Configuring an access token manager
Configure an access token manager (ATM).
Learn more in the Access token management section of the PingFederate documentation.
Steps
- Go to Applications > Access Token Management and open an existing ATM configuration or click Create New Instance.
- On the Type tab:
  - Enter a unique Instance Name and Instance ID.
  - In the Type list, select JSON Web Tokens.
  - Click Next.
- On the Instance Configuration tab:
  - In the JWS Algorithm list, select the RSA key type that you configured in Enabling signing keys.
  - Select the Use Centralized Signing Key checkbox or, in the Active Signing Certificate Key ID list, select the Active Signing Certificate that you configured in Enabling signing keys.
  You can find more information about instance configuration options on the JSON token management tab in Configuring an access token management instance in the PingFederate documentation.
- (Optional) On the Session Validation tab, define a session validation policy. Click Next.
  You can find more information about configuration options in Managing session validation settings in the PingFederate documentation.
- On the Access Token Attribute Contract tab:
  - In the Extend the Contract field, enter acr.
  - In the Action column, click Add.
  - Repeat this process for amr and any optional attributes that you extended the contract for in step 4 of Configuring an adapter instance.
  - Click Next.
- (Optional) On the Resource URIs tab, enter a list of base resource URIs that can be used to select this access token management instance. Click Next.
  You can find more information in Managing resource URIs in the PingFederate documentation.
- (Optional) On the Access Control tab, select whether to restrict allowed clients. Click Next.
  You can find more information in Defining access control.
- On the Summary tab, click Save.
Creating access token mappings
Configure the access token mappings for the ATM you configured in the previous procedure.
You can find more information about configuration options in Managing access token mappings and Configuring access token mapping in the PingFederate documentation.
Steps
- On the Access Token Mappings page:
  - In the Context menu, select the desired authentication policy contract.
  - In the Access Token Manager menu, select the JWT ATM that you configured in the previous procedure.
  - Click Add Mapping.
- On the Attribute Sources & User Lookup tab, click Next.
- On the Contract Fulfillment tab, select a Source and Value to map into the acr and amr attributes in the Contract list:
  For example, to configure contract fulfillment for the acr attribute:
  - In the Source list, select Authentication Policy Contract.
  - In the Value list, select acr.
  - Repeat for amr and any optional attributes that you extended the contract for in step 4 of Configuring an adapter instance.
    - For the amr attribute, in the Source list, select Authentication Policy Contract, and in the Value list, select amr.
  - Click Next.
  You can find more configuration information in Configuring access token fulfillment in the PingFederate documentation.
- (Optional) On the Issuance Criteria tab, configure the criteria for use with this token authorization.
  You can find more configuration information in Defining issuance criteria for access token mapping in the PingFederate documentation.
- On the Summary tab, click Save.
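To confirm the result of both procedures, the following Python check is an added example, not part of the PingFederate documentation or product. It decodes a token issued by the new ATM and reports whether the header names an RSA JWS algorithm and whether the acr and amr attributes from the contract are present. The function names and sample tokens are constructed for illustration, and the signature is not verified.

```python
import base64
import json

# JOSE "alg" values that use an RSA key (RFC 7518).
RSA_ALGS = ("RS256", "RS384", "RS512", "PS256", "PS384", "PS512")


def b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def check_atm_token(token, required=("acr", "amr")):
    """Return configuration findings for a token; an empty list means OK."""
    # Inspection only: the signature is not verified, so never authorize on this.
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (expected three dot-separated segments)"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header or payload is not a JSON object"]
    findings = []
    if header.get("alg") not in RSA_ALGS:
        findings.append("alg %r is not an RSA JWS algorithm" % header.get("alg"))
    if not parts[2]:
        findings.append("signature segment is empty")
    for name in required:
        if name not in claims:
            findings.append("attribute %r missing from token" % name)
    return findings


def make_sample(header, claims, signature=b"constructed-placeholder"):
    # Constructed sample token; the signature bytes are a placeholder, not a real JWS signature.
    segments = (json.dumps(header).encode(), json.dumps(claims).encode(), signature)
    return ".".join(b64url_encode(s) for s in segments)


GOOD = make_sample({"alg": "RS256"}, {"acr": "constructed-acr", "amr": ["pwd"]})
BAD = make_sample({"alg": "HS256"}, {"acr": "constructed-acr"})
```

Pass any optional attributes you added to the contract in the `required` argument to check them as well.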