PingFederate Server

Configuring dynamic signing keys

Determine when to use dynamically rotating keys to sign tokens as needed.

About this task

PingFederate can use and publish certificates for dynamic keys to sign self-contained access tokens, ID tokens, JSON web tokens (JWTs) for client authentication, and JWTs for OpenID Connect request objects.

Steps

  1. Go to Security > Certificate & Key Management > OAuth & OpenID Connect Keys.

  2. Select the Publish Dynamic Key Certificates checkbox to use dynamic keys for OAuth and OpenID Connect.

  3. Enter the key information in the following Publish Dynamic Key Certificates fields.

    Property               Definition
    Organization           The organization or company name creating the certificate.
    Organizational Unit    (Optional) The specific unit within the organization.
    City                   (Optional) The city or other primary location where the company operates.
    State                  (Optional) The state or province encompassing the location.
    Country                The country where the company is based.

  4. Enter your configuration information. Click Save.

Result:

The active signing key is published at the PingFederate JSON Web Key (JWK) Set endpoint /pf/JWKS and the certificate’s Common Name (CN) is generated.

For each applicable signing key, its associated chain of certificates is published as the x5c parameter value.

Static and dynamic keys cannot be used together. When static keys are enabled, PingFederate uses only static signing keys to sign ID tokens for OAuth clients and to sign JWTs for client authentication or request objects (or both) for authorization servers. Dynamic keys aren’t used and aren’t returned by the PingFederate JWKS endpoint /pf/JWKS. Signing algorithms for EC key types that have no active static signing key configured are hidden. Learn more about static keys in Configuring static signing keys.
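What a relying party has to do with the published key set, as an added example that is not PingFederate's or Ping Identity's own code: it indexes keys by kid, re-fetches /pf/JWKS once when a token carries a kid it has not cached (the consequence of dynamic rotation), rejects tokens whose kid is still unknown, and verifies RS256 with only the Python standard library. The fetch function, the RSA key fixture and the sample token are constructed here; the fixture omits the x5c chain the page mentions because no certificate is generated.

```python
import base64, hashlib, json, math, random
# Base64url helpers as used by JWS and JWK ("n", "e", signature).
def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def int_b64u(i): return b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))
# EMSA-PKCS1-v1_5 encoding of a SHA-256 digest (what RS256 signs); k is the modulus size in bytes.
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")
def emsa_pkcs1(data, k):
    t = DIGESTINFO_SHA256 + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
class JwksVerifier:
    """Relying party: keys indexed by kid; re-fetch once when a token names an unknown kid."""
    def __init__(self, fetch_jwks):  # fetch_jwks() returns the parsed /pf/JWKS document
        self.fetch_jwks, self.keys = fetch_jwks, {}
        self.refresh()
    def refresh(self):
        self.keys = {k["kid"]: k for k in self.fetch_jwks()["keys"] if k.get("kty") == "RSA"}
    def verify(self, token):
        head_b64, body_b64, sig_b64 = token.split(".")
        head = json.loads(b64u_dec(head_b64))
        if head.get("alg") != "RS256":
            raise ValueError("unexpected alg")
        if head.get("kid") not in self.keys:
            self.refresh()  # the signing key may have rotated since the last fetch
        jwk = self.keys.get(head.get("kid"))
        if jwk is None:
            raise ValueError("unknown kid even after refreshing the JWKS")
        n, e = (int.from_bytes(b64u_dec(jwk[f]), "big") for f in ("n", "e"))
        k, sig = (n.bit_length() + 7) // 8, b64u_dec(sig_b64)
        if len(sig) != k or pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") \
                != emsa_pkcs1(f"{head_b64}.{body_b64}".encode(), k):
            raise ValueError("bad signature")
        return json.loads(b64u_dec(body_b64))
# Constructed fixture standing in for PingFederate: a toy RSA key, the JWKS entry it would
# publish (x5c omitted, since no certificate is generated here) and an RS256-signed token.
def _prime(bits):  # Fermat test with fixed bases: fine for a test key, not for real key generation
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, p - 1, p) == 1 for a in (2, 3, 5, 7, 11, 13, 17)): return p
def make_key(bits=1024):  # returns (n, e, d)
    while True:
        p, q, e = _prime(bits // 2), _prime(bits // 2), 65537
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))
def jwks_for(n, e, kid):
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": int_b64u(n), "e": int_b64u(e)}]}
def sign_rs256(n, d, kid, claims):
    head, body = b64u(json.dumps({"alg": "RS256", "kid": kid}).encode()), b64u(json.dumps(claims).encode())
    k = (n.bit_length() + 7) // 8
    s = pow(int.from_bytes(emsa_pkcs1(f"{head}.{body}".encode(), k), "big"), d, n)
    return f"{head}.{body}.{b64u(s.to_bytes(k, 'big'))}"
```

Swap the fixture's fetch function for an HTTP GET of the PingFederate JWKS endpoint to use the verifier against a live server; the alg and kid checks are what keep a rotated or foreign key from being accepted.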