---
title: Configuring a standard PingFederate runtime
description: Configure a secure connection to the PingFederate runtime in PingAccess:
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_configuring_a_standard_runtime
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_configuring_a_standard_runtime.html
revdate: August 25, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
  result: Result
  next-steps: Next steps
---

# Configuring a standard PingFederate runtime

## About this task

Configure a secure connection to the PingFederate runtime in PingAccess:

## Steps

1. Click **Settings**, then go to **System > Token Provider > PingFederate > Runtime**.

2. Select **Standard Token Provider**.

3. In the **Issuer** field, enter the PingFederate issuer name.

4. **Optional:** In the **Descriptions** field, enter a description for the PingFederate instance.

5. In the **Trusted Certificate Group** list, select the certificate group that the PingFederate certificate is in.

6. To configure advanced settings, click **Show Advanced**.

   1. If host name verification for secure connections isn't required for either the runtime or the backchannel servers, select the **Skip Hostname Verification** check box.

   2. To use a configured proxy for backchannel requests, select the **Use Proxy** check box.

      |   |                                                                                                                                                                                   |
      | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
      |   | If the node is not configured with a proxy, requests are made directly to PingFederate.For more information about creating proxies, see [Adding proxies](pa_adding_proxies.html). |

   3. Select **Use Single-Logout** to enable single logout (SLO) *(tooltip: \<div class="paragraph">
      \<p>The process of signing a user out of multiple sites where the user has started a SSO session.\</p>
      \</div>)* when the `/pa/oidc/logout` endpoint is accessed to clear the cookie containing the PingAccess token.

      If you select this option, PingAccess sends a sign off request to PingFederate, which completes a full SLO flow.

      To use this feature, SLO must be configured on the OpenID Provider (OP) *(tooltip: \<div class="paragraph">
      \<p>In OAuth terms, an authorization server (AS). The OP/AS issues access tokens to protected resources for approved clients (relying parties). The clients use the access token to access the protected resources hosted by the OAuth resource server.\</p>
      \</div>)*.

   4. Enter the **STS Token Exchange Endpoint** to be used for token mediation if it's different from the default value of `<issuer>/pf/sts.wst`.

7. Click **Save**.

   |   |                                                                                                             |
   | - | ----------------------------------------------------------------------------------------------------------- |
   |   | Saving a new PingFederate runtime configuration overwrites any existing PingFederate runtime configuration. |

## Result

After you save the PingFederate runtime connection, PingAccess tests the connection to PingFederate. If the connection can't be made, a warning displays in the admin console, and the PingFederate runtime won't save.

## Next steps

After you save this configuration and perform the steps in [Configuring OAuth resource servers](pa_configuring_oauth_resource_servers.html), a PingFederate access validator is available for selection when you define OAuth-type rules in the policy manager.

After you configure the token provider, click **View Metadata** to display the metadata provided by the token provider. To update the metadata, click **Refresh Metadata**.