Service Accounts with PingAM

Ping One Advanced Identity Cloud allows the creation of Service Accounts to access their services, but the process is hidden behind their root realm. This is an attempt to replicate that process for PingAM so that you can understand how to replicated it if required.

Create a Service Account

For this we need to create an OAuth2 Client in the root realm that has

• a Public Client Type.
• our required scopes.
• a JWT Bearer Grant Type.
• a private_key_jwt Token Endpoint Authentication Method.

For that perform the following

1. Connect to your PingAM instance and log in as an admin user.
2. Go to Applications -> OAuth 2.0 -> Clients and click Add Client

3. Provide the following details and click the Create button.

   Key	Value
   Client ID	service-account
   Scope(s)	fr:idm:*

   

4. On the Core tab provide the following details and click Save Changes

   Key	Value
   Client Type	Public

   

5. in the Advanced tab provide the following details and click Save Changes

   Key	Value
   Grant Types	JWT Bearer

   

Create a Trusted JWT Issuer

For this we need to generate a JWKS so that we can use the Public Key in the Trusted JWT Issuer being generated. For this go to https://mkjwk.org/ and select the follwoing values and then click GenerJJJJJJJate

Key	Value
Key Size	2048
Key Usage	Signature
Algorithm	RS256:RSA

We will use the Private Key in the Postman request later.

{
    "p": "8lQvHToOl4D48pRnva_CXNBbhMt-5ctgDBy3cATu3rDYY8ohdv-2wvR0ldQatHF32OVTGlPDgjpoFbl4slPlM89EfVEerhfSBodfLtO7ZXZdStFWSbyd5JtqIyofSpVUfW1nVBqaVG3SH8Z01O3zoIMjMSxKKY5-1P46KNr72Tk",
    "kty": "RSA",
    "q": "3ZqYHsyQbaDwuhtDd7iIoV9b6870kXSP_ldKHopteioPDMmNY1ADyWc_iOrUlFr8AX517X-8oY-qgYdXqCafaBJkGjDHzQ7N6lIdkUa178ArH61rOjPeiQKhz_0_y2INMfbOZ0CYILl698g6gnu6AQSOLlKCb1eRNEYgzwtAD0k",
    "d": "bn2veNUlEBOFqii2wF6iBTtbvoXQpE0z6oqCrUyWY7U87fySjeyvv4zH0s76rv2m6Rw0N56mzhVyq_KfB1oW4V411_qHPyT_XeTCfUYXvIyQ3vPsw581T7if9jB4GvQ4Y2E51j_rFKoDF123ukBZmgkTjRcvsfTTpvvr0H-GgPc1mw6lKUwoCZlsjSuWE5_4xqcgUnetvRbdWeWYPkH2ZIMu43i8KS8dYh5UlN_wUJWEBZid9cA6Kwq4q9VD2jpy-xMpHRAa8HvWoUaXNwxAdEMOfDlnE3l__UweBEs7tjQpLHv9Qvya5GY4k83RSHgSbGVFBtUp5vLyaNqlCxZKAQ",
    "e": "AQAB",
    "use": "sig",
    "qi": "l8CIew3kKRvec7ddzeg3bpP5i01Rtoh6M9i0_duZP80kDFqgRYCO-h-F6dWpRTtwtMZCP68vBVcAOPIDsAGpM-keF8EaFaSiuZbm66-qd266ojYD6yBsZl9VPwlSVJp5UFk0E3OOwa5xYoI1XMb83XlGO4_qWSHtuJPPfHyxVKo",
    "dp": "s6apjxddfgBFj0Fqb3v_seNeFeLvXtkZiaE4dTmTBVFB-yj9CkWlbn7gd7tZWPDOEuRgaaIzzTYTuBdaXYpI39IHSoh7IEHUmLZ_YC3kPeI0Y6UyPVQyEisN0qgFrrtqedpDwlw-kd0g7CGqt7j45sSRsIDPMmPLr4gSAfvmvjE",
    "alg": "RS256",
    "dq": "AS74LQHuq4c2gefvXk5P_Hyj4wiB6dzzf-o7bRpUJ1jeJ7VT2fntaz_v6O1IIVqzCdcBDjmmaj54LKTqZO1_4HBotHMaPhAcLWou2j3EbvlZwZuNfQwV3ilzb8bsdkuZwnCM_aQsq9ARxgz9swCyJ5s8nya1p56SGfNd7X0j5HE",
    "n": "0cUDT7YuMiLtacUI6D_axU4kYcizPs_yLLi5_dvWWp7iibYU17XxBX3jo2FWqb1b8viQbrooyxxsdjhxY-qg-3gxSb9Tqi8YZ7xedxNRmHICVwKjU5AsfO3nEs9l1QTy8eRVIbYWV15UX-FC6_Ke1qsVdo64GmAIv90EbExY_tzmUPAsICRW_QWLgu_BpxtTbjAqIjF-pEuaF3ny-K8k312HDVyfHcyDljp8-3uS9mGdPuru5XalkFLPqc8a70NEpqw97IWKC-sLHEUavSVFUSNIQfGnobPs7RoYLW6hODnfGIu2AlZ0NjNhb4ae8xd-UohjUp270GJz6FDd9MtIQQ"
}

Take the Public Key and wrap it as follows

{
    "keys": [
{
    "kty": "RSA",
    "e": "AQAB",
    "use": "sig",
    "alg": "RS256",
    "n": "0cUDT7YuMiLtacUI6D_axU4kYcizPs_yLLi5_dvWWp7iibYU17XxBX3jo2FWqb1b8viQbrooyxxsdjhxY-qg-3gxSb9Tqi8YZ7xedxNRmHICVwKjU5AsfO3nEs9l1QTy8eRVIbYWV15UX-FC6_Ke1qsVdo64GmAIv90EbExY_tzmUPAsICRW_QWLgu_BpxtTbjAqIjF-pEuaF3ny-K8k312HDVyfHcyDljp8-3uS9mGdPuru5XalkFLPqc8a70NEpqw97IWKC-sLHEUavSVFUSNIQfGnobPs7RoYLW6hODnfGIu2AlZ0NjNhb4ae8xd-UohjUp270GJz6FDd9MtIQQ"
}
    ]
}

Next we can create the Trusted JWT Issuer.

1. Connect to your PingAM instance and log in as an admin user.
2. Go to Applications -> OAuth 2.0 -> Trusted JWT Issuer and click Add Trusted JWT Issuer agent

3. Provide the following values and click Create

   Key	Value
   Agent ID	d4f14c26-3d9b-47ed-9dcb-b2ce62c55af6
   JWT Issuer	d4f14c26-3d9b-47ed-9dcb-b2ce62c55af6

4. Provide the following values and click Save Changes

   Key	Value
   JWK Set	Use the Public key created above
   Allowed Subjects	d4f14c26-3d9b-47ed-9dcb-b2ce62c55af6

Get an Access Token

For this we need to fork https://www.postman.com/nirving/pingam/collection/v5rxj4t/service-account?action=share&creator=761710&active-environment=761710-8d8b3e02-a9bb-4ed1-af41-4cc75a7faeed

1. Select get PostMan Lib code and click Send

2. Update the value for AUD to be the coorect value for accessing your realm. An example is https://fram.example.com/openam/oauth2/access_token

3. When done click the send button and the folowing should be returned.
   

   {
       "access_token": "eyJ0eXAiOiJKV1QiLCJraWQiOiIvYXBYSkQ5RWp2MWV1VXZpdGcyMjNVVkdWRFU9IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIodXNyIWQ0ZjE0YzI2LTNkOWItNDdlZC05ZGNiLWIyY2U2MmM1NWFmNikiLCJjdHMiOiJPQVVUSDJfU1RBVEVMRVNTX0dSQU5UIiwiYXVkaXRUcmFja2luZ0lkIjoiZWIyNmMwYTktYTI4Zi00ZTFkLTk1M2QtNDdjMzkwNGI4MDUwLTMxMjkiLCJzdWJuYW1lIjoiZDRmMTRjMjYtM2Q5Yi00N2VkLTlkY2ItYjJjZTYyYzU1YWY2IiwiaXNzIjoiaHR0cHM6Ly9mcmFtLmNvbm5lY3RpZC5kYXJrZWRnZXMuY29tL29wZW5hbS9vYXV0aDIiLCJ0b2tlbk5hbWUiOiJhY2Nlc3NfdG9rZW4iLCJ0b2tlbl90eXBlIjoiQmVhcmVyIiwiYXV0aEdyYW50SWQiOiJqYmZVaE13a1UwM250cFNHb2RMMjNmLWpTZUUiLCJhdWQiOiJzZXJ2aWNlLWFjY291bnQiLCJuYmYiOjE3Mzc5MzYyNjcsImdyYW50X3R5cGUiOiJ1cm46aWV0ZjpwYXJhbXM6b2F1dGg6Z3JhbnQtdHlwZTpqd3QtYmVhcmVyIiwic2NvcGUiOlsiZnI6aWRtOioiXSwiYXV0aF90aW1lIjotMSwicmVhbG0iOiIvY29ubmVjdGlkIiwiZXhwIjoxNzM3OTM5ODY3LCJpYXQiOjE3Mzc5MzYyNjcsImV4cGlyZXNfaW4iOjM2MDAsImp0aSI6IjA3MWxXRkpCNktaZWkyNWFkd29pbVZ5Zm9CayJ9.CYHjnNHhMY2g91NlJl0wjXcRMGe0wT74E43PVDecrGwJ8BBME02gSNHJDYcuR3ndph3u10Jlrq3lFsSL3hbceRoUgOP0Xzi5ReMLaDZJrONT0cwTe9hsmg9ePkohMDPlRdjvrYcWBom8s6Ls4E2S2cZ-Tv3SJrJ7IUvvndma4U-J7iIhhz1i3r3ulyxElIuMBA40ngRQkt9zrI77qRRkgU9l4Rsh1uDy3S2HCcVTGVCw_4P9L3cDvlAeaW3YQ9Q2OwIjWtBonEMpgTefryE6Gpa6Rx7BHyyM641CyGsDZ3fYsLrpDgb5RUX6awGlXAZ2HnzBZiyEj5dmth71KaAqQA",
       "scope": "fr:idm:*",
       "token_type": "Bearer",
       "expires_in": 3599
   }
   

   

Conclusion

This illustrates the Service Account basics. In the next post we will add support for Custom Scopes and how to assign them to individual Service Accounts.