PingAccess

Token mediator site authenticators

Token mediator site authenticators use the PingFederate Security Token Service (STS) to exchange a PingAccess token for a security token, such as a Web Access Management (WAM) token or OpenToken, that is valid at the target site.

The following fields are available for managing token mediator site authenticators on the New Site Authenticator page.

Token Generator ID

Defines the instance name of the token generator that you want to use.

The token generator is configured in PingFederate. For more information, see Managing Token Generators in the PingFederate documentation.

If PingFederate Administration is configured, and PingFederate has one or more token generators configured, this field becomes a list of available token generator IDs.

Logged In Cookie Name

Defines the cookie name containing the token that the target site is expecting.

Logged Off Cookie Name

Defines the cookie name that the target site responds with in the event of an invalid or expired token.

If the PingAccess token is still valid, PingAccess re-obtains a valid WAM token and makes the request to the site again.

If the site responds with the cookie set as logged off again, PingAccess responds to the client with an access denied message.

Logged Off Cookie Value

Defines the value placed in the Logged Off cookie to detect an invalid or expired WAM token event.
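The retry-once-then-deny behaviour described for the Logged Off cookie can be modelled in a few lines. The following Python is an added example and not PingAccess code; the cookie names, cookie value and token strings are constructed stand-ins for the console fields, and `obtain_wam_token` stands in for the PingFederate STS exchange.

```python
"""Added example, not PingAccess code: a small model of the Logged Off cookie
handling described above. Cookie names and token values are constructed."""
import itertools
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-ins for the console fields
LOGGED_IN_COOKIE_NAME = "WAM_SESSION"
LOGGED_OFF_COOKIE_NAME = "WAM_LOGGED_OFF"
LOGGED_OFF_COOKIE_VALUE = "true"


@dataclass
class SiteResponse:
    status: int
    # name -> value pairs taken from the site's Set-Cookie headers
    set_cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class MediatedResult:
    status: int
    body: str
    attempts: int  # how many times the site was contacted


def site_signalled_logged_off(resp: SiteResponse) -> bool:
    """The site reports an invalid or expired WAM token by setting the
    configured Logged Off cookie to the configured value."""
    return resp.set_cookies.get(LOGGED_OFF_COOKIE_NAME) == LOGGED_OFF_COOKIE_VALUE


def mediate_request(
    pa_token_valid: bool,
    cached_wam_token: Optional[str],
    obtain_wam_token: Callable[[], str],
    send_to_site: Callable[[str], SiteResponse],
) -> Tuple[MediatedResult, Optional[str]]:
    """Forward one request to the WAM-protected site.

    Returns the result for the client and the WAM token to keep cached
    for the session (None when nothing usable remains).
    """
    if not pa_token_valid:
        # Without a valid PingAccess token there is nothing to exchange
        return MediatedResult(401, "PingAccess token invalid", 0), None
    wam_token = cached_wam_token or obtain_wam_token()  # STS exchange on cache miss
    resp = send_to_site(wam_token)
    attempts = 1
    if site_signalled_logged_off(resp):
        # PingAccess token is still valid: re-obtain a WAM token and try once more
        wam_token = obtain_wam_token()
        resp = send_to_site(wam_token)
        attempts = 2
        if site_signalled_logged_off(resp):
            # Logged off twice in a row: stop and deny access to the client
            return MediatedResult(403, "access denied", attempts), None
    return MediatedResult(resp.status, "ok", attempts), wam_token


def demo_expired_cache_then_fresh_token() -> MediatedResult:
    """Constructed scenario: the cached WAM token has expired at the site,
    the re-obtained one is accepted."""
    valid_at_site = {"wam-token-2"}
    issued = iter(["wam-token-2"])

    def site(token: str) -> SiteResponse:
        if token in valid_at_site:
            return SiteResponse(200, {LOGGED_IN_COOKIE_NAME: token})
        return SiteResponse(200, {LOGGED_OFF_COOKIE_NAME: LOGGED_OFF_COOKIE_VALUE})

    result, _ = mediate_request(True, "wam-token-1", lambda: next(issued), site)
    return result


def demo_site_rejects_every_token() -> MediatedResult:
    """Constructed scenario: the site keeps signalling logged off."""
    counter = itertools.count(1)

    def site(token: str) -> SiteResponse:
        return SiteResponse(200, {LOGGED_OFF_COOKIE_NAME: LOGGED_OFF_COOKIE_VALUE})

    result, _ = mediate_request(True, None, lambda: f"wam-token-{next(counter)}", site)
    return result


if __name__ == "__main__":
    print(demo_expired_cache_then_fresh_token())
    print(demo_site_rejects_every_token())
```

The point worth noticing is that the mediator bounds its retries to one: a site that answers logged off for every token produces exactly two upstream calls and then an access denied to the client, so a misconfigured Logged Off Cookie Value (one the site never sends) would surface as the site's own error rather than a loop.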

Send Cookies to Browser

Allows the token mediator to send the backend cookie defined in the Logged In Cookie Name field back to the browser if the protected application has updated it.

If the set-cookie header isn’t in the response from the protected site and the token mediator site authenticator has a cached token for that session, the site authenticator will create a new set-cookie response header based on the Cookie Domain, Cookie Max Age, HTTP-Only Cookie and Secure Cookie fields in the administrative console.

The administrator can then direct the token mediator site authenticator to actively return cookies to the user’s browser, even when the protected site isn’t doing that.

Use this option to enable a seamless single sign-on (SSO) experience for users navigating from applications protected by PingAccess to applications protected by a third-party WAM system.

Cookie Domain

Enter the domain of the logged-in cookie.

Cookie Max Age

Define the length of time, in minutes, that you want the generated logged-in cookie to be valid.

HTTP-Only Cookie

Define the logged-in cookie as HTTP-Only. An HTTP-only cookie cannot be read through non-HTTP means such as client-side JavaScript (for example, by referencing document.cookie).

Secure Cookie

Indicate whether the generated logged-in cookie must be sent using only HTTPS connections.
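The Send Cookies to Browser behaviour, together with the four cookie fields above, amounts to a small decision: pass the site's own updated cookie through, otherwise re-issue the cached token as a Set-Cookie header built from Cookie Domain, Cookie Max Age, HTTP-Only Cookie and Secure Cookie. The following Python is an added example and not PingAccess code; the cookie name, domain, max age and token values are constructed stand-ins for the console fields, and the exact header layout is this example's, not PingAccess's.

```python
"""Added example, not PingAccess code: models the Send Cookies to Browser
behaviour described above. Field values below are constructed."""
from typing import List, Optional

# Constructed stand-ins for the console fields
LOGGED_IN_COOKIE_NAME = "WAM_SESSION"
COOKIE_DOMAIN = "app.example.com"
COOKIE_MAX_AGE_MINUTES = 30   # the console field is in minutes
HTTP_ONLY_COOKIE = True
SECURE_COOKIE = True


def build_set_cookie(name: str, value: str, domain: str,
                     max_age_minutes: int, http_only: bool, secure: bool) -> str:
    """Render a Set-Cookie header value; Max-Age is in seconds on the wire."""
    parts = [f"{name}={value}", f"Domain={domain}", f"Max-Age={max_age_minutes * 60}"]
    if http_only:
        parts.append("HttpOnly")
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


def find_cookie_header(set_cookie_headers: List[str], name: str) -> Optional[str]:
    """Return the Set-Cookie header for `name`, if the site sent one."""
    for header in set_cookie_headers:
        if header.split("=", 1)[0].strip() == name:
            return header
    return None


def logged_in_cookie_for_browser(site_set_cookie_headers: List[str],
                                 cached_wam_token: Optional[str]) -> Optional[str]:
    """Header to return to the browser when Send Cookies to Browser is on:
    the site's own updated cookie wins; otherwise a cached token is
    re-issued using the console's cookie settings; otherwise nothing."""
    from_site = find_cookie_header(site_set_cookie_headers, LOGGED_IN_COOKIE_NAME)
    if from_site is not None:
        return from_site
    if cached_wam_token is None:
        return None
    return build_set_cookie(LOGGED_IN_COOKIE_NAME, cached_wam_token, COOKIE_DOMAIN,
                            COOKIE_MAX_AGE_MINUTES, HTTP_ONLY_COOKIE, SECURE_COOKIE)


def cookie_attributes(header: str) -> set:
    """Lower-cased attribute names (flags and key=value attributes) of a Set-Cookie value."""
    return {p.strip().split("=", 1)[0].lower() for p in header.split(";")[1:]}


def has_hardening_flags(header: str) -> bool:
    """Check to run on captured responses: the browser-bound logged-in cookie
    carries both HttpOnly and Secure."""
    attrs = cookie_attributes(header)
    return "httponly" in attrs and "secure" in attrs


if __name__ == "__main__":
    # Site omitted the cookie, mediator has a cached token: synthesised header
    print(logged_in_cookie_for_browser(["Other=1; Path=/"], "tok-123"))
    # Site updated the cookie itself: passed through unchanged
    print(logged_in_cookie_for_browser(["WAM_SESSION=tok-456; Path=/"], "tok-123"))
```

Two details matter in practice. The console takes Cookie Max Age in minutes while the Max-Age attribute is in seconds, so the conversion belongs in one place. And a cookie the site sets itself is forwarded as the site sent it, so the HTTP-Only and Secure settings in the console only govern the synthesised header; `has_hardening_flags` is the kind of check to run against real responses to confirm the WAM cookie reaching the browser is flagged either way.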

Token Processor ID

Defines the instance name of a token processor that you want to use.

The token processor is configured in PingFederate. Specify this value if more than one instance of either the JSON Web Token (JWT) processor or the OAuth bearer access token processor is defined in PingFederate.

If PingFederate Administration is configured, and PingFederate has one or more token processors configured, this field becomes a list of available token processor IDs.