--- title: Choosing an IdP connection type description: You can use the administrative console to choose an identity provider (IdP) connection type. component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:help_idpconnectionconfigtasklet_connroleandprotocolstate canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_idpconnectionconfigtasklet_connroleandprotocolstate.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: June 5, 2026 section_ids: about-this-task: About this task steps: Steps --- # Choosing an IdP connection type You can use the administrative console to choose an identity provider (IdP) connection type. ## About this task You can indicate on the **Connection Type** tab whether the connection to this partner is for browser single sign-on (SSO) *(tooltip: \
\

The process of authenticating an identity (signing on) at one website (usually with a user ID and password) and then accessing resources secured by other domains without reauthenticating.\

\
)*, WS-Trust Security Token Service (STS) *(tooltip: \
\

An entity responsible for responding to WS-Trust requests for validation and issuance of security tokens used for SSO authentication to web services.\

\
)*, OAuth, SAML, inbound provisioning, or a combination of them. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | You can add STS, OAuth, and outbound provisioning support to any existing SSO connection, or vice versa, at any time. However, when OpenID Connect is the chosen protocol for browser SSO, the other types become unavailable. | Select the applicable protocol on the **Connection Type** tab when establishing a new connection. | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If your partner's deployment also supports multiple protocols and you intend to communicate using more than one, you must set up a separate connection for each protocol. Each connection must use a unique partner connection ID. | ## Steps * On the **Connection Type** tab, indicate the desired type of connection to your partner. | Choice | Action | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Configure a connection for secure browser-based SSO | Select the **Browser SSO Profiles** checkbox and a protocol from the list, if necessary. | | Configure an STS connection | Select the **WS-Trust STS** checkbox and the default token type from the list. | | Configure a connection that exchanges SAML assertions or JSON web tokens (JWTs) for access tokens | Select the **OAuth Assertion Grant** checkbox. The OAuth Assertion Grant option is available only if at least one Access Token Manager instance has been configured on the Applications > OAuth > Access Token Management window\.For more information about these standards, see [Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants](https://tools.ietf.org/html/rfc7522) and [JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants](https://tools.ietf.org/html/rfc7523). | | Configure a connection to exchange JSON Web Token (JWT) *(tooltip: \
\

An IETF standard container format for a JSON object used for the secure exchange of content, such as identity or entitlement information. You can find the industry standard in \RFC 7519\.\

\
)* for access tokens by delegating JWT Bearer Grant processing to a configured plugin. For example, the macOS SSO Adapter. | Select the **JWT Bearer Grant Processor** checkbox and select a configured [JWT Bearer Grant Processor](pf_jwt_bearer_grant_processors.html) instance in the list. | | Configure an inbound provisioning connection | Select the **Inbound Provisioning** checkbox and choose to support provisioning of users only (**User Support**) or users and groups (**User and Group Support**). For groups, nested group membership, if any, is preserved. | * (Optional) If your PingFederate license manages connections by groups, you can select a group for this connection. This option isn't displayed for unrestricted or other types of licenses.