---
title: Configuring STS authentication
description: You can configure PingFederate to require that client applications provide credentials to access the STS.
component: pingfederate
version: 13.0
page_id: pingfederate:administrators_reference_guide:pf_configuring_sts_authentication
canonical_url: https://docs.pingidentity.com/pingfederate/13.0/administrators_reference_guide/pf_configuring_sts_authentication.html
revdate: July 10, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Configuring STS authentication

You can configure PingFederate to require that client applications provide credentials to access the STS.

## About this task

Although it is an optional configuration, configuring security token service (STS) authentication is recommended for identity provider (IdP) configurations that use the Username Token Processor. For other token processors and token generators, trust in the identity of the client is conveyed within the token itself and verified as part of processing. You can still configure authentication requirements to add another layer of security by limiting access to only authenticated clients.

> **Note:** You can configure STS authentication to apply globally to all token formats and to all IdP and service provider (SP) partner connections, or you can apply finer-grained controls to individual connections or token-to-token mappings through issuance criteria.

## Steps

1. Go to **System > Server > Protocol Settings**.

2. On the **WS-Trust STS Settings** tab, click **Configure WS-Trust STS Authentication** to open the **WS-Trust STS Settings** window.

3. On the **Authentication Methods** tab, select the **Require HTTP Basic Authentication** checkbox, the **Require Mutual SSL/TLS Authentication** checkbox, or both.

   If both the **Require HTTP Basic Authentication** checkbox and the **Require Mutual SSL/TLS Authentication** checkbox are selected, all clients must provide credentials for both mechanisms.

   > **Note:** If you select the **Require Mutual SSL/TLS Authentication** checkbox, you must configure a secondary PingFederate HTTPS port (`pf.secondary.https.port`) in the `run.properties` file. For more information, see [Configuring PingFederate properties](pf_config_pf_propert.html).

4. If you select the **Require HTTP Basic Authentication** checkbox, manage user accounts on the **HTTP Basic Authentication** tab.

   1. Click **Create User**.

   2. In the **HTTP Basic Authentication** window, enter a user name in the **username** field and a password in the **password** field. Repeat to create additional user accounts for your client applications.

   3. Click **Done**.

      > **Note:** On the **HTTP Basic Authentication** tab, you can also delete user accounts and update their passwords.

5. If you select the **Require Mutual SSL/TLS Authentication** checkbox, on the **Mutual SSL Authentication** tab, click **Configure Mutual SSL Authentication**.

   1. On the **Authentication Options** tab, you can select the **Restrict Access by Subject DN** checkbox and the **Restrict Access by Issuer Certificate** checkbox. Click **Next**.

      If both options are selected, the client certificate used for authentication to the STS endpoints must meet both sets of restrictions.

   2. If you selected the **Restrict Access by Subject DN** checkbox, enter one or more subject DNs on the **Allowed Subject DNs** tab.

      > **Note:** On the **Allowed Subject DNs** tab, you can edit or delete existing entries, but you must keep at least one subject DN.

   3. Click **Next**. When finished, click **Save**.

   4. If you selected the **Restrict Access by Issuer Certificate** checkbox, on the **Allowed Issuer Certificates** tab, from the **Issuer Certificate** list, select one or more client certificates.

   5. Click **Add**.

      If you have not yet imported the client certificate, click **Manage Certificates** to do so.

      > **Note:** On the **Allowed Issuer Certificates** tab, you can remove existing entries, but you must keep at least one issuer.

   6. On the **Summary** tab, review your mutual SSL/TLS authentication settings. Click **Done**. This returns you to the **WS-Trust STS Settings** window.

6. When you finish configuring WS-Trust STS settings, on the **Summary** tab, review the configuration. To keep your changes, click **Save**.
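The restriction semantics of steps 5.1 through 5.5 in an added Go model (example code written for this page, not PingFederate's implementation; the `stsTLSPolicy` type, `authorizeClientCert` and `mkCert` are assumed names, and the certificates are constructed in memory): a client certificate must satisfy every enabled restriction, and the issuer check is a signature check against the allowed issuer rather than a comparison of names, so a subject DN on the allow list is accepted only when an allowed issuer actually signed the certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// stsTLSPolicy (assumed name) models the Authentication Options tab of step 5.1.
type stsTLSPolicy struct {
	RestrictBySubjectDN bool
	AllowedSubjectDNs   []string            // Allowed Subject DNs tab, RFC 2253 form
	RestrictByIssuer    bool
	AllowedIssuers      []*x509.Certificate // Allowed Issuer Certificates tab
}
// authorizeClientCert applies every enabled restriction; when both are enabled, both must hold.
func authorizeClientCert(p stsTLSPolicy, cert *x509.Certificate) bool {
	dnOK, issuerOK := !p.RestrictBySubjectDN, !p.RestrictByIssuer // a disabled restriction always passes
	for _, dn := range p.AllowedSubjectDNs {
		dnOK = dnOK || cert.Subject.String() == dn
	}
	for _, issuer := range p.AllowedIssuers {
		// Signature verification against the allowed issuer, not a comparison of issuer names.
		issuerOK = issuerOK || cert.CheckSignatureFrom(issuer) == nil
	}
	return dnOK && issuerOK
}
// mkCert builds constructed test certificates: a self-signed CA when parent is nil, otherwise a leaf signed by parent.
func mkCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway in-memory P-256 key
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example"}},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA:         parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // fixture construction; failure here is a programming error
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above is well-formed
	return cert, key
}
```

Selecting only **Restrict Access by Subject DN** accepts any certificate carrying a listed DN that the TLS layer trusts, whereas adding **Restrict Access by Issuer Certificate** pins the accepted certificates to the issuers you chose in step 5.4.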
