On the System > Protocol Settings > WS-Trust STS Settings screen, you may configure PingFederate to require that client applications provide credentials to access the STS.

While this is an optional configuration, it is recommended for IdP configurations using the Username Token Processor. For other token processors and token generators, trust in the identity of the client is conveyed within the token itself and verified as part of processing. However, you may still configure authentication requirements to add another layer of security by limiting access to only authenticated clients.


You can configure STS authentication either to apply globally, to all token formats and to all IdP and SP partner connections or token-to-token mappings, or, for finer-grained control, to apply at the connection level through Issuance Criteria.

  1. On the WS-Trust STS Settings screen, click Configure WS-Trust STS Authentication to begin.

    Follow the configuration wizard to complete the task. For more information, see Configuring STS authentication.

  2. Click Next and continue with the rest of the configuration.

    When editing an existing configuration, you may also click Save as soon as the administrative console offers the opportunity to do so.