Indicate on the Connection Type screen whether the connection to this partner is for Browser SSO, WS-Trust STS, OAuth SAML, inbound provisioning, or a combination of them.

Note:

You can add STS, OAuth, and outbound provisioning support to any existing SSO connection, or vice versa, at any time. However, when OpenID Connect is the chosen protocol for Browser SSO, the other types become unavailable.

If you have selected multiple protocols on the System > Protocol Settings > Roles & Protocols screen, you must select the applicable protocol on the Connection Type screen when establishing a new connection.

Note:

If your partner's deployment also supports multiple protocols and you intend to communicate using more than one, you must set up a separate connection for each protocol. Note that each connection must use a unique (partner) connection ID.

  • To configure a connection for secure browser-based SSO, select the Browser SSO Profiles check box and a protocol from the list (if necessary).
  • To configure an STS connection, select the WS-Trust STS check box and the default token type from the list.
  • To configure a connection that exchanges SAML assertions or JWTs for access tokens, select the OAuth Assertion Grant check box.
    Note that the OAuth Assertion Grant option is available only if at least one Access Token Manager instance has been configured on the OAuth Server > Access Token Management screen.

    For more information about these standards, see Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants (tools.ietf.org/html/rfc7522) and JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (tools.ietf.org/html/rfc7523).

  • To configure an inbound provisioning connection, make that selection and choose whether to support provisioning of users only (User Support) or users and groups (User and Group Support). For groups, nested group memberships (if any) are preserved.
    Note that the Inbound Provisioning option is active only if the Inbound Provisioning protocol is enabled on the System > Protocol Settings > Roles & Protocols screen.
  • Optional: If your PingFederate license manages connections by groups, then you can select a group for this connection.
    This option is not displayed for unrestricted or other types of licenses.
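The OAuth Assertion Grant option above relies on the JWT bearer profile of RFC 7523, in which a partner presents a signed JWT and the authorization server validates it before issuing an access token. The following Python example, added here and not taken from the PingFederate documentation, shows both halves of that exchange: building an assertion with the claims RFC 7523 section 3 requires (iss, sub, aud, exp), forming the token request body with the jwt-bearer grant type, and the checks a token endpoint must perform before trusting the assertion (signature, issuer, audience, expiry). The endpoint URL, issuer, and shared secret are constructed placeholders; HS256 with a shared secret is used only so the example runs with the standard library alone, whereas a real partner connection would validate an RS256 signature against the partner's certificate.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed example values (assumptions, not from the PingFederate documentation).
TOKEN_ENDPOINT = "https://as.example.com/as/token.oauth2"  # hypothetical AS token endpoint
SHARED_SECRET = b"example-shared-secret-change-me"         # hypothetical HMAC key
EXPECTED_ISSUER = "https://partner-idp.example.com"        # hypothetical partner issuer
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # RFC 7523 grant type


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(issuer, subject, audience, secret, lifetime_s=300, now=None):
    """Partner side: build an HS256 JWT bearer assertion with the RFC 7523 required claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime_s, "jti": f"jti-{now}"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def token_request_body(assertion):
    """Form-encoded body of the access token request (RFC 7523 section 2.1)."""
    return urlencode({"grant_type": JWT_BEARER_GRANT, "assertion": assertion})


def validate_assertion(token, secret, expected_issuer, expected_audience, now=None):
    """Authorization server side: checks that must pass before the assertion is exchanged.

    Returns (True, subject) on success or (False, reason) on rejection.
    """
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    # Verify with the algorithm the connection was configured for, never the one the
    # token announces; this rules out "alg": "none" and algorithm-confusion tricks.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(secret, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != expected_issuer:
        return False, "unknown issuer"
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"  # assertion was minted for a different AS
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return False, "expired"
    if not claims.get("sub"):
        return False, "missing subject"
    return True, claims["sub"]


if __name__ == "__main__":
    assertion = make_assertion(EXPECTED_ISSUER, "alice", TOKEN_ENDPOINT, SHARED_SECRET)
    print(token_request_body(assertion)[:80] + "...")
    print(validate_assertion(assertion, SHARED_SECRET, EXPECTED_ISSUER, TOKEN_ENDPOINT))
```

The audience check is the one most often skipped in hand-written validators: an assertion intended for another authorization server must be rejected even when its signature and issuer are valid, which is why the aud claim is compared against this server's own token endpoint.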