---
title: Token translator mappings
description: Use the token translator configuration to map incoming user attributes from an identity provider (IdP) token processor directly to a service provider (SP) token generator.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_token_translator_mappings
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_token_translator_mappings.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 10, 2024
---

# Token translator mappings

Use the token translator configuration to map incoming user attributes from an identity provider (IdP) token processor directly to a service provider (SP) token generator.

This configuration is provided for use cases in which the PingFederate WS-Trust STS exchanges one type of security token for another without needing to generate a SAML token in between. See [WS-Trust STS](../introduction_to_pingfederate/pf_wstrust_sts.html). Use this configuration, for example, to convert a user's Kerberos token to a third-party proprietary web access management (WAM) session token.

In effect, this configuration provides an alternative to setting up complete STS connections to make such an exchange using the same instance of PingFederate. Instead, incoming user attributes from an IdP token processor are mapped directly to an SP token generator.

To use this configuration, ensure that you have enabled both the IdP and SP roles for PingFederate, including the WS-Trust protocol. See [Enabling the WS-Trust protocol](pf_enabling_wstrust_protocol.html). Make sure to configure the required token-translator instances. You might reuse instances that are also in use for STS connection configurations.