---
title: Connection-based policy
description: For both the identity provider (IdP) and service provider (SP) roles, PingFederate employs a partner-connection configuration, which enables the association of web services authentication policies with federation partners.
component: pingfederate
version: 13.1
page_id: pingfederate:introduction_to_pingfederate:pf_conn_based_poli
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/introduction_to_pingfederate/pf_conn_based_poli.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  idp-configuration: IdP configuration
  sp-configuration: SP configuration
---

# Connection-based policy

For both the identity provider (IdP) and service provider (SP) roles, PingFederate employs a partner-connection configuration, which enables the association of web services authentication policies with federation partners.

For Security Token Service (STS) processing, these policies define configurations for handling WS-Trust requests and transferring identity information between security domains. For more information, see [Web services standards](pf_web_service_standard.html).

## IdP configuration

Use the administrative console in an IdP role to configure the WS-Trust request-processing policy for your SP partner, including:

* The type of SAML token to create in response to an issue request from a web service client (WSC) application

* The mapping of attributes to include within the issued SAML token

* The key used to create a digital signature for the issued SAML token

## SP configuration

Use the administrative console in an SP role to configure the WS-Trust request-processing policy for your IdP partner, including:

* Whether to validate the incoming SAML token only, or to validate the incoming token and also issue a local token

* The mapping of attributes to include in the locally issued token when applicable

* The certificate used to verify the digital signature for the incoming SAML token

* The key used to decrypt the incoming SAML token when needed
