PingFederate Server

Choosing an IdP connection type

You can use the administrative console to choose an identity provider (IdP) connection type.

About this task

You can indicate on the Connection Type tab whether the connection to this partner is for browser single sign-on (SSO), WS-Trust security token service (STS), OAuth, SAML, inbound provisioning, or a combination of them.

You can add STS, OAuth, and outbound provisioning support to any existing SSO connection, or vice versa, at any time. However, when OpenID Connect is the chosen protocol for browser SSO, the other types become unavailable.

Select the applicable protocol on the Connection Type tab when establishing a new connection.

If your partner’s deployment also supports multiple protocols and you intend to communicate using more than one, you must set up a separate connection for each protocol. Each connection must use a unique partner connection ID.

Steps

  • On the Connection Type tab, indicate the desired type of connection to your partner.

    Choice Action

    Configure a connection for secure browser-based SSO

    Select the Browser SSO Profiles check box and a protocol from the list, if necessary.

    Configure an STS connection

    Select the WS-Trust STS check box and the default token type from the list.

    Configure a connection that exchanges SAML assertions or JSON web tokens (JWTs) for access tokens

    Select the OAuth Assertion Grant check box.

    The OAuth Assertion Grant option is available only if at least one Access Token Manager instance has been configured on the Applications → OAuth → Access Token Management window

    For more information about these standards, see Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants and JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants.

    Configure an inbound provisioning connection

    Select the Inbound Provisioning check box and choose to support provisioning of users only (User Support) or users and groups (User and Group Support). For groups, nested group membership, if any, is preserved.

  • Optional: If your PingFederate license manages connections by groups, you can select a group for this connection.

    This option is not displayed for unrestricted or other types of licenses.