---
title: Configuring authentication requirements for inbound messages
description: You can configure the authentication requirements used to validate inbound messages in PingFederate.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_config_auth_requirement_for_inbound_messag
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_config_auth_requirement_for_inbound_messag.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  steps: Steps
---

# Configuring authentication requirements for inbound messages

You can configure the authentication requirements used to validate inbound messages in PingFederate.

## Steps

On the **Back-Channel Authentication** tab, in the **Received from your partner** section, click **Configure**.

On the **Inbound Authentication Type** tab, choose one or more authentication methods.

* HTTP Basic

  When selected, the administrative console prompts you to enter the credentials on the **Basic SOAP Authentication (Inbound)** tab.

|   |                                                                                                                                                                                                                              |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | If you are configuring more than one connection that uses the artifact or HTTP profile, you must ensure that the username is unique for each connection. You must communicate these credentials to your partner out-of-band. |

* SSL Client Certificate

  When selected, the administrative console prompts you to specify the trust model and the related certificate settings on subsequent windows. See the next step.

* Digital Signature (Browser SSO profile only)

  You select a signing certificate on the **Signature Verification Settings** tab. This option relies on the digital signature of the message.

* Require SSL

  When selected, incoming HTTP transmissions must use a secure channel. This option is selected by default. You can clear the checkbox if you do not require a secure channel and client certificate authentication.

For SAML 2.0, use these options in any combination or independently. For SAML 1.x, you must enable HTTP Basic authentication, client certificate authentication, or both. You can also add digital signing to ensure message integrity.

If you chose **SSL Client Certificate** in the previous step, select a trust model on the **Certificate Verification Method** tab.

* Anchored

  The partner certificate must be signed by a trusted certificate authority (CA). Optionally, you can also restrict the issuer to a specific Trusted CA to mitigate potential man-in-the-middle attacks and to provide a means to isolate certificates used by different connections. The CA's certificate must be imported into the PingFederate Trusted CA store on the **Trusted CAs** window.

* Unanchored

  The partner certificate is self-signed or you want to trust a specified certificate.

|   |                                                                                                                                                                                                                                                                                                                                  |
| - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | When anchored certificates are used between partners, certificates can be changed without sending the update to your partner. If the certificate is unanchored, any changes must be promulgated. For more information, see [Digital signing policy coordination](../introduction_to_pingfederate/pf_digi_sign_poli_coordin.html). |

| Trust model | Subsequent steps |
| ----------- | ---------------- |
| Anchored    | On the **Subject DN** tab: 1) Enter the `Subject DN` of the certificate. 2) Optionally, select the **Restrict Issuer** checkbox and enter the `Issuer DN` of the certificate. Consider enabling this option to mitigate potential man-in-the-middle attacks and to provide a means to isolate certificates used by different connections. |
| Unanchored  | On the **SSL Verification Certificate** tab, select the client certificate from your partner. If you have not yet imported the client certificate from your partner, click **Manage Certificates** to do so. For more information, see [Managing certificates from partners](pf_managing_certificates_from_partners.html). |

On the **Summary** tab, review your configuration and perform one of the following tasks.

* Amend your configuration

  Click the corresponding tab title and then follow the configuration wizard to complete the task.

* Keep your changes

  Click **Done** and continue with the rest of the configuration.

|   |                                                                                                                                            |
| - | ------------------------------------------------------------------------------------------------------------------------------------------ |
|   | When editing an existing configuration, you can also click **Save** as soon as the administrative console offers the opportunity to do so. |

* Discard your changes

  Click **Cancel**.
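
When you review several connections at the **Summary** stage, the rules stated in the steps above can be checked mechanically. The following is an added example, not PingFederate code or its export format: the connection records and their field names are hypothetical and constructed for illustration.

```python
from collections import Counter

# Constructed sample data. Field names are hypothetical, not PingFederate's schema.
CONNECTIONS = [
    {"name": "partner-a", "protocol": "SAML20", "profile": "artifact",
     "methods": {"basic"}, "basic_user": "soapuser", "require_ssl": True},
    {"name": "partner-b", "protocol": "SAML20", "profile": "artifact",
     "methods": {"basic", "client_cert"}, "basic_user": "soapuser",
     "require_ssl": False, "trust": "anchored", "issuer_dn": None},
    {"name": "partner-c", "protocol": "SAML11", "profile": "browser_sso",
     "methods": {"signature"}, "require_ssl": True},
    {"name": "partner-d", "protocol": "SAML20", "profile": "artifact",
     "methods": {"client_cert"}, "require_ssl": True,
     "trust": "anchored", "issuer_dn": "CN=Example Issuing CA,O=Example"},
]

RULES = {
    "DUP_BASIC_USER": "HTTP Basic username is shared with another connection",
    "SAML1_NO_AUTH": "SAML 1.x needs HTTP Basic, client certificate, or both",
    "SIG_WRONG_PROFILE": "Digital Signature applies to the Browser SSO profile only",
    "CERT_WITHOUT_SSL": "client certificate selected but Require SSL is cleared",
    "ISSUER_UNRESTRICTED": "anchored trust without Restrict Issuer (advisory)",
}

def audit(connections):
    """Return (connection name, rule code) pairs, in input and rule order."""
    # Count how many connections use each inbound HTTP Basic username.
    users = Counter(c["basic_user"] for c in connections if "basic" in c["methods"])
    findings = []
    for c in connections:
        m = c["methods"]
        checks = {
            "DUP_BASIC_USER": "basic" in m and users[c["basic_user"]] > 1,
            "SAML1_NO_AUTH": c["protocol"].startswith("SAML1")
                             and not m & {"basic", "client_cert"},
            "SIG_WRONG_PROFILE": "signature" in m and c["profile"] != "browser_sso",
            "CERT_WITHOUT_SSL": "client_cert" in m and not c["require_ssl"],
            "ISSUER_UNRESTRICTED": "client_cert" in m
                                   and c.get("trust") == "anchored"
                                   and not c.get("issuer_dn"),
        }
        findings += [(c["name"], code) for code, hit in checks.items() if hit]
    return findings

if __name__ == "__main__":
    for name, code in audit(CONNECTIONS):
        print(f"{name}: {code}: {RULES[code]}")
```
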
