PingFederate Server

Configuring a token generator instance

Configure the SAML token generator instance parameters depending on the use case requirements.

About this task

Depending on the selected token generator, the Instance Configuration tab presents you with different parameters.

Steps

  1. Go to Applications → Token Exchange → Token Generators.

  2. Select an existing generator instance by clicking its name or click Create New Instance to open the Create Token Generator Instance window.

  3. On the Instance Configuration tab, configure the parameters for this instance type. For the integrated SAML 1.0 and 2.0 Token Generators, see the following table and specify parameters for generated SAML tokens.

    SAML token generator instance field names and descriptions
    Field Instructions

    Minutes Before

    Enter a numerical value. This element in a SAML token allows for any server clock variability.

    Minutes After

    Enter a numerical value. This element in a SAML token allows for any server clock variability.

    Issuer

    Enter your SAML 2.0 entity ID or the SAML 1.x issuer as configured in the System → Server → Protocol Settings window.

    Signing Certificate

    Responses containing SAML tokens must be signed. Select a signing certificate from the list.

    If you have not yet created or imported your certificate into PingFederate, click Manage Signing Certificates. For more information, see Manage digital signing certificates and decryption keys.

    Signing Algorithm

    Select the signing algorithm corresponding to the selected certificate. Choices include SHA1 for both RSA and DSA; RSA with SHA256, SHA384, and SHA512; and ECDSA with SHA256, SHA384, and SHA512.

    Include Certificate in KeyInfo

    If selected, the entire public certificate is included with the assertion. Otherwise, a short hash reference to the certificate is sent.

    Include Raw Key in KeyValue

    If selected, the raw key is included in the KeyInfo element as well.

    Audience

    A unique identifier for the target web service, used for the audience element of the generated SAML token.

    Confirmation Method

    Choose from among available methods:

    • urn…cm:sender-vouches (default option)

    • urn…cm:bearer

    • urn…cm:holder-of-key

    For more information, see WSS SAML Token Profile.

    Encryption Certificate

    The web service provider’s public certificate for encryption is required only if holder-of-key is selected as the confirmation method. Select a partner certificate from the list.

    If you have not yet imported the certificate from your partner, click Manage Certificates to do so. For more information, see Managing certificates from partners.

    Message Customization expression

    Click Show Advanced Fields to see this field.

    An OGNL expression to customize the assertion. The returned type from the expression must be an AssertionType, or the customization will be ignored.

    The available attributes are:

    • #AssertionType: org.sourceid.saml20.xmlbinding.assertion.AssertionType

    • #Attributes: org.sourceid.util.log.AttributeMap

    The following example is for SAML2. The line breaks are provided to improve readability.

    #AssertionType
      .getSubject()
      .getNameID()
      .setStringValue("JoeSAML2IDP"),
    #AssertionType

    The following example is for SAML1.1.

    #AssertionType
      .getAuthenticationStatementArray(0)
      .getSubject().getNameIdentifier()
      .setStringValue("Joe123"),
    #AssertionType

    For information about add-on generators, see Integration overview.

  4. Click Next.
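The fields in the table above each map to a specific part of the SAML token that the generator emits: Minutes Before and Minutes After become the Conditions NotBefore/NotOnOrAfter window around IssueInstant, Issuer becomes the Issuer element, Audience becomes the AudienceRestriction, Confirmation Method becomes the SubjectConfirmation Method URI, and Include Certificate in KeyInfo decides whether the signature's KeyInfo carries the full X509Certificate. The following Python script is an added example, not code from this page or from Ping Identity: it parses a constructed SAML 2.0 assertion (the XML, the entity ID, the audience URL and the placeholder certificate value are all made up) and checks that the token matches the values an instance was configured with, plus a validity-window check that shows what the clock-variability minutes buy a relying party.

```python
"""Check a generated SAML 2.0 assertion against the token-generator settings.

Added example (not PingFederate code). The assertion below is constructed
for illustration; the signature is abbreviated to its KeyInfo.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: issued at 12:00, configured Minutes Before = 5 and
# Minutes After = 5, sender-vouches, certificate included in KeyInfo.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed-1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/entity</saml:Issuer>
  <ds:Signature>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://ws.example.test/orders</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# The values the (hypothetical) generator instance was configured with.
EXPECTED_CONFIG = {
    "issuer": "https://idp.example.test/entity",
    "minutes_before": 5,
    "minutes_after": 5,
    "audience": "https://ws.example.test/orders",
    "confirmation_method": "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches",
    "include_certificate_in_keyinfo": True,
}


def parse_utc(value):
    """Parse a SAML xs:dateTime in the 'Z' form into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected):
    """Return {check_name: bool} comparing the token with the configured fields."""
    root = ET.fromstring(xml_text)
    issued = parse_utc(root.get("IssueInstant"))
    cond = root.find("saml:Conditions", NS)
    not_before = parse_utc(cond.get("NotBefore"))
    not_on_or_after = parse_utc(cond.get("NotOnOrAfter"))
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    methods = [sc.get("Method") for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS)]
    key_info = root.find("ds:Signature/ds:KeyInfo", NS)
    has_cert = key_info is not None and key_info.find("ds:X509Data/ds:X509Certificate", NS) is not None
    # Holder-of-key requires the subject's key to be carried in SubjectConfirmationData.
    hok = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
    hok_has_key = all(
        sc.find("saml:SubjectConfirmationData/ds:KeyInfo", NS) is not None
        for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS)
        if sc.get("Method") == hok
    )
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS) == expected["issuer"],
        "minutes_before": issued - not_before == timedelta(minutes=expected["minutes_before"]),
        "minutes_after": not_on_or_after - issued == timedelta(minutes=expected["minutes_after"]),
        "audience": audiences == [expected["audience"]],
        "confirmation_method": methods == [expected["confirmation_method"]],
        "cert_in_keyinfo": has_cert == expected["include_certificate_in_keyinfo"],
        "holder_of_key_has_key": hok_has_key,
    }


def within_validity_window(xml_text, now):
    """Relying-party view: NotBefore is inclusive, NotOnOrAfter is exclusive."""
    cond = ET.fromstring(xml_text).find("saml:Conditions", NS)
    return parse_utc(cond.get("NotBefore")) <= now < parse_utc(cond.get("NotOnOrAfter"))


if __name__ == "__main__":
    for name, ok in check_assertion(SAMPLE_ASSERTION, EXPECTED_CONFIG).items():
        print(f"{name:24s} {'OK' if ok else 'MISMATCH'}")
    print("valid at 11:57Z:", within_validity_window(SAMPLE_ASSERTION, parse_utc("2024-05-01T11:57:00Z")))
```

Running the script against a real token (replace SAMPLE_ASSERTION with the assertion returned by the token exchange endpoint) shows at a glance whether the Minutes Before/After, Audience and KeyInfo settings took effect; the window check also makes clear why those minutes should be only as large as observed clock drift between the token generator and the web service, since every extra minute is a minute longer that a leaked token stays usable.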