  1. Enter a URL for your partner's web service in the text field and then click Add.
    The STS compares this identifier with the AppliesTo element of incoming Request Security Token (RST) messages. The identifier may be either a complete URL or a base URL; a base URL matches the service regardless of variable ports or paths.

    Repeat this step to add additional identifiers as needed.

  2. Select any of the following options that are applicable to your use case.

    OAuth Assertion Profiles
      When selected, four additional token-type requests become available, based on these OAuth grant types:
      • JWT Bearer Token grant type
      • OAuth Access Token via JWT Bearer Token grant type
      • SAML 2.0 Bearer Assertion grant type
      • OAuth Access Token via SAML 2.0 Bearer Assertion grant type

      See STS OAuth integration for more information on the use of these token-type requests.

    Default Token Type
      The token type the STS issues when a web service client (WSC) does not specify one in the token request. The choices are:
      • SAML 2.0
      • SAML 1.1
      • SAML 1.1 for Office 365

      The default token type does not need to match the protocol selected for browser-based SSO (if enabled), and it does not apply to OAuth assertion profiles, because those RST messages must contain the requested token type.

    Generate Key for SAML Holder of Key Subject Confirmation Method
      When selected, the STS generates a symmetric key to be used with the "Holder of Key" (HoK) designation for the assertion's Subject Confirmation Method.

      For information about HoK assertions, see Web Services Security SAML Token Profile (docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-SAMLTokenProfile-v1.1.1-os.html).

      This option does not apply to OAuth assertion profiles.

    Encrypt SAML 2.0 Assertion
      When selected, the STS encrypts the SAML 2.0 assertion. Applies only to SAML 2.0 security tokens.

      This option does not apply to OAuth assertion profiles.

  3. You can customize SAML messages and assertions for WS-Trust connections. Message customizations are OGNL expressions that let you modify the security token that PingFederate sends to the service provider.
    1. Click Show Advanced Customizations.
    2. Select a Message Type and enter an expression. The selected message type identifies which message (the assertion or the response document) the value returned by the OGNL expression overrides.
      The following tables describe the relationship between message type and available variables, and the corresponding class or interface in the Javadoc:

      SP connections (SAML 2.0)

      Message type: AssertionType
        #AssertionType      org.sourceid.saml20.xmlbinding.assertion.AssertionType
        #AssertionTypes     org.sourceid.saml20.xmlbinding.assertion.AssertionType[]
        #Attributes         org.sourceid.util.log.AttributeMap

      Message type: ResponseDocument
        #ResponseDocument
          For a connection with WS-Trust v1.3: org.oasisOpen.docs.wsSx.wsTrust.x200512.RequestSecurityTokenResponseCollectionDocument
          For a connection with WS-Trust v1.2: org.xmlsoap.schemas.ws.x2005.x02.trust.RequestSecurityTokenResponseDocument
        #Attributes         org.sourceid.util.log.AttributeMap

      SP connections (SAML 1.x)

      Message type: AssertionType
        #AssertionType      org.sourceid.protocol.saml11.xml.AssertionType
        #AssertionTypes     org.sourceid.protocol.saml11.xml.AssertionType[]
        #Attributes         org.sourceid.util.log.AttributeMap

      Message type: ResponseDocument
        #ResponseDocument
          For a connection with WS-Trust v1.3: org.oasisOpen.docs.wsSx.wsTrust.x200512.RequestSecurityTokenResponseCollectionDocument
          For a connection with WS-Trust v1.2: org.xmlsoap.schemas.ws.x2005.x02.trust.RequestSecurityTokenResponseDocument
        #Attributes         org.sourceid.util.log.AttributeMap

    • Example AssertionType expression for SAML 1.1 (sets the NameIdentifier of the subject in the first authentication statement; the expression is a comma-separated OGNL sequence whose last value, #AssertionType, is the customized message that the STS uses):
      #AssertionType.getAuthenticationStatementArray(0)
      .getSubject().getNameIdentifier().setStringValue("JoeSAML2IDP"),
      #AssertionType
    • Example ResponseDocument expression (moves a copy of the fifth child node of the RequestSecurityTokenResponse element, the AppliesTo element, in front of its second child; DOM item() indexes are zero-based and count every child node, including any whitespace text nodes, so these positions are only valid for the document structure PingFederate produces):
      #requestSecurityTokenResponseNode =
      #XmlHelper.getFirstChild(#RequestSecurityTokenResponseDocument)
      .getDomNode().getFirstChild(),
      #childNodeList = #requestSecurityTokenResponseNode.getChildNodes(),
      #requestSecurityTokenNode = #childNodeList.item(1),
      #appliesToNode = #childNodeList.item(4),
      #copyNode = #appliesToNode.cloneNode(true),
      #requestSecurityTokenResponseNode.removeChild(#appliesToNode),
      #requestSecurityTokenResponseNode.insertBefore(#copyNode, #requestSecurityTokenNode),
      #RequestSecurityTokenResponseDocument
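As an added example (Python, not PingFederate code, and not part of the original page), the following script models steps 1 and 2 from the STS side: it pulls the AppliesTo address and the requested TokenType out of a Request Security Token message, matches the address against a partner's configured identifiers, and falls back to the Default Token Type when the WSC sent none. The WS-Trust 1.2/1.3, WS-Policy and WS-Addressing namespaces and the SAML Token Profile 1.1 token-type URIs are the standard ones; the two RST messages are constructed samples, and the rule used to match a base URL (same scheme and host, any path, with the port compared only when the identifier names one) is an assumption made for this example rather than PingFederate's documented behaviour.

```python
# Added example, not PingFederate code: how an STS could match an incoming
# RST's AppliesTo against a partner's identifiers and choose the token type.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "wst13": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",  # WS-Trust 1.3
    "wst12": "http://schemas.xmlsoap.org/ws/2005/02/trust",       # WS-Trust 1.2
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",        # WS-Policy (AppliesTo)
    "wsa": "http://www.w3.org/2005/08/addressing",                # WS-Addressing (EndpointReference)
}

# Token-type URIs defined by the WSS SAML Token Profile 1.1 the page refers to.
TOKEN_TYPES = {
    "SAML 2.0": "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0",
    "SAML 1.1": "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1",
}


def parse_rst(rst_xml):
    """Return (applies_to_address, requested_token_type); either may be None."""
    root = ET.fromstring(rst_xml)
    addr = root.find("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", NS)
    token_type = None
    for prefix in ("wst13", "wst12"):  # accept either WS-Trust version
        elem = root.find(f"{prefix}:TokenType", NS)
        if elem is not None and elem.text:
            token_type = elem.text.strip()
            break
    return (addr.text.strip() if addr is not None and addr.text else None, token_type)


def matches_identifier(identifier, applies_to):
    """Assumed matching rule (not PingFederate's documented one):
    an identifier with a path is a complete URL and must match exactly;
    an identifier without a path is a base URL that matches any path on that
    scheme and host, and any port unless the identifier names one."""
    ident, target = urlsplit(identifier), urlsplit(applies_to)
    if ident.path not in ("", "/"):
        return identifier.rstrip("/") == applies_to.rstrip("/")
    if ident.scheme != target.scheme or ident.hostname != target.hostname:
        return False
    return ident.port is None or ident.port == target.port


def resolve_token_type(identifiers, rst_xml, default_token_type="SAML 2.0"):
    """Return the token-type URI to issue, or None when no identifier matches
    (no partner connection for this AppliesTo, so no token is issued)."""
    applies_to, requested = parse_rst(rst_xml)
    if applies_to is None:
        return None
    if not any(matches_identifier(i, applies_to) for i in identifiers):
        return None
    # A WSC that omits TokenType gets the connection's Default Token Type.
    return requested or TOKEN_TYPES[default_token_type]


# Constructed sample RSTs (not captured traffic).
RST_13 = """<wst:RequestSecurityToken
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
  <wsp:AppliesTo><wsa:EndpointReference>
    <wsa:Address>https://partner.example.com:8443/orders/v2</wsa:Address>
  </wsa:EndpointReference></wsp:AppliesTo>
</wst:RequestSecurityToken>"""

RST_12 = """<wst:RequestSecurityToken
    xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
  <wsp:AppliesTo><wsa:EndpointReference>
    <wsa:Address>https://partner.example.com/orders/v2</wsa:Address>
  </wsa:EndpointReference></wsp:AppliesTo>
</wst:RequestSecurityToken>"""

if __name__ == "__main__":
    partner = ["https://partner.example.com"]  # base URL: any port or path
    print(resolve_token_type(partner, RST_13))  # no TokenType sent: default applies
    print(resolve_token_type(partner, RST_12))  # TokenType sent: it is honoured
```

The second sample deliberately omits its WS-Trust version from the identifier list: the partner identifier is matched on the AppliesTo address alone, while the TokenType lookup tries both namespaces, which is what lets one connection serve WS-Trust 1.2 and 1.3 clients.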
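As a second added example (Python with xml.dom.minidom, not PingFederate code or OGNL, and not from the original page), the following script performs the same DOM reordering as the ResponseDocument expression above on a constructed RequestSecurityTokenResponseCollection, but selects the AppliesTo and target elements by name instead of by childNodes index, and shows why that matters: the index of AppliesTo is 4 when the response is serialized compactly and 9 once an indenting serializer inserts whitespace text nodes. The element order of the sample response is an assumption made for the example, and the element the page's expression addresses as item(1) is assumed to be RequestedSecurityToken.

```python
# Added example, not PingFederate code: the DOM reordering the ResponseDocument
# OGNL expression performs, done with xml.dom.minidom and name-based selection.
from xml.dom import minidom

WST13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"  # WS-Trust 1.3
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"         # WS-Policy (AppliesTo)


def first_element_child(node):
    """The first child element, skipping any whitespace text nodes."""
    return next(c for c in node.childNodes if c.nodeType == c.ELEMENT_NODE)


def child_element_names(node):
    """Local names of the element children in document order."""
    return [c.localName for c in node.childNodes if c.nodeType == c.ELEMENT_NODE]


def applies_to_index(rstrc_xml):
    """childNodes index of wsp:AppliesTo inside the RSTR, i.e. the n that
    item(n) would need. Text nodes count, so it depends on serialization."""
    rstr = first_element_child(minidom.parseString(rstrc_xml).documentElement)
    for i, c in enumerate(rstr.childNodes):
        if c.nodeType == c.ELEMENT_NODE and c.localName == "AppliesTo":
            return i
    return None


def move_applies_to_before(rstr, target_local_name="RequestedSecurityToken"):
    """Mirror the OGNL expression: clone wsp:AppliesTo, remove the original and
    insert the clone before the target element, but locate both by name."""
    applies_to = rstr.getElementsByTagNameNS(WSP, "AppliesTo")[0]
    target = rstr.getElementsByTagNameNS(WST13, target_local_name)[0]
    copy = applies_to.cloneNode(True)
    rstr.removeChild(applies_to)
    rstr.insertBefore(copy, target)
    return rstr


def reorder_response(rstrc_xml):
    """Apply the reordering to a RequestSecurityTokenResponseCollection and
    return the resulting element order of its RequestSecurityTokenResponse."""
    doc = minidom.parseString(rstrc_xml)
    rstr = first_element_child(doc.documentElement)  # the RSTR in the collection
    move_applies_to_before(rstr)
    return child_element_names(rstr)


# Constructed sample response; its element order is an assumption for the example.
RSTR_COMPACT = (
    '<wst:RequestSecurityTokenResponseCollection'
    ' xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"'
    ' xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">'
    '<wst:RequestSecurityTokenResponse>'
    '<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>'
    '<wst:RequestedSecurityToken/>'
    '<wst:RequestedAttachedReference/>'
    '<wst:RequestedUnattachedReference/>'
    '<wsp:AppliesTo/>'
    '<wst:Lifetime/>'
    '</wst:RequestSecurityTokenResponse>'
    '</wst:RequestSecurityTokenResponseCollection>'
)
# The same response as an indenting serializer would emit it.
RSTR_PRETTY = RSTR_COMPACT.replace("><", ">\n  <")

if __name__ == "__main__":
    print(applies_to_index(RSTR_COMPACT), applies_to_index(RSTR_PRETTY))
    print(reorder_response(RSTR_COMPACT))
    print(reorder_response(RSTR_PRETTY))
```

Both serializations produce the same element order after the name-based move, whereas a fixed item(4) would pick a whitespace text node in the indented form; when writing an OGNL customization, confirm the positions against the exact document PingFederate builds for that connection.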