Click Protocol Endpoints on the Identity Provider menu to see a list of applicable SAML, WS-Federation, and WS-Trust STS endpoints. The pop-up window displays only those endpoints related to the federation protocols enabled on the System > Protocol Settings > Federation Info screen. These endpoints are built into PingFederate and cannot be changed.

Your federation partners or STS clients need to know the applicable IdP services endpoints to communicate with your PingFederate server. Configured service endpoints for SAML connections are included in metadata export files.

PingFederate provides a favorite icon for all protocol endpoints. For more information, see Customizing the favicon for application and protocol endpoints.

The table below describes each endpoint (service, URL, and description):
Single Logout Service (SAML 2.0) /idp/SLO.saml2

The URL that receives and processes logout requests and responses.

Single Sign-on Service (SAML 2.0) /idp/SSO.saml2

The SAML 2.0 implementation URL that receives authentication requests for processing.

Artifact Resolution Service (SAML 2.0) /idp/ARS.ssaml2

The SOAP endpoint that processes artifacts returned from a federation partner to retrieve the referenced XML message on the back channel. (See Important note at the end of this table.)

Attribute Query Service (SAML 2.0) /idp/attrsvc.ssaml2

The SAML implementation that receives and processes attribute requests. (See Important note at the end of this table.)

Single Sign-on Service (SAML 1.x) /idp/isx.saml1

The SAML 1.x implementation of IdP intersite transfer service (ISX) to which clients are redirected for SSO requests.

Artifact Resolution Service (SAML 1.x) /idp/soap.ssaml1

The SOAP endpoint that processes artifacts returned from a federation partner to retrieve the referenced XML message on the back channel. (See Important note at the end of this table.)

Single Sign-on Service (WS-Federation) /idp/prp.wsf

The WS-Federation implementation URL that receives and processes security-token requests and SLO messages.

WS-Trust STS (two endpoints) /idp/sts.wst

The SOAP endpoint that receives and processes security-token requests from STS clients (web service clients at the IdP site) to be exchanged for a SAML token based on the configured SP connection.

/pf/sts.wst

Initiates direct STS token-to-token exchange and token validation from an IdP token processor to an SP token generator, when that feature is configured (see Token translator mappings).

Note:

If multiple token-processor instances of the same type are configured for the same connection or token-to-token mapping, a query parameter, TokenProcessorId, must be added to either of these endpoints—see Managing token processors.

(See also “Important” footnote in this table.)

Important:

If mutual SSL/TLS is used for authentication, a secondary PingFederate listening port must be configured and used by partners or STS clients for the relevant endpoints—*.ssaml* and *.wst (see Configuring PingFederate properties).

Virtual server ID support

For SAML connections using multiple virtual server IDs (see Multiple virtual server IDs), each virtual server ID has its own set of protocol endpoints. You may export connection metadata for your partner on the System > Metadata Export screen (see Exporting connection-specific SAML metadata).

For WS-Federation (and SAML) connections using multiple virtual server IDs, you may provide your partner the federation metadata endpoint (/pf/federation_metadata.ping) with the PartnerSpId and vsid parameters; for example:

Partner's entity ID   Your virtual server ID   Federation metadata URL
SP                    idev1                    https://www.example.com/pf/federation_metadata.ping?PartnerSpId=SP&vsid=idev1
SP                    idev2                    https://www.example.com/pf/federation_metadata.ping?PartnerSpId=SP&vsid=idev2

(In this example, the base URL and the runtime port of your PingFederate server are www.example.com and 443, respectively.)

The federation metadata endpoint returns information that is specific for a given virtual server ID (when the request includes the vsid parameter).

For WS-Trust STS, you may provide your partner the STS metadata endpoint (/pf/sts_mex.ping) with the PartnerSpId and vsid parameters. The STS metadata endpoint returns information that is specific for a given virtual server ID (when the STS metadata request includes the vsid parameter).

(For more information about these metadata endpoints, see System-services endpoints.)
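As an added example (not PingFederate's own code or output), the Python below parses an exported SAML metadata file, flags any back-channel endpoint (*.ssaml*, *.wst) that is not served on the secondary mutual TLS port described in the Important note above, and builds the per-virtual-server-ID metadata URLs shown in the table. The metadata sample and the secondary port 9032 are constructed assumptions, not values from the page.

```python
"""Sanity-check PingFederate IdP endpoints in an exported SAML metadata file (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

# Suffixes of the back-channel endpoints that must use the secondary (mutual TLS) port.
BACK_CHANNEL_SUFFIXES = (".ssaml2", ".ssaml1", ".wst")

# Constructed sample of a metadata export; the attribute service is on the assumed
# secondary port 9032, while the artifact resolution service was left on the default port.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://www.example.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://www.example.com/idp/ARS.ssaml2" index="0"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://www.example.com/idp/SLO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.example.com/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://www.example.com:9032/idp/attrsvc.ssaml2"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>"""


def endpoint_locations(metadata_xml):
    """Return {service element name: Location URL} for every service element in the metadata."""
    root = ET.fromstring(metadata_xml)
    return {el.tag.split("}")[-1]: el.get("Location") for el in root.iter() if el.get("Location")}


def check_mutual_tls_ports(metadata_xml, mutual_tls_port):
    """Return Locations of *.ssaml* / *.wst endpoints that are not on the mutual TLS port."""
    wrong_port = []
    for location in endpoint_locations(metadata_xml).values():
        parts = urlsplit(location)
        effective_port = parts.port or (443 if parts.scheme == "https" else 80)
        if parts.path.endswith(BACK_CHANNEL_SUFFIXES) and effective_port != mutual_tls_port:
            wrong_port.append(location)
    return wrong_port


def metadata_url(base_url, partner_sp_id, vsid=None, sts=False):
    """Build the federation (or, with sts=True, the STS) metadata URL for a partner and optional vsid."""
    path = "/pf/sts_mex.ping" if sts else "/pf/federation_metadata.ping"
    params = {"PartnerSpId": partner_sp_id}
    if vsid:
        params["vsid"] = vsid  # vsid scopes the returned metadata to one virtual server ID
    return base_url.rstrip("/") + path + "?" + urlencode(params)


if __name__ == "__main__":
    print(check_mutual_tls_ports(SAMPLE_METADATA, 9032))
    print(metadata_url("https://www.example.com", "SP", "idev1"))
```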

Note that the virtual server ID concept does not apply to the /pf/sts.wst endpoint because token-to-token exchange does not involve any connections. As needed, you may pass the token-to-token endpoint to your partners as-is.