--- title: Choosing an SP connection type description: You can manually create service provider (SP) connections in PingFederate using browser single sign-on (SSO), WS-Trust security token service (STS), outbound provisioning, or any combination thereof. component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:help_spconnectionconfigtasklet_connroleandprotocolstate canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_spconnectionconfigtasklet_connroleandprotocolstate.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: July 5, 2022 section_ids: about-this-task: About this task steps: Steps --- # Choosing an SP connection type You can manually create service provider (SP) connections in PingFederate using browser single sign-on (SSO), WS-Trust security token service (STS), outbound provisioning, or any combination thereof. ## About this task If you are not using a connection template, which pre-configures browser-based SSO, indicate on the **Connection Type** tab whether the connection to this partner is for Browser SSO, WS-Trust STS, outbound provisioning, or any combination of them. | | | | - | --------------------------------------------------------------------------------------------------------------------- | | | You can add STS, OAuth, and outbound provisioning support to any existing SSO connection, or vice versa, at any time. | | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If your partner's deployment supports multiple protocols and you intend to communicate using more than one, you must set up a separate connection for each protocol. Each connection must use a unique (partner) connection ID. | ## Steps 1. Go to **Applications > Integration > SP Connections**. 2. Click **Create Connection**. 3. Select **Do not use a template for this connection**. 4. To configure a connection for secure browser-based SSO, select the **Browser SSO Profiles** checkbox. If you are not using a connection template, you must select the applicable protocol from the list when establishing a new connection. For a WS-Federation connection, select the desired token type, either **SAML 1.1**, **SAML 2.0**, or **JWT** (JSON Web Token). | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Learn more about creating a SAML application in [Configuring a SAML application in PingFederate](https://docs.pingidentity.com/solution-guides/workforce_use_cases/htg_config_saml_app.html). | | | | | - | ------------------------------------------------------------------------------------------------------------- | | | If you are creating a WS-Federation connection to Microsoft Windows Azure Pack, select JWT as the token type. | | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | PingFederate can encrypt the subject and attributes of SAML 2.0 assertions.For information about configuring encryption policies on a PingFederate identity provider (IdP), see [Configuring XML encryption policy (SAML 2.0)](help_spprotocolsettingstasklet_selectspxmlassertionencryptionstate.html).For information about configuring encryption policies on a PingFederate SP, see [Specifying XML encryption policy (for SAML 2.0)](help_idpprotocolsettingstasklet_selectidpxmlassertionencryptionstate.html). | 5. (Optional) Choose one or both of the following depending on your configuration needs. | Connection Template | Step | | ------------------------- | ------------------------------------------------------------------------------------- | | **WS-TRUST STS** | Select the **WS-Trust STS** checkbox. | | **Outbound Provisioning** | Select **Outbound Provisioning** and then select the provisioning type from the list. | 6. If your PingFederate license manages connections by groups, select a license group for this connection. This option is not shown for unrestricted or other types of licenses. 7. To save your settings, click **Next**.