---
title: SOAP STS configuration properties
description: Specifies a string that identifies this SOAP STS instance.
component: pingam
version: 7.5
page_id: pingam:sts:sts-configure-soap-properties
canonical_url: https://docs.pingidentity.com/pingam/7.5/sts/sts-configure-soap-properties.html
keywords: ["Security Token Service (STS)", "Rest", "Configuration", "SOAP"]
page_aliases: ["sts-guide:sts-configure-soap-properties.adoc"]
section_ids:
  general_configuration_properties: General configuration properties
  deployment_configuration_properties: Deployment configuration properties
  soap_keystore_configuration_properties: SOAP keystore configuration properties
---

# SOAP STS configuration properties

* Deployment Url Element

  Specifies a string that identifies this SOAP STS instance.

  The Deployment Url Element is a component of the SOAP STS instance's endpoint. For example, if you specified `mySOAPSTSInstance` as the Deployment Url Element, the SOAP STS endpoint would be `/SOAP STS .war File Name/myRealm/mySOAPSTSInstance`.

## General configuration properties

The following are general configuration properties for SOAP STS instances:

* Persist Issued Tokens in Core Token Store

  Specifies whether to enable token persistence in the Core Token Service (CTS).

  AM saves all STS-issued tokens to CTS when token persistence is enabled. A token's lifetime in CTS has the same length as the Token Lifetime property specified for issued tokens.

  STS token validation and cancellation capabilities require tokens to be present in CTS. Therefore, if your deployment requires token validation and cancellation, you must enable token persistence.

* Issued Tokens

  Specifies the types of tokens that this SOAP STS instance issues as output tokens for token transformations.

* Security Policy Validated Token

  Specifies the `SupportingToken` type in the WS-SecurityPolicy bindings in the SOAP STS deployment's WSDL, and whether the AM session created during token transformation should be invalidated after the token is issued.

## Deployment configuration properties

The following are deployment configuration properties for REST STS instances:

* Authentication Target Mappings

  Specifies one or more mappings that define how the REST STS instance authenticates input tokens.

  Each mapping is a set of arguments separated by the vertical bar character `|` as follows:

  1. (Required) The input token type: `USERNAME`, `OPENAM`, `X509`, `OPENIDCONNECT`, or a custom token type.

  2. (Required) The value `service` or `module`. If the third argument is an authentication chain, specify `service`. If the third argument is an authentication module, specify `module`.

  3. (Required) The name of an AM authentication chain or module to which the input token is authenticated.

  4. (Optional) The name of the header to place the token in when authenticating to AM. Specify this parameter for input `X509` and `OPENIDCONNECT` tokens as follows:

     * For `X509` input tokens, the format is `x509_token_auth_target_header_key=Header Name`.

     * For `OPENIDCONNECT` input tokens, the format is `oidc_id_token_auth_target_header_key=Header Name`.

     Be sure to specify the header names configured in the Certificate or OpenID Connect id\_token bearer authentication module properties as the *Header Name* argument.

     This argument can also be used with custom token types to specify the name of a header or cookie from which to obtain a token. When using this argument with a custom token type, its format is determined by the custom validator class that validates the custom token type.

  The following are example mappings:

  * `USERNAME|service|myLDAPChain` configures STS to authenticate input `USERNAME` tokens to the `myLDAPChain` authentication chain.

  * `X509|module|CertModule|x509_token_auth_target_header_key=ClientCert` configures STS to obtain an X.509 certificate from the `ClientCert` header, use it as the input token, and authenticate it using the `CertModule` authentication module.

* Client Certificate Header Key

  Specifies the name of a header that a TLS offloader should use to transmit client certificates.

  Token transformations that take an X.509 certificate as the input token require the certificate to be presented using two-way TLS, so that the TLS handshake can validate client certificate ownership. A common way of obtaining the client certificate with two-way TLS is to use the `javax.servlet.request.X509Certificate` attribute in the servlet request.

  However, in deployments with TLS offloading, the offloader must use an HTTP header to transmit the certificate to its destination. This configuration property is the name of the HTTP header whose value contains the certificate.

* Trusted Remote Hosts

  Specifies one or more IP addresses of hosts trusted to transmit client X.509 certificates in deployments with TLS offloading.

  To allow any host to transmit a certificate, specify `any` as the value of this property.

  As with the Client Certificate Header Key property, configure this property for deployments with TLS offloading.
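The following is an added example, not part of the product or its documentation: a small Python linter that checks Authentication Target Mapping strings against the argument format described above and reviews Trusted Remote Hosts values. The function names are hypothetical, and it assumes a stricter policy than the page states by reporting `X509` and `OPENIDCONNECT` mappings that omit the header argument.

```python
import ipaddress

# Header-key names for the optional fourth argument, as given on this page.
HEADER_KEYS = {
    "X509": "x509_token_auth_target_header_key",
    "OPENIDCONNECT": "oidc_id_token_auth_target_header_key",
}

def check_mapping(mapping):
    """Return a list of problems in one Authentication Target Mapping string."""
    parts = mapping.split("|")
    if len(parts) not in (3, 4):
        return [f"expected 3 or 4 '|'-separated arguments, got {len(parts)}"]
    token_type, target_kind, target_name = (p.strip() for p in parts[:3])
    problems = []
    if not token_type:
        problems.append("input token type is empty")
    if target_kind not in ("service", "module"):
        problems.append(f"second argument must be 'service' or 'module', got {target_kind!r}")
    if not target_name:
        problems.append("authentication chain or module name is empty")
    expected_key = HEADER_KEYS.get(token_type)
    if expected_key:
        # Custom token types are skipped here: their validator class defines the format.
        key, _, header = parts[3].partition("=") if len(parts) == 4 else ("", "", "")
        if key != expected_key or not header.strip():
            problems.append(f"{token_type} mapping needs {expected_key}=Header Name")
    return problems

def check_trusted_hosts(hosts):
    """Return a list of problems in the Trusted Remote Hosts values."""
    problems = []
    for host in hosts:
        if host == "any":
            # With 'any', the certificate header is accepted from every sender,
            # not only from the TLS offloader that validated the handshake.
            problems.append("'any' accepts the certificate header from every host")
            continue
        try:
            ipaddress.ip_address(host)
        except ValueError:
            problems.append(f"{host!r} is not an IP address")
    return problems

if __name__ == "__main__":
    # Constructed sample values; the first two mappings are the page's examples.
    for m in ["USERNAME|service|myLDAPChain",
              "X509|module|CertModule|x509_token_auth_target_header_key=ClientCert",
              "X509|chain|CertModule"]:
        print(m, "->", check_mapping(m) or "ok")
    print(check_trusted_hosts(["192.0.2.10", "any"]))
```
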

## SOAP keystore configuration properties

The following are SOAP keystore configuration properties for SOAP STS instances:

* Soap Keystore Location

  Specifies the path to a JKS keystore containing keys for signing and encryption when using the symmetric and asymmetric bindings with SOAP messaging. Specify an absolute path or a location in the AM classpath.

  Note that the WSDL File Referencing Security Policy Binding Selection property determines the binding for a SOAP STS instance.

  AM provides a JKS keystore with demo keys, `/path/to/openam/security/keystores/keystore.jks`. For more information about keystores in AM, see [Secrets, certificates, and keys](../security/secrets-certs-keys.html).

* Keystore Password

  Specifies the password used to decrypt the keystore.

* Signature Key Alias

  Specifies the key alias in the keystore used to sign messages from this SOAP STS instance. You must configure this property when using asymmetric binding.

* Signature Key Password

  Specifies the password for the signature key.

* Decryption Key Alias

  Specifies the key alias in the keystore used by this SOAP STS instance to decrypt client messages for the asymmetric binding, and to decrypt the client-generated symmetric key for the symmetric binding.

* Decryption Key Password

  Specifies the password for the decryption key.
