PingFederate Server

Selecting a WS-Federation Name ID type

You can choose a name identifier for your WS-Federation Browser single sign-on (SSO) configuration on the Identity Mapping tab. Your selection might affect the way the service provider (SP) looks up and associates your users to their local accounts.

Before you begin

For previous steps in configuring Browser SSO, see Configure IdP Browser SSO. For more information about managing service provider (SP) connections, see Accessing SP connections.

About this task

The Identity Mapping window is not applicable to connections using the WS-Federation protocol in conjunction with JSON web token (JWT)-based SSO tokens. Instead, work with the SP to define an attribute contract that it can use to map users to accounts at the SP site.

Steps

  1. Select the type of name identifier that you and your SP have agreed to use.

    Option Description

    Email Address

    This attribute is commonly used as a unique identifier for SSO and single logout (SLO). Make this selection, for example, if a user logs in using an email address or if the information is available for lookup in a local datastore.

    User Principal Name

    The username or other unique ID of the subject initiating the transaction. Make this selection, for example, if a username will be available from the current user session as part of a cookie or can be derived from a local datastore.

    Common Name

    This selection provides for anonymous SSO to your SP, generally using a hard-coded generalized sign on. Make this selection if your partner agreement involves a many-to-one use case, such as if the SP has a group account set up for all users in a particular domain.

  2. Click Next to save your changes.