With PingIdentity
- Last Updated: May 20, 2026
- MarkLogic Server
- Version 12.0
You can set up MarkLogic Server to use the vendor PingIdentity as your OAuth external agent.
To set up the PingFederate server to interface with MarkLogic Server, follow these steps, noting as you go the information that you will need later:
- Register with PingIdentity to obtain a tenancy.
- Configure a database to store user information.
  - Set up users.
  - Set up roles.
    - Note the role names to configure as external names during role configuration.
- Make sure that the IdP Adapter Mapping is properly configured for your system.
- If you are using an asymmetric algorithm to sign JWT access tokens, then create or import the key certificate into the PingFederate Server.
- Make sure that access tokens are properly configured to use JSON Web Tokens.
  - Create an Access Token Manager that uses JSON Web Tokens as the Token Type.
    - Note the Token Type for external security object configuration.
  - Ensure that a proper JWT Secret is configured for the token manager.
    To use a symmetric algorithm like HS256 to sign, enter the symmetric key under the symmetric keys section.
    To use an asymmetric algorithm like RS256 to sign, you need to have already inserted the key certificate into PingFederate (Step 3).
    - Note the value of JWS Algorithm for external security object configuration.
    - Note the value of Active Symmetric Key ID for external security object configuration.
    - Note the value of JWT Secret for external security object configuration.
    - (Optional) (Asymmetric algorithm) Note the value of JWKS Endpoint Path under Advanced fields JWKS for external security object configuration.

    Note: The JWT Secrets field secures both symmetric and asymmetric signature keys.

    Note: If you are using an asymmetric algorithm, then you can specify a JWKS URI to validate incoming JWT access tokens with JWKS instead of with JWT Secrets signature keys.
  - Create the JWT access token's payload structure to include claims containing username, roles, and (Optional) privilege information:

    ```
    {
      "payload": {
        "username": <Username info>,
        "roles": <Roles info>,
        "privileges": <Privileges info>
      }
    }
    ```
    - Note the names of the elements from this payload for external security object configuration: username, roles, and (Optional) privileges.
- Create an OAuth 2.0 client by setting the Access Token Manager for the OAuth client to the Access Token Manager created in Step 5a.
  - Note the OAuth client name that you chose for external security object configuration.
Your PingFederate Server is now set up to integrate with MarkLogic Server, and you have the information that you need to configure MarkLogic Server external security.
This table shows how the elements that you noted from the PingFederate server map to fields on the MarkLogic Server External Security configuration page and includes the values used in the example setups:
| PingIdentity element | External Security configuration page field |
|---|---|
| OAuth Client Name EXAMPLE: | OAuth Client ID |
| Token Type EXAMPLE: | OAuth Token Type |
| | OAuth Username Attribute |
| | OAuth Role Attribute |
| (Optional) | OAuth Privilege Attribute |
| JWS Algorithm EXAMPLE: | OAuth JWT Algorithm |
| JWT Secret: Active Symmetric Key ID, JWT Secret. EXAMPLE: Active Symmetric Key ID: JWT Secret (for Symmetric JWS Algorithm): Note: | OAuth JWT Secrets: Secret Key ID, Secret Value |
| (Optional) JWKS Endpoint Path EXAMPLE: Note: | OAuth JWKS URI |
You will also assign each role name returned in the JWT access token payload under the roles claim to a corresponding MarkLogic Server role as its external name.
EXAMPLE: external-user-role
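
To show why each value is noted, here is an added example (not MarkLogic or PingFederate code) of how a token consumer can use the JWS Algorithm, key ID, JWT Secret, and claim names to validate an HS256 access token. It assumes the claims sit at the top level of the token payload and the key ID travels in the `kid` header; all names and values in it are constructed.

```python
import base64, hashlib, hmac, json

# Constructed sample values standing in for the settings noted in PingFederate.
JWS_ALGORITHM = "HS256"                                   # JWS Algorithm
JWT_SECRETS = {"demo-key-1": b"constructed-demo-secret"}  # key ID -> JWT Secret
CLAIMS = {"username": "username", "roles": "roles", "privileges": "privileges"}

def b64d(part):
    """Decode base64url text that has had its padding stripped."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(header, payload, secret):
    """Build a constructed test token the way an authorization server would."""
    body = ".".join(b64e(json.dumps(p).encode()) for p in (header, payload))
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + b64e(sig)

def validate(token):
    """Verify a token against the noted settings and return the mapped claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header, signature = json.loads(b64d(header_b64)), b64d(sig_b64)
        alg, kid = header["alg"], header["kid"]
    except (ValueError, TypeError, KeyError) as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm to the configured value; never let the token choose it.
    if alg != JWS_ALGORITHM:
        raise ValueError("unexpected JWS algorithm")
    secret = JWT_SECRETS.get(kid) if isinstance(kid, str) else None
    if secret is None:
        raise ValueError("unknown key ID")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    payload = json.loads(b64d(payload_b64))
    required = (CLAIMS["username"], CLAIMS["roles"])
    if not isinstance(payload, dict) or not all(c in payload for c in required):
        raise ValueError("missing required claim")
    # The privileges claim is optional, so it defaults to an empty list.
    return {field: payload.get(claim, []) for field, claim in CLAIMS.items()}
```

A production validator would also check token lifetime claims such as `exp`, which this page does not cover.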
You can now set up MarkLogic Server integration through one of the methods described in this section.