PingAccess

SAML token mediator site authenticators

Security Assertion Markup Language (SAML) token mediator site authenticators use the PingFederate Security Token Service (STS) to exchange a PingAccess token for a SAML token that is valid at the target site.

The following table describes the fields available for managing SAML token mediator site authenticators on the New Site Authenticator page.

Field Description

Token Generator ID

Defines the Instance Name of the token generator that you want to use.

The token generator is configured in PingFederate. For more information, see Managing token generators in the PingFederate documentation.

If PingFederate administration is configured, and PingFederate has one or more token generators configured, this field becomes a list of available token generator IDs.

Logged In Cookie Name

Defines the cookie name containing the token that the target site is expecting.

Logged In Header Name

Defines the header name containing the token that the target site is expecting. You must enter a valid header name per RFC 7230.

You can set both a Logged In Cookie Name and a Logged In Header Name for a SAML token mediator site authenticator, or only one of them, but at least one of these two fields is required.

Logged Off Cookie Name

Defines the cookie name that the target site responds with in the event of an invalid or expired token.

If the PingAccess token is still valid, PingAccess re-obtains a valid SAML token and makes the request to the site again. If the site responds with the cookie set as logged off again, PingAccess responds to the client with an access denied message.

Logged Off Cookie Value

Defines the value placed in the Logged Off cookie to detect an invalid or expired SAML token event.
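The required-field rule, the RFC 7230 header-name check and the re-obtain-once-then-deny handling of the Logged Off cookie described above, modelled as an added Python example. This is not PingAccess or PingFederate code: the STS, the target sites, the token values and the cookie and header names are constructed stand-ins.

```python
import re
from dataclasses import dataclass, field

# RFC 7230 "token" characters: the only characters legal in a header field name.
_HEADER_NAME = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

@dataclass
class Response:
    status: int
    cookies: dict = field(default_factory=dict)

class FakeSts:
    """Stand-in for the PingFederate STS: exchanges a PingAccess token for a SAML token."""
    def __init__(self):
        self.calls = 0
    def exchange(self, pa_token):
        self.calls += 1
        return f"saml-assertion-{self.calls}"  # constructed placeholder, not a real assertion

class SamlTokenMediator:
    """Model of the mediator: injects the SAML token and handles the logged-off cookie."""
    def __init__(self, sts, cookie_name=None, header_name=None,
                 logged_off_cookie="LoggedOff", logged_off_value="true"):
        if not cookie_name and not header_name:
            raise ValueError("Logged In Cookie Name or Logged In Header Name is required")
        if header_name and not _HEADER_NAME.match(header_name):
            raise ValueError(f"invalid header name per RFC 7230: {header_name!r}")
        self.sts, self.cookie_name, self.header_name = sts, cookie_name, header_name
        self.logged_off_cookie, self.logged_off_value = logged_off_cookie, logged_off_value

    def handle(self, pa_token, site):
        """Forward with a fresh SAML token; on a logged-off reply, re-obtain once, then deny."""
        for _ in range(2):
            if not pa_token.get("valid"):
                return Response(401)  # the PingAccess token itself is no longer valid
            saml = self.sts.exchange(pa_token)
            headers = {self.header_name: saml} if self.header_name else {}
            cookies = {self.cookie_name: saml} if self.cookie_name else {}
            resp = site(headers, cookies)
            if resp.cookies.get(self.logged_off_cookie) != self.logged_off_value:
                return resp
        return Response(403)  # site reported logged off twice: access denied

def site_accepting_second_token(headers, cookies):
    """Constructed target site: rejects the first assertion as expired, accepts later ones."""
    if (headers.get("X-SAML") or cookies.get("SAMLToken")) == "saml-assertion-1":
        return Response(200, {"LoggedOff": "true"})
    return Response(200)

def site_always_logged_off(headers, cookies):
    return Response(200, {"LoggedOff": "true"})
```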

Advanced Settings

To configure advanced settings on a SAML token mediator site authenticator, expand the Show Advanced Settings section at the bottom of the New Site Authenticator page. These settings are optional.

Field Description

Token Processor ID

Defines the instance name of a token processor that you want to use.

The token processor is configured in PingFederate. Specify this value if more than one instance of either the JSON Web Token (JWT) processor or the OAuth bearer access token processor is defined in PingFederate.

If PingFederate administration is configured, and PingFederate has one or more token processors configured, this field becomes a list of available token processor IDs.