---
title: Configuring a SAML Token Processor instance
description: The integrated SAML (1.1 or 2.0) Token Processor accepts and validates SAML (1.1 or 2.0) security tokens. The PingFederate security token service (STS) validates digital signatures using all trusted certificate authorities (CAs) imported into PingFederate.
component: pingfederate
version: 13.0
page_id: pingfederate:administrators_reference_guide:pf_config_saml_token_process_instance
canonical_url: https://docs.pingidentity.com/pingfederate/13.0/administrators_reference_guide/pf_config_saml_token_process_instance.html
revdate: July 5, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Configuring a SAML Token Processor instance

The integrated SAML (1.1 or 2.0) Token Processor accepts and validates SAML (1.1 or 2.0) security tokens. The PingFederate security token service (STS) validates digital signatures using all trusted certificate authorities (CAs) imported into PingFederate.

|   |                                                                                                     |
| - | --------------------------------------------------------------------------------------------------- |
|   | The `Signature` element must include `KeyInfo` for signature verification to complete successfully. |

## About this task

On the **Instance Configuration** tab, configure a SAML Token Processor instance.

You can restrict the signature verification process by certificate subject distinguished names (DNs), issuer DNs, or both to limit the token requests accepted for this token processor instance.

You must indicate a unique identifier for the PingFederate STS. Token processor instances reject SAML tokens that do not contain the identifier in the `audience` element.

## Steps

* Go to **Authentication > Token Exchange > Token Processors**.

* On the **Instance Configuration** tab, configure the basics of the token processor instance.

  1. In the **field value** field of the **Audience** row, enter the URI that uniquely identifies your federation gateway for this SAML protocol.

     This is the federation ID for the STS for either SAML 1.1 or SAML 2.0 tokens, depending on which processor you are configuring.

  2. (Optional) Click **Add a new row to 'Valid Certificate Issuer DNs'** to enter one or more issuers.

     |   |                                                                                                                                                                                                               |
     | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
     |   | If issuer DNs are specified here, then only those issuers are considered valid for verifying incoming digital signatures. Otherwise, all trusted certificate authorities (CAs) are used to verify signatures. |

  3. (Optional) Click **Add a new row to 'Valid Certificate Subject DNs'** to enter one or more subject DNs.

     |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
     | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
     |   | If subject DNs are specified here, then only those subject DNs are considered valid for verifying incoming digital signatures. Otherwise, all trusted certificate authorities (CAs) are used to verify signatures. If you specify both issuer DNs and subject DNs, then the certificate used to validate signatures must match an entry in both lists. If you provide no issuer DN and subject DN, then all certificates are treated as valid for purposes of verification. |
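
The following pre-flight check is an added example, not PingFederate code. It applies the rules stated on this page (`KeyInfo` inside `Signature`, the STS identifier in the audience element, and the issuer and subject DN lists) to a token before you send it to the STS. The function names, the sample token, the `urn:example:sts` identifier, the DNs, and the whitespace- and case-insensitive DN comparison are assumptions; the script does not verify the signature itself.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample token (not a real assertion; signature values are empty).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue/>
    <ds:KeyInfo><ds:X509Data/></ds:KeyInfo></ds:Signature>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>urn:example:sts</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""

def norm_dn(dn):
    # Simplified comparison form (assumption): trim RDN whitespace, ignore case.
    return ",".join(part.strip().lower() for part in dn.split(","))

def preflight(token_xml, sts_audience, cert_issuer_dn, cert_subject_dn,
              valid_issuer_dns=(), valid_subject_dns=()):
    """Return reasons the token is expected to be rejected; [] if none found."""
    # Intended for tokens you produced; use defusedxml for untrusted XML.
    problems = []
    root = ET.fromstring(token_xml)
    sigs = list(root.iter(DS + "Signature"))
    if not sigs:
        problems.append("no Signature element")
    elif any(s.find(DS + "KeyInfo") is None for s in sigs):
        problems.append("Signature without KeyInfo")
    # Match by local name so SAML 1.1 and SAML 2.0 assertions are both handled.
    audiences = [e.text.strip() for e in root.iter()
                 if e.tag.endswith("}Audience") and e.text]
    if sts_audience not in audiences:
        problems.append("STS identifier missing from Audience")
    # An empty list means no restriction; if both lists are set, both must match.
    if valid_issuer_dns and \
            norm_dn(cert_issuer_dn) not in map(norm_dn, valid_issuer_dns):
        problems.append("issuer DN not in Valid Certificate Issuer DNs")
    if valid_subject_dns and \
            norm_dn(cert_subject_dn) not in map(norm_dn, valid_subject_dns):
        problems.append("subject DN not in Valid Certificate Subject DNs")
    return problems
```

Pass the issuer and subject DNs of the signing certificate as read from the certificate itself, for example with `openssl x509 -noout -issuer -subject`.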
