrase-provider

Property Group
General Configuration
Description
The passphrase provider for obtaining the client secret to use when authenticating to the PingFederate authorization server.
Default Value
None
Allowed Values
The DN of any Passphrase Provider.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

endpoint-cache-refresh

Property Group
General Configuration
Description
How often the Access Token Validator should refresh its stored value of the PingFederate server's token introspection endpoint. Upon startup, the PingFederate Access Token Validator makes a request to the PingFederate server's discovery endpoint to determine the URL of its token introspection endpoint. This value defines how frequently the Access Token Validator will make this request again and update this URL value. If the value is 0, the endpoint will be updated every time a token validation request is made.
Default Value
30 minutes
Allowed Values
A duration. Lower limit is 0 minutes. Upper limit is 2147483647 minutes.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


Advanced Properties

subject-claim-name (Advanced Property)

Property Group
General Configuration
Description
The name of the token claim that contains the subject, i.e. the logged-in user in an access token. This property goes hand-in-hand with the identity-mapper property and tells the Identity Mapper which field to use to look up the user entry on the server.
Default Value
sub
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

include-aud-parameter (Advanced Property)

Property Group
General Configuration
Description
Whether to include the incoming request URL as the "aud" parameter when calling the PingFederate introspection endpoint. This property is ignored if the access-token-manager-id property is set. If this property is true, at least one of the Access Token Managers on the PingFederate instance must be configured with a Resource URI that matches the targeted Directory Server endpoint. See the PingFederate Administrator's Manual for more details about configuring Resource URIs.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

access-token-manager-id (Advanced Property)

Property Group
General Configuration
Description
The Access Token Manager instance ID to specify when calling the PingFederate introspection endpoint. If this property is set the include-aud-parameter property is ignored. Specifying a value for this property will cause the Ping Federate Access Token Validator to include the access-token-manager-id parameter in all token validation requests to PingFederate. See the PingFederate Administrator's Manual for more details about Access Token Managers.
Default Value
The access-token-manager-id parameter is not included in token validation requests.
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action
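
The property descriptions above state several rules that are easy to break when more than one validator is defined: unique evaluation-order-index values, the two required properties, and include-aud-parameter being ignored once access-token-manager-id is set. The following is an added example, not part of the product or its documentation, that lints a set of validator definitions against those rules. The dictionary layout, the finding strings, the integer-minutes form of endpoint-cache-refresh, and the choice to leave disabled validators out of the evaluation order are assumptions of this example.

```python
# Added example: lint validator definitions against rules stated in this reference.
# The dict layout and finding strings are assumptions of this example, not dsconfig output.
REQUIRED = ("enabled", "client-id")  # properties marked "Required: Yes"


def lint_validators(validators):
    """Return a sorted list of (validator_name, finding) tuples."""
    findings, seen_index = [], {}
    for name, props in validators.items():
        for prop in REQUIRED:
            if prop not in props:
                findings.append((name, f"missing required property {prop}"))
        # evaluation-order-index: default 2000, lower limit 0, unique per server.
        idx = props.get("evaluation-order-index", 2000)
        if idx < 0:
            findings.append((name, "evaluation-order-index below lower limit 0"))
        if idx in seen_index:
            findings.append((name, f"evaluation-order-index {idx} duplicates {seen_index[idx]}"))
        else:
            seen_index[idx] = name
        # include-aud-parameter is ignored once access-token-manager-id is set.
        if props.get("access-token-manager-id") and props.get("include-aud-parameter"):
            findings.append((name, "include-aud-parameter ignored: access-token-manager-id is set"))
        # endpoint-cache-refresh (integer minutes here, default 30): 0 means the
        # introspection endpoint is re-resolved on every token validation request.
        if props.get("endpoint-cache-refresh", 30) == 0:
            findings.append((name, "endpoint-cache-refresh is 0: endpoint updated on every validation"))
        # With no identity-mapper, no user-name-to-DN mapping is attempted.
        if "identity-mapper" not in props:
            findings.append((name, "no identity-mapper: subject must be a fully qualified DN"))
    return sorted(findings)


def evaluation_order(validators):
    """Enabled validators, smallest evaluation-order-index first (ties broken by name)."""
    ranked = [(p.get("evaluation-order-index", 2000), n)
              for n, p in validators.items() if p.get("enabled")]
    return [n for _, n in sorted(ranked)]


# Constructed sample configuration; every name and value is invented for illustration.
SAMPLE = {
    "pf-primary": {"enabled": True, "client-id": "pd-client", "evaluation-order-index": 100,
                   "identity-mapper": "User ID Mapper", "access-token-manager-id": "atm1",
                   "include-aud-parameter": True},
    "pf-legacy": {"enabled": True, "client-id": "pd-legacy", "evaluation-order-index": 100,
                  "endpoint-cache-refresh": 0},
    "pf-draft": {"enabled": False, "evaluation-order-index": 50, "identity-mapper": "User ID Mapper"},
}
```

Calling lint_validators(SAMPLE) returns five findings, including the duplicate index shared by pf-primary and pf-legacy, which leaves their relative evaluation order undefined by the rule above.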


dsconfig Usage

To list the configured Access Token Validators:

dsconfig list-access-token-validators
     [--property {propertyName}] ...

To view the configuration for an existing Access Token Validator:

dsconfig get-access-token-validator-prop
     --validator-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Access Token Validator:

dsconfig set-access-token-validator-prop
     --validator-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Ping Federate Access Token Validator:

dsconfig create-access-token-validator
     --validator-name {name}
     --type {type}
     --set enabled:{propertyValue}
     --set client-id:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Access Token Validator:

dsconfig delete-access-token-validator
     --validator-name {name}