Configuring protocol settings for IdP STS
Specify the WS-Trust protocol details for web service clients related to this connection.
Steps
- Go to Applications → Integration → SP Connections.
- Click an existing connection in the SP Connection column, or click Create Connection to configure a new SP connection. The SP Connection configuration window opens.
- On the WS-Trust STS tab, click Configure WS-Trust STS to open the WS-Trust STS configuration window.
  The WS-Trust STS tab is only available after you enable the WS-Trust role on the Connection Type tab. For more information, see Configuring SP Connections for STS.
- On the Protocol Settings tab, enter a URL for your partner's web service in the Partner Service Identifier field. Click Add.
  This identifier is compared with the AppliesTo element in Request for Security Token (RST) messages and can be either a complete URL or a base URL that matches variable ports or paths. Repeat this step to add additional identifiers.
-
- Select any of the following WS-Trust protocol setting options that are applicable to your use case.

  Option: OAuth Assertion Profiles
  Description: When selected, four additional token-type requests become available, based on these OAuth grant types:
  - JWT Bearer Token grant type
  - OAuth Access Token via JWT Bearer Token grant type
  - SAML 2.0 Bearer Assertion grant type
  - OAuth Access Token via SAML 2.0 Bearer Assertion grant type
  See STS OAuth integration for more information on the use of these token-type requests.

  Option: Default Token Type
  Description: The token type the STS issues when a web service client (WSC) does not specify in the token request which token type it wants. The choices are:
  - SAML 2.0
  - SAML 1.1
  - SAML 1.1 for Office 365
  The default token type does not need to match the protocol selected for browser-based SSO, if enabled, and does not apply to OAuth assertion profiles because those RST messages must contain the requested token type.

  Option: Generate Key for SAML Holder of Key Subject Confirmation Method
  Description: When selected, the STS generates a symmetric key to be used with the Holder of Key (HoK) designation for the assertion's Subject Confirmation Method. For information about HoK assertions, see Web Services Security SAML Token Profile.
  This option does not apply to OAuth assertion profiles.

  Option: Encrypt SAML 2.0 Assertion
  Description: When selected, the STS encrypts the SAML 2.0 assertion. Applicable only to SAML 2.0 security tokens.
  This option does not apply to OAuth assertion profiles.
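The two settings that act on every incoming request are the Partner Service Identifier (matched against wsp:AppliesTo) and the Default Token Type (used only when the web service client sends no wst:TokenType). The following script is an added illustration, not PingFederate code, of how those two rules fit together: it parses a minimal WS-Trust 1.2 or 1.3 RST, decides whether a configured identifier covers the AppliesTo address, and then resolves the token type. The namespace and SAML token-profile URIs are the standard ones; the matching rule (exact URL, otherwise scheme, host, optional port and whole-segment path prefix), the OAUTH_PROFILE_TYPES placeholders and the sample RSTs are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Standard namespace URIs: WS-Trust 1.3, WS-Trust 1.2, WS-Policy, WS-Addressing.
WST13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WST12 = "http://schemas.xmlsoap.org/ws/2005/02/trust"
NS = {"wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "wsa": "http://www.w3.org/2005/08/addressing"}
# WSS SAML Token Profile 1.1 token-type URIs for SAML 2.0 and SAML 1.1.
SAML20 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
SAML11 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
# Hypothetical placeholders for the four OAuth assertion-profile token-type
# requests; the page does not give the real identifiers.
OAUTH_PROFILE_TYPES = {"urn:example:sts:jwt-bearer", "urn:example:sts:saml2-bearer",
                       "urn:example:sts:access-token-via-jwt-bearer",
                       "urn:example:sts:access-token-via-saml2-bearer"}


@dataclass
class ProtocolSettings:
    """The subset of the Protocol Settings tab that this model acts on."""
    partner_service_identifiers: List[str]
    default_token_type: str = SAML20
    oauth_assertion_profiles: bool = False


def parse_rst(xml_text: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (WS-Trust version, AppliesTo address, TokenType) from an RST."""
    root = ET.fromstring(xml_text)
    ns, _, local = root.tag[1:].partition("}")
    if local != "RequestSecurityToken" or ns not in (WST12, WST13):
        raise ValueError("not a WS-Trust 1.2 or 1.3 RequestSecurityToken element")

    def text(elem):
        return elem.text.strip() if elem is not None and elem.text else None

    addr = root.find("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", NS)
    return ("1.3" if ns == WST13 else "1.2", text(addr), text(root.find(f"{{{ns}}}TokenType")))


def applies_to_matches(identifier: str, applies_to: str) -> bool:
    """Assumed rule: an identical URL always matches; otherwise the identifier is a
    base URL that must agree on scheme and host (and on port only when it names
    one) and whose path must be a whole-segment prefix of the AppliesTo path."""
    if identifier == applies_to:
        return True
    ident, req = urlsplit(identifier), urlsplit(applies_to)
    if (ident.scheme.lower(), (ident.hostname or "").lower()) != (
            req.scheme.lower(), (req.hostname or "").lower()):
        return False
    if ident.port is not None and ident.port != req.port:
        return False
    base = ident.path.rstrip("/")
    return req.path == base or req.path.startswith(base + "/")


def evaluate(settings: ProtocolSettings, xml_text: str) -> dict:
    """Decide whether this STS configuration would issue a token, and of which type."""
    version, applies_to, token_type = parse_rst(xml_text)
    if applies_to is None:
        return {"issue": False, "reason": "RST carries no wsp:AppliesTo"}
    matched = next((i for i in settings.partner_service_identifiers
                    if applies_to_matches(i, applies_to)), None)
    if matched is None:
        return {"issue": False, "reason": f"no Partner Service Identifier covers {applies_to}"}
    if token_type is None:                      # WSC silent: Default Token Type applies
        token_type = settings.default_token_type
    elif token_type in OAUTH_PROFILE_TYPES:     # profile requests must name their type
        if not settings.oauth_assertion_profiles:
            return {"issue": False, "reason": "OAuth Assertion Profiles not enabled"}
    elif token_type not in (SAML20, SAML11):
        return {"issue": False, "reason": f"unsupported TokenType {token_type}"}
    return {"issue": True, "ws_trust": version, "matched_identifier": matched,
            "token_type": token_type}


# Constructed sample RSTs, not captured traffic.
RST_13_NO_TOKEN_TYPE = f"""<wst:RequestSecurityToken xmlns:wst="{WST13}"
    xmlns:wsp="{NS['wsp']}" xmlns:wsa="{NS['wsa']}">
  <wst:RequestType>{WST13}/Issue</wst:RequestType>
  <wsp:AppliesTo><wsa:EndpointReference>
    <wsa:Address>https://partner.example.com:8443/claims/v1</wsa:Address>
  </wsa:EndpointReference></wsp:AppliesTo>
</wst:RequestSecurityToken>"""
RST_12_OAUTH = f"""<wst:RequestSecurityToken xmlns:wst="{WST12}"
    xmlns:wsp="{NS['wsp']}" xmlns:wsa="{NS['wsa']}">
  <wst:RequestType>{WST12}/Issue</wst:RequestType>
  <wst:TokenType>urn:example:sts:jwt-bearer</wst:TokenType>
  <wsp:AppliesTo><wsa:EndpointReference>
    <wsa:Address>https://partner.example.com/claims</wsa:Address>
  </wsa:EndpointReference></wsp:AppliesTo>
</wst:RequestSecurityToken>"""

if __name__ == "__main__":
    cfg = ProtocolSettings(["https://partner.example.com"], oauth_assertion_profiles=False)
    print(evaluate(cfg, RST_13_NO_TOKEN_TYPE))   # issued as SAML 2.0, the default
    print(evaluate(cfg, RST_12_OAUTH))           # refused: profiles not enabled
```

Because a base URL covers every port and every path under the host, a complete URL is the tighter choice whenever the partner service has a fixed address; the model only falls back to prefix matching when the strings are not identical, and it compares the hostname rather than the raw authority so that a look-alike host under a different domain does not match.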
- On the Protocol Settings tab, customize SAML messages and assertions for WS-Trust connections. Message customizations are OGNL expressions that let you customize the security token sent from PingFederate to the service provider (SP).
  - Click Show Advanced Customizations.
  - From the Message Type list, select a type option and enter an expression. The message type is used to override the message type returned from the OGNL expression.
  The following tables describe the relationship between message type and available variables, and the corresponding class or interface information in Java.
  SP connections: SAML 2.0 message types and expressions

  Message type: AssertionType
  Available variables and classes/interfaces in Javadoc:
  - #AssertionType: org.sourceid.saml20.xmlbinding.assertion.AssertionType
  - #AssertionTypes: org.sourceid.saml20.xmlbinding.assertion.AssertionType[]
  - #Attributes: org.sourceid.util.log.AttributeMap

  Message type: ResponseDocument
  Available variables and classes/interfaces in Javadoc:
  - #ResponseDocument: for a connection with WS-Trust v1.3, #ResponseDocument is of type org.oasisOpen.docs.wsSx.wsTrust.x200512.RequestSecurityTokenResponseCollectionDocument; for a connection with WS-Trust v1.2, #ResponseDocument is of type org.xmlsoap.schemas.ws.x2005.x02.trust.RequestSecurityTokenResponseDocument
  - #Attributes: org.sourceid.util.log.AttributeMap

  SP connections: SAML 1.x message types and expressions

  Message type: AssertionType
  Available variables and classes/interfaces in Javadoc:
  - #AssertionType: org.sourceid.protocol.saml11.xml.AssertionType
  - #AssertionTypes: org.sourceid.protocol.saml11.xml.AssertionType[]
  - #Attributes: org.sourceid.util.log.AttributeMap

  Message type: ResponseDocument
  Available variables and classes/interfaces in Javadoc:
  - #ResponseDocument: for a connection with WS-Trust v1.3, #ResponseDocument is of type org.oasisOpen.docs.wsSx.wsTrust.x200512.RequestSecurityTokenResponseCollectionDocument; for a connection with WS-Trust v1.2, #ResponseDocument is of type org.xmlsoap.schemas.ws.x2005.x02.trust.RequestSecurityTokenResponseDocument
  - #Attributes: org.sourceid.util.log.AttributeMap
  Examples:
  - AssertionType expression for SAML 1.1:
    #AssertionType.getAuthenticationStatementArray(0).getSubject().getNameIdentifier().setStringValue("JoeSAML2IDP"), #AssertionType
  - ResponseDocument expression for a connection with WS-Trust v1.3:
    #RequestSecurityTokenResponseCollectionDocument.getRequestSecurityTokenResponseCollection().getRequestSecurityTokenResponseArray(0).setContext('context1')
  - ResponseDocument expression for a connection with WS-Trust v1.2:
    #RequestSecurityTokenResponseDocument.getRequestSecurityTokenResponse().setContext('context1')
- Click Next.