Depending on the selected token generator, the Instance Configuration screen presents you with different parameters.

  • For the integrated SAML 1.0 and 2.0 Token Generators, refer to the following table and specify parameters for generated SAML tokens.

    Minutes Before
      Enter a numerical value. This element in a SAML token allows for server clock variability by starting the token's validity period that many minutes before its issue time.

    Minutes After
      Enter a numerical value. This element in a SAML token allows for server clock variability by ending the token's validity period that many minutes after its issue time.

    Issuer
      Enter your SAML 2.0 entity ID or the SAML 1.x issuer as configured on the System > Protocol Settings > Roles & Protocols screen.

    Signing Certificate
      Responses containing SAML tokens must be signed. Select a signing certificate from the list.

      If you have not yet created or imported your certificate into PingFederate, click Manage Signing Certificates (see Managing digital signing certificates and decryption keys).

    Signing Algorithm
      Select the signing algorithm that matches the key type of the selected certificate. Choices are RSA-SHA1 and DSA-SHA1; RSA-SHA256, RSA-SHA384 and RSA-SHA512; and ECDSA-SHA256, ECDSA-SHA384 and ECDSA-SHA512.

    Include Certificate in KeyInfo
      If selected, the entire public certificate is included with the assertion. Otherwise, a short hash reference to the certificate is sent instead.

    Include Raw Key in KeyValue
      If selected, the raw public key is also included in the KeyInfo element, as a KeyValue.

    Audience
      A unique identifier for the target web service, used for the Audience element of the generated SAML token.

    Confirmation Method
      Choose from among the available methods:
      • urn...cm:sender-vouches (default)
      • urn...cm:bearer
      • urn...cm:holder-of-key

      For more information, see the WSS SAML Token Profile (docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-SAMLTokenProfile-v1.1.1-os.html).

    Encryption Certificate
      The web service provider's public certificate for encryption; it is required only if holder-of-key is selected as the confirmation method. Select a partner certificate from the list.

      If you have not yet imported the certificate from your partner, click Manage Certificates to do so (see Managing certificates from partners).

    Message Customization expression
      Click Show Advanced Fields to see this field.

      An OGNL expression that customizes the assertion. The expression must evaluate to an AssertionType object; if it returns anything else, the customization is ignored. The following example is for SAML 2.0 (the trailing #AssertionType makes the modified assertion the value of the expression):

        #AssertionType.getSubject().getNameID().setStringValue("JoeSAML2IDP"),
        #AssertionType

      The following example is for SAML 1.1:

        #AssertionType.getAuthenticationStatementArray(0).getSubject().getNameIdentifier().setStringValue("Joe123"),
        #AssertionType
  • For add-on generators, please refer to the online documentation referenced in the download package.
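As an added illustration of what the table's settings end up controlling in a generated token, the following Python script (example code written for this page, not PingFederate's own code) builds a constructed, unsigned SAML 2.0 assertion from an issuer, audience, confirmation method and a Minutes Before / Minutes After pair, and then runs the checks a receiving web service would apply to it: issuer match, the NotBefore / NotOnOrAfter validity window, audience restriction, and an allowed confirmation method. The full OASIS confirmation-method URNs are spelled out here because the screen abbreviates them; the issuer, audience and NameID values, and the hypothetical relying-party policy, are constructed sample data. Signature verification (the Signing Certificate and Signing Algorithm settings) is a separate step and is not shown.

```python
"""Checks a relying web service applies to a SAML 2.0 token produced with the
Instance Configuration settings (Minutes Before/After, Issuer, Audience,
Confirmation Method).  Added example, not PingFederate code; all sample values
below are constructed."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2}

# Full OASIS URNs behind the abbreviated "urn...cm:" choices on the screen.
CM_SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def fmt(ts):
    """UTC timestamp in the xs:dateTime form SAML uses."""
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(text):
    """Inverse of fmt(): parse a 'Z'-suffixed UTC timestamp to an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validity_window(issue_instant, minutes_before, minutes_after):
    """Minutes Before/After widen the Conditions window around IssueInstant so
    that clock drift between the token issuer and the web service is tolerated."""
    return (issue_instant - timedelta(minutes=minutes_before),
            issue_instant + timedelta(minutes=minutes_after))


def build_assertion(issuer, audience, name_id, method,
                    issue_instant, minutes_before, minutes_after):
    """Constructed sample assertion; the ds:Signature a real issuer adds is omitted."""
    not_before, not_on_or_after = validity_window(issue_instant, minutes_before, minutes_after)
    return (
        f'<saml:Assertion xmlns:saml="{SAML2}" ID="_constructed-1" Version="2.0" '
        f'IssueInstant="{fmt(issue_instant)}">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{name_id}</saml:NameID>'
        f'<saml:SubjectConfirmation Method="{method}"/></saml:Subject>'
        f'<saml:Conditions NotBefore="{fmt(not_before)}" NotOnOrAfter="{fmt(not_on_or_after)}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions>'
        f'</saml:Assertion>'
    )


def check_assertion(xml_text, now, expected_issuer, expected_audience, allowed_methods):
    """Return a list of problems; an empty list means the token passes these checks.
    Signature verification is a separate step that must precede trusting any field."""
    root = ET.fromstring(xml_text)
    problems = []

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"unexpected issuer {issuer!r}")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        if now < parse_ts(cond.get("NotBefore")):
            problems.append("token not yet valid")
        if now >= parse_ts(cond.get("NotOnOrAfter")):  # NotOnOrAfter is exclusive
            problems.append("token expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append(f"audience {audiences} does not include {expected_audience!r}")

    sc = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    method = sc.get("Method") if sc is not None else None
    if method not in allowed_methods:
        problems.append(f"confirmation method {method!r} not accepted")
    return problems


if __name__ == "__main__":
    issued = parse_ts("2024-01-01T12:00:00Z")
    token = build_assertion("https://sts.example.test", "urn:example:payroll-ws", "Joe123",
                            CM_SENDER_VOUCHES, issued, minutes_before=5, minutes_after=10)
    # Hypothetical relying-party policy: this issuer, this audience, two accepted methods.
    print(check_assertion(token, issued, "https://sts.example.test", "urn:example:payroll-ws",
                          {CM_SENDER_VOUCHES, CM_HOLDER_OF_KEY}))
```

Running it with the sample values prints an empty list; moving `now` outside the five-minutes-before / ten-minutes-after window, or changing the expected audience or the accepted methods, makes the corresponding check fail. The window arithmetic in `validity_window` is the point of the Minutes Before / Minutes After fields: the larger they are, the more clock skew is tolerated, and the longer a captured token stays usable, so keep them as small as the environment's clock discipline allows.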