The integrated SAML (1.1 or 2.0) Token Processor accepts and validates SAML (1.1 or 2.0) security tokens. The PingFederate STS validates digital signatures using all trusted certificate authorities (CAs) imported into PingFederate. As needed, you may further restrict signature verification by certificate issuer DNs, subject DNs, or both, to limit which signing certificates (and therefore which token requests) this token processor instance accepts.

In addition, you must indicate a unique identifier for the PingFederate STS. Once defined, incoming SAML tokens must carry this ID in their audience element (the Audience element under AudienceRestriction for SAML 2.0, or under AudienceRestrictionCondition for SAML 1.1) in order to be accepted by this token processor instance.

  • On the Instance Configuration screen, configure the basics of this token processor instance.
    1. Enter the URI that uniquely identifies your federation gateway for this SAML protocol in the Audience field.
      This is the federation ID for the STS for either SAML 1.1 or SAML 2.0 tokens, depending on which processor you are configuring.
    2. Optional: Click Add a new row to 'Valid Certificate Issuer DNs' and then enter one or more issuers.

      If issuer DNs are specified here, then only those issuers are considered valid for verifying incoming digital signatures. Otherwise, all trusted certificate authorities (CAs) are used to verify signatures.

    3. Optional: Click Add a new row to 'Valid Certificate Subject DNs' and then enter one or more subject DNs.

      If subject DNs are specified here, then only certificates whose subject DN matches one of these entries are considered valid for verifying incoming digital signatures. Otherwise, the subject DN is not checked, and any certificate that verifies against a trusted CA (and passes the issuer DN filter, if one is set) is accepted.

      Important:

      If you specify both issuer DNs and subject DNs, then the certificate used to validate signatures must match an entry in both lists.

      If you provide neither issuer DNs nor subject DNs, then every certificate that verifies against a trusted CA imported into PingFederate is treated as valid for purposes of verification.

      Restricting by issuer DN alone accepts any certificate that CA has issued. If the same CA also issues certificates to parties that must not be able to present tokens to this STS, restrict by subject DN as well, so that the signing certificate is bound to the specific token issuer you trust.
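The acceptance logic these steps configure, as an added example (constructed here, not PingFederate's code): a Python model that applies the Audience check and the issuer/subject DN filters to a parsed SAML 1.1 or 2.0 assertion. The names TokenProcessorConfig, accept_token and the two sample assertions are assumptions for illustration. The model assumes the XML signature has already been verified and the signing certificate chained to a trusted CA (represented by a flag), and its DN normalization is a simplified stand-in for full RFC 4514 matching, whose exact rules in PingFederate this page does not describe.

```python
"""Acceptance policy of a SAML (1.1 or 2.0) token processor: Audience match
plus optional issuer DN / subject DN filters on the signing certificate.

Added example, not PingFederate code. Assumes XML signature verification
and CA chain building already happened (chains_to_trusted_ca flag)."""
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",  # SAML 1.1 reuses this namespace
}


@dataclass
class TokenProcessorConfig:
    audience: str                                          # "Audience" field (STS federation ID)
    valid_issuer_dns: list = field(default_factory=list)   # "Valid Certificate Issuer DNs"
    valid_subject_dns: list = field(default_factory=list)  # "Valid Certificate Subject DNs"


def split_rdns(dn: str) -> list:
    """Split an RFC 4514 DN string on commas that are not backslash-escaped."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if not escaped and ch == ",":
            parts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
        escaped = (ch == "\\") and not escaped
    parts.append("".join(cur))
    return parts


def normalize_dn(dn: str) -> str:
    """Simplified canonical form (assumption): attribute types upper-cased,
    whitespace around '=' and ',' dropped, RDN order and value case kept."""
    rdns = []
    for rdn in split_rdns(dn):
        typ, _, val = rdn.partition("=")
        rdns.append(f"{typ.strip().upper()}={val.strip()}")
    return ",".join(rdns)


def dn_policy_allows(cfg: TokenProcessorConfig, issuer_dn: str, subject_dn: str) -> bool:
    """Issuer list set -> issuer must match; subject list set -> subject must
    match; both set -> both must match; neither set -> no DN restriction."""
    issuers = {normalize_dn(d) for d in cfg.valid_issuer_dns}
    subjects = {normalize_dn(d) for d in cfg.valid_subject_dns}
    if issuers and normalize_dn(issuer_dn) not in issuers:
        return False
    if subjects and normalize_dn(subject_dn) not in subjects:
        return False
    return True


def token_audiences(assertion_xml: str) -> list:
    """Return the Audience values of a SAML 2.0 or SAML 1.1 assertion."""
    root = ET.fromstring(assertion_xml)
    if root.tag == "{%s}Assertion" % NS["saml2"]:
        path = "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience"
    elif root.tag == "{%s}Assertion" % NS["saml1"]:
        path = "saml1:Conditions/saml1:AudienceRestrictionCondition/saml1:Audience"
    else:
        raise ValueError("not a SAML 1.1 or 2.0 assertion")
    return [(e.text or "").strip() for e in root.findall(path, NS)]


def accept_token(cfg, assertion_xml, issuer_dn, subject_dn, chains_to_trusted_ca=True):
    """Apply the token processor's checks in order; returns (accepted, reason)."""
    if not chains_to_trusted_ca:
        return False, "signing certificate does not chain to a trusted CA"
    if not dn_policy_allows(cfg, issuer_dn, subject_dn):
        return False, "signing certificate rejected by issuer/subject DN filters"
    if cfg.audience not in token_audiences(assertion_xml):   # exact URI match
        return False, "token Audience does not name this STS"
    return True, "accepted"


# Constructed sample tokens (Signature elements omitted; see module docstring).
SAML2_TOKEN = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>https://idp.example.com</saml2:Issuer>
  <saml2:Conditions><saml2:AudienceRestriction>
    <saml2:Audience>urn:example:sts:saml2</saml2:Audience>
  </saml2:AudienceRestriction></saml2:Conditions>
</saml2:Assertion>"""

SAML11_TOKEN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_example2"
    Issuer="https://idp.example.com" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Conditions><saml:AudienceRestrictionCondition>
    <saml:Audience>urn:example:sts:saml11</saml:Audience>
  </saml:AudienceRestrictionCondition></saml:Conditions>
</saml:Assertion>"""
```

With only valid_issuer_dns set, a certificate from the listed CA with any subject passes; adding valid_subject_dns pins the accepted signer to a specific subject, and a configuration with neither list falls back to "any trusted-CA-chained certificate", which is why chains_to_trusted_ca is checked first and unconditionally.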