vendor hub
Ping Identity
Everything on ronutz.com for Ping Identity, in one place: every tool, grouped by family, followed by every article. Tools compute locally in your browser; articles are grounded in vendor documentation.
Tools (8)
Single sign-on & federation
OIDC Decoder
Paste an OpenID Connect ID token or a .well-known/openid-configuration document and decode it: the core claims, profile claims, endpoints, and capabilities, with checks for required claims, signing algorithm, nonce, and PKCE.
Identity & tokensSAML Decoder
Paste a SAML Response or assertion (raw, base64, or URL-encoded) and decode its issuer, status, subject, conditions, audience, and attributes, with signature and weak-algorithm checks. Hardened against XXE.
Identity & tokens
OAuth & tokens
JWKS explainer + key matcher
Paste a JSON Web Key Set to break down every key, flag any private material, and match a JWT to its key by kid. Nothing leaves your browser.
Identity & tokensJWT Decoder & Verifier
Decode a JSON Web Token's header and claims, read its expiry and timing in plain language, and verify an HS256/384/512 signature with a pasted secret. Runs entirely in your browser.
Identity & tokensOAuth PKCE Verifier & Challenge
Generate an OAuth 2.0 code_verifier and derive its S256 code_challenge, or paste your own and check it against RFC 7636's length and charset rules. The same SHA-256 base64url derivation your authorization server expects. Runs entirely in your browser.
Identity & tokens
Risk & client signals
JA3 / JA3N passive TLS fingerprint
Paste a JA3 string and it recomputes the JA3 hash, computes the permutation-stable JA3N, decodes the fields, and flags GREASE values.
Security & WAFJA4 / JA3 TLS fingerprint decoder
Decode a JA4 TLS client fingerprint or a JA3 fingerprint into its fields, compute the hashed JA4 from raw values, or compute a JA3 MD5. It auto-detects which you paste. All in your browser.
Security & WAF
Articles (32)
Single sign-on & federation
Inside a SAML Assertion: Subject, Conditions, and Audience
The anatomy of a SAML assertion: the Subject and NameID formats, bearer SubjectConfirmation and the NotOnOrAfter / Recipient / InResponseTo checks, the Conditions validity window, the AudienceRestriction, and the AuthnStatement, with the validation a service provider must perform on each.
Security & WAFReadOIDC Discovery: The openid-configuration Document
How the .well-known/openid-configuration document lets a relying party learn a provider's endpoints and capabilities automatically, what the issuer, jwks_uri, and signing-algorithm fields mean, why advertising the none algorithm is dangerous, and why PKCE S256 support matters.
Identity & tokensReadOIDC vs OAuth 2.0: Authentication vs Authorization
Why OAuth 2.0 is about authorization and OpenID Connect is about authentication, the difference between an access token and an ID token, why using plain OAuth as a login mechanism is a known antipattern, and how to tell which token is which.
Identity & tokensReadOpenID Connect: An Identity Layer on OAuth 2.0
What OpenID Connect adds to OAuth 2.0, the ID token at the center of it, the relying party and provider roles, how the authorization code flow delivers an ID token, and why an ID token is just a JWT you can decode and read.
Identity & tokensReadSAML 2.0: How Browser SSO Works
What a SAML assertion is, the roles of the identity provider and service provider, the SP-initiated Web Browser SSO flow end to end, and the difference between the HTTP-POST and HTTP-Redirect bindings that carry the messages.
Security & WAFReadSAML Bindings and SP vs IdP Initiation
A SAML flow can start at the service or at the identity provider, and the messages can travel by two different bindings: an HTTP redirect with the message packed into the URL, or an auto-submitting HTML form that POSTs it. Which binding carries which message, and where the flow begins, explains a lot of SSO behavior.
Security & WAFReadSAML Signatures and XML-DSig
How a SAML message is signed with XML Signature: the enveloped ds:Signature, the SignatureMethod and DigestMethod algorithms, why SHA-1 is weak, the difference between signing the Response and signing the Assertion, and how XML signature wrapping attacks work.
Security & WAFReadThe ID Token Claims, and What a Relying Party Checks
The claims inside an OIDC ID token: the required iss, sub, aud, exp, and iat; the nonce that stops replay; azp when there are multiple audiences; acr and amr for authentication strength; auth_time; and the at_hash and c_hash binding claims, with the validation a relying party performs on each.
Identity & tokensReadThe OIDC Authorization Code Flow
The authorization code flow is the recommended way an app gets an ID token: the user is redirected to the identity provider to log in, the app receives a short-lived code, and it exchanges that code at a back-channel token endpoint for the tokens. Keeping the token out of the browser is the whole point.
Identity & tokensReadThe SAML Proxy: Inserting an Identity Layer into a Session
A SAML proxy sits in the SSO flow rather than the packet path: it terminates the user's request, forces authentication against an identity provider, and only then lets the session through, using SAML's browser-redirect model. It can act as a service provider to the IdP and an identity provider to the app at once (a proxy or broker), which is how one login federates many downstream systems. This explains the roles, the flow, and why it is a proxy at all.
Security & WAFReadXXE and Why a SAML Parser Rejects DOCTYPE
How XML External Entity (XXE) attacks work, the billion-laughs denial-of-service, why both depend on a DTD, and why a hardened SAML decoder rejects any DOCTYPE or entity declaration outright rather than trying to parse it safely.
Security & WAFRead
OAuth & tokens
Access tokens, refresh tokens, and ID tokens
Three OAuth and OpenID Connect tokens that get constantly confused, what each is actually for, and why sending the wrong one to the wrong place is a real bug.
Identity & tokensReadAnatomy of a JSON Web Token
The three segments of a JWT, how the signature makes it trustworthy, and why decoding a token is not the same as verifying it.
Identity & tokensReadJWK Key Types: RSA, EC, OKP, and oct
Every JSON Web Key declares a kty, and that one field decides which parameters the key carries. Four types cover almost everything you will meet: RSA, elliptic curve, the Edwards and Montgomery curves, and the symmetric octet sequence. The crucial split in all of them is public versus private.
Identity & tokensReadJWK Parameters and Thumbprints
A JWK is a JSON object describing one key, and its parameters say what the key is for and how to identify it. Beyond the key material, kid names it and an RFC 7638 thumbprint gives it a stable, computed identifier. This covers the common parameters and how a thumbprint is derived and used.
Identity & tokensReadJWKS and Key Rotation: How Providers Publish Their Keys
A JWKS is the public phone book of signing keys that an identity provider publishes so anyone can verify its tokens. Understanding the keys array, the kid that names each key, and why a provider keeps more than one key at a time is the foundation of token verification.
Identity & tokensReadJWT Algorithm Confusion Attacks
Two classic JWT verification failures come from trusting the token's own algorithm header: accepting alg none, and being tricked into verifying an RS256 token as HS256 using the public key as the secret. Both are defeated by pinning the expected algorithm on the server instead of reading it from the token.
Identity & tokensReadJWT security pitfalls: alg:none, key confusion, and missing checks
The handful of mistakes that turn a JWT verifier into a forgery machine, and the validation a correct verifier must perform.
Identity & tokensReadJWT signing algorithms: HMAC, RSA, and ECDSA
Why a JWT's alg header matters, the difference between symmetric and asymmetric signing, and how to choose.
Identity & tokensReadOpenID Connect: identity on top of OAuth 2.0
How OIDC adds authentication to OAuth's authorization, what the ID token is, and why the code flow with PKCE is the recommended path.
Identity & tokensReadPKCE: securing the OAuth authorization code flow
The interception attack PKCE defeats, how the verifier and challenge fit together, and why S256 is mandatory.
Identity & tokensReadPublic vs confidential clients, and where PKCE fits
Whether an OAuth client can keep a secret decides its whole security model. Why SPAs and mobile apps are public clients, and why PKCE is now recommended for all of them.
Identity & tokensReadThe OAuth 2.0 authorization code flow
The four roles, the redirect-and-exchange dance, and why the code is swapped for a token on the back channel.
Identity & tokensReadVerifying a JWT with a JWKS: From kid to Signature
Verifying a signed token is a short, strict sequence: read the header, find the key whose kid matches in the provider's JWKS, confirm the algorithm, and check the signature. Each step has a classic pitfall, and skipping the strictness is how verification bypasses happen.
Identity & tokensRead
Multi-factor authentication
Base32, explained
Why Base32 trades size for a case-insensitive, unambiguous alphabet, how its 5-bit grouping works, and where it shows up (TOTP secrets, onion addresses, DNS).
Encoding & dataReadHMAC: keyed hashing for message authentication
Why a plain hash proves integrity but not authenticity, how a secret key fixes that, and why HMAC's structure matters.
Hashing & cryptoReadHow TOTP and HOTP one-time passwords work
Both turn a shared secret into a short code that proves possession without sending the secret. HOTP counts events; TOTP counts time. The engine underneath is the same HMAC plus a truncation step.
Identity & tokensReadProvisioning Authenticators: otpauth URIs and QR Codes
Before an authenticator app can generate codes, it needs the shared secret and the parameters that go with it. That is carried in an otpauth URI, usually shown as a QR code to scan. Knowing the URI's fields explains what the QR code actually contains and why the secret is in base32.
Identity & tokensReadValidating one-time passwords: drift, windows, and replay
Generating a code is the easy half. Accepting one means tolerating clock drift, bounding the window, rejecting reuse, and throttling guesses, each a tradeoff between usability and security.
Identity & tokensRead
Risk & client signals
Passive TLS Fingerprinting: JA3, GREASE, and the Churn That Led to JA4
A ClientHello announces the client in the clear, and the combination of versions, ciphers, and extensions is characteristic of the software that sent it. This covers how JA3 turns that into a hash, why GREASE has to be stripped, how extension-order randomization broke JA3 (the churn), how JA3N and JA4 restore stability, and where a TLS fingerprint fits as a signal for secure web gateways and adaptive authentication.
Security & WAFReadWhat Is a JA4 TLS Fingerprint?
How a TLS ClientHello becomes a stable fingerprint of the client software, why JA3 faded once browsers began randomizing extension order, how JA4 fixes that by sorting before hashing, and what JA4 can and cannot tell you.
TLS & transportRead