---
title: Configuring a token generator instance
description: Configure the SAML token generator instance parameters depending on the use case requirements.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_configuring_token_generator_instance
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_configuring_token_generator_instance.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 8, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Configuring a token generator instance

Configure the SAML token generator instance parameters depending on the use case requirements.

## About this task

Depending on the selected token generator, the **Instance Configuration** tab presents you with different parameters.

## Steps

1. Go to **Applications > Token Exchange > Token Generators**.

2. Select an existing generator instance by clicking its name or click **Create New Instance** to open the **Create Token Generator Instance** window.

3. On the **Instance Configuration** tab, configure the parameters for this instance type. For the integrated SAML 1.0 and 2.0 Token Generators, see the following table and specify parameters for generated SAML tokens.

   **SAML token generator instance field names and descriptions**

   | Field                            | Instructions                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
   | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
   | Minutes Before                   | Enter a numerical value. This element in a SAML token allows for any server clock variability.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
   | Minutes After                    | Enter a numerical value. This element in a SAML token allows for any server clock variability.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
   | Issuer                           | Enter your SAML 2.0 entity ID or the SAML 1.x issuer as configured in the **System > Server > Protocol Settings** window.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
   | Signing Certificate              | Responses containing SAML tokens must be signed. Select a signing certificate from the list. If you have not yet created or imported your certificate into PingFederate, click **Manage Signing Certificates**. For more information, see [Manage digital signing certificates and decryption keys](help_certmanagementtasklet_dsigsigningcert_certmanagementstate.html). |
   | Signing Algorithm                | Select the signing algorithm corresponding to the selected certificate. Choices include SHA1 for both RSA and DSA. For a list of the available signing algorithms and their URIs, see [Signing algorithms](pf_signing_algorithms.html).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
   | Include Certificate in KeyInfo   | If selected, the entire public certificate is included with the assertion. Otherwise, a short hash reference to the certificate is sent.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
   | Include Raw Key in KeyValue      | If selected, the raw key is included in the `KeyInfo` element as well.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
   | Audience                         | A unique identifier for the target web service, used for the `audience` element of the generated SAML token.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
   | Confirmation Method              | Choose from among available methods: **urn…cm:sender-vouches** (default option), **urn…cm:bearer**, or **urn…cm:holder-of-key**. For more information, see [WSS SAML Token Profile](https://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-SAMLTokenProfile-v1.1.1-os.html). |
   | Encryption Certificate           | The web service provider's public certificate for encryption is required only if holder-of-key is selected as the confirmation method. Select a partner certificate from the list. If you have not yet imported the certificate from your partner, click **Manage Certificates** to do so. For more information, see [Managing certificates from partners](pf_managing_certificates_from_partners.html). |
   | Message Customization expression | Click **Show Advanced Fields** to see this field. An OGNL expression to customize the assertion. The returned type from the expression must be an AssertionType, or the customization will be ignored. The available attributes are `#AssertionType` (`org.sourceid.saml20.xmlbinding.assertion.AssertionType`) and `#Attributes` (`org.sourceid.util.log.AttributeMap`). |

   The following example of a message customization expression is for SAML2. The line breaks are provided to improve readability.

   ```
   #AssertionType
     .getSubject()
     .getNameID()
     .setStringValue("JoeSAML2IDP"),
   #AssertionType
   ```

   The following example is for SAML1.1.

   ```
   #AssertionType
     .getAuthenticationStatementArray(0)
     .getSubject().getNameIdentifier()
     .setStringValue("Joe123"),
   #AssertionType
   ```

   For information about add-on generators, see [Integration overview](../introduction_to_pingfederate/pf_integr_overview.html).

4. Click **Next**.
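An added example, not part of the PingFederate documentation or product: a Python check that a generated SAML 2.0 assertion carries the issuer, validity window, audience, and confirmation method configured in the table above. The sample assertion, the function name `check_assertion`, and all values are constructed; it assumes **Minutes Before** and **Minutes After** surface as the `NotBefore` and `NotOnOrAfter` attributes of `Conditions`, and it does not verify the signature.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CM = "urn:oasis:names:tc:SAML:2.0:cm:"  # SAML 2.0 confirmation-method URN prefix

# Constructed sample assertion (unsigned, illustration only).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-07-08T12:00:00.000Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>joe</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-07-08T11:55:00.000Z"
                   NotOnOrAfter="2024-07-08T12:30:00.000Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://ws.example.com/orders</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    # xs:dateTime in UTC, with or without milliseconds.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text, issuer, audience, method, max_window_min, now):
    """Return a list of findings; an empty list means the token matches."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        findings.append("issuer mismatch")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not {"NotBefore", "NotOnOrAfter"} <= set(cond.attrib):
        return findings + ["missing validity window"]
    # Assumption: Minutes Before/After set these two attributes.
    nb, noa = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    if not (nb <= now < noa):
        findings.append("outside validity window")
    if noa - nb > timedelta(minutes=max_window_min):
        findings.append("validity window wider than policy")
    auds = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in auds:
        findings.append("audience mismatch")
    methods = [s.get("Method") for s in root.findall("saml:Subject/saml:SubjectConfirmation", NS)]
    if methods != [CM + method]:
        findings.append("unexpected confirmation method: %s" % methods)
    return findings
```

An empty result means the token matches the expected settings; a "validity window wider than policy" finding indicates that the combined before and after minutes exceed what the relying party is prepared to accept.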
