The PingFederate Security Token Service (STS) uses token processors to validate incoming tokens and token requests. You must configure at least one processor in order to set up an STS connection or a token-to-token mapping.

(For more information about WS-Trust, see Web services standards.)

PingFederate comes bundled with the following token processors:

  • JWT Token Processor
  • Kerberos Token Processor
  • OAuth Bear Token Processor
  • SAML 1.1 Token Processor
  • SAML 2.0 Token Processor
  • Username Token Processor

You can also deploy additional token translators from Ping Identity website (

You manage token processor instances on the Identity Provider > Token Processors screen.

  • To configure a new instance, click Create New Instance.
  • To modify an existing instance, select it by its name under Instance Name.
  • To review the usage of an existing instance, click Check Usage under Action.
  • To remove an existing instance or to cancel the removal request, click Delete or Undelete under Action.
  • To retain any configuration changes, click Save.
  • To discard any configuration changes, click Cancel.

Automatic multi-connection error checking occurs by default whenever you access this screen. The intent is to verify that configured connections have not been adversely affected by changes made here.

If you experience noticeable delays in accessing this page, you can optionally disable automatic connection validation on the System > Server > General Settings page.

For simplicity, this topic focuses on configuring an instance of one of the integrated token processors. For add-on processors, please refer to the online documentation referenced in the download package.