For both the IdP and SP roles, PingFederate employs a partner-connection configuration, which enables the association of web services authentication policies with federation partners. For STS processing, these policies define configurations for handling WS-Trust requests and transferring identity information between security domains (see Web services standards).

IdP configuration

In an IdP role, you use the administrative console to configure WS-Trust request-processing policy for your SP partner including:

  • The type of SAML token to create—suitable for consumption by the intended web service provider (WSP, at the SP site)—in response to an “Issue” request from a web service client (WSC) application.
  • The mapping of attributes to include within the issued SAML token.
  • The key used to create a digital signature for the issued SAML token.

SP configuration

In an SP role, you use the administrative console to configure WS-Trust request-processing policy for your IdP partner including:

  • Whether to validate the incoming SAML token only, or to validate the incoming token and also issue a local token.
  • The mapping of attributes to include in the locally issued token (when applicable).
  • The certificate used to verify the digital signature for the incoming SAML token.
  • The key used to decrypt the incoming SAML token (when needed).
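The two policies above, as an added example that is not PingFederate's own code: a WS-Trust Issue request for a SAML 2.0 token, the attribute mapping an IdP STS applies when building the token, and the issuer, validity-window and audience checks an SP STS runs before it trusts the token or issues a local one. XML-DSig signing with the IdP key and verification with the partner certificate (and any decryption) require an XML-security library and are left out; the endpoints, attribute names and five-minute lifetime are constructed.

```python
# Added example, not PingFederate code. XML-DSig signing/verification is omitted;
# endpoints, attribute names and the 5-minute token lifetime are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
ISSUE = WST + "/Issue"
NS = {"wst": WST, "wsp": WSP, "wsa": WSA, "saml": SAML}
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

def build_issue_request(applies_to):
    """WSC side: RST asking the IdP STS for a SAML 2.0 token scoped to one WSP."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = SAML2_TOKEN
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = ISSUE
    epr = ET.SubElement(ET.SubElement(rst, f"{{{WSP}}}AppliesTo"), f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    return ET.tostring(rst, encoding="unicode")

def issue_token(rst_xml, issuer, subject, attrs, now, lifetime_min=5):
    """IdP STS side: honour only SAML 2.0 Issue requests; map attributes into the token."""
    rst = ET.fromstring(rst_xml)
    if (rst.findtext("wst:RequestType", namespaces=NS), rst.findtext("wst:TokenType", namespaces=NS)) != (ISSUE, SAML2_TOKEN):
        raise ValueError("only SAML 2.0 Issue requests are handled here")
    audience = rst.findtext("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", namespaces=NS)
    a = ET.Element(f"{{{SAML}}}Assertion")
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = subject
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=now.isoformat(),
                         NotOnOrAfter=(now + timedelta(minutes=lifetime_min)).isoformat())
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"), f"{{{SAML}}}Audience").text = audience
    stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    for name, value in attrs.items():  # the attribute contract configured for this SP partner
        ET.SubElement(ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=name), f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(a, encoding="unicode")  # a real STS signs (and may encrypt) the assertion here

def validate_token(assertion_xml, trusted_issuer, my_audience, now):
    """SP STS side: issuer, validity-window and audience checks, run after signature verification."""
    a = ET.fromstring(assertion_xml)
    if a.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        return False, "untrusted issuer"
    cond = a.find("saml:Conditions", namespaces=NS)
    if not (datetime.fromisoformat(cond.get("NotBefore")) <= now < datetime.fromisoformat(cond.get("NotOnOrAfter"))):
        return False, "outside validity window"
    if my_audience not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", namespaces=NS)]:
        return False, "audience mismatch"
    attrs = {e.get("Name"): e.findtext("saml:AttributeValue", namespaces=NS)
             for e in a.findall("saml:AttributeStatement/saml:Attribute", namespaces=NS)}
    return True, attrs  # these mapped attributes feed the locally issued token, when configured
```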