For both the IdP and SP roles, PingFederate employs a partner-connection configuration, which enables the association of web services authentication policies with federation partners. For STS processing, these policies define configurations for handling WS-Trust requests and transferring identity information between security domains (see Web services standards).
In an IdP role, you use the administrative console to configure WS-Trust request-processing policy for your SP partner including:
- The type of SAML token to create—suitable for consumption by the intended web service provider (WSP, at the SP site)—in response to an “Issue” request from a web service client (WSC) application.
- The mapping of attributes to include within the issued SAML token.
- The key used to create a digital signature for the issued SAML token.
In an SP role, you use the administrative console to configure WS-Trust request-processing policy for your IdP partner including:
- Whether to validate the incoming SAML token only, or to validate the incoming token and also issue a local token.
- The mapping of attributes to include in the locally issued token (when applicable).
- The certificate used to verify the digital signature for the incoming SAML token.
- The key used to decrypt the incoming SAML token (when needed).
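A worked round trip through both roles, added here as an illustration and not PingFederate's own code: a WSC builds a WS-Trust Issue request, the IdP-side STS applies its SP partner's policy (token type, attribute mapping, signing), and the SP-side STS validates what arrives (signature, validity window, audience) and, when its IdP partner's policy says so, issues a local token. The partner URLs, attribute names and keys are constructed for the example, and an HMAC over the serialized assertion stands in for the XML-Signature made with the IdP private key and checked against the partner certificate; token decryption is not modelled.

```python
"""Toy WS-Trust STS round trip driven by per-partner policy (constructed example; not PingFederate
code). The 'signature' is an HMAC over the serialized assertion, a stand-in for the XML-Signature."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
TOY_SIG = "urn:example:toy-signature"  # constructed namespace, not ds:Signature
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for a reproducible run
for _p, _u in (("wst", WST), ("wsp", WSP), ("wsa", WSA), ("saml2", SAML2), ("toy", TOY_SIG)):
    ET.register_namespace(_p, _u)

def q(ns, tag):
    return "{%s}%s" % (ns, tag)

# IdP role, policy per SP partner (constructed): token type, attribute mapping, signing key.
IDP_POLICY = {"https://sp.example.com/wsp": {
    "token_type": SAML2_TOKEN, "lifetime": timedelta(minutes=5),
    "attributes": {"mail": "email", "sn": "surname"},  # local name -> name in the token
    "signing_key": b"constructed-idp-key"}}           # stand-in for the IdP private key
# SP role, policy per IdP partner (constructed): verification key, validate-only or also issue.
SP_POLICY = {"https://idp.example.com": {
    "verification_key": b"constructed-idp-key",       # stand-in for the IdP certificate
    "audience": "https://sp.example.com/wsp", "issue_local_token": True,
    "local_attributes": {"email": "user.email", "surname": "user.last"}}}

def build_rst(applies_to, token_type=SAML2_TOKEN):
    """WSC side: Issue request naming the token type and the WSP it is for."""
    rst = ET.Element(q(WST, "RequestSecurityToken"))
    ET.SubElement(rst, q(WST, "RequestType")).text = WST + "/Issue"
    ET.SubElement(rst, q(WST, "TokenType")).text = token_type
    epr = ET.SubElement(ET.SubElement(rst, q(WSP, "AppliesTo")), q(WSA, "EndpointReference"))
    ET.SubElement(epr, q(WSA, "Address")).text = applies_to
    return ET.tostring(rst, encoding="unicode")

def _toy_sign(assertion, key):  # HMAC over the serialized assertion (stand-in for XML-Signature)
    return hmac.new(key, ET.tostring(assertion), hashlib.sha256).hexdigest()

def idp_issue(rst_xml, issuer, subject, user_attrs, now):
    """IdP-side STS: answer an Issue request under the SP partner's policy."""
    rst = ET.fromstring(rst_xml)
    if rst.findtext(q(WST, "RequestType")) != WST + "/Issue":
        raise ValueError("only Issue requests are handled here")
    applies_to = rst.findtext(".//" + q(WSA, "Address"))
    policy = IDP_POLICY.get(applies_to)
    if policy is None:
        raise ValueError("no partner connection for %s" % applies_to)
    if rst.findtext(q(WST, "TokenType")) not in (None, policy["token_type"]):
        raise ValueError("requested token type is not allowed for this partner")
    a = ET.Element(q(SAML2, "Assertion"), Version="2.0", IssueInstant=now.isoformat())
    ET.SubElement(a, q(SAML2, "Issuer")).text = issuer
    ET.SubElement(ET.SubElement(a, q(SAML2, "Subject")), q(SAML2, "NameID")).text = subject
    cond = ET.SubElement(a, q(SAML2, "Conditions"), NotBefore=now.isoformat(),
                         NotOnOrAfter=(now + policy["lifetime"]).isoformat())
    aud = ET.SubElement(ET.SubElement(cond, q(SAML2, "AudienceRestriction")), q(SAML2, "Audience"))
    aud.text = applies_to
    stmt = ET.SubElement(a, q(SAML2, "AttributeStatement"))
    for local, name in policy["attributes"].items():  # only mapped attributes leave the IdP
        if local in user_attrs:
            attr = ET.SubElement(stmt, q(SAML2, "Attribute"), Name=name)
            ET.SubElement(attr, q(SAML2, "AttributeValue")).text = user_attrs[local]
    sig = _toy_sign(a, policy["signing_key"])  # sign before the signature element is attached
    ET.SubElement(a, q(TOY_SIG, "SignatureValue")).text = sig
    rstr = ET.Element(q(WST, "RequestSecurityTokenResponse"))
    ET.SubElement(rstr, q(WST, "TokenType")).text = policy["token_type"]
    ET.SubElement(rstr, q(WST, "RequestedSecurityToken")).append(a)
    return ET.tostring(rstr, encoding="unicode")

def sp_process(rstr_xml, now):
    """SP-side STS: validate the incoming token; issue a local token only if policy says so."""
    a = ET.fromstring(rstr_xml).find(".//" + q(SAML2, "Assertion"))
    issuer = a.findtext(q(SAML2, "Issuer"))
    policy = SP_POLICY.get(issuer)
    if policy is None:
        raise ValueError("no partner connection for issuer %s" % issuer)
    sig = a.find(q(TOY_SIG, "SignatureValue"))
    if sig is None:
        raise ValueError("unsigned token")
    a.remove(sig)  # verify over the assertion exactly as it was signed
    if not hmac.compare_digest(sig.text, _toy_sign(a, policy["verification_key"])):
        raise ValueError("signature does not verify with the partner's key")
    cond = a.find(q(SAML2, "Conditions"))
    if not (datetime.fromisoformat(cond.get("NotBefore")) <= now
            < datetime.fromisoformat(cond.get("NotOnOrAfter"))):
        raise ValueError("token outside its validity window")
    if a.findtext(".//" + q(SAML2, "Audience")) != policy["audience"]:
        raise ValueError("token was issued for a different audience")
    attrs = {x.get("Name"): x.findtext(q(SAML2, "AttributeValue")) for x in a.iter(q(SAML2, "Attribute"))}
    result = {"issuer": issuer, "subject": a.findtext(".//" + q(SAML2, "NameID")),
              "attributes": attrs, "local_token": None}
    if policy["issue_local_token"]:  # validate-and-issue: map token attributes to local names
        result["local_token"] = {policy["local_attributes"][k]: v
                                 for k, v in attrs.items() if k in policy["local_attributes"]}
    return result
```

Setting `issue_local_token` to `False` in the SP partner entry gives the validate-only behaviour from the list above: the token is still checked but `local_token` stays `None`. Two details carry over to a real deployment: the IdP emits only the attributes its partner policy maps (here `uid` never leaves), and the SP verifies the signature before it trusts anything else in the token, including the attribute values it is about to map.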