---
title: Example SAML v2.0 Fedlet files
description: PingGateway uses the PingAM Fedlet to act as a SAML v2.0 SP. This page provides example Fedlet configuration files PingGateway can use with specific IdPs.
component: pinggateway
version: 2026
page_id: pinggateway:gateway-guide:federation-example-files
canonical_url: https://docs.pingidentity.com/pinggateway/2026/gateway-guide/federation-example-files.html
revdate: 2026-01-20T12:00:00Z
section_ids:
  am_as_idp: AM as IdP
  ping-saml-files: PingOne as IdP
---

# Example SAML v2.0 Fedlet files

PingGateway uses the PingAM Fedlet to act as a SAML v2.0 SP. This page provides example Fedlet configuration files PingGateway can use with specific IdPs.

These examples don't include settings for every possible scenario. Learn more about the Fedlet configuration in the AM documentation [Implement SAML v2.0 SPs by using Fedlets](https://docs.pingidentity.com/pingam/8.1/am-saml2/saml2-implementation-fedlet.html).

| File                          | Description                                 |
| ----------------------------- | ------------------------------------------- |
| `FederationConfig.properties` | Fedlet properties                           |
| `fedlet.cot`                  | Circle of trust for PingGateway and the IdP |
| `idp.xml`                     | Standard metadata for the IdP               |
| `idp-extended.xml`            | Metadata extensions for the IdP             |
| `sp.xml`                      | Standard metadata for the PingGateway SP    |
| `sp-extended.xml`             | Metadata extensions for the PingGateway SP  |

## AM as IdP

> **Collapse: FederationConfig.properties**
>
> The following example of `$HOME/.openig/SAML/FederationConfig.properties` defines the fedlet properties:
>
> ```properties
> #
> # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
> #
> # Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
> #
> # The contents of this file are subject to the terms
> # of the Common Development and Distribution License
> # (the License). You may not use this file except in
> # compliance with the License.
> #
> # You can obtain a copy of the License at
> # https://opensso.dev.java.net/public/CDDLv1.0.html or
> # opensso/legal/CDDLv1.0.txt
> # See the License for the specific language governing
> # permission and limitations under the License.
> #
> # When distributing Covered Code, include this CDDL
> # Header Notice in each file and include the License file
> # at opensso/legal/CDDLv1.0.txt.
> # If applicable, add the following below the CDDL Header,
> # with the fields enclosed by brackets [] replaced by
> # your own identifying information:
> # "Portions Copyrighted [year] [name of copyright owner]"
> #
> # $Id: FederationConfig.properties,v 1.21 2010/01/08 22:41:28 exu Exp $
> #
> # Portions Copyright 2016-2024 Ping Identity Corporation.
>
> # If a component wants to use a different datastore provider than the
> # default one defined above, it can define a property like follows:
> # com.sun.identity.plugin.datastore.class.<componentName>=<provider class>
>
> # com.sun.identity.plugin.configuration.class specifies implementation for
> # com.sun.identity.plugin.configuration.ConfigurationInstance interface.
> com.sun.identity.plugin.configuration.class=com.sun.identity.plugin.configuration.impl.FedletConfigurationImpl
>
> # Specifies implementation for
> # com.sun.identity.plugin.datastore.DataStoreProvider interface.
> # This property defines the default datastore provider.
> com.sun.identity.plugin.datastore.class.default=com.sun.identity.plugin.datastore.impl.FedletDataStoreProvider
>
> # Specifies implementation for
> # org.forgerock.openam.federation.plugin.rooturl.RootUrlProvider interface.
> # This property defines the default base url provider.
> com.sun.identity.plugin.root.url.class.default=org.forgerock.openam.federation.plugin.rooturl.impl.FedletRootUrlProvider
>
> # com.sun.identity.plugin.log.class specifies implementation for
> # com.sun.identity.plugin.log.Logger interface.
> com.sun.identity.plugin.log.class=com.sun.identity.plugin.log.impl.FedletLogger
>
> # com.sun.identity.plugin.session.class specifies implementation for
> # com.sun.identity.plugin.session.SessionProvider interface.
> com.sun.identity.plugin.session.class=com.sun.identity.plugin.session.impl.FedletSessionProvider
>
> # com.sun.identity.plugin.monitoring.agent.class specifies implementation for
> # com.sun.identity.plugin.monitoring.FedMonAgent interface.
> com.sun.identity.plugin.monitoring.agent.class=com.sun.identity.plugin.monitoring.impl.FedletAgentProvider
>
> # com.sun.identity.plugin.monitoring.saml2.class specifies implementation for
> # com.sun.identity.plugin.monitoring.FedMonSAML2Svc interface.
> com.sun.identity.plugin.monitoring.saml2.class=com.sun.identity.plugin.monitoring.impl.FedletMonSAML2SvcProvider
>
> # com.sun.identity.saml.xmlsig.keyprovider.class specified the implementation
> # class for com.sun.identity.saml.xmlsig.KeyProvider interface
> com.sun.identity.saml.xmlsig.keyprovider.class=com.sun.identity.saml.xmlsig.JKSKeyProvider
>
> # com.sun.identity.saml.xmlsig.signatureprovider.class specified the
> # implementation class for com.sun.identity.saml.xmlsig.SignatureProvider
> # interface
> com.sun.identity.saml.xmlsig.signatureprovider.class=com.sun.identity.saml.xmlsig.AMSignatureProvider
>
> com.iplanet.am.server.protocol=http
> com.iplanet.am.server.host=am.example.com
> com.iplanet.am.server.port=8080
> com.iplanet.am.services.deploymentDescriptor=/openam
> com.iplanet.am.logstatus=ACTIVE
>
> # Name of the webcontainer.
> # Even though the servlet/JSP are web container independent,
> # Access/Federation Manager uses servlet 2.3 API request.setCharacterEncoding()
> # to decode incoming non English characters. These APIs will not work if
> # Access/Federation Manager is deployed on Sun Java System Web Server 6.1.
> # We use gx_charset mechanism to correctly decode incoming data in
> # Sun Java System Web Server 6.1 and S1AS7.0. Possible values
> # are BEA6.1, BEA 8.1, IBM5.1 or IAS7.0.
> # If the web container is Sun Java System Webserver, the tag is not replaced.
> com.sun.identity.webcontainer=WEB_CONTAINER
>
> # Identify saml xml signature keystore file, keystore password file
> # key password file
> com.sun.identity.saml.xmlsig.keystore=%BASE_DIR%/security/keystores/keystore.jks
> com.sun.identity.saml.xmlsig.storepass=%BASE_DIR%/.storepass
> com.sun.identity.saml.xmlsig.keypass=%BASE_DIR%/.keypass
> com.sun.identity.saml.xmlsig.certalias=test
>
> # Type of keystore used for saml xml signature. Default is JKS.
> #
> # com.sun.identity.saml.xmlsig.storetype=JKS
>
> # Specifies the implementation class for
> # com.sun.identity.saml.xmlsig.PasswordDecoder interface.
> com.sun.identity.saml.xmlsig.passwordDecoder=com.sun.identity.fedlet.FedletEncodeDecode
>
> # The following key is used to specify the maximum content-length
> # for an HttpRequest that will be accepted by the OpenSSO
> # The default value is 16384 which is 16k
> com.iplanet.services.comm.server.pllrequest.maxContentLength=16384
>
> # The following keys are used to configure the Debug service.
> # Possible values for the key 'level' are: off | error | warning | message.
> # The key 'directory' specifies the output directory where the debug files
> # will be created.
> # Trailing spaces are significant.
> # Windows: Use forward slashes "/" separate directories, not backslash "\".
> # Windows: Spaces in the file name are allowed for Windows.
> #
> com.iplanet.services.debug.level=message
> com.iplanet.services.debug.directory=%BASE_DIR%%SERVER_URI%/debug
>
> # The following keys are used to configure the Stats service.
> # Possible values for the key 'level' are: off | file | console
> # Stats state 'file' will write to a file under the specified directory,
> # and 'console' will write into  webserver log files
> # The key 'directory' specifies the output directory where the debug files
> # will be created.
> # Trailing spaces are significant.
> # Windows: Use forward slashes "/" separate directories, not backslash "\".
> # Windows: Spaces in the file name are allowed for Windows.
> # Stats interval should be atleast 5 secs to avoid CPU saturation,
> # the product would assume any thing less than 5 secs is 5 secs.
> com.iplanet.am.stats.interval=60
> com.iplanet.services.stats.state=file
> com.iplanet.services.stats.directory=%BASE_DIR%/var/stats
>
> # The key that will be used to encrypt and decrypt passwords.
> am.encryption.pwd=@AM_ENC_PWD@
>
> # SecureRandom Properties: The key
> # "com.iplanet.security.SecureRandomFactoryImpl"
> # specifies the factory class name for SecureRandomFactory
> # Available impl classes are:
> #   com.iplanet.am.util.JSSSecureRandomFactoryImpl (uses JSS)
> #   com.iplanet.am.util.SecureRandomFactoryImpl (pure Java)
> com.iplanet.security.SecureRandomFactoryImpl=com.iplanet.am.util.SecureRandomFactoryImpl
>
> # SocketFactory properties: The key "com.iplanet.security.SSLSocketFactoryImpl"
> # specifies the factory class name for LDAPSocketFactory
> # Available classes are:
> #    com.iplanet.services.ldap.JSSSocketFactory (uses JSS)
> #    com.sun.identity.shared.ldap.factory.JSSESocketFactory    (pure Java)
> com.iplanet.security.SSLSocketFactoryImpl=com.sun.identity.shared.ldap.factory.JSSESocketFactory
>
> # Encryption: The key "com.iplanet.security.encryptor" specifies
> # the encrypting class implementation.
> # Available classes are:
> #    com.iplanet.services.util.JCEEncryption
> #    com.iplanet.services.util.JSSEncryption
> com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption
>
> # Determines if JSS will be added with highest priority to JCE
> # Set this to "true" if other JCE providers should be used for
> # digial signatures and encryptions.
> com.sun.identity.jss.donotInstallAtHighestPriority=true
>
> # Configuration File (serverconfig.xml) Location
> com.iplanet.services.configpath=@BASE_DIR@
> ```
>
> Source: [FederationConfig.properties](../_attachments/SAML/FederationConfig.properties)

> **Collapse: fedlet.cot**
>
> The following example of `$HOME/.openig/SAML/fedlet.cot` defines a circle of trust between AM as the IdP and PingGateway as the SP:
>
> ```properties
> cot-name=Circle of Trust
> sun-fm-cot-status=Active
> sun-fm-trusted-providers=openam, sp
> sun-fm-saml2-readerservice-url=
> sun-fm-saml2-writerservice-url=
> ```
>
> Source: [fedlet.cot](../_attachments/SAML/fedlet.cot)

> **Collapse: idp.xml**
>
> The following example of `$HOME/.openig/SAML/idp.xml` defines a SAML configuration file for the AM IdP, `idp`:
>
> ```xml
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <EntityDescriptor entityID="openam" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xenc11="http://www.w3.org/2009/xmlenc11#" xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" xmlns:x509qry="urn:oasis:names:tc:SAML:metadata:X509:query" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>     <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>         <KeyDescriptor use="signing">
>             <ds:KeyInfo>
>                 <ds:X509Data>
>                     <ds:X509Certificate>
> ...
>                     </ds:X509Certificate>
>                 </ds:X509Data>
>             </ds:KeyInfo>
>         </KeyDescriptor>
>         <KeyDescriptor use="encryption">
>             <ds:KeyInfo>
>                 <ds:X509Data>
>                     <ds:X509Certificate>
> ...
>                     </ds:X509Certificate>
>                 </ds:X509Data>
>             </ds:KeyInfo>
>             <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
>                 <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>                 <xenc11:MGF Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha256"/>
>             </EncryptionMethod>
>             <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
>                 <xenc:KeySize>128</xenc:KeySize>
>             </EncryptionMethod>
>         </KeyDescriptor>
>         <ArtifactResolutionService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://am.example.com:8088/openam/ArtifactResolver/metaAlias/idp"/>
>         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://am.example.com:8088/openam/IDPSloRedirect/metaAlias/idp" ResponseLocation="http://am.example.com:8088/openam/IDPSloRedirect/metaAlias/idp"/>
>         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://am.example.com:8088/openam/IDPSloPOST/metaAlias/idp" ResponseLocation="http://am.example.com:8088/openam/IDPSloPOST/metaAlias/idp"/>
>         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://am.example.com:8088/openam/IDPSloSoap/metaAlias/idp"/>
>         <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://am.example.com:8088/openam/IDPMniRedirect/metaAlias/idp" ResponseLocation="http://am.example.com:8088/openam/IDPMniRedirect/metaAlias/idp"/>
>         <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://am.example.com:8088/openam/IDPMniPOST/metaAlias/idp" ResponseLocation="http://am.example.com:8088/openam/IDPMniPOST/metaAlias/idp"/>
>         <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://am.example.com:8088/openam/IDPMniSoap/metaAlias/idp"/>
>         <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
>         <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
>         <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
>         <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
>         <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
>         <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
>         <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
>         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://am.example.com:8088/openam/SSORedirect/metaAlias/idp"/>
>         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://am.example.com:8088/openam/SSOPOST/metaAlias/idp"/>
>         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://am.example.com:8088/openam/SSOSoap/metaAlias/idp"/>
>         <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://am.example.com:8088/openam/NIMSoap/metaAlias/idp"/>
>         <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://am.example.com:8088/openam/AIDReqSoap/IDPRole/metaAlias/idp"/>
>         <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://am.example.com:8088/openam/AIDReqUri/IDPRole/metaAlias/idp"/>
>     </IDPSSODescriptor>
> </EntityDescriptor>
> ```
>
> Source: [idp.xml](../_attachments/SAML/idp.xml)

> **Collapse: idp-extended.xml**
>
> The following example of `$HOME/.openig/SAML/idp-extended.xml` defines an AM SAML descriptor file for the IdP:
>
> ```xml
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <!--
>    DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
>
>    Copyright (c) 2002-2010 Sun Microsystems Inc. All Rights Reserved
>
>    The contents of this file are subject to the terms
>    of the Common Development and Distribution License
>    (the License). You may not use this file except in
>    compliance with the License.
>
>    You can obtain a copy of the License at
>    https://opensso.dev.java.net/public/CDDLv1.0.html or
>    opensso/legal/CDDLv1.0.txt
>    See the License for the specific language governing
>    permission and limitations under the License.
>
>    When distributing Covered Code, include this CDDL
>    Header Notice in each file and include the License file
>    at opensso/legal/CDDLv1.0.txt.
>    If applicable, add the following below the CDDL Header,
>    with the fields enclosed by brackets [] replaced by
>    your own identifying information:
>    "Portions Copyrighted [year] [name of copyright owner]"
>
>    Portions Copyrighted 2010-2017 Ping Identity Corporation.
> -->
> <EntityConfig entityID="openam" hosted="0" xmlns="urn:sun:fm:SAML:2.0:entityconfig">
>     <IDPSSOConfig>
>         <Attribute name="description">
>             <Value/>
>         </Attribute>
>         <Attribute name="cotlist">
>             <Value>Circle of Trust</Value>
>         </Attribute>
>     </IDPSSOConfig>
>     <AttributeAuthorityConfig>
>         <Attribute name="cotlist">
>             <Value>Circle of Trust</Value>
>         </Attribute>
>     </AttributeAuthorityConfig>
>     <XACMLPDPConfig>
>         <Attribute name="wantXACMLAuthzDecisionQuerySigned">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="cotlist">
>             <Value>Circle of Trust</Value>
>         </Attribute>
>     </XACMLPDPConfig>
> </EntityConfig>
> ```
>
> Source: [idp-extended.xml](../_attachments/SAML/idp-extended.xml)

> **Collapse: sp.xml**
>
> The SAML library component validates the SP's `AssertionConsumerService` Location against the incoming IdP SAML Assertion, based on the request information including the port. Always specify the port in the Location value of `AssertionConsumerService` even when using defaults of 443 or 80:
>
> ```xml
> <AssertionConsumerService isDefault="true"
>                           index="0"
>                           Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>                           Location="https://sp.example.com:443/fedletapplication" />
> ```
>
> The following example of `$HOME/.openig/SAML/sp.xml` defines a SAML configuration file for the PingGateway SP, `sp`.
>
> ```xml
> <!--
>    DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
>
>    Copyright (c) 2002-2010 Sun Microsystems Inc. All Rights Reserved
>
>    The contents of this file are subject to the terms
>    of the Common Development and Distribution License
>    (the License). You may not use this file except in
>    compliance with the License.
>
>    You can obtain a copy of the License at
>    https://opensso.dev.java.net/public/CDDLv1.0.html or
>    opensso/legal/CDDLv1.0.txt
>    See the License for the specific language governing
>    permission and limitations under the License.
>
>    When distributing Covered Code, include this CDDL
>    Header Notice in each file and include the License file
>    at opensso/legal/CDDLv1.0.txt.
>    If applicable, add the following below the CDDL Header,
>    with the fields enclosed by brackets [] replaced by
>    your own identifying information:
>    "Portions Copyrighted [year] [name of copyright owner]"
>
>    Portions Copyrighted 2010-2017 Ping Identity Corporation.
> -->
> <EntityDescriptor entityID="sp" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
>     <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp.example.com:8443/saml/fedletSloRedirect" ResponseLocation="https://sp.example.com:8443/saml/fedletSloRedirect"/>
>         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.com:8443/saml/fedletSloPOST" ResponseLocation="https://sp.example.com:8443/saml/fedletSloPOST"/>
>         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://sp.example.com:8443/saml/fedletSloSoap"/>
>         <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
>         <AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.com:8443/saml/fedletapplication/metaAlias/sp"/>
>         <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sp.example.com:8443/saml/fedletapplication/metaAlias/sp"/>
>     </SPSSODescriptor>
>     <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration= "urn:oasis:names:tc:SAML:2.0:protocol">
>     </RoleDescriptor>
>     <XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>     </XACMLAuthzDecisionQueryDescriptor>
> </EntityDescriptor>
> ```
>
> Source: [sp.xml](../_attachments/SAML/sp.xml)
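
A pre-deployment check for the port requirement stated in the `sp.xml` section above, as an added example that is not part of the Ping Identity documentation or product code. The function name `check_sp_metadata` and the sample metadata (the page's `sp.xml` trimmed to the relevant elements, plus a constructed ACS entry with no port) are assumptions; the check also reports the `AuthnRequestsSigned` and `WantAssertionsSigned` flags, which goes beyond the port requirement.

```python
"""Check SAML v2.0 SP metadata (sp.xml) before deploying it. Added example."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Both attributes are optional xs:boolean values that default to false.
SIGNING_FLAGS = {
    "AuthnRequestsSigned": "SP does not declare that it signs AuthnRequests",
    "WantAssertionsSigned": "SP does not declare a requirement for signed assertions",
}

# Constructed sample: the page's sp.xml trimmed to the relevant elements, plus
# a hypothetical ACS entry (index 2) that relies on the default HTTPS port.
SAMPLE_SP_XML = """\
<EntityDescriptor entityID="sp" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com:8443/saml/fedletapplication/metaAlias/sp"/>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.com:8443/saml/fedletapplication/metaAlias/sp"/>
    <AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/fedletapplication/metaAlias/sp"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def check_sp_metadata(xml_text):
    """Return a list of (level, subject, detail) findings for SP metadata.

    level is "error" for an ACS Location the Fedlet cannot match reliably
    (no explicit port, or not an absolute http(s) URL) and "info" for
    signing flags that are false or omitted.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for sp in root.iter(f"{{{MD_NS}}}SPSSODescriptor"):
        for flag, detail in SIGNING_FLAGS.items():
            value = sp.get(flag, "false").strip().lower()
            if value not in ("true", "1"):
                findings.append(("info", flag, detail))

        for acs in sp.findall(f"{{{MD_NS}}}AssertionConsumerService"):
            subject = f"AssertionConsumerService index={acs.get('index')}"
            location = acs.get("Location", "")
            try:
                parts = urlsplit(location)
                port = parts.port  # None when the URL carries no port
            except ValueError:
                findings.append(("error", subject,
                                 f"unparsable Location {location!r}"))
                continue
            if parts.scheme not in ("http", "https") or not parts.hostname:
                findings.append(("error", subject,
                                 f"Location is not an absolute http(s) URL: {location!r}"))
            elif port is None:
                findings.append(("error", subject,
                                 f"no explicit port in Location {location!r}"))
    return findings


if __name__ == "__main__":
    for level, subject, detail in check_sp_metadata(SAMPLE_SP_XML):
        print(f"{level.upper():5} {subject}: {detail}")
```
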

> **Collapse: sp-extended.xml**
>
> The following example of `$HOME/.openig/SAML/sp-extended.xml` defines an AM SAML descriptor file for the SP:
>
> ```xml
> <!--
>    DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
>
>    Copyright (c) 2002-2010 Sun Microsystems Inc. All Rights Reserved
>
>    The contents of this file are subject to the terms
>    of the Common Development and Distribution License
>    (the License). You may not use this file except in
>    compliance with the License.
>
>    You can obtain a copy of the License at
>    https://opensso.dev.java.net/public/CDDLv1.0.html or
>    opensso/legal/CDDLv1.0.txt
>    See the License for the specific language governing
>    permission and limitations under the License.
>
>    When distributing Covered Code, include this CDDL
>    Header Notice in each file and include the License file
>    at opensso/legal/CDDLv1.0.txt.
>    If applicable, add the following below the CDDL Header,
>    with the fields enclosed by brackets [] replaced by
>    your own identifying information:
>    "Portions Copyrighted [year] [name of copyright owner]"
>
>    Portions Copyrighted 2010-2017 Ping Identity Corporation.
> -->
> <EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig" hosted="1" entityID="sp">
>     <SPSSOConfig metaAlias="/sp">
>         <Attribute name="description">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="signingCertAlias">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="encryptionCertAlias">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="basicAuthOn">
>             <Value>false</Value>
>         </Attribute>
>         <Attribute name="basicAuthUser">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="basicAuthPassword">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="autofedEnabled">
>             <Value>false</Value>
>         </Attribute>
>         <Attribute name="autofedAttribute">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="transientUser">
>             <Value>anonymous</Value>
>         </Attribute>
>         <Attribute name="spAdapter">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="spAdapterEnv">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="fedletAdapter">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="fedletAdapterEnv">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="spAccountMapper">
>             <Value>com.sun.identity.saml2.plugins.DefaultLibrarySPAccountMapper</Value>
>         </Attribute>
>         <Attribute name="spAttributeMapper">
>             <Value>com.sun.identity.saml2.plugins.DefaultSPAttributeMapper</Value>
>         </Attribute>
>         <Attribute name="spAuthncontextMapper">
>             <Value>com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper</Value>
>         </Attribute>
>         <Attribute name="spAuthncontextClassrefMapping">
>             <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0|default</Value>
>         </Attribute>
>         <Attribute name="spAuthncontextComparisonType">
>            <Value>exact</Value>
>         </Attribute>
>         <Attribute name="attributeMap">
>            <Value>*=*</Value>
>         </Attribute>
>         <Attribute name="saml2AuthModuleName">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="localAuthURL">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="intermediateUrl">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="defaultRelayState">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="appLogoutUrl">
>            <Value>https://sp.example.com:8443/saml/logout</Value>
>        </Attribute>
>        <Attribute name="assertionTimeSkew">
>            <Value>300</Value>
>        </Attribute>
>        <Attribute name="wantAttributeEncrypted">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="wantAssertionEncrypted">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="wantNameIDEncrypted">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="wantPOSTResponseSigned">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="wantArtifactResponseSigned">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="wantLogoutRequestSigned">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="wantLogoutResponseSigned">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="wantMNIRequestSigned">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="wantMNIResponseSigned">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="cotlist">
>            <Value>Circle of Trust</Value></Attribute>
>        <Attribute name="saeAppSecretList">
>        </Attribute>
>        <Attribute name="saeSPUrl">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="saeSPLogoutUrl">
>        </Attribute>
>        <Attribute name="ECPRequestIDPListFinderImpl">
>            <Value>com.sun.identity.saml2.plugins.ECPIDPFinder</Value>
>        </Attribute>
>        <Attribute name="ECPRequestIDPList">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="enableIDPProxy">
>            <Value>false</Value>
>        </Attribute>
>        <Attribute name="idpProxyList">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="idpProxyCount">
>            <Value>0</Value>
>        </Attribute>
>        <Attribute name="useIntroductionForIDPProxy">
>            <Value>false</Value>
>        </Attribute>
>     </SPSSOConfig>
>     <AttributeQueryConfig metaAlias="/attrQuery">
>         <Attribute name="signingCertAlias">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="encryptionCertAlias">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="wantNameIDEncrypted">
>            <Value></Value>
>         </Attribute>
>         <Attribute name="cotlist">
>            <Value>Circle of Trust</Value>
>         </Attribute>
>     </AttributeQueryConfig>
>     <XACMLAuthzDecisionQueryConfig metaAlias="/pep">
>         <Attribute name="signingCertAlias">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="encryptionCertAlias">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="basicAuthOn">
>             <Value>false</Value>
>         </Attribute>
>         <Attribute name="basicAuthUser">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="basicAuthPassword">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="wantXACMLAuthzDecisionResponseSigned">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="wantAssertionEncrypted">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="cotlist">
>             <Value>Circle of Trust</Value>
>         </Attribute>
>    </XACMLAuthzDecisionQueryConfig>
> </EntityConfig>
> ```
>
> Source: [sp-extended.xml](../_attachments/SAML/sp-extended.xml)

Find additional hints for extended SAML v2.0 SP (`sp-extended.xml`) settings in the AM documentation on [Service Provider Extended XML](https://docs.pingidentity.com/pingam/8.1/am-saml2/create-configure-fedlet.html#unconfigured-fedlet-sp-extended).

## PingOne as IdP

> **Collapse: FederationConfig.properties**
>
> ```properties
> # If a component wants to use a different datastore provider than the
> # default one defined above, it can define a property like follows:
> # com.sun.identity.plugin.datastore.class.<componentName>=<provider class>
>
> # com.sun.identity.plugin.configuration.class specifies implementation for
> # com.sun.identity.plugin.configuration.ConfigurationInstance interface.
> com.sun.identity.plugin.configuration.class=com.sun.identity.plugin.configuration.impl.FedletConfigurationImpl
>
> # Specifies implementation for
> # com.sun.identity.plugin.datastore.DataStoreProvider interface.
> # This property defines the default datastore provider.
> com.sun.identity.plugin.datastore.class.default=com.sun.identity.plugin.datastore.impl.FedletDataStoreProvider
>
> # Specifies implementation for
> # org.forgerock.openam.federation.plugin.rooturl.RootUrlProvider interface.
> # This property defines the default base url provider.
> com.sun.identity.plugin.root.url.class.default=org.forgerock.openam.federation.plugin.rooturl.impl.FedletRootUrlProvider
>
> # com.sun.identity.plugin.log.class specifies implementation for
> # com.sun.identity.plugin.log.Logger interface.
> com.sun.identity.plugin.log.class=com.sun.identity.plugin.log.impl.FedletLogger
>
> # com.sun.identity.plugin.session.class specifies implementation for
> # com.sun.identity.plugin.session.SessionProvider interface.
> com.sun.identity.plugin.session.class=com.sun.identity.plugin.session.impl.FedletSessionProvider
>
> # com.sun.identity.plugin.monitoring.agent.class specifies implementation for
> # com.sun.identity.plugin.monitoring.FedMonAgent interface.
> com.sun.identity.plugin.monitoring.agent.class=com.sun.identity.plugin.monitoring.impl.FedletAgentProvider
>
> # com.sun.identity.plugin.monitoring.saml2.class specifies implementation for
> # com.sun.identity.plugin.monitoring.FedMonSAML2Svc interface.
> com.sun.identity.plugin.monitoring.saml2.class=com.sun.identity.plugin.monitoring.impl.FedletMonSAML2SvcProvider
>
> # com.sun.identity.saml.xmlsig.keyprovider.class specifies the implementation
> # class for com.sun.identity.saml.xmlsig.KeyProvider interface
> com.sun.identity.saml.xmlsig.keyprovider.class=com.sun.identity.saml.xmlsig.JKSKeyProvider
>
> # com.sun.identity.saml.xmlsig.signatureprovider.class specifies the
> # implementation class for com.sun.identity.saml.xmlsig.SignatureProvider
> # interface
> com.sun.identity.saml.xmlsig.signatureprovider.class=com.sun.identity.saml.xmlsig.AMSignatureProvider
>
> com.iplanet.am.server.protocol=http
> com.iplanet.am.server.host=am.example.com
> com.iplanet.am.server.port=8080
> com.iplanet.am.services.deploymentDescriptor=/openam
> com.iplanet.am.logstatus=ACTIVE
>
> # Name of the webcontainer.
> # Even though the servlet/JSP are web container independent,
> # Access/Federation Manager uses servlet 2.3 API request.setCharacterEncoding()
> # to decode incoming non English characters. These APIs will not work if
> # Access/Federation Manager is deployed on Sun Java System Web Server 6.1.
> # We use gx_charset mechanism to correctly decode incoming data in
> # Sun Java System Web Server 6.1 and S1AS7.0. Possible values
> # are BEA6.1, BEA 8.1, IBM5.1 or IAS7.0.
> # If the web container is Sun Java System Webserver, the tag is not replaced.
> com.sun.identity.webcontainer=WEB_CONTAINER
>
> # Identify saml xml signature keystore file, keystore password file
> # key password file
> com.sun.identity.saml.xmlsig.keystore=%BASE_DIR%/security/keystores/keystore.jks
> com.sun.identity.saml.xmlsig.storepass=%BASE_DIR%/.storepass
> com.sun.identity.saml.xmlsig.keypass=%BASE_DIR%/.keypass
> com.sun.identity.saml.xmlsig.certalias=test
>
> # Type of keystore used for saml xml signature. Default is JKS.
> #
> # com.sun.identity.saml.xmlsig.storetype=JKS
>
> # Specifies the implementation class for
> # com.sun.identity.saml.xmlsig.PasswordDecoder interface.
> com.sun.identity.saml.xmlsig.passwordDecoder=com.sun.identity.fedlet.FedletEncodeDecode
>
> # The following key is used to specify the maximum content-length
> # for an HttpRequest that will be accepted by the OpenSSO
> # The default value is 16384 which is 16k
> com.iplanet.services.comm.server.pllrequest.maxContentLength=16384
>
> # The following keys are used to configure the Debug service.
> # Possible values for the key 'level' are: off | error | warning | message.
> # The key 'directory' specifies the output directory where the debug files
> # will be created.
> # Trailing spaces are significant.
> # Windows: Use forward slashes "/" to separate directories, not backslash "\".
> # Windows: Spaces in the file name are allowed for Windows.
> #
> com.iplanet.services.debug.level=message
> com.iplanet.services.debug.directory=%BASE_DIR%%SERVER_URI%/debug
>
> # The following keys are used to configure the Stats service.
> # Possible values for the key 'level' are: off | file | console
> # Stats state 'file' will write to a file under the specified directory,
> # and 'console' will write into  webserver log files
> # The key 'directory' specifies the output directory where the debug files
> # will be created.
> # Trailing spaces are significant.
> # Windows: Use forward slashes "/" to separate directories, not backslash "\".
> # Windows: Spaces in the file name are allowed for Windows.
> # Stats interval should be at least 5 secs to avoid CPU saturation,
> # the product would assume anything less than 5 secs is 5 secs.
> com.iplanet.am.stats.interval=60
> com.iplanet.services.stats.state=file
> com.iplanet.services.stats.directory=%BASE_DIR%/var/stats
>
> # The key that will be used to encrypt and decrypt passwords.
> am.encryption.pwd=@AM_ENC_PWD@
>
> # SecureRandom Properties: The key
> # "com.iplanet.security.SecureRandomFactoryImpl"
> # specifies the factory class name for SecureRandomFactory
> # Available impl classes are:
> #   com.iplanet.am.util.JSSSecureRandomFactoryImpl (uses JSS)
> #   com.iplanet.am.util.SecureRandomFactoryImpl (pure Java)
> com.iplanet.security.SecureRandomFactoryImpl=com.iplanet.am.util.SecureRandomFactoryImpl
>
> # SocketFactory properties: The key "com.iplanet.security.SSLSocketFactoryImpl"
> # specifies the factory class name for LDAPSocketFactory
> # Available classes are:
> #    com.iplanet.services.ldap.JSSSocketFactory (uses JSS)
> #    com.sun.identity.shared.ldap.factory.JSSESocketFactory    (pure Java)
> com.iplanet.security.SSLSocketFactoryImpl=com.sun.identity.shared.ldap.factory.JSSESocketFactory
>
> # Encryption: The key "com.iplanet.security.encryptor" specifies
> # the encrypting class implementation.
> # Available classes are:
> #    com.iplanet.services.util.JCEEncryption
> #    com.iplanet.services.util.JSSEncryption
> com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption
>
> # Determines if JSS will be added with highest priority to JCE
> # Set this to "true" if other JCE providers should be used for
> # digital signatures and encryptions.
> com.sun.identity.jss.donotInstallAtHighestPriority=true
>
> # Configuration File (serverconfig.xml) Location
> com.iplanet.services.configpath=@BASE_DIR@
> ```
>
> Source: [ping-FederationConfig.properties](../_attachments/SAML/ping-FederationConfig.properties)

> **Collapse: fedlet.cot**
>
> ```properties
> cot-name=Circle of Trust
> sun-fm-cot-status=Active
> sun-fm-trusted-providers=idp-entityID, sp
> sun-fm-saml2-readerservice-url=
> sun-fm-saml2-writerservice-url=
> ```
>
> Source: [ping-fedlet.cot](../_attachments/SAML/ping-fedlet.cot)

> **Collapse: idp-extended.xml**
>
> ```xml
> <EntityConfig entityID="idp-entityID" hosted="0" xmlns="urn:sun:fm:SAML:2.0:entityconfig">
>     <IDPSSOConfig>
>         <Attribute name="description">
>             <Value/>
>         </Attribute>
>         <Attribute name="cotlist">
>             <Value>Circle of Trust</Value>
>         </Attribute>
>     </IDPSSOConfig>
>     <AttributeAuthorityConfig>
>         <Attribute name="cotlist">
>             <Value>Circle of Trust</Value>
>         </Attribute>
>     </AttributeAuthorityConfig>
>     <XACMLPDPConfig>
>         <Attribute name="wantXACMLAuthzDecisionQuerySigned">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="cotlist">
>             <Value>Circle of Trust</Value>
>         </Attribute>
>     </XACMLPDPConfig>
> </EntityConfig>
> ```
>
> Source: [ping-idp-extended.xml](../_attachments/SAML/ping-idp-extended.xml)

> **Collapse: sp.xml**
>
> ```xml
> <EntityDescriptor entityID="sp" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
>     <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp.example.com:8443/home/saml/fedletSloRedirect" ResponseLocation="https://sp.example.com:8443/home/saml/fedletSloRedirect"/>
>         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.com:8443/home/saml/fedletSloPOST" ResponseLocation="https://sp.example.com:8443/home/saml/fedletSloPOST"/>
>         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://sp.example.com:8443/home/saml/fedletSloSoap"/>
>         <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
>         <AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.com:8443/home/saml/fedletapplication"/>
>         <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sp.example.com:8443/home/saml/fedletapplication"/>
>     </SPSSODescriptor>
>     <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>     </RoleDescriptor>
>     <XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>     </XACMLAuthzDecisionQueryDescriptor>
> </EntityDescriptor>
> ```
>
> Source: [ping-sp.xml](../_attachments/SAML/ping-sp.xml)

> **Collapse: sp-extended.xml**
>
> ```xml
> <EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig" hosted="1" entityID="sp">
>     <SPSSOConfig metaAlias="/sp">
>         <Attribute name="description">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="signingCertAlias">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="encryptionCertAlias">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="basicAuthOn">
>             <Value>false</Value>
>         </Attribute>
>         <Attribute name="basicAuthUser">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="basicAuthPassword">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="autofedEnabled">
>             <Value>false</Value>
>         </Attribute>
>         <Attribute name="autofedAttribute">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="transientUser">
>             <Value>anonymous</Value>
>         </Attribute>
>         <Attribute name="spAdapter">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="spAdapterEnv">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="fedletAdapter">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="fedletAdapterEnv">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="spAccountMapper">
>             <Value>com.sun.identity.saml2.plugins.DefaultLibrarySPAccountMapper</Value>
>         </Attribute>
>         <Attribute name="spAttributeMapper">
>             <Value>com.sun.identity.saml2.plugins.DefaultSPAttributeMapper</Value>
>         </Attribute>
>         <Attribute name="spAuthncontextMapper">
>             <Value>com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper</Value>
>         </Attribute>
>         <Attribute name="spAuthncontextClassrefMapping">
>           <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified|0|default</Value>
>         </Attribute>
>         <Attribute name="spAuthncontextComparisonType">
>            <Value>exact</Value>
>         </Attribute>
>         <Attribute name="attributeMap">
>            <Value>*=*</Value>
>         </Attribute>
>         <Attribute name="saml2AuthModuleName">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="localAuthURL">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="intermediateUrl">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="defaultRelayState">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="appLogoutUrl">
>            <Value>https://sp.example.com:8443/home/saml/logout</Value>
>        </Attribute>
>        <Attribute name="assertionTimeSkew">
>            <Value>300</Value>
>        </Attribute>
>        <Attribute name="wantAttributeEncrypted">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="wantAssertionEncrypted">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="wantNameIDEncrypted">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="wantPOSTResponseSigned">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="wantArtifactResponseSigned">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="wantLogoutRequestSigned">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="wantLogoutResponseSigned">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="wantMNIRequestSigned">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="wantMNIResponseSigned">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="cotlist">
>            <Value>Circle of Trust</Value>
>        </Attribute>
>        <Attribute name="saeAppSecretList">
>        </Attribute>
>        <Attribute name="saeSPUrl">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="saeSPLogoutUrl">
>        </Attribute>
>        <Attribute name="ECPRequestIDPListFinderImpl">
>            <Value>com.sun.identity.saml2.plugins.ECPIDPFinder</Value>
>        </Attribute>
>        <Attribute name="ECPRequestIDPList">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="enableIDPProxy">
>            <Value>false</Value>
>        </Attribute>
>        <Attribute name="idpProxyList">
>            <Value></Value>
>        </Attribute>
>        <Attribute name="idpProxyCount">
>            <Value>0</Value>
>        </Attribute>
>        <Attribute name="useIntroductionForIDPProxy">
>            <Value>false</Value>
>        </Attribute>
>     </SPSSOConfig>
>     <AttributeQueryConfig metaAlias="/attrQuery">
>         <Attribute name="signingCertAlias">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="encryptionCertAlias">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="wantNameIDEncrypted">
>            <Value></Value>
>         </Attribute>
>         <Attribute name="cotlist">
>            <Value>Circle of Trust</Value>
>         </Attribute>
>     </AttributeQueryConfig>
>     <XACMLAuthzDecisionQueryConfig metaAlias="/pep">
>         <Attribute name="signingCertAlias">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="encryptionCertAlias">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="basicAuthOn">
>             <Value>false</Value>
>         </Attribute>
>         <Attribute name="basicAuthUser">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="basicAuthPassword">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="wantXACMLAuthzDecisionResponseSigned">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="wantAssertionEncrypted">
>             <Value></Value>
>         </Attribute>
>         <Attribute name="cotlist">
>             <Value>Circle of Trust</Value>
>         </Attribute>
>    </XACMLAuthzDecisionQueryConfig>
> </EntityConfig>
> ```
>
> Source: [ping-sp-extended.xml](../_attachments/SAML/ping-sp-extended.xml)

Find additional hints for extended SAML v2.0 SP (`sp-extended.xml`) settings in the AM documentation on [Service Provider Extended XML](https://docs.pingidentity.com/pingam/8.1/am-saml2/create-configure-fedlet.html#unconfigured-fedlet-sp-extended).
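
The `sp.xml` and `sp-extended.xml` examples above set `AuthnRequestsSigned` and `WantAssertionsSigned` to `false` and leave every `want…Signed` value empty. The following audit script is an added example, not part of the Ping documentation or product, that flags those settings before a Fedlet configuration is deployed. It assumes an empty `<Value>` means the flag is not enforced; the `_sp` and `_ext` builders, the `sp-signing` alias and the `mail=mail` mapping are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
CFG = "{urn:sun:fm:SAML:2.0:entityconfig}"
# Extended-metadata flags checked here; an empty <Value> is assumed to mean "not required".
WANT_FLAGS = ("wantPOSTResponseSigned", "wantArtifactResponseSigned",
              "wantLogoutRequestSigned", "wantLogoutResponseSigned")

def audit_sp(sp_xml, sp_extended_xml):
    """Return findings for one SP's standard and extended metadata (XML strings)."""
    findings = []
    sso = ET.fromstring(sp_xml).find(MD + "SPSSODescriptor")
    for attr in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if (sso.get(attr) or "false").strip().lower() != "true":
            findings.append(f"sp.xml: {attr} is not true")
    for endpoint in sso:  # every service endpoint the SP publishes
        if endpoint.get("Location", "").startswith("http://"):
            findings.append(f"sp.xml: cleartext endpoint {endpoint.get('Location')}")
    cfg = ET.fromstring(sp_extended_xml).find(CFG + "SPSSOConfig")
    values = {a.get("name"): [(v.text or "").strip() for v in a.findall(CFG + "Value")]
              for a in cfg.findall(CFG + "Attribute")}
    for flag in WANT_FLAGS:
        if "true" not in (v.lower() for v in values.get(flag, [])):
            findings.append(f"sp-extended.xml: {flag} is empty or false")
    if not any(values.get("signingCertAlias", [])):
        findings.append("sp-extended.xml: signingCertAlias is empty")
    if "*=*" in values.get("attributeMap", []):
        findings.append("sp-extended.xml: attributeMap *=* maps every asserted attribute")
    return findings

def _ext(pairs):
    """Build a constructed sp-extended.xml fragment from (name, value) pairs."""
    attrs = "".join(f'<Attribute name="{n}"><Value>{v}</Value></Attribute>' for n, v in pairs)
    return ('<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" hosted="1" entityID="sp">'
            f'<SPSSOConfig metaAlias="/sp">{attrs}</SPSSOConfig></EntityConfig>')

def _sp(signed):
    return ('<EntityDescriptor entityID="sp" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">'
            f'<SPSSODescriptor AuthnRequestsSigned="{signed}" WantAssertionsSigned="{signed}">'
            '<AssertionConsumerService index="0" '
            'Location="https://sp.example.com:8443/home/saml/fedletapplication"/>'
            '</SPSSODescriptor></EntityDescriptor>')

# Constructed inputs: the values this page's PingOne example uses, then a tightened variant.
AS_PUBLISHED = audit_sp(_sp("false"), _ext(
    [("signingCertAlias", ""), ("attributeMap", "*=*")] + [(f, "") for f in WANT_FLAGS]))
TIGHTENED = audit_sp(_sp("true"), _ext(
    [("signingCertAlias", "sp-signing"), ("attributeMap", "mail=mail")]
    + [(f, "true") for f in WANT_FLAGS]))
print("\n".join(AS_PUBLISHED))
```

To audit real files, pass the contents of `sp.xml` and `sp-extended.xml` to `audit_sp` as strings.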
