Contact Us 1-800-596-4880

Configure Client Management with PingFederate

Anypoint Platform supports only PingFederate versions 6 through 8. For versions 9 or later, you can configure the PingFederate client provider as an OIDC provider by following the instructions in Configure OpenID Connect Client Management.

When you configure client provider URLs, use the endpoint /pf-ws/rest/oauth/clients and not /as/clients.oauth2. Do not use PingFederate’s dynamic client registration URL for this configuration.

Steps to Add A PingFederate Client Provider

  1. Log in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Business Groups menu, select your root organization.

  4. In the Access Management navigation menu, click Client Providers.

  5. Click Add Client Provider, and then select PingFederate.

    The Add PingFederate client provider page appears.

  6. Fill in the following required fields:

    • OAuth2 Authorization Provider, Authorize URL

      The authorization endpoint defined by OAuth 2.0 and used to interact directly with resource owners, authenticate owners, and obtain owner authorization. For example:

      https://ec2-55-88-144-83.us-west-2.compute.amazonaws.com:9031/as/authorization.oauth2

    • OAuth2 Token Provider, Create URL

      The endpoint that creates an access token for OAuth authentication. For example:

      https://ec2-55-88-144-83.us-west-2.compute.amazonaws.com:9031/as/token.oauth2

    • OAuth2 Token Validation Provider

      • Validate URL

        The token endpoint defined in the OAuth 2.0 specification where the client obtains an access token and possibly a refresh token by presenting its authorization grant. For example:

        https://ec2-55-88-144-83.us-west-2.compute.amazonaws.com:9031/as/token.oauth2

      • Username Token Mapping

        The name of the user requesting access. For example, the username mapping token uid.

      • Client Id

        The optional client identifier that is the username of the client being authenticated using HTTP Basic Authentication.

      • Client Secret

        The optional client password of the client being authenticated using HTTP Basic Authentication.

    • OAuth 2 Client Provider

      • Create URL

        The URL at which the PingFederate client management API resources are served. For example:

        https://ec2-55-88-144-83.us-west-2.compute.amazonaws.com:9031/pf-ws/rest/oauth/clients

        The base URL could be the base URL for your server. Confirm this with your PingFederate administrator.

      • Delete URL

        URL destination for sending a DELETE request to delete a test client. For example:

        https://ec2-55-88-144-83.us-west-2.compute.amazonaws.com:9031/pf-ws/rest/oauth/clients/{{client_id}}

      • Username

        Name of user with privileges for creating new clients within the target PingFederate system.

      • Password

        Password of user with privileges for creating new clients within the target PingFederate system.

  7. Check Bypass approval page if you already have approval.

  8. Save your configuration.

Now, you can apply the PingFederate OAuth Token Enforcement policy to your APIs.