- Enter a URL for your partner's web service in the text field and then click Add.
  This identifier is compared to the AppliesTo element in Request Security Token (RST) messages and may be either a complete URL or a base URL, which matches variable ports or paths under that host.
  Repeat this step to add additional identifiers as needed.
- Select any of the following options that are applicable to your use case.

  Option: OAuth Assertion Profiles
  Description: When selected, four additional token-type requests become available based on these OAuth grant types:
    - JWT Bearer Token grant type
    - OAuth Access Token via JWT Bearer Token grant type
    - SAML 2.0 Bearer Assertion grant type
    - OAuth Access Token via SAML 2.0 Bearer Assertion grant type
  See STS OAuth integration for more information on the use of these token-type requests.

  Option: Default Token Type
  Description: The token type the STS issues when a web service client (WSC) does not specify a token type in its token request. The choices are:
    - SAML 2.0
    - SAML 1.1
    - SAML 1.1 for Office 365
  The default token type does not need to match the protocol selected for browser-based SSO (if enabled) and does not apply to OAuth assertion profiles, because those RST messages must contain the requested token type.

  Option: Generate Key for SAML Holder of Key Subject Confirmation Method
  Description: When selected, the STS generates a symmetric key to be used in conjunction with the "Holder of Key" (HoK) designation for the assertion's Subject Confirmation Method. For information about HoK assertions, see Web Services Security SAML Token Profile (docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-SAMLTokenProfile-v1.1.1-os.html).
  This option does not apply to OAuth assertion profiles.

  Option: Encrypt SAML 2.0 Assertion
  Description: When selected, the STS encrypts the SAML 2.0 assertion. This applies only to the SAML 2.0 security token type and does not apply to OAuth assertion profiles.
- You can customize SAML messages and assertions for WS-Trust connections. Message customizations are OGNL expressions that allow you to customize the security token sent from PingFederate to the service provider.
  - Click Show Advanced Customizations.
  - Select a Message Type and enter an expression. The message type is used to override the message type returned from the OGNL expression.
The following tables describe the relationship between message type and available variables, and the corresponding class or interface information in Java:

SP connections (SAML 2.0)

  Message type: AssertionType
  Available variables and classes/interfaces in Javadoc:
    #AssertionType    org.sourceid.saml20.xmlbinding.assertion.AssertionType
    #AssertionTypes   org.sourceid.saml20.xmlbinding.assertion.AssertionType[]
    #Attributes       org.sourceid.util.log.AttributeMap

  Message type: ResponseDocument
  Available variables and classes/interfaces in Javadoc:
    #ResponseDocument
      For a connection with WS-Trust v1.3, #ResponseDocument is of type org.oasisOpen.docs.wsSx.wsTrust.x200512.RequestSecurityTokenResponseCollectionDocument.
      For a connection with WS-Trust v1.2, #ResponseDocument is of type org.xmlsoap.schemas.ws.x2005.x02.trust.RequestSecurityTokenResponseDocument.
    #Attributes       org.sourceid.util.log.AttributeMap

SP connections (SAML 1.x)

  Message type: AssertionType
  Available variables and classes/interfaces in Javadoc:
    #AssertionType    org.sourceid.protocol.saml11.xml.AssertionType
    #AssertionTypes   org.sourceid.protocol.saml11.xml.AssertionType[]
    #Attributes       org.sourceid.util.log.AttributeMap

  Message type: ResponseDocument
  Available variables and classes/interfaces in Javadoc:
    #ResponseDocument
      For a connection with WS-Trust v1.3, #ResponseDocument is of type org.oasisOpen.docs.wsSx.wsTrust.x200512.RequestSecurityTokenResponseCollectionDocument.
      For a connection with WS-Trust v1.2, #ResponseDocument is of type org.xmlsoap.schemas.ws.x2005.x02.trust.RequestSecurityTokenResponseDocument.
    #Attributes       org.sourceid.util.log.AttributeMap
- Example AssertionType expression for SAML 1.1 (sets the NameIdentifier of the first authentication statement's subject, then returns the modified assertion):

    #AssertionType.getAuthenticationStatementArray(0).getSubject().getNameIdentifier().setStringValue("JoeSAML2IDP"),
    #AssertionType

- Example ResponseDocument expression (clones the AppliesTo node, removes the original and inserts the copy before the RequestSecurityToken node, then returns the modified document):

    #requestSecurityTokenResponseNode = #XmlHelper.getFirstChild(#RequestSecurityTokenResponseDocument).getDomNode().getFirstChild(),
    #childNodeList = #requestSecurityTokenResponseNode.getChildNodes(),
    #requestSecurityTokenNode = #childNodeList.item(1),
    #appliesToNode = #childNodeList.item(4),
    #copyNode = #appliesToNode.cloneNode(true),
    #requestSecurityTokenResponseNode.removeChild(#appliesToNode),
    #requestSecurityTokenResponseNode.insertBefore(#copyNode, #requestSecurityTokenNode),
    #RequestSecurityTokenResponseDocument
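The ResponseDocument expression edits the DOM by child position (item(1), item(4)), which silently selects the wrong node if whitespace text nodes or element order differ from what the author saw. The following added example (not PingFederate code) carries out the same clone/remove/insertBefore steps with Python's minidom on a constructed WS-Trust 1.3 RequestSecurityTokenResponseCollection, selecting the elements by namespace and local name instead; it assumes that the positional item(1) in the expression denotes the RequestedSecurityToken element and item(4) the AppliesTo element, and that the WS-Trust 1.3 and WS-Policy namespaces are the ones shown:

```python
"""Added example (not PingFederate code): the DOM transformation performed by
the ResponseDocument OGNL expression, replayed with minidom on a constructed
WS-Trust 1.3 response so its effect can be inspected offline. Elements are
found by namespace and local name rather than by child index."""
from xml.dom import minidom

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"      # WS-Trust 1.3
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"           # WS-Policy

# Constructed sample response; the SAML assertion body is abbreviated.
SAMPLE_RSTRC = f"""<trust:RequestSecurityTokenResponseCollection
    xmlns:trust="{WST}" xmlns:wsp="{WSP}"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <trust:RequestSecurityTokenResponse>
    <trust:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</trust:TokenType>
    <trust:RequestedSecurityToken>
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed"/>
    </trust:RequestedSecurityToken>
    <trust:Lifetime/>
    <wsp:AppliesTo>
      <wsa:EndpointReference>
        <wsa:Address>https://partner.example.com/service</wsa:Address>
      </wsa:EndpointReference>
    </wsp:AppliesTo>
  </trust:RequestSecurityTokenResponse>
</trust:RequestSecurityTokenResponseCollection>"""


def parse_rstrc(xml_text: str) -> minidom.Document:
    """Parse the response text into a namespace-aware DOM document."""
    return minidom.parseString(xml_text)


def child_elements(node):
    """Element children only; whitespace text nodes are what make
    positional item(n) access fragile, so they are skipped here."""
    return [c for c in node.childNodes if c.nodeType == c.ELEMENT_NODE]


def first_element(node, namespace: str, local_name: str):
    """First child element with the given namespace and local name."""
    for child in child_elements(node):
        if child.namespaceURI == namespace and child.localName == local_name:
            return child
    raise ValueError(f"no {local_name} element under {node.nodeName}")


def move_applies_to_before_token(xml_text: str) -> minidom.Document:
    """Clone AppliesTo, remove the original and insert the clone before
    RequestedSecurityToken, mirroring the steps of the OGNL expression."""
    doc = parse_rstrc(xml_text)
    rstr = first_element(doc.documentElement, WST, "RequestSecurityTokenResponse")
    token_node = first_element(rstr, WST, "RequestedSecurityToken")
    applies_to = first_element(rstr, WSP, "AppliesTo")
    copy_node = applies_to.cloneNode(True)   # deep copy, as cloneNode(true) in OGNL
    rstr.removeChild(applies_to)
    rstr.insertBefore(copy_node, token_node)
    return doc


def element_order(doc: minidom.Document) -> list:
    """Local names of the RequestSecurityTokenResponse children, in order."""
    rstr = first_element(doc.documentElement, WST, "RequestSecurityTokenResponse")
    return [c.localName for c in child_elements(rstr)]


if __name__ == "__main__":
    print("before:", element_order(parse_rstrc(SAMPLE_RSTRC)))
    print("after: ", element_order(move_applies_to_before_token(SAMPLE_RSTRC)))
```

Selecting by name also fails loudly (ValueError) when the expected element is absent, whereas an index-based expression would operate on whatever node happens to sit at that position; keep a sample response from each WS-Trust version in a test so the customization is exercised before deployment.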
Page created: 12 Sep 2019 | Page updated: 19 Mar 2020