Choosing an IdP connection type
You can use the administrative console to choose an identity provider (IdP) connection type.
About this task
You can indicate on the Connection Type tab whether the connection to this partner is for browser single sign-on (SSO), WS-Trust security token service (STS), OAuth, SAML, inbound provisioning, or a combination of them.
You can add STS, OAuth, and outbound provisioning support to any existing SSO connection, or vice versa, at any time. However, when OpenID Connect is the chosen protocol for browser SSO, the other types become unavailable. |
Select the applicable protocol on the Connection Type tab when establishing a new connection.
If your partner’s deployment also supports multiple protocols and you intend to communicate using more than one, you must set up a separate connection for each protocol. Each connection must use a unique partner connection ID. |
Steps
-
On the Connection Type tab, indicate the desired type of connection to your partner.
Choice Action Configure a connection for secure browser-based SSO
Select the Browser SSO Profiles check box and a protocol from the list, if necessary.
Configure an STS connection
Select the WS-Trust STS check box and the default token type from the list.
Configure a connection that exchanges SAML assertions or JSON web tokens (JWTs) for access tokens
Select the OAuth Assertion Grant check box.
The OAuth Assertion Grant option is available only if at least one Access Token Manager instance has been configured on the Applications → OAuth → Access Token Management window
For more information about these standards, see Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants and JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants.
Configure an inbound provisioning connection
Select the Inbound Provisioning check box and choose to support provisioning of users only (User Support) or users and groups (User and Group Support). For groups, nested group membership, if any, is preserved.
-
Optional: If your PingFederate license manages connections by groups, you can select a group for this connection.
This option is not displayed for unrestricted or other types of licenses.