Configuring a token generator instance
Configure the SAML token generator instance parameters depending on the use case requirements.
About this task
Depending on the selected token generator, the Instance Configuration tab presents you with different parameters.
Steps
-
Go to Applications → Token Exchange → Token Generators.
-
Select an existing generator instance by clicking its name or click Create New Instance to open the Create Token Generator Instance window.
-
On the Instance Configuration tab, configure the parameters for this instance type. For the integrated SAML 1.0 and 2.0 Token Generators, see the following table and specify the parameters for the generated SAML tokens.
SAML token generator instance field names and descriptions

Minutes Before
Enter a numerical value. The assertion's validity period starts this many minutes before it is issued, which allows for clock variability between servers. Keep the value small: every minute of tolerance widens the window in which a captured token can be replayed.

Minutes After
Enter a numerical value. The assertion's validity period ends this many minutes after it is issued, which allows for clock variability between servers. The same replay caveat applies.

Issuer
Enter your SAML 2.0 entity ID or the SAML 1.x issuer as configured in the System → Server → Protocol Settings window.

Signing Certificate
Responses containing SAML tokens must be signed. Select a signing certificate from the list.
If you have not yet created or imported your certificate into PingFederate, click Manage Signing Certificates. For more information, see Manage digital signing certificates and decryption keys.

Signing Algorithm
Select the signing algorithm that matches the key type of the selected certificate. Choices include SHA1 for both RSA and DSA; SHA-1 signatures are deprecated, so prefer a SHA-2 based algorithm whenever the receiving web service supports one. For a list of the available signing algorithms and their URIs, see Signing algorithms.

Include Certificate in KeyInfo
If selected, the entire public certificate is included with the assertion. Otherwise, only a short hash reference to the certificate is sent, and the receiving web service must already hold the certificate to resolve that reference.

Include Raw Key in KeyValue
If selected, the raw public key is also included in the KeyInfo element.

Audience
A unique identifier for the target web service, used for the Audience element of the generated SAML token. The receiving web service should reject tokens whose Audience does not name it.

Confirmation Method
Choose from among the available methods:
-
urn…cm:sender-vouches (default)
-
urn…cm:bearer
-
urn…cm:holder-of-key
For more information, see WSS SAML Token Profile.

Encryption Certificate
Required only if holder-of-key is selected as the confirmation method: the web service provider's public certificate used for encryption. Select a partner certificate from the list.
If you have not yet imported the certificate from your partner, click Manage Certificates to do so. For more information, see Managing certificates from partners.

Message Customization expression
Click Show Advanced Fields to see this field.
An OGNL expression that customizes the assertion. The expression must return an AssertionType; otherwise the customization is ignored.
The available attributes are:
-
#AssertionType: org.sourceid.saml20.xmlbinding.assertion.AssertionType
-
#Attributes: org.sourceid.util.log.AttributeMap
The following example is for SAML 2.0. The line breaks are provided to improve readability.
#AssertionType
  .getSubject()
  .getNameID()
  .setStringValue("JoeSAML2IDP"),
#AssertionType
The following example is for SAML 1.1.
#AssertionType
  .getAuthenticationStatementArray(0)
  .getSubject()
  .getNameIdentifier()
  .setStringValue("Joe123"),
#AssertionType
For information about add-on generators, see Integration overview.
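As an added example that is not part of the PingFederate documentation or product code, the following Python script shows what the receiving web service should check against the parameters configured above: the validity window that Minutes Before and Minutes After produce, the Audience, and the confirmation method. The sample assertion, the issuer and audience URLs, and the mapping of the two minute values onto NotBefore and NotOnOrAfter as offsets from IssueInstant are assumptions constructed for the example. Signature verification, which must succeed before any of these values can be trusted, is outside its scope.

```python
"""Receiver-side checks for a SAML 2.0 assertion: validity window, Audience
and SubjectConfirmation method. Added example, not PingFederate code."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2, "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Confirmation-method URIs (SAML 2.0 forms) from the WSS SAML Token Profile.
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed sample (hypothetical issuer and audience URLs). The Signature
# element is omitted because this example only covers Conditions and Subject.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>JoeSAML2IDP</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://ws.example.com/orders</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_utc(value):
    """Parse the xs:dateTime form SAML uses, e.g. '2024-05-01T12:00:00Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def condition_window(issue_instant, minutes_before, minutes_after):
    """Assumed mapping of the generator's Minutes Before / Minutes After
    fields onto NotBefore / NotOnOrAfter: offsets either side of IssueInstant."""
    return (issue_instant - timedelta(minutes=minutes_before),
            issue_instant + timedelta(minutes=minutes_after))


def validate_assertion(xml_text, expected_issuer, expected_audience,
                       allowed_methods, now, skew_minutes=0):
    """Return a list of validation errors; an empty list means acceptable.
    skew_minutes is the receiver's own tolerance for clock drift."""
    errors = []
    skew = timedelta(minutes=skew_minutes)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML2}}}Assertion":
        return ["not a SAML 2.0 Assertion"]

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        errors.append(f"unexpected Issuer {issuer!r}")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before and now < parse_utc(not_before) - skew:
            errors.append("assertion not yet valid (NotBefore)")
        # NotOnOrAfter is exclusive: the assertion is already invalid at that instant.
        if not_on_or_after and now >= parse_utc(not_on_or_after) + skew:
            errors.append("assertion expired (NotOnOrAfter)")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if expected_audience not in audiences:
            errors.append(f"Audience {audiences!r} does not include {expected_audience!r}")

    methods = [sc.get("Method") for sc in
               root.findall("saml:Subject/saml:SubjectConfirmation", NS)]
    if not methods:
        errors.append("missing SubjectConfirmation")
    elif not any(m in allowed_methods for m in methods):
        errors.append(f"confirmation method {methods!r} not allowed")
    if HOLDER_OF_KEY in methods:
        # Holder-of-key only means something if the subject's key is carried
        # in the token; proof of possession (the message signature) is the
        # caller's job and is not checked here.
        key_info = root.find("saml:Subject/saml:SubjectConfirmation/"
                             "saml:SubjectConfirmationData/ds:KeyInfo", NS)
        if key_info is None:
            errors.append("holder-of-key without KeyInfo in SubjectConfirmationData")
    return errors


if __name__ == "__main__":
    now = parse_utc("2024-05-01T12:00:00Z")
    print(validate_assertion(SAMPLE_ASSERTION, "https://idp.example.com",
                             "https://ws.example.com/orders", {SENDER_VOUCHES}, now))
```

The receiver applies its own skew tolerance independently of the generator's Minutes Before and Minutes After; the two add up, so keep both small. A token presented at exactly NotOnOrAfter is rejected unless the receiver tolerates skew, which is the behaviour the second and third cases in the script exercise.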
-
Click Next.