URL: https://docs.mulesoft.com/access-management/conf-client-mgmt-pf-task

Configuring PingFederate Client Management in Anypoint Platform | MuleSoft Documentation


Configuring PingFederate Client Management in Anypoint Platform

Configure PingFederate versions 6 through 8 as a client provider in Anypoint Platform to manage OAuth 2.0 client authentication. Map authorization, token, and client management endpoints to your PingFederate deployment.

Anypoint Platform supports only PingFederate versions 6 through 8. For versions 9 or later, you can configure the PingFederate client provider as an OIDC provider by following the instructions in Configure OpenID Connect Client Management.

When you configure client provider URLs, use the endpoint /pf-ws/rest/oauth/clients and not /as/clients.oauth2. Do not use PingFederate’s dynamic client registration URL for this configuration.

Manage a PingFederate Client Provider

To edit existing PingFederate client providers:

  1. Sign in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. Select Access Management from the gear icon menu.

  3. In the Access Management navigation menu, click Client Providers.

  4. Click the name of the PingFederate client to edit.

  5. Edit these fields:

    • OAuth2 Authorization Provider, Authorize URL

      The authorization endpoint defined by OAuth 2.0 and used to interact directly with resource owners, authenticate owners, and obtain owner authorization. For example:

      https://ec2-55-88-144-83.us-west-2.compute.amazonaws.com:9031/as/authorization.oauth2

    • OAuth2 Token Provider, Create URL

      The endpoint that creates an access token for OAuth authentication. For example:

      https://ec2-55-88-144-83.us-west-2.compute.amazonaws.com:9031/as/token.oauth2

    • OAuth2 Token Validation Provider

      • Validate URL

        The token endpoint defined in the OAuth 2.0 specification where the client obtains an access token and possibly a refresh token by presenting its authorization grant. For example:

        https://ec2-55-88-144-83.us-west-2.compute.amazonaws.com:9031/as/token.oauth2

      • Username Token Mapping

        The name of the user requesting access. For example, the username mapping token uid.

      • Client Id

        The optional client identifier that is the username of the client being authenticated using HTTP Basic Authentication.

      • Client Secret

        The optional client password of the client being authenticated using HTTP Basic Authentication.

    • OAuth 2 Client Provider

      • Create URL

        The URL at which the PingFederate client management API resources are served. For example:

        https://ec2-55-88-144-83.us-west-2.compute.amazonaws.com:9031/pf-ws/rest/oauth/clients

        The base of this URL is the base URL of your PingFederate server. Confirm this with your PingFederate administrator.

      • Delete URL

        URL destination for sending a DELETE request to delete a test client. For example:

        https://ec2-55-88-144-83.us-west-2.compute.amazonaws.com:9031/pf-ws/rest/oauth/clients/{{client_id}}

      • Username

        Name of user with privileges for creating new clients within the target PingFederate system.

      • Password

        Password of user with privileges for creating new clients within the target PingFederate system.

  6. Select Bypass approval page if you already have approval.

  7. Click Save.
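
A pre-save check for the field values in step 5, as an added example that is not MuleSoft's or Ping Identity's code: it applies the page's path rule (/pf-ws/rest/oauth/clients, not /as/clients.oauth2) and the supported version range. The field keys, the pf.example.com host, the https requirement, and the shared-base-URL check are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Paths are taken from the page; the field keys are hypothetical names.
CLIENT_API = "/pf-ws/rest/oauth/clients"
WRONG_CLIENT_PATH = "/as/clients.oauth2"
EXPECTED_SUFFIX = {
    "authorize_url": "/as/authorization.oauth2",
    "token_create_url": "/as/token.oauth2",
    "token_validate_url": "/as/token.oauth2",
    "client_create_url": CLIENT_API,
    "client_delete_url": CLIENT_API + "/{{client_id}}",
}


def lint_provider(cfg, pf_major_version):
    """Return a list of findings; an empty list means the values pass."""
    findings = []
    if not 6 <= pf_major_version <= 8:
        findings.append("version: only PingFederate 6 through 8 is supported here")
    bases = set()
    for field, suffix in EXPECTED_SUFFIX.items():
        parts = urlsplit(cfg.get(field, ""))
        if not parts.netloc:
            findings.append(f"{field}: missing or not an absolute URL")
            continue
        bases.add((parts.scheme, parts.netloc))
        # Assumption added here: Basic credentials should only travel over TLS.
        if parts.scheme != "https":
            findings.append(f"{field}: not https")
        path = parts.path.rstrip("/")
        if field.startswith("client_") and WRONG_CLIENT_PATH in path:
            findings.append(f"{field}: uses {WRONG_CLIENT_PATH}, expected {CLIENT_API}")
        elif not path.endswith(suffix):
            findings.append(f"{field}: path does not end with {suffix}")
    # Assumption from the page's examples: every endpoint shares one base URL.
    if len(bases) > 1:
        findings.append("base URL differs between fields")
    return findings


# Constructed sample values (pf.example.com is a placeholder host).
BASE = "https://pf.example.com:9031"
GOOD = {f: BASE + s for f, s in EXPECTED_SUFFIX.items()}
BAD = dict(GOOD, client_create_url=BASE + WRONG_CLIENT_PATH,
           client_delete_url="http://pf.example.com:9031" + CLIENT_API)

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_provider(cfg, 8) or "ok")
```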
