The token mediator site authenticator uses the PingFederate security token service (STS) to exchange a PingAccess token for a security token, such as a Web Access Management (WAM) token or OpenToken, that is valid at the target site.
The token mediator site authenticator might benefit from the configuration of a PingAccess Runtime State Cluster to provide fault tolerance for mediated tokens if a cluster node is taken offline.
| Field | Description |
|---|---|
| Token Generator ID | Defines the Instance Name of the token generator that you want to use. The token generator is configured in PingFederate. For more information, see the PingFederate documentation. If PingFederate Administration is configured, and PingFederate has one or more token generators configured, this field becomes a list of available token generator IDs. |
| Logged In Cookie Name | Defines the cookie name containing the token that the target site is expecting. |
| Logged Off Cookie Name | Defines the cookie name that
the target site responds with in the event of an invalid or expired token.
If the PingAccess token is still valid, PingAccess re-obtains a valid WAM
token and makes the request to the site again. If the site responds with the
cookie set as logged off again, PingAccess responds to the client with an
access denied message. |
| Logged Off Cookie Value | Defines the value placed in the Logged Off cookie to detect an invalid/expired WAM token event. |
| Send Cookies to Browser |
Allows the token mediator to send the back end cookie defined in the Logged In Cookie Name field back to the browser if the protected application has updated it. If the set-cookie header isn't in the response from the protected site, and the token mediator site authenticator has a cached token for that session, the token mediator site authenticator will create a new set-cookie response header based on the Cookie Domain, Cookie Max Age, HTTP-Only Cookie and Secure Cookie fields in the UI. The administrator now can direct the token mediator site authenticator to actively return cookies to the user's browser, even when the protected site isn't doing that. This is used to enable a seamless single sign-on (SSO) experience for users navigating from PingAccess protected applications to those protected by a third-party WAM system. |
| Cookie Domain | Enter the domain of the logged-in cookie. |
| Cookie Max Age | Define the length of time in minutes, that you want the generated logged-in cookie to be valid. |
| HTTP-Only Cookie | Define the logged-in cookie as HTTP-Only. An HTTP-only cookie is not accessible using non-HTTP methods, such as calls through JavaScript, such as referencing document.cookie. |
| Secure Cookie | Indicate whether the generated logged-in cookie must be sent using only HTTPS connections. |
| Token Processor ID |
Defines the instance name of a token processor that you want to use. The token processor is configured in PingFederate. Specify this value if more than one instance of either the JSON web token (JWT) processor or the OAuth bearer access token processor is defined in PingFederate. If PingFederate Administration is configured, and PingFederate has one or more token processors configured, this field becomes a list of available token processor IDs. |