On the System > Protocol Settings > WS-Trust STS Settings screen, you may configure PingFederate to require that client applications provide credentials to access the STS.

While this is an optional configuration, it is recommended for IdP configurations using the Username Token Processor. For other token processors and token generators, trust in the identity of the client is conveyed within the token itself and verified as part of processing. However, you may still configure authentication requirements to add another layer of security by limiting access to only authenticated clients.


You can configure STS authentication to either apply globally to all token formats and for all IdP and SP partner connections, or token-to-token mappings, using more fine grained controls, at the connection level via Issuance Criteria.

  1. On the WS-Trust STS Settings screen, click Configure WS-Trust STS Authentication.
  2. On the Authentication Methods screen, select HTTP Basic, mutual SSL/TLS authentication, or both.
    If both HTTP Basic and mutual SSL/TLS authentication are selected, all clients must provide credentials for both mechanisms.

    If you choose mutual SSL/TLS authentication, you must configure a secondary PingFederate HTTPS port (pf.secondary.https.port) in the run.properties file (see Configuring PingFederate properties).

  3. If you have chosen HTTP Basic, manage user accounts on the HTTP Basic Authentication screen.
    Click Create User and enter a username and its password on the User Account screen. Repeat to create additional user accounts for your client applications.

    On the HTTP Basic Authentication screen, you can also delete user accounts and update their passwords.

  4. If you have chosen mutual SSL/TLS authentication, click Configure Mutual SSL Authentication on the Mutual SSL Authentication screen.
    1. On the Authentication Options screen, select to restrict access by the subject DN or issuer of the client certificate.
      If both options are selected, the client certificate used for authentication to the STS endpoints must meet both sets of restrictions.
    2. If you have chosen to restrict by the subject DN, enter one or more subject DNs on the Allowed Subject DNs screen.
      On the Allowed Subject DNs screen, you may edit or delete existing entries but you must keep at least one subject DN.
    3. If you have chosen to restrict by the certificate issuer, select one or more client certificate on the Allowed Issuer Certificates screen.
      If you have not yet imported the client certificate, click Manage Certificates to do so.

      On the Allowed Issuer Certificates screen, you may remove existing entries but you must keep at least one issuer.

    4. On the Summary screen, review your mutual SSL/TLS authentication settings and then click Done.
  5. When you finish configuring WS-Trust STS settings, you can review the configuration on its Summary screen.
    If you want to keep your changes, click Save.