Powered by Zoomin Software. For more details please contactZoomin

Secure MarkLogic Server

Table of Contents

Through the Admin Interface

Save PDF
Save selected topicSave selected topic and subtopicsSave all topics
Share
Share to emailCopy topic URL
Print
  • Last Updated: May 20, 2026
  • 2 minute read
    • MarkLogic Server
    • Version 12.0
    • Documentation

To set up OAuth-based authentication and authorization with PingIdentity through the Admin Interface, follow these steps:

  1. Create your external security object by setting these fields on the External Security configuration page and clicking OK:

    Field

    Setting

    External Security Name

    Enter a descriptive name for this external security object that identifies the external agent.

    EXAMPLE: PingIdentityExampleOAuth

    Description

    (Optional) Enter a description for this external security object.

    EXAMPLE: PingIdentity external security object for OAuth

    Authentication

    Choose oauth from the dropdown.

    Setting this field to oauth makes the OAuth Server fields available.

    Cache Timeout

    Enter a number in seconds after which you want MarkLogic Server to re-authenticate the user with your OAuth external agent instead of with the credentials stored in the cache..

    EXAMPLE: 300 (default kept)

    Note:

    Clear the cache by calling either sec.externalSecurityClearCache() or sec:external-security-clear-cache().

    Authorization

    Choose oauth from the dropdown.

    OAuth Server fields:

    Field

    Setting

    OAuth Flow Type

    Choose Resource server from the dropdown.

    OAuth Vendor

    Choose Ping Identity from the dropdown.

    OAuth Client ID

    Enter the name of the OAuth client that you created.

    EXAMPLE:

    PingExampleClientID

    OAuth Token Type

    Choose JSON Web Tokens from the dropdown.

    OAuth Username Attribute

    username

    OAuth Role Attribute

    roles

    OAuth Privilege Attribute

    (Optional) privileges

    OAuth JWT Algorithm

    Choose RS256 from the dropdown.

    OAuth JWT Secrets

    1. Enter the key ID into the left field as the Secret Key ID and the public key in PEM format into the right field as the Secret Value.

    2. To enter more secrets, click Add Secret to expose additional field pairs.

    EXAMPLE:

    Secret Key ID =

    PingExampleKeyID

    Secret Value =

    • <Hex-encoded JWT Secret>

    • <Hex- or Base64URL-encoded JWT Secret>

    Note:

    The JWT Secrets field secures both symmetric and asymmetric signature keys.

    OAuth JWKS URI

    (Optional) JSON Web Key Sets Endpoint for obtaining JSON Web Keys. URI must support TLS (https) or be a loopback URI.

    EXAMPLE: https://localhost/pf/JWKS

    Note:

    If you are using an asymmetric algorithm, then you can specify a JWKS URI to validate incoming JWT access tokens with JWKS instead of with JWT Secrets signature keys.

  2. Configure your desired app servers to use this external security object by setting these fields on each App Server configuration page and clicking OK:

    Field

    Setting

    Authentication

    Choose oauth from the dropdown.

    Internal Security

    Click the false radio button.

    External Securities dropdown

    Choose from the dropdown the External Security Name that you gave to your external security object in the previous step. Choose only one.

    EXAMPLE: PingIdentityExampleOAuth

  3. Assign the external name to your desired roles by setting this field on each Role configuration page and clicking OK:

    Field

    Setting

    External Name

    Enter the external role name returned in the roles attribute of the JWT token payload that corresponds to this role.

    EXAMPLE: external-user-role

MarkLogic Server is now set up for OAuth-based authentication and authorization with PingIdentity.

TitleResults for “How to create a CRG?”Also Available inAlert