---
title: Configuring an OpenToken SP Adapter instance
description: Configure an instance of the deployed OpenToken Adapter, which uses a secure token format to transfer user attributes between an application and the PingFederate server.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_config_opentoken_sp_adapt_instance
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_config_opentoken_sp_adapt_instance.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Configuring an OpenToken SP Adapter instance

Configure an instance of the deployed OpenToken Adapter, which uses a secure token format to transfer user attributes between an application and the PingFederate server.

## About this task

Configure an OpenToken Service Provider (SP) Adapter instance to enable a secure transfer of the user-identity information to the target SP application.

## Steps

1. Go to **Applications > Integration > SP Adapters** to open the **Manage SP Adapter Instances** window.

2. Click **Create New Instance** to start the **Create Adapter Instance** configuration wizard.

3. On the **Type** tab, configure the basics of this adapter instance.

   1. Enter the **Instance Name** and **Instance ID**, and select the adapter type from the **Type** list.

   2. (Optional) Select a **Parent Instance** from the list. This is useful when you are creating an instance that is similar to an existing one. The child instance inherits the configuration of its parent, and you can override one or more settings during the rest of the setup: select the **Override …** checkbox and make the adjustments as needed in one or more subsequent windows.

4. On the **Instance Configuration** tab, configure your OpenToken SP Adapter instance security context.

   Note: These values depend on your developer's implementation. For more information, see the **Description** field provided in-window and in the following table.

   **PingFederate's field names and descriptions for creating an adapter instance**

   | Field | Description |
   | --- | --- |
   | Password / Confirm Password (Required) | The password used to derive the token encryption key. It is also known as the shared secret, because the PingFederate server and the application's OpenToken agent must both hold the same value. |

   Click **Show Advanced Fields** on the **Instance Configuration** tab to review the following settings. Modify as needed.

   | Field | Description |
   | --- | --- |
   | Transport Mode | How the token is transported to and from the application: as a query parameter, in a cookie, or as a form POST (default). |
   | Token Name | The name of the cookie or query parameter that contains the token. The name must be unique for each adapter instance. Override the default value `opentoken` as needed. |
   | Cipher Suite | The algorithm, cipher mode, and key size used to encrypt the token. The default is **AES-128/CBC**. |
   | Authentication Service | The URL to which the user is redirected for a single sign-on (SSO) event. This URL overrides the Target Resource, which is sent as a parameter to the Authentication Service. |
   | Account Link Service | The URL to which the user is redirected for account linking. This URL belongs to an external SP application, which authenticates the user and returns the local user ID inside the token. |
   | Logout Service | The URL to which the user is redirected for a single-logout event. This URL belongs to an external application, which terminates the user session. |
   | Cookie Domain | The server domain, for example `example.com`. If no domain is specified, the value is taken from the request. |
   | Cookie Path | The path of the cookie that contains the token. |
   | Token Lifetime (Required) | The number of seconds for which the token is valid. Valid range is 1 to 28800. The default is `300` (5 minutes). |
   | Session Lifetime (Required) | The number of seconds for which the token can be re-issued without re-authentication. Valid range is 1 to 259200. The default is `43200` (12 hours). |
   | Not Before Tolerance (Required) | The number of seconds of clock skew to tolerate between servers. Valid range is 0 to 3600. The default is `0`. |
   | Force SunJCE Provider | If selected, the SunJCE provider is used for encryption and decryption. |
   | Use Verbose Error Messages | If selected, verbose TokenException messages are used. |
   | Obfuscate Password | Selected by default. The password is obfuscated and password-strength validation is applied. Clear the checkbox only for backward compatibility with previous OpenToken agents. |
   | Session Cookie | If selected, the OpenToken is set as a session cookie rather than a persistent cookie. Applies only if **Transport Mode** is **Cookie**. Not selected by default. |
   | Secure Cookie | If selected, the OpenToken cookie is set only if the request arrives on a secure channel (HTTPS). Applies only if **Transport Mode** is **Cookie**. Not selected by default. |
   | Send Subject as Query Parameter | If selected and **Transport Mode** is **Query Parameter**, the user identifier `subject` is sent as a clear-text query parameter. If **Transport Mode** is **Form POST**, the user identifier is sent as POST data. |
   | Subject Query Parameter | The parameter name used for the user identifier when the **Send Subject as Query Parameter** checkbox is selected. |
   | Send Extended Attributes | Extended attributes are normally sent only inside the token. This option overrides that behavior and includes them in browser cookies or query parameters, where they are outside the encrypted token. |
   | Skip Trimming of Trailing Backslashes | Not selected by default. When not selected, trailing backslashes are trimmed, which keeps insecure content from affecting the security of your application and the agent. Keep the default and update your applications to the latest version of the agent; selecting this checkbox has a negative security impact, because someone can maliciously add slashes to exploit the system. |
   | URL Encode Cookie Values | If selected, the extended attribute cookie value is URL-encoded. |

5. On the **Actions** tab, under **Action**, click **Download**, and then click **Export** to save the properties file.

   The values in the resulting file, `agent-config.txt`, mirror the console configuration and are consumed by the SP application. Because the file carries the shared secret configured above, handle it as you would any credential. See the documentation of your integration kit for more information.

6. (Optional) In the **Extended Contract** tab, configure additional attributes for this adapter instance.

7. On the **Summary** tab, review your configuration and modify as needed. Click **Done**.

8. On the **SP Adapters** window, click **Save** to confirm the adapter instance configuration.

   If you want to exit without saving the configuration, click **Cancel**.
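A check a practitioner would want after exporting the file in step 5: a small linter for `agent-config.txt` that applies the ranges, defaults, and flags from the Instance Configuration table and warns on the settings that weaken the token transport. This is an added example for this page, not code from PingFederate or its integration kits. The page does not document the exported file format, so the property key names (`transport-mode`, `token-lifetime`, and so on) and the transport-mode values are assumed for illustration, and both sample files are constructed.

```python
"""Lint an exported OpenToken SP Adapter agent-config.txt.
Added example for this page, not PingFederate or integration-kit code.
Checks follow the ranges, defaults and flags in the Instance Configuration
table. Property key names and transport-mode values are ASSUMED; compare
them with the file your console exports before relying on this."""
from __future__ import annotations

# Required numeric fields and their valid ranges in seconds (from the table).
RANGES = {
    "token-lifetime": (1, 28800),
    "session-lifetime": (1, 259200),
    "not-before-tolerance": (0, 3600),
}

# Constructed sample: a hand-edited export with several weak settings.
WEAK = """\
password=Sup3rSecretSharedValue!
transport-mode=query
token-lifetime=300
session-lifetime=300000
not-before-tolerance=7200
obfuscate-password=false
use-verbose-error-messages=true
send-subject-as-query-parameter=true
send-extended-attributes=true
skip-trimming-of-trailing-backslashes=true
"""

# Constructed sample: table defaults kept, cookie transport, Secure Cookie set.
HARDENED = """\
password=Sup3rSecretSharedValue!
transport-mode=cookie
token-lifetime=300
session-lifetime=43200
not-before-tolerance=0
obfuscate-password=true
session-cookie=true
secure-cookie=true
use-verbose-error-messages=false
send-subject-as-query-parameter=false
send-extended-attributes=false
skip-trimming-of-trailing-backslashes=false
"""

def parse_properties(text: str) -> dict[str, str]:
    """Parse key=value lines; blank lines and # comments are ignored."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        props[key.strip()] = value.strip()
    return props

def _flag(props: dict[str, str], key: str) -> bool:
    """Checkbox semantics: an absent key means not selected."""
    return props.get(key, "false").lower() == "true"

def lint(props: dict[str, str]) -> list[str]:
    """Return ERROR/WARN findings; an empty list means nothing to report."""
    out: list[str] = []
    if not props.get("password"):
        out.append("ERROR password (shared secret) is missing")
    for key, (lo, hi) in RANGES.items():
        raw = props.get(key)
        if raw is None or not raw.lstrip("-").isdigit():
            out.append(f"ERROR {key}={raw!r} is required and must be an integer")
        elif not lo <= int(raw) <= hi:  # console rejects these; agent and server would disagree
            out.append(f"ERROR {key}={raw} outside valid range {lo}..{hi}")
    mode = props.get("transport-mode", "form-post").lower()  # Form POST is the default
    if mode == "query":
        out.append("WARN transport-mode=query: token appears in URLs "
                   "(browser history, proxy and web-server logs, Referer)")
        if _flag(props, "send-subject-as-query-parameter"):
            out.append("WARN subject sent as a clear-text query parameter")
    if mode == "cookie" and not _flag(props, "secure-cookie"):
        out.append("WARN secure-cookie=false: token cookie may be sent over plain http")
    if _flag(props, "send-extended-attributes"):
        out.append("WARN extended attributes sent in cookies/query parameters, outside the token")
    if not _flag(props, "obfuscate-password"):
        out.append("WARN obfuscate-password=false: legacy-agent compatibility only")
    if _flag(props, "use-verbose-error-messages"):
        out.append("WARN verbose TokenException messages enabled")
    if _flag(props, "skip-trimming-of-trailing-backslashes"):
        out.append("WARN trailing-backslash trimming disabled; keep the default")
    return out

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(f"== {name}")
        for line in lint(parse_properties(text)) or ["OK"]:
            print(" ", line)
```

The out-of-range lifetimes are reported as errors because the console would never have produced them, so a hand-edited file with such values leaves the agent and PingFederate disagreeing about token validity. The warnings map directly to the table: query-parameter transport puts the token and, with **Send Subject as Query Parameter**, the clear-text subject into URLs; **Secure Cookie** is off by default, so cookie transport needs it selected explicitly; and the remaining flags trade security for compatibility or debugging output.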
