---
title: SAML token mediator site authenticators
description: Security Assertion Markup Language (SAML) token mediator site authenticators use the PingFederate Security Token Service (STS) to exchange a PingAccess token for a SAML token that is valid at the target site.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_saml_token_mediator_site_authn
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_saml_token_mediator_site_authn.html
revdate: October 13, 2023
section_ids:
  advanced-settings: Advanced Settings
---

# SAML token mediator site authenticators

Security Assertion Markup Language (SAML) token mediator site authenticators use the PingFederate Security Token Service (STS) to exchange a PingAccess token for a SAML token that is valid at the target site.

The following table describes the fields available for managing SAML token mediator site authenticators on the **New Site Authenticator** page.

| Field                       | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Token Generator ID**      | Defines the **Instance Name** of the token generator that you want to use. The token generator is configured in PingFederate. For more information, see [Managing token generators](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_tokengeneratortasklet_tokenpluginmgmtstate.html) in the PingFederate documentation. If [PingFederate administration](pa_configuring_pf_administration.html) is configured, and PingFederate has one or more token generators configured, this field becomes a list of available token generator IDs. |
| **Logged In Cookie Name**   | Defines the cookie name containing the token that the target site is expecting.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| **Logged In Header Name**   | Defines the header name containing the token that the target site is expecting. You must enter a valid header name per [RFC 7230](https://datatracker.ietf.org/doc/html/rfc7230#section-3.2). You can set both a Logged In Cookie Name and a Logged In Header Name for a SAML token mediator site authenticator, or only one of them, but you must fill out at least one of these two fields. |
| **Logged Off Cookie Name**  | Defines the cookie name that the target site responds with in the event of an invalid or expired token. If the PingAccess token is still valid, PingAccess re-obtains a valid SAML token and makes the request to the site again. If the site responds with the cookie set as logged off again, PingAccess responds to the client with an `access denied` message. |
| **Logged Off Cookie Value** | Defines the value placed in the **Logged Off** cookie to detect an invalid or expired SAML token event.                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
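
The following added example is not PingAccess code or part of the product documentation. It checks the **Logged In** field rules from the table (at least one of the two names, and a header name that matches the RFC 7230 `field-name` grammar) and models the **Logged Off** cookie handling as one token refresh and one retry. The dictionary keys, function names, token strings, and site stubs are hypothetical, and the model assumes the PingAccess token is still valid.

```python
import re

# RFC 7230 section 3.2: field-name = token = 1*tchar
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def validate(cfg):
    """Return problems with the Logged In fields (dict keys are hypothetical)."""
    problems = []
    cookie = cfg.get("logged_in_cookie")
    header = cfg.get("logged_in_header")
    if not cookie and not header:
        problems.append("set Logged In Cookie Name, Logged In Header Name, or both")
    if header and not TOKEN.fullmatch(header):
        problems.append("Logged In Header Name is not an RFC 7230 field-name")
    return problems

def mediate(cfg, saml_token, exchange_token, send_to_site):
    """Simplified model of the logged-off handling, assuming the PingAccess
    token is still valid: one token refresh, one retry, then deny."""
    def logged_off(cookies):
        # Both the cookie name and its value must match the configured pair.
        return cookies.get(cfg["logged_off_cookie"]) == cfg["logged_off_value"]

    if not logged_off(send_to_site(saml_token)):
        return "forwarded"
    fresh = exchange_token()  # stands in for the STS token exchange
    if not logged_off(send_to_site(fresh)):
        return "forwarded after refresh"
    return "access denied"

# Constructed sample configuration and target-site stubs.
CFG = {"logged_in_header": "X-SAML-Token",
       "logged_off_cookie": "site_state", "logged_off_value": "expired"}

def strict_site(token):
    """Accepts only the fresh token; otherwise sets the logged-off cookie."""
    return {} if token == "saml-fresh" else {"site_state": "expired"}

def broken_site(token):
    """Always reports logged off, so the retry cannot succeed."""
    return {"site_state": "expired"}

def demo():
    return [mediate(CFG, "saml-stale", lambda: "saml-fresh", site)
            for site in (strict_site, broken_site)]

if __name__ == "__main__":
    print(validate(CFG), demo())
```

A target site that sets the logged-off cookie on every response ends in `access denied` after a single retry, so a mismatch between the configured cookie value and what the site actually sends is worth checking when users are denied unexpectedly.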

## Advanced Settings

To configure advanced settings on a SAML token mediator site authenticator, expand the **Show Advanced Settings** section at the bottom of the **New Site Authenticator** page. These settings are optional.

| Field                  | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Token Processor ID** | Defines the instance name of a token processor that you want to use. The token processor is configured in PingFederate. Specify this value if more than one instance of either the JSON Web Token (JWT) processor or the OAuth bearer access token processor is defined in PingFederate. If [PingFederate Administration](pa_configuring_pf_administration.html) is configured, and PingFederate has one or more token processors configured, this field becomes a list of available token processor IDs. |
