IdP protocol endpoints
PingFederate provides a list of identity provider (IdP) protocol endpoints and exportable metadata for your configuration.
You can find a list of applicable SAML, WS-Federation, and WS-Trust STS endpoints in System → Endpoints → IdP Endpoints. The pop-up window displays only those endpoints related to the federation protocols enabled on System → Server → Protocol Settings → Federation Info. These endpoints are built into PingFederate and cannot be changed.
Your federation partners or security token service (STS) clients need to know the applicable IdP services endpoints to communicate with your PingFederate server. Configured service endpoints for SAML connections are included in metadata export files.
PingFederate provides a favicon for all protocol endpoints. For more information, see Customizing the favicon for application and protocol endpoints.
The following table describes each endpoint.
Service | URL and Description | ||
---|---|---|---|
Single Logout Service (SAML 2.0) |
The URL that receives and processes logout requests and responses. |
||
Single Sign-on Service (SAML 2.0) |
The SAML 2.0 implementation URL that receives authentication requests for processing. |
||
Artifact Resolution Service (SAML 2.0) |
The SOAP endpoint that processes artifacts returned from a federation partner to retrieve the referenced XML message on the back channel. See the note at the end of this table. |
||
Attribute Query Service (SAML 2.0) |
The SAML implementation that receives and processes attribute requests. See the note at the end of this table. |
||
Single Sign-on Service (SAML 1.x) |
The SAML 1.x implementation of IdP intersite transfer service (ISX) to which clients are redirected for single sign-on (SSO) requests. |
||
Artifact Resolution Service (SAML 1.x) |
The SOAP endpoint that processes artifacts returned from a federation partner to retrieve the referenced XML message on the back channel. See the note at the end of this table. |
||
Single Sign-on Service (WS-Federation) |
The WS-Federation implementation URL that receives and processes security-token requests and single log-out (SLO) messages. |
||
WS-Trust STS (two endpoints) |
The SOAP endpoint that receives and processes security-token requests from STS clients (web service clients at the IdP site) to be exchanged for a SAML token based on the configured service provider (SP) connection.
Initiates direct STS token-to-token exchange and token validation from an IdP token processor to an SP token generator, when that feature is configured. For more information, see Token translator mappings.
See the note at the end of this table. |
||
|
Virtual server ID support
For SAML connections using multiple virtual server IDs, each virtual server ID has its own set of protocol endpoints. For more information, see Multiple virtual server IDs. You can export connection metadata for your partner from System → Protocol Metadata → Metadata Export. For more information, see Exporting connection-specific SAML metadata.
For WS-Federation (and SAML) connections using multiple virtual server IDs, you can provide your partner the federation metadata endpoint, /pf/federation_metadata.ping
, with the PartnerSpId
and vsid
parameters, as in the following example.
Partner’s entity ID | Your virtual server ID | Federation metadata URL |
---|---|---|
SP |
idev1 |
|
idev2 |
In this example, the base URL and the runtime port of your PingFederate server are www.example.com and 443, respectively.
When the request includes the vsid
parameter, the federation metadata endpoint returns information that is specific for a given virtual server ID.
For WS-Trust STS, you can provide your partner the STS metadata endpoint /pf/sts_mex.ping
with the PartnerSpId
and vsid
parameters. When the STS metadata request includes the vsid
parameter, the STS metadata endpoint returns information that is specific for a given virtual server ID.
For more information about these metadata endpoints, see System-services endpoints.
The virtual server ID concept does not apply to the |