---
title: Configuring protocol settings for IdP STS
description: Specify the WS-Trust protocol details for web service clients related to this connection.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:help_wstrustsptasklet_wstrustspprotocolsettingsstate
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_wstrustsptasklet_wstrustspprotocolsettingsstate.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  steps: Steps
  example: Example:
---

# Configuring protocol settings for IdP STS

Specify the WS-Trust protocol details for web service clients related to this connection.

## Steps

1. Go to **Applications > Integration > SP Connections**.

2. To open the **SP Connection** configuration window, click an existing connection in the **SP Connection** column, or click **Create Connection** to configure a new SP connection.

3. On the **WS-Trust STS** tab, click **Configure WS-Trust STS** to open the **WS-Trust STS** configuration window.

   **Note:** The **WS-Trust STS** tab is only available after you enable the **WS-Trust** role on the **Connection Type** tab. For more information, see [Configuring SP Connections for STS](help_spconnectionconfigtasklet_wstrustspstate.html).

4. On the **Protocol Settings** tab, enter a URL for your partner's web service in the **Partner Service Identifier** field. Click **Add**.

   This identifier is compared against the `AppliesTo` element in Request for Security Token (RST) messages. It can be either a complete URL or a base URL for matching variable ports or paths.

   Repeat this step to add additional identifiers.

5. Select any of the following WS-Trust protocol setting options that are applicable to your use case.

   | Option | Description |
   | --- | --- |
   | OAuth Assertion Profiles | When selected, four additional token-type requests become available based on these OAuth grant types:<br>- JWT Bearer Token grant type<br>- OAuth Access Token via JWT Bearer Token grant type<br>- SAML 2.0 Bearer Assertion grant type<br>- OAuth Access Token via SAML 2.0 Bearer Assertion grant type<br>See [STS OAuth integration](../introduction_to_pingfederate/pf_sts_oauth_integr.html) for more information on the use of these token-type requests. |
   | Default Token Type | The default token type when a web service client (WSC) does not specify in the token request which token type the STS should issue. The choices are:<br>- **SAML 2.0**<br>- **SAML 1.1**<br>- **SAML 1.1 for Office 365**<br>The default token type does not need to match the protocol selected for the browser-based SSO, if enabled, and does not apply to OAuth assertion profiles because those RST messages must contain the requested token type. |
   | Generate Key for SAML Holder of Key Subject Confirmation Method | When selected, the STS generates a symmetric key to be used in conjunction with the "Holder of Key" (HoK) designation for the assertion's Subject Confirmation Method.<br>For information about HoK assertions, see [Web Services Security SAML Token Profile](https://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-SAMLTokenProfile-v1.1.1-os.html).<br>This option does not apply to OAuth assertion profiles. |
   | Encrypt SAML 2.0 Assertion | When selected, the STS encrypts the SAML 2.0 assertion. Applicable only to SAML 2.0 security tokens.<br>This option does not apply to OAuth assertion profiles. |

6. On the **Protocol Settings** tab, customize SAML messages and assertions for WS-Trust connections. Message customizations are OGNL expressions that allow you to customize the security token sent from PingFederate to the service provider (SP).

   1. Click **Show Advanced Customizations**.

   2. From the **Message Type** list, select a type option and enter an expression. The message type is used to override the message type returned from the OGNL expression.

      The following tables describe the relationship between message type and available variables, and the corresponding class or interface information in Java.

      **SP connections SAML 2.0 message types and expressions**

      | Message types | Available variables and classes/interfaces in Javadoc |
      | --- | --- |
      | AssertionType | `#AssertionType`: `org.sourceid.saml20.xmlbinding.assertion.AssertionType`<br>`#AssertionTypes`: `org.sourceid.saml20.xmlbinding.assertion.AssertionType[]`<br>`#Attributes`: `org.sourceid.util.log.AttributeMap` |
      | ResponseDocument | `#ResponseDocument`:<br>For a connection with WS-Trust v1.3, `#ResponseDocument` will be of type `org.oasisOpen.docs.wsSx.wsTrust.x200512.RequestSecurityTokenResponseCollectionDocument`.<br>For a connection with WS-Trust v1.2, `#ResponseDocument` will be of type `org.xmlsoap.schemas.ws.x2005.x02.trust.RequestSecurityTokenResponseDocument`.<br>`#Attributes`: `org.sourceid.util.log.AttributeMap` |

      **SP Connections SAML 1.x message types and expressions**

      | Message types | Available variables and classes/interfaces in Javadoc |
      | --- | --- |
      | AssertionType | `#AssertionType`: `org.sourceid.protocol.saml11.xml.AssertionType`<br>`#AssertionTypes`: `org.sourceid.protocol.saml11.xml.AssertionType[]`<br>`#Attributes`: `org.sourceid.util.log.AttributeMap` |
      | ResponseDocument | `#ResponseDocument`:<br>For a connection with WS-Trust v1.3, `#ResponseDocument` will be of type `org.oasisOpen.docs.wsSx.wsTrust.x200512.RequestSecurityTokenResponseCollectionDocument`.<br>For a connection with WS-Trust v1.2, `#ResponseDocument` will be of type `org.xmlsoap.schemas.ws.x2005.x02.trust.RequestSecurityTokenResponseDocument`.<br>`#Attributes`: `org.sourceid.util.log.AttributeMap` |

   ### Example:

   * Example of an **AssertionType** expression for SAML 1.1.

     ```
     #AssertionType.getAuthenticationStatementArray(0)
     .getSubject().getNameIdentifier().setStringValue("JoeSAML2IDP"),
     #AssertionType
     ```

   * Example of a **ResponseDocument** expression for a connection with WS-Trust v1.3.

     ```
     #RequestSecurityTokenResponseCollectionDocument.getRequestSecurityTokenResponseCollection()
     .getRequestSecurityTokenResponseArray(0).setContext('context1')
     ```

   * Example of a **ResponseDocument** expression for a connection with WS-Trust v1.2.

     ```
     #RequestSecurityTokenResponseDocument.getRequestSecurityTokenResponse().setContext('context1')
     ```

7. Click **Next**.
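
The request fields that steps 4 and 5 act on, shown as an added example that is not PingFederate code: this Python function reads an RST and reports its WS-Trust version, the `AppliesTo` address that is compared with the **Partner Service Identifier**, and whether the request omits `TokenType`, in which case the connection's **Default Token Type** applies. The sample message, its host name, and the `inspect_rst` function are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# WS-Trust namespace -> protocol version (the two versions this page names).
WST_NS = {
    "http://docs.oasis-open.org/ws-sx/ws-trust/200512": "1.3",
    "http://schemas.xmlsoap.org/ws/2005/02/trust": "1.2",
}
WSP_APPLIES_TO = "{http://schemas.xmlsoap.org/ws/2004/09/policy}AppliesTo"
WSA_ADDRESS = "{http://www.w3.org/2005/08/addressing}Address"

# Constructed sample RST (WS-Trust 1.3, no TokenType); the host name is made up.
SAMPLE_RST = """\
<wst:RequestSecurityToken
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
  <wsp:AppliesTo>
    <wsa:EndpointReference>
      <wsa:Address>https://svc.example.com:8443/orders</wsa:Address>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
</wst:RequestSecurityToken>
"""


def inspect_rst(xml_text):
    """Return the RST fields that the protocol settings in steps 4 and 5 act on."""
    # Constructed, trusted input here; use a hardened parser for untrusted XML.
    root = ET.fromstring(xml_text)
    for elem in root.iter():  # the RST may be the root or sit inside a SOAP Body
        ns, _, local = elem.tag[1:].partition("}")
        if local == "RequestSecurityToken" and ns in WST_NS:
            break
    else:
        raise ValueError("no WS-Trust RequestSecurityToken element found")
    address = elem.findtext(f"{WSP_APPLIES_TO}//{WSA_ADDRESS}")
    token_type = elem.findtext(f"{{{ns}}}TokenType")
    return {
        "ws_trust_version": WST_NS[ns],
        "applies_to": address.strip() if address else None,
        "token_type": token_type.strip() if token_type else None,
        # With no TokenType in the request, the Default Token Type decides.
        "default_token_type_applies": not (token_type and token_type.strip()),
    }


if __name__ == "__main__":
    print(inspect_rst(SAMPLE_RST))
```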
