Choosing a decryption key (SAML 2.0) - PingFederate - 10.0

PingFederate Server
bundle
pingfederate-100
ft:publication_title
PingFederate Server
Product_Version_ce
PingFederate 10.0
category
Product
pf-100
pingfederate
ContentType_ce
  • Release Notes
  • PingFederate 10.0.15 - February 2023
  • PingFederate 10.0.14 - August 2022
  • PingFederate 10.0.13 - January 2022
  • PingFederate 10.0.12 - October 2021
  • PingFederate 10.0.11 - August 2021
  • PingFederate 10.0.10 - June 2021
  • PingFederate 10.0.9 - May 2021
  • PingFederate 10.0.8 - April 2021
  • PingFederate 10.0.7 - January 2021
  • PingFederate 10.0.6 - October 2020
  • PingFederate 10.0.5 - August 2020
  • PingFederate 10.0.4 - June 2020
  • PingFederate 10.0.3 - June 2020
  • PingFederate 10.0.2 - April 2020
  • PingFederate 10.0.1 - February 2020
  • PingFederate 10.0 - December 2019
  • Known issues and limitations
  • Deprecated features
  • Previous releases
  • Get Started with PingFederate
  • Introduction to PingFederate
  • About identity federation and SSO
  • Service providers and identity providers
  • Federation hub
  • Security token service
  • OAuth authorization server
  • User account management
  • Enterprise deployment architecture
  • Additional features
  • Supported standards
  • Federation roles
  • Terminology
  • Browser-based SSO
  • SAML 1.x profiles
  • SSO—Browser-POST
  • SSO—Browser-Artifact
  • SP-initiated (destination-first) SSO
  • SAML 2.0 profiles
  • Single sign-on
  • SP-initiated SSO—POST-POST
  • SP-initiated SSO—Redirect-POST
  • SP-initiated SSO—Artifact-POST
  • SP-initiated SSO—POST-Artifact
  • SP-initiated SSO—Redirect-Artifact
  • SP-initiated SSO—Artifact-Artifact
  • IdP-initiated SSO—POST
  • IdP-initiated SSO—Artifact
  • Single logout
  • Attribute Query and XASP
  • Standard IdP Discovery
  • WS-Federation
  • About account linking
  • Web services standards
  • Web Services Security
  • WS-Trust
  • Request types
  • OAuth 2.0 and PingFederate AS
  • Web redirect flow
  • Device authorization grant
  • CIBA grant
  • CIBA by poll
  • CIBA by ping
  • Assertion grant profile for OAuth 2.0 authorization grants
  • OpenID Connect support
  • Client management
  • System for Cross-domain Identity Management (SCIM)
  • Transport and message security
  • Installing PingFederate
  • Deployment options
  • System requirements
  • Database driver information
  • Port requirements
  • Installing Java
  • Installation options
  • Installing PingFederate on Windows
  • Installing PingFederate on Linux systems
  • Installing PingFederate as a service
  • Installing PingFederate service on Windows manually
  • Installing the PingFederate service on Linux manually
  • Uninstalling PingFederate
  • Uninstalling PingFederate from a Windows server
  • Uninstalling PingFederate from a Linux server
  • Starting and stopping PingFederate
  • Setup wizard
  • Connecting PingFederate to PingOne for Enterprise
  • Set up with PingOne for Enterprise
  • Connecting to a directory server
  • Configuring PingOne and PingID options
  • Configure PingOne SSO options
  • Configuring Kerberos authentication
  • Configuring provisioning to PingOne for Enterprise
  • Reviewing PingOne SSO options
  • Configure PingID VPN (RADIUS) options
  • Configuring basic settings
  • Configuring provisioning to PingID
  • Reviewing PingID VPN (RADIUS) options
  • Set up without PingOne for Enterprise
  • Importing your license
  • Selecting your federation roles
  • Configuring identity provider settings
  • Connecting to a directory
  • Configuring Kerberos authentication
  • Reviewing your identity provider configuration
  • Creating an administrator account
  • Entering basic information
  • Reviewing your configuration
  • Opening PingFederate administrative console
  • PingFederate administrative console
  • Tasks and steps
  • Console buttons
  • Supported hardware security modules
  • Integrating with AWS CloudHSM
  • AWS CloudHSM operational notes
  • Integrating with Gemalto SafeNet Luna Network HSM
  • SafeNet Luna Network HSM operational notes
  • Integrating with nCipher nShield Connect HSM
  • nShield Connect HSM operational notes
  • Administrator's Manual
  • Key concepts
  • Connection types
  • About WS-Trust STS
  • Connection-based policy
  • Token processors and generators
  • WSC and WSP support
  • STS OAuth integration
  • About OAuth
  • Delegated access types
  • Token models and management
  • Grant types
  • Scopes
  • Consent approval
  • Client management and storage
  • Client authentication schemes
  • Dynamic client registration
  • Persistent versus transient grants
  • Grant storage and management
  • Mapping OAuth attributes
  • OAuth user-facing screens
  • OpenID Connect
  • CORS support for OAuth endpoints
  • SSO integration kits and adapters
  • Security infrastructure
  • Digital signatures
  • Message signing
  • Certificate validation
  • Digital signing policy coordination
  • Secure sockets layer
  • Encryption
  • Hierarchical plugin configurations
  • Identity mapping
  • Account linking
  • Account mapping
  • User attributes
  • Attribute contracts
  • Adapter contracts
  • STS token contracts
  • Datastores
  • Attribute masking
  • About token authorization
  • User provisioning
  • Outbound provisioning for IdPs
  • Provisioning for SPs
  • Customer identity and access management
  • Federation hub use cases
  • Bridging an IdP to an SP
  • Bridging an IdP to multiple SPs
  • Bridging multiple IdPs to an SP
  • Bridging multiple IdPs to multiple SPs
  • Federation hub and authentication policy contracts
  • Federation hub and virtual server IDs
  • Federation planning checklist
  • Multiple virtual server IDs
  • Configuration data exchange
  • System settings
  • Server
  • Protocol settings
  • Choosing roles and protocols
  • Specifying federation information
  • Configuring WS-Trust settings
  • Configuring outbound provisioning settings
  • Configuring standard IdP Discovery
  • Reviewing protocol settings
  • Administrative accounts
  • Enabling native authentication
  • Managing local accounts and role assignments
  • Enabling notification messages for account management events
  • Setting or resetting passwords
  • Changing passwords
  • License management
  • Reviewing license information
  • Requesting a new license key
  • Installing a license key on a new or upgraded PingFederate server
  • Installing a replacement license key
  • Configuring notification for licensing events
  • Configuration archive
  • Configuring a backup schedule
  • Exporting an archive
  • Importing an archive
  • Cluster management
  • Replicating configuration
  • Virtual host names
  • Configuring virtual host names
  • Extended Properties
  • Defining extended properties
  • Metadata
  • Metadata settings
  • Entering system information
  • Configuring metadata signing
  • Configuring metadata lifetime
  • Reviewing metadata settings
  • Metadata export
  • Exporting connection-specific SAML metadata
  • Exporting selected SAML metadata
  • File signing
  • Signing XML files
  • Monitoring and notifications
  • Runtime notifications
  • Configuring runtime notifications
  • Runtime reporting
  • Configuring SNMP monitoring
  • Runtime monitoring using JMX
  • External systems
  • Connecting to PingOne for Enterprise after initial setup
  • Configuring identity repository settings
  • Managing PingOne for Enterprise settings
  • Configuring SSO from PingOne admin portal to PingFederate administrative console
  • Monitoring PingFederate from the PingOne admin portal
  • Updating the PingOne identity repository
  • Managing datastores
  • Adding a new datastore
  • Configuring a JDBC connection
  • Configuring an LDAP connection
  • Setting advanced LDAP options
  • Specifying LDAP binary attributes
  • Configuring proxied authorization
  • Configuring the account usability control ACI
  • Configuring the password validation details request control ACI
  • Defining a custom LDAP type for outbound provisioning
  • Configuring other types of data stores
  • Configuring a REST API datastore
  • Configuring a custom datastore
  • Defining a datastore for persistent authentication sessions
  • Configuring an external database for authentication sessions
  • Configuring PingDirectory for authentication sessions
  • Defining an OAuth grant datastore
  • Configuring an external database for grant storage
  • Configuring a directory for grant storage
  • Granting storage performance considerations
  • Using a custom solution for grant storage
  • Defining an OAuth client datastore
  • Configuring external databases for client storage
  • Configuring a directory for client storage
  • Client storage performance considerations
  • Using custom storage for OAuth clients
  • Defining an account-linking datastore
  • Configuring an external database server for account linking
  • Configuring a directory server for account linking
  • Managing Password Credential Validator instances
  • Choosing a Password Credential Validator
  • Configuring a Password Credential Validator instance
  • Configuring the LDAP Username Password Credential Validator
  • Configuring the PingOne Directory Password Credential Validator
  • Configuring the RADIUS Username Password Credential Validator
  • Configuring the Simple Username Password Credential Validator
  • Extending the contract for the credential validator
  • Finishing the Password Credential Validator instance configuration
  • Configuring Active Directory domains or Kerberos realms
  • Multiple-domain support
  • Configuring the Active Directory environment
  • Adding a domain
  • Managing domain connectivity settings
  • Managing CAPTCHA settings
  • Managing SMS provider settings
  • Managing notification publisher instances
  • Defining a notification publisher instance
  • Configuring a notification publishers instance
  • Configuring an Amazon SNS Notification Publisher instance
  • Event types and variables
  • Configuring an SMTP Notification Publisher instance
  • Finalizing actions for a notification publisher instance
  • Reviewing a notification publisher instance configuration
  • System administration
  • Configuring PingFederate properties
  • PingFederate log files
  • Log4j 2 logging service and configuration
  • HTTP request logging
  • Administrator audit logging
  • API audit logging
  • Administrative API audit log
  • Runtime APIs audit log
  • Runtime transaction logging
  • Security audit logging
  • Outbound provisioning audit logging
  • Server logging
  • Server log filter
  • Logging in other formats
  • Writing logs to databases
  • Logging in Common Event Format
  • Writing audit log in CEF
  • Writing provisioner audit log in CEF
  • Writing audit log for Splunk
  • Alternative console authentication
  • Enabling LDAP authentication
  • Enabling RADIUS authentication
  • Multifactor console authentication using PingID
  • Solution overview
  • Configuring your PingID account
  • Creating an LDAP Username Password Credential Validator instance
  • Configuring a PingID Password Credential Validator instance
  • Configuring PingFederate to use RADIUS authentication
  • Verifying your setup
  • Enabling certificate-based authentication
  • Configuring automatic connection validation
  • Automating configuration migration
  • Copying the key from the source to the target server
  • Administrative console migration
  • Using the migration tool
  • Outbound provisioning CLI
  • Customizable user-facing screens
  • IdP user-facing pages
  • SP user-facing pages
  • Either IdP or SP user-facing pages
  • OAuth user-facing pages
  • Customizable email notifications
  • Local administrative account management events
  • Certificate events
  • SAML metadata update events
  • Licensing events
  • HTML Form Adapter events
  • Customizable text message
  • Localizing messages for end users
  • Locale overrides by cookies
  • Retrieval of localized messages
  • Configuring a password policy
  • Managing cipher suites
  • Managing externally stored authentication sessions
  • Managing authentication sessions stored in the database
  • Managing authentication sessions stored in PingDirectory
  • OAuth persistent grants cleanup
  • Managing expired persistent grants
  • Managing expired persistent grants in PingDirectory
  • Managing cleanup of persistent grants
  • Specifying the domain of the PF cookie
  • Specifying the domain of the PF.PERSISTENT cookie
  • Extending the lifetime of the PF cookie
  • Configuring forward proxy server settings
  • Adding custom HTTP response headers
  • Configuring validation for the AudienceRestriction element
  • Customizing the OpenID Provider configuration endpoint response
  • Customizing the heartbeat message
  • Customizing the favicon for application and protocol endpoints
  • Configuring the behavior of searching multiple datastores with one mapping
  • Security management
  • Certificate and key management
  • Managing trusted certificate authorities
  • Managing SSL server certificates
  • Managing SSL client keys and certificates
  • Managing digital signing certificates and decryption keys
  • Certificate rotation
  • Connection and federation metadata
  • Managing certificate rotation settings
  • Managed SP connection to PingOne for Enterprise and signing certificate
  • Managing keys for OAuth and OpenID Connect
  • Configuring static signing keys
  • Configuring static decryption keys
  • Managing certificates from partners
  • Configuring certificate revocation
  • Transitioning to an HSM
  • Managing Partner metadata URLs
  • Rotating system keys
  • System integration
  • Configuring redirect validation
  • Managing partner redirect validation
  • Configuring incoming proxy settings
  • Configuring service authentication
  • Account lockout protection
  • Configuring account lockout protection
  • Password spraying prevention
  • Configuring password spraying prevention
  • Implementing a MasterKeyEncryptor using AWS KMS
  • Authentication policies
  • Selectors
  • Managing authentication selector instances
  • Choosing a selector type
  • Configuring an authentication selector instance
  • Configuring the CIDR Authentication Selector
  • Configuring the Cluster Node Authentication Selector
  • Configuring the Connection Set Authentication Selector
  • Configuring the Extended Property Authentication Selector
  • Configuring the HTTP Header Authentication Selector
  • Configuring the HTTP Request Parameter Authentication Selector
  • Configuring the OAuth Client Set Authentication Selector
  • Configuring the OAuth Scope Authentication Selector
  • Configuring the Requested AuthN Context Authentication Selector
  • Configuring the Session Authentication Selector
  • Configuring a sample use case
  • Policies
  • Defining authentication policies
  • Specifying an incoming user ID
  • Configuring rules in authentication policies
  • Defining authentication policies based on group membership information
  • Applying policy contracts or identity profiles to authentication policies
  • Configuring contract mapping
  • Configuring local identity mapping
  • Defining issuance criteria for contract or local identity mapping
  • Mapping a policy contract to multiple use cases
  • SP authentication policies
  • Configuring an SP authentication policy for users from one IdP
  • Configuring SP authentication policies for users from multiple IdPs
  • Configuring SP authentication policies for internal users
  • Policy contracts
  • Managing policy contracts
  • Editing contract information
  • Defining contract attributes
  • Reviewing the policy contract
  • Adapter Mappings
  • Configuring authentication policy adapter mappings
  • Defining issuance criteria for adapter mapping
  • Sessions
  • Configuring tracking options for logout
  • Configuring application sessions
  • Configuring authentication sessions
  • OAuth configuration
  • Configuring OAuth use cases
  • Enabling the OAuth AS role
  • Configuring AS settings
  • External consent user interface
  • Scopes and scope management
  • Defining scopes
  • Configuring client settings
  • Configuring dynamic client registration settings
  • Supported client metadata
  • Configuring scope constraints
  • Managing client configuration defaults
  • Selecting client registration policies
  • Reviewing client settings
  • Managing Client Registration Policy instances
  • Configuring a Client Registration Policy instance
  • Configuring a Response Type Constraints instance
  • Managing OAuth clients
  • Configuring an OAuth client
  • Grant mapping
  • Managing IdP adapter grant mapping
  • Configuring IdP adapter attribute sources and user lookup
  • Fulfilling IdP adapter grant mapping
  • Defining issuance criteria for OAuth IdP adapter mapping
  • Reviewing the IdP adapter mapping
  • Configuring IdP connection grant mapping
  • Choosing an OAuth datastore
  • Fulfilling OAuth attribute mapping
  • Defining issuance criteria for OAuth attribute mapping
  • Reviewing the OAuth attribute mapping summary
  • Managing authentication policy contract grant mapping
  • Configuring policy contract attribute sources and user lookup
  • Fulfilling policy contract grant mapping
  • Defining issuance criteria for policy contract mapping
  • Reviewing authentication policy contract mapping
  • Managing resource owner credentials grant mapping
  • Configuring resource owner attribute sources and user lookup
  • Fulfilling resource owner credentials grant mapping
  • Defining issuance criteria for resource-owner credentials mapping
  • Reviewing the resource owner credentials mapping
  • Token mapping
  • Access token management
  • Managing access token management instances
  • Defining an access token management instance
  • Configuring an access token management instance
  • Configuring reference token management
  • Configuring JSON token management
  • Managing session validation settings
  • Defining the access token attribute contract
  • Managing resource URIs
  • Defining access control
  • Reviewing the access token management configuration
  • Managing access token mappings
  • Configuring access token attribute sources and user lookup
  • Configuring access token fulfillment
  • Defining issuance criteria for access token mapping
  • Reviewing the access token mapping
  • Configuring an OAuth assertion grant IdP connection
  • Defining an attribute contract for the OAuth assertion grant
  • Configuring access token manager mappings
  • Selecting an access token manager instance
  • Configuring a datastore for OAuth assertion grant attribute mapping
  • Configuring OAuth assertion grant contract fulfillment
  • Defining issuance criteria for OAuth assertion grant
  • Reviewing OAuth assertion grant attribute mapping configuration
  • Reviewing OAuth assertion grant configuration
  • Configuring OpenID Connect policies
  • Configuring policy and ID token settings
  • Configuring the policy attribute contract
  • Configuring attribute scopes
  • Configuring policy attribute sources and user lookup
  • Configuring ID token fulfillment
  • Defining issuance criteria for policy mapping
  • Reviewing your OpenID Connect policy
  • Client Initiated Backchannel Authentication (CIBA)
  • Managing CIBA authenticators
  • Configuring a CIBA authenticator instance
  • Managing CIBA request policies
  • Defining a request policy
  • Configuring identity hint contract
  • Configuring identity hint contract fulfillment
  • Configuring attribute sources and user lookup
  • Fulfilling identity hint contract
  • Defining issuance criteria for identity hint contract
  • Reviewing identity hint contract fulfillment
  • Configuring attribute sources and user lookup for request policy contract
  • Configuring request policy contract fulfillment
  • Defining issuance criteria for CIBA request policy
  • Reviewing your CIBA request policy
  • OAuth attribute mapping using a datastore
  • OAuth client session management
  • Asynchronous Front-Channel Logout
  • Back-Channel Session Revocation
  • OAuth token exchange
  • Configuring OAuth token exchange
  • Defining token exchange processor policies
  • Creating token exchange generator groups
  • Mapping token exchange attributes to token generator attributes
  • Mapping token exchange attributes to access token manager attributes
  • Enabling token exchange in OAuth clients
  • Identity provider SSO configuration
  • IdP application integration settings
  • Managing IdP adapters
  • Creating an IdP adapter instance
  • Configuring an IdP adapter instance
  • Invoking IdP adapter actions
  • Extending an IdP adapter contract
  • Setting pseudonym and masking options
  • Defining the IdP adapter contract
  • Defining attribute sources and user lookup
  • Configuring IdP adapter contract fulfillment
  • Defining issuance criteria for IdP adapter contract
  • Reviewing an IdP adapter contract
  • Reviewing and save an IdP adapter configuration
  • Authentication API
  • Managing authentication applications
  • Configuring an authentication application
  • Exploring authentication API
  • Configuring a default URL and error message
  • Viewing IdP application endpoints
  • Viewing IdP protocol endpoints
  • Managing SP connections
  • Accessing SP connections
  • Resolving SP connection errors
  • Importing a connection
  • Updating a SAML connection using metadata
  • Choosing an SP connection template
  • Choosing an SP connection type
  • Choosing SP connection options
  • Importing SP metadata
  • Identifying the SP
  • Populating extended property values
  • Configure IdP Browser SSO
  • Choosing SAML 2.0 profiles
  • Setting an SSO token lifetime
  • Configuring SSO token creation
  • Choosing an identity mapping method
  • Selecting a SAML Name ID type
  • Selecting a WS-Federation Name ID type
  • Setting up an attribute contract
  • Managing authentication source mappings
  • Selecting an authentication source
  • Overriding an IdP adapter instance
  • Restricting an authentication source to certain virtual server IDs
  • Selecting an attribute mapping method
  • Configuring attribute sources and user lookup
  • Configuring contract fulfillment for IdP Browser SSO
  • Configuring default contract fulfillment for IdP Browser SSO
  • Defining issuance criteria for IdP Browser SSO
  • Reviewing the authentication source mapping
  • Reviewing the SSO token creation summary
  • Configuring protocol settings
  • Setting Assertion Consumer Service URLs (SAML)
  • Setting a default target URL (SAML 1.x)
  • Specifying the WS-Trust version
  • Defining a service URL (WS-Federation)
  • Specifying SLO service URLs (SAML 2.0)
  • Choosing allowable SAML bindings (SAML 2.0)
  • Setting an artifact lifetime (SAML)
  • Specifying artifact resolver locations (SAML 2.0)
  • Defining signature policy (SAML)
  • Configuring XML encryption policy (SAML 2.0)
  • Reviewing protocol settings
  • Reviewing browser-based SSO settings
  • Configuring the Attribute Query profile
  • Defining retrievable attributes
  • Configuring attribute lookup
  • Choosing a datastore for Attribute Query
  • Configuring contract fulfillment for Attribute Query
  • Defining issuance criteria for Attribute Query
  • Specifying security policy
  • Reviewing the Attribute Query configuration
  • Configuring credentials
  • Configuring back-channel authentication (SAML)
  • Configuring authentication requirements for outbound messages
  • Configuring authentication requirements for inbound messages
  • Configuring digital signature settings
  • Configuring signature verification settings (SAML 2.0)
  • Selecting an encryption certificate
  • Selecting a decryption key (SAML 2.0)
  • Reviewing credential settings
  • Configuring outbound provisioning
  • Defining a provisioning target
  • Specifying custom SCIM attributes
  • Managing channels
  • Specifying channel information
  • Identifying the source datastore
  • Modifying source settings
  • Specifying a source location
  • Mapping attributes
  • Specifying mapping details
  • Reviewing channel settings
  • Reviewing SP connection settings
  • SP affiliations
  • Managing SP affiliations
  • Importing affiliation metadata
  • Entering affiliation information
  • Managing affiliation membership
  • Reviewing an SP affiliation
  • Customer IAM configuration
  • Setting up PingDirectory for customer identities
  • Managing local identity profiles
  • Defining a local identity profile
  • Defining authentication sources
  • Defining local identity fields
  • Configuring a local identity field
  • Configuring email ownership verification options
  • Configuring registration options
  • Configuring profile management options
  • Managing datastore configuration
  • Selecting a datastore for customer identities
  • Configuring LDAP base DN and attributes
  • Configuring LDAP relative DN and object class
  • Defining datastore mapping configuration
  • Reviewing datastore configuration
  • Reviewing a local identity profile
  • Configuring the HTML Form Adapter for customer identities
  • Setting up self-service registration
  • Enabling third-party identity providers
  • Enabling profile management
  • Creating advanced registration mapping
  • Enabling third-party identity providers without registration
  • Service provider SSO configuration
  • SP application integration settings
  • Managing SP adapters
  • Creating an SP adapter instance
  • Configuring an SP adapter instance
  • Invoking SP adapter actions
  • Extending an SP adapter contract
  • Identifying the target application
  • Reviewing an SP adapter configuration
  • Configuring target URL mapping
  • Configuring Identity Store Provisioners
  • Creating an Identity Store Provisioner instance
  • Defining the Identity Store Provisioner behavior
  • Extending the Identity Store Provisioner contract
  • Extending the Identity Store Provisioner contract for groups
  • Reviewing the Identity Store Provisioner configuration
  • Configuring default URLs
  • Viewing SP application endpoints
  • Federation settings
  • Managing attribute requester mappings
  • View SP protocol endpoints
  • Managing IdP connections
  • Accessing IdP connections
  • Resolving IdP connection errors
  • Choosing an IdP connection type
  • Choosing IdP connection options
  • Importing IdP metadata
  • Identifying the partner
  • Populating extended property values
  • Defining additional issuers
  • Configure SP Browser SSO
  • Selecting SAML profiles
  • Configuring user-session creation
  • Choosing an identity mapping method
  • Defining an attribute contract
  • Managing target session mappings
  • Selecting a target session
  • Overriding an SP adapter instance
  • Restricting a target session to certain virtual server IDs
  • Choosing an attribute mapping method
  • Configuring target session fulfillment
  • Defining issuance criteria for SP Browser SSO
  • Reviewing the target session mapping
  • Reviewing the session creation summary
  • Managing protocol settings
  • Specifying SSO service URLs (SAML)
  • Specifying a service URL (WS-Federation)
  • Defining SLO service URLs (SAML 2.0)
  • Selecting allowable SAML bindings (SAML)
  • Specifying an artifact lifetime (SAML 2.0)
  • Defining artifact resolver locations (SAML)
  • Configuring OpenID Provider information
  • Configuring default target URLs
  • Overriding authentication context in an IdP connection
  • Configuring signature policy
  • Specifying XML encryption policy (for SAML 2.0)
  • Reviewing protocol settings
  • Reviewing Browser SSO settings
  • Manage Attribute Query profile
  • Setting the Attribute Authority Service URL
  • Mapping attribute names for Attribute Query
  • Configuring security policy for Attribute Query
  • Reviewing the Attribute Query settings
  • Configuring just-in-time provisioning
  • Selecting attribute sources (SAML 2.0)
  • Identifying the user repository
  • Specifying an LDAP user-record location
  • Entering an LDAP filter
  • Identifying provisioning attributes for LDAP
  • Choosing a SQL method
  • Specifying a database user-record location
  • Specifying a unique-ID database column
  • Specifying a stored-procedure location
  • Mapping attributes to a user account
  • Choosing an event trigger
  • Configuring an error handling method
  • Reviewing the JIT provisioning configuration
  • Configuring SCIM inbound provisioning
  • Specifying the user repository
  • Identifying an LDAP user-record location
  • Defining a unique ID
  • Defining a unique group ID
  • Defining custom SCIM attributes
  • Configuring custom SCIM attribute options
  • Writing user information to the datastore
  • Identifying inbound provisioning attributes for LDAP
  • Mapping attributes to user accounts
  • Reviewing user mapping (Write Users) configuration
  • Configuring a SCIM response
  • Identifying expected user attributes for the SCIM response
  • Identifying LDAP attributes for the SCIM response
  • Mapping attributes into the SCIM response
  • Reviewing SCIM response (Read Users) configuration
  • Configuring the handling of SCIM delete requests
  • Writing group information to the datastore
  • Identifying inbound provisioning group attributes for LDAP
  • Mapping attributes to groups
  • Reviewing group mapping (Write Groups) configuration
  • Configuring a SCIM response for groups
  • Identifying expected group attributes for the SCIM response
  • Identifying LDAP group attributes for the SCIM response
  • Mapping group attributes into SCIM response
  • Reviewing SCIM response for groups (Read Groups) configuration
  • Reviewing the inbound provisioning configuration
  • Configuring security credentials
  • Managing back-channel authentication
  • Configuring back-channel authentication for outbound messages
  • Configuring back-channel authentication for inbound messages
  • Managing digital signature settings
  • Managing signature verification settings
  • Choosing an encryption certificate (SAML 2.0)
  • Choosing a decryption key (SAML 2.0)
  • Reviewing credential settings
  • Reviewing an IdP connection
  • OpenID Connect Relying Party support
  • Creating an OpenID Connect IdP connection
  • Configuring request parameters and SSO URLs
  • Query parameters versus request object
  • Configuring IdP discovery using a persistent cookie
  • WS-Trust STS configuration
  • Server settings
  • Enabling the WS-Trust protocol
  • Configuring STS authentication
  • Identity provider STS configuration
  • Managing token processors
  • Selecting a token processor type
  • Configuring a token processor instance
  • Configuring a Username Token Processor instance
  • Configuring a Kerberos Token Processor instance
  • Configuring an OAuth Token Processor instance
  • Configuring a JSON Web Token Processor instance
  • Configuring a SAML Token Processor instance
  • Extending a token processor contract
  • Setting attribute masking
  • Reviewing the token processor configuration
  • Managing STS request parameters
  • Creating a request contract
  • Configuring SP connections for STS
  • Configuring protocol settings for IdP STS
  • Setting a token lifetime
  • Configuring token creation
  • Defining an attribute contract for IdP STS
  • Selecting a request contract
  • Managing IdP token processor mappings
  • Selecting a token processor instance
  • Overriding a token processor instance
  • Restricting a token processor to certain virtual server IDs
  • Selecting an attribute retrieval method for token creation
  • Configuring attribute sources and user lookup for token creation
  • Configuring contract fulfillment for token creation
  • Defining issuance criteria for token creation
  • Reviewing the IdP token processor mapping
  • Selecting a request error handling method
  • Reviewing the token creation configuration
  • Reviewing the IdP STS settings
  • Service provider STS configuration
  • Managing token generators
  • Selecting a token generator type
  • Configuring a token generator instance
  • Extending a token generator contract
  • Reviewing the token generator configuration
  • Configuring IdP connections for STS
  • Configuring protocol settings for SP STS
  • Configuring token generation
  • Defining an attribute contract for SP STS
  • Managing SP token generator mappings
  • Selecting a token generator instance
  • Overriding a token generator instance
  • Restricting a token generator to certain virtual server IDs
  • Selecting an attribute retrieval method for token generation
  • Configuring contract fulfillment for token generation
  • Defining issuance criteria for token generation
  • Reviewing the SP token generator mapping
  • Reviewing the token generation configuration
  • Reviewing the SP STS configuration
  • IdP-to-SP bridging
  • Adapter-to-adapter mappings
  • Managing mappings
  • Assigning a license group
  • Identifying the target application
  • Configuring attribute lookup for adapter-to-adapter mapping
  • Configuring contract fulfillment for adapter-to-adapter mapping
  • Configuring a default target URL (optional)
  • Defining issuance criteria for adapter-to-adapter mapping
  • Reviewing the adapter-to-adapter mapping
  • Token translator mappings
  • Managing token mappings
  • Configuring attribute lookup for token mapping
  • Configuring contract fulfillment for token exchange mapping
  • Defining issuance criteria for token translator mapping
  • Reviewing the token exchange mapping
  • Bundled adapters
  • Identifier First Adapter
  • Configuring an Identifier First Adapter instance
  • Identifier First Adapter and authentication policies
  • Configuring a policy for multiple user populations
  • HTML Form Adapter
  • Configuring an HTML Form Adapter instance
  • HTML Form Adapter advanced fields
  • Kerberos Adapter
  • Authentication mechanism assurance
  • Configuring a Kerberos Adapter instance for SSO authentication
  • Configuring end-user browsers
  • Configuring Microsoft Internet Explorer
  • Configuring Mozilla Firefox
  • OpenToken Adapter
  • Configuring an OpenToken IdP Adapter instance
  • Configuring an OpenToken SP Adapter instance
  • Composite Adapter
  • Configuring a Composite Adapter instance
  • HTTP Basic Adapter
  • Configuring an HTTP Basic Adapter instance
  • Self-service user account management
  • Configuring self-service password management
  • Configuring self-service account recovery
  • Configuring self-service user name recovery
  • Application endpoints
  • IdP endpoints
  • SP endpoints
  • SP services
  • SCIM inbound provisioning endpoints
  • System-services endpoints
  • Constructing an alternative metadata exchange endpoint
  • OAuth 2.0 endpoints
  • Authorization endpoint
  • Client-initiated backchannel authentication endpoint
  • Token endpoint
  • OAuth grant type parameters
  • Introspection endpoint
  • Token revocation endpoint
  • Grant-management endpoint
  • Dynamic client registration endpoint
  • Device authorization endpoint
  • User authorization endpoint
  • OpenID Provider configuration endpoint
  • UserInfo endpoint
  • Web service interfaces and APIs
  • Connection Management Service
  • Exporting a connection
  • Importing connections
  • Deleting connections
  • Cluster configuration replication
  • Validation disclaimer
  • SSO Directory Service
  • Coding example
  • SOAP request and response examples
  • OAuth Client Management Service
  • OAuth Access Grant Management Service
  • OAuth Persistent Grant Management API
  • Session Revocation API endpoint
  • PingFederate administrative API
  • Configure access to the administrative API
  • Enabling native authentication
  • Enabling LDAP authentication
  • Enabling RADIUS authentication
  • Enabling certificate-based authentication
  • Accessing the API interactive documentation
  • Attribute mapping expressions
  • Enabling and disabling expressions
  • Construct OGNL expressions
  • Sample OGNL expressions
  • Issuance criteria and multiple virtual server IDs
  • Expressions for OAuth and OpenID Connect uses cases
  • Using the OGNL edit screen
  • Customizing assertions and authentication requests
  • Message types and available variables
  • Sample customizations
  • Fulfillment by datastore queries
  • Attribute mapping with multiple data sources
  • Datastore query configuration
  • Choosing a datastore
  • Specifying database table and columns
  • Entering a database search filter
  • Specifying directory properties and attributes
  • Defining encoding for binary attributes
  • Entering a directory search filter
  • Specifying data source filter and fields
  • Specifying a resource path for a REST API datastore
  • Specifying a dynamic authorization header for a REST API datastore
  • Specifying filters and fields for a custom datastore
  • Configuring failsafe options
  • Reviewing datastore query configuration
  • Troubleshooting
  • Enabling debug messages and console logging
  • Resolving startup issues
  • Troubleshooting datastore issues
  • Resolving URL-related errors
  • Resolving service-related errors
  • Troubleshooting authentication policy issues
  • Troubleshooting registration and profile management issues
  • Troubleshooting runtime errors
  • Activating tracking ID in templates
  • Correlating log messages by PF cookie
  • Correlating log messages by tracking ID
  • Troubleshooting OAuth transactions
  • Reviewing an OAuth request and various OAuth settings
  • Other runtime issues
  • Collecting support data
  • List of acronyms
  • Server Clustering Guide
  • Overview of clustering
  • Cluster protocol architecture
  • Runtime state-management architectures
  • Adaptive clustering
  • Multi-region support
  • Configuring multi-region support
  • Directed clustering
  • Sharing all nodes
  • Designating state servers
  • Defining subclusters
  • Runtime state-management services
  • Inter-Request State-Management (IRSM) Service
  • IdP Session Registry Service
  • SP Session Registry Service
  • LRU memory management schemes
  • Assertion Replay Prevention Service
  • Artifact-Message Persistence and Retrieval Service
  • Back-Channel Session Revocation Service
  • Account Locking Service
  • Other services
  • Deploying cluster servers
  • Enabling dynamic discovery for clustering
  • Deploying provisioning failover
  • Configuration synchronization
  • Console configuration push
  • Configuration-archive deployment
  • SSO Integration Overview
  • Integration introduction
  • SSO integration concepts
  • Identity provider integration
  • Service provider integration
  • Bundled adapters and integration kits for deployment scenarios
  • SDK Developer's Guide
  • Preface
  • SDK introduction
  • Getting started with the SDK
  • Directory structure
  • Developing your own plugin
  • Implementation guidelines
  • Shared interfaces
  • Configurable plugin
  • Describable plugin
  • Implementing an IdP adapter
  • IdP adapter session lookup
  • Processing steps
  • IdP adapter session logout
  • Implementing an SP adapter
  • SP session creation
  • SP adapter session logout
  • SP account linking
  • Implementing a token processor
  • Implementing a token generator
  • Implementing an authentication selector
  • Context selection
  • Authentication selector callback
  • Implementing a custom data source
  • Implementing a password credential validator
  • Implementing an identity store provisioner
  • Implementing the IdentityStoreProvisionerWithFiltering interface
  • Implementing the IdentityStoreUserProvisioner interface
  • Building and deploying your project
  • Building and deploying with Ant
  • Building and deploying manually
  • Creating deployment descriptors
  • Building your project manually
  • Deploying your project
  • Logging
  • Upgrade Guide
  • Upgrade considerations
  • Upgrade considerations introduced in PingFederate 8.x
  • Upgrade considerations introduced in PingFederate 7.x
  • Upgrade considerations introduced in PingFederate 6.x
  • Updating to the latest maintenance release
  • Upgrading PingFederate on Windows using the installer
  • Upgrading PingFederate on Windows using the Upgrade Utility
  • Upgrading PingFederate on Linux systems
  • Custom mode
  • Reviewing post-upgrade tasks
  • Copying customized files or settings
  • Reviewing database changes
  • Reviewing log configuration
  • Upgrading from PingFederate 8.x, 9.x, or 10.x
  • Upgrading from PingFederate 6.x or 7.x
  • Migrating other components
  • Updating the custom authentication selector
  • Migrating to the integrated LDAP Username PCV
  • Migrating to the integrated Username Token Processor
  • Resetting files and variable for HSM
  • Verifying the new installation
  • Performance Tuning Guide
  • Logging
  • Operating system tuning
  • Linux tuning
  • Windows tuning
  • Concurrency
  • Tuning the acceptor queue size
  • Tuning the server thread pool
  • Configuring connection pools to datastores
  • Memory
  • JVM heap
  • Garbage collectors
  • Young generation bias
  • The memoryoptions utility
  • memoryoptions and installation
  • memoryoptions and upgrade
  • Fine-tuning JVM options
  • Hardware security modules
  • Configuration at scale
  • References
  • PingFederate Monitoring Guide
  • Liveliness and responsiveness
  • Resource metrics
  • Connecting with JMX
  • Connecting to a local process
  • Connecting to a remote process
  • Monitoring
  • Thread pool
  • Logging, reporting, and troubleshooting
  • Creating an error-only server log
  • Splunk dashboards and audit logs
  • Legal Information
Page created: 12 Sep 2019 |
Page updated: 19 Mar 2020
| 1 min read

PingFederate 10.0 Product Configuration User task Single Sign-on (SSO) Capability Administrator Audience Product documentation Content Type Software Deployment Method SAML Standards, specifications, and protocols

As part of XML encryption, you must identify a certificate and key for PingFederate to use to decrypt incoming assertions or assertion elements (see Specifying XML encryption policy (for SAML 2.0)).

  1. Select the primary XML decryption key from the list.

    If you have not yet created or imported your certificate into PingFederate, click Manage Certificates (see Managing digital signing certificates and decryption keys).

  2. Optional: Select the secondary XML decryption key from the list.
Back to home page