PingFederate Server

Configuring STS authentication

You can configure PingFederate to require that client applications provide credentials to access the STS.

About this task

Although it is an optional configuration, configuring security token service (STS) authentication is recommended for identity provider (IdP) configurations that use the Username Token Processor. For other token processors and token generators, trust in the identity of the client is conveyed within the token itself and verified as part of processing. You can still configure authentication requirements to add another layer of security by limiting access to only authenticated clients.

You can configure STS authentication to apply globally, to all token formats and all IdP and service provider (SP) partner connections, or to apply finer-grained controls at the connection level, for individual partner connections or token-to-token mappings, through issuance criteria.

Steps

  1. Go to System → Server → Protocol Settings.

  2. On the WS-Trust STS Settings tab, click Configure WS-Trust STS Authentication to open the WS-Trust STS Settings window.

  3. On the Authentication Methods tab, select the Require HTTP Basic Authentication check box, the Require Mutual SSL/TLS Authentication check box, or both.

    If both the Require HTTP Basic Authentication check box and the Require Mutual SSL/TLS Authentication check box are selected, all clients must provide credentials for both mechanisms.

    If you select the Require Mutual SSL/TLS Authentication check box, you must configure a secondary PingFederate HTTPS port (pf.secondary.https.port) in the run.properties file. For more information, see Configuring PingFederate properties.

  4. If you select the Require HTTP Basic Authentication check box, manage user accounts on the HTTP Basic Authentication tab.

    1. Click Create User.

    2. On the HTTP Basic Authentication tab, enter a user name in the username field and a password in the password field. Repeat to create additional user accounts for your client applications.

    3. Click Done.

      On the HTTP Basic Authentication tab, you can also delete user accounts and update their passwords.

  5. If you select the Require Mutual SSL/TLS Authentication check box, on the Mutual SSL Authentication tab, click Configure Mutual SSL Authentication.

    1. On the Authentication Options tab, you can select the Restrict Access by Subject DN check box, the Restrict Access by Issuer Certificate check box, or both. Click Next.

      If both options are selected, the client certificate used for authentication to the STS endpoints must meet both sets of restrictions.

    2. If you selected the Restrict Access by Subject DN check box, enter one or more subject DNs on the Allowed Subject DNs tab.

      On the Allowed Subject DNs tab, you can edit or delete existing entries but you must keep at least one subject DN.

    3. Click Next. When finished, click Save.

    4. If you selected the Restrict Access by Issuer Certificate check box, on the Allowed Issuer Certificates tab, from the Issuer Certificate list, select one or more client certificates.

    5. Click Add.

      If you have not yet imported the client certificate, click Manage Certificates to do so.

      On the Allowed Issuer Certificates tab, you can remove existing entries but you must keep at least one issuer.

    6. On the Summary tab, review your mutual SSL/TLS authentication settings. Click Done.

      Result:

      This will take you back to the WS-Trust STS Settings window.

  6. When you finish configuring WS-Trust STS settings, on the Summary tab, review the configuration. To keep your changes, click Save.
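The following is an added illustration, not PingFederate code, of the access decision that the settings above produce for a client calling the STS: every enabled requirement must pass (basic and mutual TLS when both are selected; subject DN and issuer when both restrictions are selected), and a restriction with an empty allowed list is rejected, as the tabs above require. The DN normalization, the user store, the issuer fingerprint scheme and all sample values are assumptions made for the example.

```python
import hashlib, hmac
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class StsAuthPolicy:
    """Model of the check boxes on the WS-Trust STS Settings tabs (hypothetical, not PingFederate's own)."""
    require_basic: bool = False
    require_mtls: bool = False
    basic_users: dict = field(default_factory=dict)       # username -> password (constructed sample store)
    restrict_subject_dn: bool = False
    allowed_subject_dns: set = field(default_factory=set)
    restrict_issuer: bool = False
    allowed_issuer_fps: set = field(default_factory=set)  # SHA-256 hex of each allowed issuer cert (DER)

@dataclass
class StsRequest:
    basic_user: Optional[str] = None
    basic_password: Optional[str] = None
    client_subject_dn: Optional[str] = None   # None: no client certificate presented on the TLS connection
    issuer_cert_der: Optional[bytes] = None   # DER of the certificate that issued the client certificate

def validate_policy(policy):
    """The UI keeps at least one entry per enabled restriction; enforce the same invariant here."""
    if policy.restrict_subject_dn and not policy.allowed_subject_dns:
        raise ValueError("Restrict Access by Subject DN needs at least one allowed subject DN")
    if policy.restrict_issuer and not policy.allowed_issuer_fps:
        raise ValueError("Restrict Access by Issuer Certificate needs at least one allowed issuer")

def normalize_dn(dn):
    # Assumption: simplified DN comparison (attribute types case-insensitive, whitespace ignored, no escaped commas).
    rdns = (p.split("=", 1) for p in dn.split(","))
    return ",".join(f"{k.strip().upper()}={v.strip()}" for k, v in rdns)

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def authorize(req, policy):
    """Return (allowed, reason). Requirements are cumulative: there is no either/or between mechanisms."""
    if policy.require_basic:
        expected = policy.basic_users.get(req.basic_user or "", "")
        if not req.basic_password or not hmac.compare_digest(expected, req.basic_password):
            return False, "http-basic: missing or invalid credentials"
    if policy.require_mtls:
        if req.client_subject_dn is None or req.issuer_cert_der is None:
            return False, "mutual-tls: no client certificate presented"
        if policy.restrict_subject_dn and normalize_dn(req.client_subject_dn) not in {
                normalize_dn(d) for d in policy.allowed_subject_dns}:
            return False, "mutual-tls: subject DN not in allowed list"
        if policy.restrict_issuer and fingerprint(req.issuer_cert_der) not in policy.allowed_issuer_fps:
            return False, "mutual-tls: issuer certificate not in allowed list"
    return True, "ok"
```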