Managing IdP connections
As a service provider (SP) site, you can manage connection settings to support the exchange of federation-protocol messages, such as OpenID Connect, SAML, WS-Federation, or WS-Trust, with an identity provider (IdP), OAuth client, OpenID Provider (OP), or security token service (STS) client application at your site.
These settings include:
- User attributes that you expect to receive in an SSO token such as a SAML assertion or WS-Trust STS SAML token.
- User attributes that you expect the OP to return in an ID token or through its user information (UserInfo) endpoint on demand.
- User attributes that may be requested using the SAML Attribute Query profile, if that profile is used.
- The protocol, profiles, and bindings of the connection, including detailed security specifications such as the use of back-channel authentication, digital signatures, signature verification, and XML encryption.
To establish a connection, you and your partner must have decided this information in advance. For more information, see Federation planning checklist.
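The first setting above, the user attributes the SP expects in an SSO token, is in effect an attribute contract that the incoming assertion must satisfy. The following is an added example (not PingFederate code) of reading the attributes out of a SAML assertion and comparing them with an expected set, so that missing or unexpected attributes are reported before values are handed to a local application. The assertion text and the expected attribute names are constructed for the example; the signature check that must precede any use of the attributes is assumed to have already been done.

```python
"""Compare the attributes carried in a SAML 2.0 assertion with the attribute
contract the SP expects (added example, not part of PingFederate)."""
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace used by the XPath-style lookups below.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for the example only; it is not a real token and
# carries no signature. In a real flow the XML signature is verified first and
# untrusted XML should be parsed with a hardened parser such as defusedxml.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id" Version="2.0">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jdoe@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>admins</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="nickname">
      <saml:AttributeValue>jd</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed attribute contract: the names the SP expects the IdP to send.
EXPECTED_CONTRACT = {"email", "groups", "department"}


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[name] = values
    return attrs


def check_contract(attrs, expected):
    """Report which expected attributes are absent and which received ones
    fall outside the contract; both are worth logging at the SP."""
    received = set(attrs)
    return {
        "missing": sorted(expected - received),
        "unexpected": sorted(received - expected),
    }


if __name__ == "__main__":
    found = extract_attributes(SAMPLE_ASSERTION)
    print(found)
    print(check_contract(found, EXPECTED_CONTRACT))
```

Unexpected attributes are not necessarily an error, but surfacing them makes a misconfigured or changed IdP attribute mapping visible early; missing attributes usually mean the SP adapter or policy contract will not receive what it was configured to expect.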
As an SP site, you respond to user requests for single sign-on (SSO) and single logout (SLO) by creating or closing user sessions, respectively, in local applications. You integrate these applications with PingFederate by configuring them with SP adapter instances. Furthermore, in preparation for configuring a new SSO connection, you need to know which adapter instance or authentication policy contract to use. For more information, see Managing target session mappings.
No adapter instance or authentication policy contract is required for a connection that uses only the Attribute Query profile. For more information, see Manage the Attribute Query profile in an IdP connection.
If you intend to pass attribute values to an adapter instance from a local datastore, you must define the datastore during this configuration. If you have not done so already, see Datastores.
Administrative interface
You manage connection settings in the Authentication → Integration → IdP Connections window, which organizes the settings into a series of primary tasks. Some primary tasks have one or more levels of sub tasks. Each primary or sub task has its own tab, where you manage one or more settings. You can move to a sibling task using the Next or Previous button. If you are on a sub task, you can also move to its parent task using the Done button.
When creating a new connection, you can save your progress using the Save Draft button. Note that not all tabs offer this option. When you reach the Activation & Summary tab, you must click Save to complete the new connection.
When editing an existing connection, you can make changes and then click Save to commit your changes. In other words, you are not required to step through all tabs to reach the Activation & Summary tab before you can save your changes.
The Save button is available on most tabs. If a tab does not show a Save button, click Next or Done until you reach a tab where you can use the Save button to commit your changes.