Choosing a decryption key (SAML 2.0) - PingFederate - 10.1

PingFederate Server
bundle
pingfederate-101
ft:publication_title
PingFederate Server
Product_Version_ce
PingFederate 10.1
category
Product
pf-101
pingfederate
ContentType_ce
  • Release Notes
  • PingFederate 10.1.11 - February 2023
  • PingFederate 10.1.10 - January 2022
  • PingFederate 10.1.9 - October 2021
  • PingFederate 10.1.8 - August 2021
  • PingFederate 10.1.7 - June 2021
  • PingFederate 10.1.6 - May 2021
  • PingFederate 10.1.5 - March 2021
  • PingFederate 10.1.4 - January 2021
  • PingFederate 10.1.3 - December 2020
  • PingFederate 10.1.2 - October 2020
  • PingFederate 10.1.1 - August 2020
  • PingFederate 10.1 - June 2020
  • Navigation tabs and menus
  • Known issues and limitations
  • Deprecated features
  • Previous releases
  • Introduction to PingFederate
  • About identity federation and SSO
  • Service providers and identity providers
  • Federation hub
  • Supported standards
  • Federation roles
  • Terminology
  • Browser-based SSO
  • SAML 1.x profiles
  • SSO—Browser-POST
  • SSO—Browser-Artifact
  • SP-initiated (destination-first) SSO
  • SAML 2.0 profiles
  • Single sign-on
  • SP-initiated SSO—POST-POST
  • SP-initiated SSO—Redirect-POST
  • SP-initiated SSO—Artifact-POST
  • SP-initiated SSO—POST-Artifact
  • SP-initiated SSO—Redirect-Artifact
  • SP-initiated SSO—Artifact-Artifact
  • IdP-initiated SSO—POST
  • IdP-initiated SSO—Artifact
  • Single logout
  • Attribute Query and XASP
  • Standard IdP Discovery
  • WS-Federation
  • About account linking
  • Web services standards
  • Web Services Security
  • WS-Trust
  • Request types
  • OAuth 2.0
  • Web redirect flow
  • Device authorization grant
  • CIBA grant
  • CIBA by poll
  • CIBA by ping
  • Token exchange grant
  • Assertion grant profile for OAuth 2.0 authorization grants
  • OpenID Connect support
  • Client management
  • System for Cross-domain Identity Management (SCIM)
  • Transport and message security
  • SSO integration overview
  • SSO integration concepts
  • Identity provider integration
  • Service provider integration
  • Integrations and deployment scenarios
  • Security token service
  • OAuth authorization server
  • User account management
  • Enterprise deployment architecture
  • Additional features
  • Key concepts
  • About WS-Trust STS
  • Connection-based policy
  • Token processors and generators
  • WSC and WSP support
  • STS OAuth integration
  • About OAuth
  • Delegated access types
  • Token models and management
  • Grant types
  • Scopes
  • Consent approval
  • Client management and storage
  • Client authentication schemes
  • Dynamic client registration
  • Transient grants and persistent grants
  • Grant storage and management
  • Mapping OAuth attributes
  • OAuth user-facing windows
  • OpenID Connect
  • CORS support for OAuth endpoints
  • SSO integration kits and adapters
  • Security infrastructure
  • Digital signatures
  • Message signing
  • Certificate validation
  • Digital signing policy coordination
  • Secure sockets layer
  • Encryption
  • Hierarchical plugin configurations
  • Identity mapping
  • Account linking
  • Account mapping
  • User attributes
  • Attribute contracts
  • Adapter contracts
  • STS token contracts
  • Datastores
  • Attribute masking
  • About token authorization
  • User provisioning
  • Outbound provisioning for IdPs
  • Provisioning for SPs
  • Customer identity and access management
  • Federation hub use cases
  • Bridging an IdP to an SP
  • Bridging an IdP to multiple SPs
  • Bridging multiple IdPs to an SP
  • Bridging multiple IdPs to multiple SPs
  • Federation hub and authentication policy contracts
  • Federation hub and virtual server IDs
  • Federation planning checklist
  • Multiple virtual server IDs
  • Configuration data exchange
  • Installing PingFederate
  • System requirements
  • Database driver information
  • Port requirements
  • Installing Java
  • Installation options
  • Installing PingFederate on Windows
  • Installing PingFederate on Linux systems
  • Installing the PingFederate service on Linux manually
  • Installing PingFederate service on Windows manually
  • Uninstalling PingFederate
  • Uninstalling PingFederate from a Windows server
  • Uninstalling PingFederate from a Linux server
  • Upgrading PingFederate
  • Upgrade considerations
  • Upgrade considerations introduced in PingFederate 9.x
  • Upgrade considerations introduced in PingFederate 8.x
  • Upgrade considerations introduced in PingFederate 7.x
  • Upgrade considerations introduced in PingFederate 6.x
  • Updating to the latest maintenance release
  • Upgrading PingFederate on Windows using the installer
  • Upgrading PingFederate on Windows using the Upgrade Utility
  • Upgrading PingFederate on Linux systems
  • Custom mode
  • Reviewing post-upgrade tasks
  • Reviewing administrative users
  • Copying customized files or settings
  • Reviewing database changes
  • Provisioning datastore reset
  • Security enhancement in JDBC datastore queries
  • New connection pool library
  • An improved index in the database table for OAuth clients
  • Changes in the database tables for log messages
  • Changes in the database table for account linking
  • Changes in the database tables for OAuth clients
  • Changes in the database tables for OAuth persistent grants and extended attributes
  • A new database table for OAuth persistent grant extended attributes
  • New indexes in the database table for OAuth persistent grants
  • Changes in a database table supporting nested group membership
  • Reviewing log configuration
  • Upgrading from PingFederate 8.x, 9.x, or 10.x
  • Upgrading from PingFederate 6.x or 7.x
  • Migrating other components
  • Updating the custom authentication selector
  • Migrating to the integrated LDAP Username PCV
  • Migrating to the integrated Username Token Processor
  • Resetting files and variable for HSM
  • Verifying the new installation
  • Getting Started with PingFederate
  • Starting and stopping PingFederate servers
  • Starting and stopping PingFederate on Windows
  • Starting and stopping PingFederate on Linux
  • Opening the PingFederate administrative console
  • Setting up PingFederate
  • Importing your license
  • Entering basic information for PingFederate
  • Configuring identity provider settings
  • Connecting PingFederate to a directory
  • Configuring Kerberos authentication
  • Reviewing the directory configuration
  • Creating an administrator account
  • Reviewing the PingFederate configuration
  • Setting up PingFederate Bridge
  • Connecting PingFederate to PingOne for Enterprise
  • Connecting PingFederate Bridge to a directory server
  • Configuring PingOne SSO and PingID VPN settings
  • Configuring Kerberos authentication
  • Configuring provisioning to PingOne for Enterprise
  • Reviewing the PingOne SSO configuration
  • Configuring the RADIUS server to integrate PingID with your VPN
  • Reviewing the PingID VPN (RADIUS) configuration
  • Configuring provisioning to PingID
  • Entering basic information for PingFederate Bridge
  • Reviewing the PingFederate Bridge configuration
  • Completion of the PingFederate Bridge setup
  • PingFederate administrative console
  • Tasks and steps
  • Console buttons
  • Third-party cryptographic solutions
  • Supported hardware security modules
  • Integrating with AWS CloudHSM
  • AWS CloudHSM operational notes
  • Integrating with Gemalto SafeNet Luna Network HSM
  • SafeNet Luna Network HSM operational notes
  • Integrating with nCipher nShield Connect HSM
  • nShield Connect HSM operational notes
  • Supported software security package
  • Integrating with Bouncy Castle FIPS provider
  • Setting up with Java 8
  • Setting up with Java 11
  • Bouncy Castle operational notes
  • Server Clustering Guide
  • Overview of clustering
  • Cluster protocol architecture
  • Runtime state-management architectures
  • Adaptive clustering
  • Multi-region support
  • Configuring multi-region support
  • Directed clustering
  • Sharing all nodes
  • Designating state servers
  • Defining subclusters
  • Runtime state-management services
  • Inter-Request State-Management (IRSM) Service
  • IdP Session Registry Service
  • SP Session Registry Service
  • LRU memory management schemes
  • Assertion Replay Prevention Service
  • Artifact-Message Persistence and Retrieval Service
  • Back-Channel Session Revocation Service
  • Account Locking Service
  • Other services
  • Deploying cluster servers
  • Enabling dynamic discovery for clustering
  • Deploying provisioning failover
  • Configuration synchronization
  • Console configuration push
  • Configuration-archive deployment
  • Administrator's Reference Guide
  • Attribute mapping expressions
  • Enabling and disabling expressions
  • Construct OGNL expressions
  • Sample OGNL expressions
  • Issuance criteria and multiple virtual server IDs
  • Expressions for OAuth and OpenID Connect uses cases
  • Using the OGNL edit window
  • Authentication policies
  • Selectors
  • Managing authentication selector instances
  • Choosing a selector type
  • Configuring an authentication selector instance
  • Configuring the CIDR Authentication Selector
  • Configuring the Cluster Node Authentication Selector
  • Configuring the Connection Set Authentication Selector
  • Configuring the Extended Property Authentication Selector
  • Configuring the HTTP Header Authentication Selector
  • Configuring the HTTP Request Parameter Authentication Selector
  • Configuring the OAuth Client Set Authentication Selector
  • Configuring the OAuth Scope Authentication Selector
  • Configuring the Requested AuthN Context Authentication Selector
  • Configuring the Session Authentication Selector
  • Configuring a sample use case
  • Policies
  • Defining authentication policies
  • Specifying an incoming user ID
  • Configuring rules in authentication policies
  • Defining authentication policies based on group membership information
  • Applying policy contracts or identity profiles to authentication policies
  • Configuring contract mapping
  • Configuring local identity mapping
  • Defining issuance criteria for contract or local identity mapping
  • Mapping a policy contract to multiple use cases
  • SP authentication policies
  • Configuring an SP authentication policy for users from one IdP
  • Configuring SP authentication policies for users from multiple IdPs
  • Configuring SP authentication policies for internal users
  • Policy contracts
  • Managing policy contracts
  • Editing contract information
  • Defining contract attributes
  • Reviewing the policy contract
  • Adapter Mappings
  • Configuring authentication policy adapter mappings
  • Defining issuance criteria for adapter mapping
  • Sessions
  • Configuring tracking options for logout
  • Configuring application sessions
  • Configuring authentication sessions
  • Bundled adapters
  • Composite Adapter
  • Configuring a Composite Adapter instance
  • HTML Form Adapter
  • Configuring an HTML Form Adapter instance
  • HTML Form Adapter advanced fields
  • HTTP Basic Adapter
  • Configuring an HTTP Basic Adapter instance
  • Identifier First Adapter
  • Configuring an Identifier First Adapter instance
  • Identifier First Adapter and authentication policies
  • Configuring a policy for multiple user populations
  • Kerberos Adapter
  • Authentication mechanism assurance
  • Configuring a Kerberos Adapter instance for SSO authentication
  • Configuring end-user browsers
  • Configuring Microsoft Internet Explorer
  • Configuring Mozilla Firefox
  • OpenToken Adapter
  • Configuring an OpenToken IdP Adapter instance
  • Configuring an OpenToken SP Adapter instance
  • Customer IAM configuration
  • Setting up PingDirectory for customer identities
  • Managing local identity profiles
  • Defining a local identity profile
  • Defining authentication sources
  • Defining local identity fields
  • Configuring a local identity field
  • Configuring email ownership verification options
  • Configuring registration options
  • Configuring profile management options
  • Managing datastore configuration
  • Selecting a datastore for customer identities
  • Configuring LDAP base DN and attributes
  • Configuring LDAP relative DN and object class
  • Defining datastore mapping configuration
  • Reviewing datastore configuration
  • Reviewing a local identity profile
  • Configuring the HTML Form Adapter for customer identities
  • Setting up self-service registration
  • Enabling third-party identity providers
  • Enabling profile management
  • Creating advanced registration mapping
  • Enabling third-party identity providers without registration
  • Customizing assertions and authentication requests
  • Message types and available variables
  • Sample customizations
  • Fulfillment by datastore queries
  • Attribute mapping with multiple data sources
  • Datastore query configuration
  • Choosing a datastore
  • Specifying database tables and columns
  • Entering a database search filter
  • Specifying directory properties and attributes
  • Defining encoding for binary attributes
  • Entering a directory search filter
  • Specifying data source filter and fields
  • Specifying a resource path for a REST API datastore
  • Specifying a dynamic authorization header for a REST API datastore
  • Specifying filters and fields for a custom datastore
  • Configuring failsafe options
  • Reviewing datastore query configurations
  • IdP-to-SP bridging
  • Adapter-to-adapter mappings
  • Managing mappings
  • Assigning a license group
  • Identifying the target application
  • Configuring attribute sources and user lookup for adapter-to-adapter mappings
  • Configuring target application information
  • Configuring contract fulfillment for adapter-to-adapter mappings
  • Configuring a default target URL (optional)
  • Defining issuance criteria for adapter-to-adapter mappings
  • Reviewing the adapter-to-adapter mapping
  • Token translator mappings
  • Managing token mappings
  • Configuring attribute sources and user lookup for token mapping
  • Configuring contract fulfillment for token exchange mapping
  • Defining issuance criteria for token translator mapping
  • Reviewing the token exchange mapping
  • Identity provider SSO configuration
  • IdP application integration settings
  • Managing IdP adapters
  • Creating an IdP adapter instance
  • Configuring an IdP adapter instance
  • Invoking IdP adapter actions
  • Extending an IdP adapter contract
  • Setting pseudonym and masking options
  • Defining the IdP adapter contract
  • Defining attribute sources and user lookup
  • Configuring IdP adapter contract fulfillment
  • Defining issuance criteria for IdP adapter contract
  • Reviewing an IdP adapter contract
  • Reviewing and saving an IdP adapter configuration
  • Authentication applications and the authentication API
  • Managing authentication applications
  • Configuring authentication applications
  • Denying authentication applications access to the authorization endpoint
  • Configuring a default URL and error message
  • Viewing IdP application endpoints
  • IdP protocol endpoints
  • SP connection management
  • Accessing SP connections
  • Resolving SP connection errors
  • Importing a connection
  • Updating a SAML connection using metadata
  • Choosing an SP connection template
  • Choosing an SP connection type
  • Choosing SP connection options
  • Importing SP metadata
  • Identifying the SP
  • Populating extended property values for SP connections
  • Configure IdP Browser SSO
  • Choosing SAML 2.0 profiles
  • Setting an SSO token lifetime
  • Configuring SSO token creation
  • Choosing an identity mapping method for IdP SSO
  • Selecting a SAML Name ID type
  • Selecting a WS-Federation Name ID type
  • Setting up an attribute contract
  • Managing authentication source mappings
  • Mapping an adapter instance
  • Mapping an authentication policy
  • Overriding an IdP adapter instance
  • Restricting an authentication source to certain virtual server IDs
  • Selecting an attribute mapping method
  • Configuring default contract fulfillment for IdP Browser SSO
  • Defining issuance criteria for IdP Browser SSO
  • Configuring attribute sources and user lookup
  • Configuring contract fulfillment for IdP Browser SSO
  • Reviewing the authentication source mapping
  • Reviewing the SSO token creation summary
  • Configuring protocol settings
  • Setting Assertion Consumer Service URLs (SAML)
  • Setting a default target URL (SAML 1.x)
  • Specifying the WS-Trust version
  • Defining a service URL (WS-Federation)
  • Specifying SLO service URLs (SAML 2.0)
  • Choosing allowable SAML bindings (SAML 2.0)
  • Setting an artifact lifetime (SAML)
  • Specifying artifact resolver locations (SAML 2.0)
  • Defining signature policy (SAML)
  • Configuring XML encryption policy (SAML 2.0)
  • Reviewing protocol settings
  • Reviewing browser-based SSO settings
  • Configuring the Attribute Query profile in an SP connection
  • Defining retrievable attributes
  • Configuring attribute lookup
  • Choosing a datastore for Attribute Query
  • Configuring mapping fulfillment for Attribute Query
  • Defining issuance criteria for Attribute Query
  • Specifying security policy
  • Reviewing the Attribute Query configuration
  • Configuring credentials
  • Configuring back-channel authentication (SAML)
  • Configuring authentication requirements for outbound messages
  • Configuring authentication requirements for inbound messages
  • Configuring digital signature settings
  • Configuring signature verification settings (SAML 2.0)
  • Selecting an encryption certificate
  • Selecting a decryption key (SAML 2.0)
  • Reviewing SP credential settings
  • Configuring outbound provisioning
  • Defining a provisioning target
  • Specifying custom SCIM attributes
  • Managing channels
  • Specifying channel information
  • Identifying the source datastore
  • Modifying source settings
  • Specifying a source location
  • Mapping attributes
  • Specifying mapping details
  • Defining mapping information for a standard attribute
  • Defining mapping information for a custom attribute
  • Reviewing channel settings
  • Reviewing SP connection settings
  • SP affiliations
  • Managing SP affiliations
  • Importing affiliation metadata
  • Entering affiliation information
  • Managing affiliation membership
  • Reviewing an SP affiliation
  • OAuth configuration
  • Configuring OAuth use cases
  • Configuring authorization server settings
  • External consent user interface
  • Scopes and scope management
  • Defining scopes
  • Configuring client settings
  • Configuring dynamic client registration settings
  • Supported client metadata
  • Configuring scope constraints
  • Managing client configuration defaults
  • Selecting client registration policies
  • Reviewing client settings
  • Managing Client Registration Policy instances
  • Configuring a Client Registration Policy instance
  • Configuring a Response Type Constraints instance
  • Managing OAuth clients
  • Configuring an OAuth client
  • Grant contract mapping
  • Managing IdP adapter grant mapping
  • Configuring IdP adapter attribute sources and user lookup
  • Fulfilling IdP adapter grant mapping
  • Defining issuance criteria for OAuth IdP adapter mapping
  • Reviewing the IdP adapter mapping
  • Configuring IdP connection grant mapping
  • Choosing an OAuth datastore
  • Fulfilling OAuth attribute mapping
  • Defining issuance criteria for OAuth attribute mapping
  • Reviewing the OAuth attribute mapping summary
  • Managing authentication policy contract grant mapping
  • Configuring policy contract attribute sources and user lookup
  • Fulfilling policy contract grant mapping
  • Defining issuance criteria for policy contract mapping
  • Reviewing authentication policy contract mapping
  • Managing resource owner credentials grant mapping
  • Configuring resource owner attribute sources and user lookup
  • Fulfilling resource owner credentials grant mapping
  • Defining issuance criteria for resource-owner credentials mapping
  • Reviewing the resource owner credentials mapping
  • Token mapping
  • Access token management
  • Managing access token management instances
  • Defining an access token management instance
  • Configuring an access token management instance
  • Configuring reference token management
  • Configuring JSON token management
  • Managing session validation settings
  • Defining the access token attribute contract
  • Managing resource URIs
  • Defining access control
  • Reviewing the access token management configuration
  • Managing access token mappings
  • Configuring access token attribute sources and user lookup
  • Configuring access token fulfillment
  • Defining issuance criteria for access token mapping
  • Reviewing the access token mapping
  • Configuring an OAuth assertion grant IdP connection
  • Defining an attribute contract for the OAuth assertion grant
  • Configuring access token manager mappings
  • Selecting an access token manager instance
  • Configuring a datastore for OAuth assertion grant attribute mapping
  • Configuring OAuth assertion grant contract fulfillment
  • Defining issuance criteria for OAuth assertion grants
  • Reviewing OAuth assertion grant attribute mapping configuration
  • Reviewing OAuth assertion grant configuration
  • Configuring OpenID Connect policies
  • Configuring policy and ID token settings
  • Configuring the policy attribute contract
  • Configuring attribute scopes
  • Configuring policy attribute sources and user lookup
  • Configuring ID token fulfillment
  • Defining issuance criteria for policy mapping
  • Reviewing your OpenID Connect policy
  • Client Initiated Backchannel Authentication (CIBA)
  • Managing CIBA authenticators
  • Configuring a CIBA authenticator instance
  • Managing CIBA request policies
  • Defining a request policy
  • Configuring identity hint contract
  • Configuring identity hint contract fulfillment
  • Configuring attribute sources and user lookup
  • Fulfilling identity hint contract
  • Defining issuance criteria for identity hint contract
  • Reviewing identity hint contract fulfillment
  • Configuring attribute sources and user lookup for request policy contract
  • Configuring request policy contract fulfillment
  • Defining issuance criteria for CIBA request policy
  • Reviewing your CIBA request policy
  • OAuth attribute mapping using a datastore
  • OAuth client session management
  • Asynchronous Front-Channel Logout
  • Back-Channel Session Revocation
  • OAuth token exchange
  • Configuring OAuth token exchange
  • Defining token exchange processor policies
  • Creating token exchange generator groups
  • Mapping token exchange attributes to token generator attributes
  • Mapping token exchange attributes to access token manager attributes
  • Enabling token exchange in OAuth clients
  • Security management
  • Certificate and key management
  • Manage trusted certificate authorities
  • Importing trusted certificate authorities
  • Exporting trusted certificate authorities
  • Reviewing trusted certificate authorities
  • Removing trusted certificate authorities
  • Manage SSL server certificates
  • Creating a new certificate
  • Importing a certificate and its private key
  • Creating a certificate-authority signing request (CSR)
  • Importing a certificate-authority response (CSR response)
  • Exporting a certificate
  • Reviewing a certificate
  • Activating or deactivating a certificate
  • Removing a certificate
  • Manage SSL client keys and certificates
  • Creating new certificates
  • Importing certificates and their private keys
  • Creating a certificate signing request (CSR)
  • Importing a certificate-authority response (CSR response)
  • Exporting certificates
  • Reviewing certificates
  • Removing certificates
  • Manage digital signing certificates and decryption keys
  • Certificate rotation
  • Connection and federation metadata
  • Managing certificate rotation settings
  • Managed SP connection to PingOne for Enterprise and signing certificate
  • Creating new certificates
  • Importing certificates and their private keys
  • Creating a certificate signing request (CSR)
  • Importing a certificate-authority response (CSR response)
  • Exporting certificates
  • Reviewing certificates
  • Reviewing a certificate's usage
  • Removing certificates
  • Keys for OAuth and OpenID Connect
  • Configuring static signing keys
  • Configuring static decryption keys
  • Managing certificates from partners
  • Signature verification
  • Encryption
  • Back-channel authentication
  • Configuring certificate revocation
  • Transitioning to an HSM
  • Manage Partner metadata URLs
  • Adding a new metadata URL
  • Updating an existing metadata URL
  • Reviewing a metadata URL usage
  • Removing a metadata URL
  • Rotating system keys
  • System integration
  • Configuring redirect validation
  • Managing partner redirect validation
  • Configure incoming proxy settings
  • Configuring service authentication
  • Account lockout protection
  • Configuring account lockout protection
  • Password spraying prevention
  • Configuring password spraying prevention
  • Implementing a MasterKeyEncryptor using AWS KMS
  • Self-service user account management
  • Configuring self-service password management
  • Configuring self-service account recovery
  • Configuring self-service user name recovery
  • Service provider SSO configuration
  • SP application integration settings
  • Managing SP adapters
  • Creating an SP adapter instance
  • Configuring an SP adapter instance
  • Invoking SP adapter actions
  • Extending an SP adapter contract
  • Identifying the target application
  • Reviewing an SP adapter configuration
  • Configuring target URL mapping
  • Configuring Identity Store Provisioners
  • Creating an Identity Store Provisioner instance
  • Defining the Identity Store Provisioner behavior
  • Extending the Identity Store Provisioner contract
  • Extending the Identity Store Provisioner contract for groups
  • Reviewing the Identity Store Provisioner configuration
  • Configuring default URLs
  • Viewing SP application endpoints
  • Federation settings
  • Managing attribute requester mappings
  • Viewing SP protocol endpoints
  • Managing IdP connections
  • Accessing IdP connections
  • Resolving IdP connection errors
  • Choosing an IdP connection type
  • Choosing IdP connection options
  • Importing IdP metadata
  • Identifying the partner
  • Populating extended property values for IdP connections
  • Defining additional issuers
  • Configure SP Browser SSO
  • Selecting SAML profiles
  • Configuring user-session creation
  • Choosing an identity mapping method for SP SSO
  • Defining an attribute contract
  • Managing target session mappings
  • Selecting a target session
  • Overriding an SP adapter instance
  • Restricting a target session to certain virtual server IDs
  • Choosing an attribute mapping method
  • Configuring target session fulfillment
  • Defining issuance criteria for SP Browser SSO
  • Reviewing the target session mapping
  • Reviewing the session creation summary
  • Managing protocol settings
  • Specifying SSO service URLs (SAML)
  • Specifying a service URL (WS-Federation)
  • Defining SLO service URLs (SAML 2.0)
  • Selecting allowable SAML bindings (SAML)
  • Specifying an artifact lifetime (SAML 2.0)
  • Defining artifact resolver locations (SAML)
  • Configuring OpenID Provider information
  • Configuring default target URLs
  • Overriding authentication context in an IdP connection
  • Configuring signature policy
  • Specifying XML encryption policy (for SAML 2.0)
  • Reviewing protocol settings for SP browser SSO
  • Reviewing Browser SSO settings
  • Manage the Attribute Query profile in an IdP connection
  • Setting the Attribute Authority Service URL
  • Mapping attribute names for Attribute Query
  • Configuring security policy for Attribute Query
  • Reviewing the Attribute Query settings
  • Configuring just-in-time provisioning
  • Selecting attribute sources (SAML 2.0)
  • Identifying the user repository
  • Specifying an LDAP user-record location
  • Entering an LDAP filter
  • Identifying provisioning attributes for LDAP
  • Choosing a SQL method
  • Specifying a database user-record location
  • Specifying a unique ID database column
  • Specifying a stored procedure location
  • Mapping attributes to a user account
  • Choosing an event trigger
  • Configuring an error handling method
  • Reviewing the JIT provisioning configuration
  • Configuring SCIM inbound provisioning
  • Specifying the user repository
  • Identifying an LDAP user-record location
  • Defining a unique user ID
  • Defining a unique group ID
  • Defining custom SCIM attributes
  • Configuring custom SCIM attribute options
  • Writing user information to the datastore
  • Identifying inbound provisioning attributes for LDAP
  • Mapping attributes to user accounts
  • Reviewing user mapping (Write Users) configuration
  • Configuring a SCIM response
  • Identifying expected user attributes for the SCIM response
  • Identifying LDAP attributes for the SCIM response
  • Mapping attributes into the SCIM response
  • Reviewing SCIM response (Read Users) configuration
  • Configuring the handling of SCIM delete requests
  • Writing group information to the datastore
  • Identifying inbound provisioning group attributes for LDAP
  • Mapping attributes to groups
  • Reviewing group mapping (Write Groups) configuration
  • Configuring a SCIM response for groups
  • Identifying expected group attributes for the SCIM response
  • Identifying LDAP group attributes for the SCIM response
  • Mapping group attributes into SCIM response
  • Reviewing SCIM response for groups (Read Groups) configuration
  • Reviewing the inbound provisioning configuration
  • Configuring security credentials
  • IdP connection management
  • Configuring back-channel authentication for outbound messages
  • Configuring back-channel authentication for inbound messages
  • Managing digital signature settings
  • Managing signature verification settings
  • Choosing an encryption certificate (SAML 2.0)
  • Choosing a decryption key (SAML 2.0)
  • Reviewing IdP credential settings
  • Reviewing an IdP connection
  • OpenID Connect Relying Party support
  • Creating an OpenID Connect IdP connection
  • Configuring request parameters and SSO URLs
  • Query parameters versus request object
  • Configuring IdP discovery using a persistent cookie
  • System administration
  • Configuring PingFederate properties
  • Enabling OIDC-based authentication
  • Configuring size limits
  • PingFederate log files
  • Log4j 2 logging service and configuration
  • HTTP request logging
  • Administrator audit logging
  • API audit logging
  • Administrative API audit log
  • Runtime APIs audit log
  • Runtime transaction logging
  • Security audit logging
  • Outbound provisioning audit logging
  • Server logging
  • Server log filter
  • Logging in other formats
  • Writing logs to databases
  • Logging in Common Event Format
  • Writing audit log in CEF
  • Writing provisioner audit log in CEF
  • Writing audit log for Splunk
  • Alternative console authentication
  • Enabling LDAP authentication
  • Enabling RADIUS authentication
  • Multi-factor console authentication using PingID
  • Solution overview
  • Configuring your PingID account
  • Creating an LDAP Username Password Credential Validator instance
  • Configuring a PingID Password Credential Validator instance
  • Configuring PingFederate to use RADIUS authentication
  • Verifying your setup
  • Enabling certificate-based authentication
  • Configuring automatic connection validation
  • Automating configuration migration
  • Copying the key from the source to the target server
  • Administrative console migration
  • Using the migration tool
  • Outbound provisioning CLI
  • Customizable user-facing pages
  • IdP user-facing pages
  • SP user-facing pages
  • Either IdP or SP user-facing pages
  • OAuth user-facing pages
  • Customizable email notifications
  • Local administrative account management events
  • Certificate events
  • SAML metadata update events
  • Licensing events
  • HTML Form Adapter events
  • Customizable text message
  • Localizing messages for end users
  • Locale overrides by cookies
  • Retrieval of localized messages
  • Configuring a password policy
  • Managing cipher suites
  • Manage externally stored authentication sessions
  • Managing authentication sessions stored in the database
  • Managing authentication sessions stored in PingDirectory
  • OAuth persistent grants cleanup
  • Managing expired persistent grants
  • Managing expired persistent grants in PingDirectory
  • Managing cleanup of persistent grants
  • Specifying the domain of the PF cookie
  • Specifying the domain of the PF.PERSISTENT cookie
  • Extending the lifetime of the PingFederate cookie
  • Configuring forward proxy server settings
  • Adding custom HTTP response headers
  • Configuring validation for the AudienceRestriction element
  • Customizing the OpenID Provider configuration endpoint response
  • Customizing the heartbeat message
  • Customizing the favicon for application and protocol endpoints
  • Configuring the behavior of searching multiple datastores with one mapping
  • System settings
  • Server
  • Protocol settings
  • Specifying federation information
  • Configuring WS-Trust settings
  • Configuring outbound provisioning settings
  • Configuring standard IdP Discovery
  • Reviewing protocol settings
  • Administrative accounts
  • Enabling native authentication for the administrative console
  • Managing local accounts and role assignments
  • Enabling notification messages for account management events
  • Setting or resetting passwords
  • Changing passwords
  • License management
  • Reviewing license information
  • Requesting a new license key
  • Installing a license key on a new or upgraded PingFederate server
  • Installing a replacement license key
  • Configuring notification for licensing events
  • Configuration archive
  • Configuring a backup schedule
  • Exporting an archive
  • Importing an archive
  • Cluster management
  • Replicating configuration
  • Virtual host names
  • Configuring virtual host names
  • Extended properties
  • Defining extended properties
  • Configuring general settings
  • Metadata
  • Metadata settings
  • Entering system information
  • Configuring metadata signing
  • Configuring metadata lifetime
  • Reviewing metadata settings
  • Metadata export
  • Exporting connection-specific SAML metadata
  • Exporting selected SAML metadata
  • File signing
  • Signing XML files
  • Monitoring and notifications
  • Runtime notifications
  • Configuring runtime notifications
  • Runtime reporting
  • Configuring SNMP monitoring
  • Runtime monitoring using JMX
  • Datastores
  • Adding a new datastore
  • Configuring a JDBC connection
  • Configuring an LDAP connection
  • Setting advanced LDAP options
  • Specifying LDAP binary attributes
  • Proxied authorization
  • Configuring the password validation details request control ACI
  • Defining a custom LDAP type for outbound provisioning
  • Configuring other types of datastores
  • Configuring a REST API datastore
  • Configuring a custom datastore
  • Defining a datastore for persistent authentication sessions
  • Configuring an external database for authentication sessions
  • Configuring PingDirectory for authentication sessions
  • OAuth grant datastores
  • Configuring external databases for grant storage
  • Configuring directories for grant storage
  • Indexing grant attributes in PingDirectory
  • Using custom solutions for grant storage
  • OAuth client datastores
  • Configuring external databases for client storage
  • Configuring directories for client storage
  • Indexing client attributes in PingDirectory
  • Using custom solutions for client storage
  • Account-linking datastores
  • Configuring external databases for account-link storage
  • Configuring directories for account-link storage
  • Password Credential Validators
  • Choosing a Password Credential Validator
  • Password Credential Validator instance configurations
  • Configuring the LDAP Username Password Credential Validator
  • Configuring the PingOne for Enterprise Directory Password Credential Validator
  • Configuring the RADIUS Username Password Credential Validator
  • Configuring the Simple Username Password Credential Validator
  • Extending the contract for the credential validator
  • Finishing the Password Credential Validator instance configuration
  • Active Directory and Kerberos
  • Configuring Active Directory domains or Kerberos realms
  • Multiple-domain support
  • Configuring the Active Directory environment
  • Adding a domain
  • Managing domain connectivity settings
  • External systems
  • Connecting to PingOne for Enterprise after initial setup
  • Configuring identity repository settings
  • Managing PingOne for Enterprise settings
  • Configuring PingOne for Enterprise settings
  • Configuring PingOne SSO settings
  • Enabling and configuring the built-in RADIUS server to integrate PingID with your VPN
  • Configuring SSO from PingOne admin portal to PingFederate administrative console
  • Monitoring PingFederate from the PingOne admin portal
  • Updating the PingOne identity repository
  • Managing CAPTCHA settings
  • Managing SMS provider settings
  • Managing notification publisher instances
  • Defining a notification publisher instance
  • Notification publisher instance configurations
  • Configuring an Amazon SNS Notification Publisher instance
  • Event types and variables
  • Configuring an SMTP Notification Publisher instance
  • Finalizing actions for a notification publisher instance
  • Reviewing a notification publisher instance configuration
  • Troubleshooting
  • Enabling debug messages and console logging
  • Resolving startup issues
  • Troubleshooting data store issues
  • Resolving URL-related errors
  • Resolving service-related errors
  • Troubleshooting authentication policy issues
  • Troubleshooting registration and profile management issues
  • Troubleshooting runtime errors
  • Activating tracking ID in templates
  • Correlating log messages by PF cookie
  • Correlating log messages by tracking ID
  • Correlating PingFederate events with PingDirectory LDAP activities
  • Troubleshooting OAuth transactions
  • Reviewing an OAuth request and various OAuth settings
  • Other runtime issues
  • Collecting support data
  • WS-Trust STS configuration
  • Server settings
  • Enabling the WS-Trust protocol
  • Configuring STS authentication
  • Identity provider STS configuration
  • Managing token processors
  • Selecting a token processor type
  • Configuring a token processor instance
  • Configuring a Username Token Processor instance
  • Configuring a Kerberos Token Processor instance
  • Configuring an OAuth Token Processor instance
  • Configuring a JSON Web Token Processor instance
  • Configuring a SAML Token Processor instance
  • Extending a token processor contract
  • Setting attribute masking
  • Reviewing the token processor configuration
  • Managing STS request parameters
  • Creating a request contract
  • Configuring SP connections for STS
  • Configuring protocol settings for IdP STS
  • Setting a token lifetime
  • Configuring token creation
  • Defining an attribute contract for IdP STS
  • Selecting a request contract
  • Managing IdP token processor mappings
  • Selecting a token processor instance
  • Overriding a token processor instance
  • Restricting a token processor to certain virtual server IDs
  • Selecting an attribute retrieval method for token creation
  • Configuring attribute sources and user lookup for token creation
  • Configuring contract fulfillment for token creation
  • Defining issuance criteria for token creation
  • Reviewing the IdP token processor mapping
  • Selecting a request error handling method
  • Reviewing the token creation configuration
  • Reviewing the IdP STS settings
  • Service provider STS configuration
  • Managing token generators
  • Selecting a token generator type
  • Configuring a token generator instance
  • Extending a token generator contract
  • Reviewing the token generator configuration
  • Configuring IdP connections for STS
  • Configuring protocol settings for SP STS
  • Configuring token generation
  • Defining an attribute contract for SP STS
  • Managing SP token generator mappings
  • Selecting a token generator instance
  • Overriding a token generator instance
  • Restricting a token generator to certain virtual server IDs
  • Selecting an attribute retrieval method for token generation
  • Configuring contract fulfillment for token generation
  • Defining issuance criteria for token generation
  • Reviewing the SP token generator mapping
  • Reviewing the token generation configuration
  • Reviewing the SP STS configuration
  • Performance Tuning Guide
  • Logging
  • Operating system tuning
  • Linux tuning
  • Windows tuning
  • Concurrency
  • Tuning the acceptor queue size
  • Tuning the server thread pool
  • Configuring connection pools to datastores
  • Memory
  • JVM heap
  • Garbage collectors
  • Young generation bias
  • The memoryoptions utility
  • memoryoptions and installation
  • memoryoptions and upgrade
  • Restoring the preserved JVM options
  • Fine-tuning JVM options
  • Hardware security modules
  • Configuration at scale
  • References
  • PingFederate Monitoring Guide
  • Liveliness and responsiveness
  • Resource metrics
  • Connecting with JMX
  • Connecting to a local process
  • Connecting to a remote process
  • Monitoring
  • Thread pool
  • Logging, reporting, and troubleshooting
  • Creating an error-only server log
  • Splunk dashboards and audit logs
  • SDK Developer's Guide
  • SDK directory structure
  • Developing your own plugin
  • Implementation guidelines
  • Shared plugin interfaces
  • Developing IdP adapters
  • Developing SP adapters
  • Developing token processors
  • Developing token generators
  • Developing authentication selectors
  • Developing data source connectors
  • Developing password credential validators
  • Developing identity store provisioners
  • IdentityStoreProvisionerWithFiltering interface implementation
  • IdentityStoreUserProvisioner interface implementation
  • Developing notification publishers
  • Building and deploying with Ant
  • Building and deploying manually
  • Log messages
  • Developer's Reference Guide
  • OAuth 2.0 endpoints
  • Authorization endpoint
  • Client-initiated backchannel authentication endpoint
  • Token endpoint
  • OAuth grant type parameters
  • Introspection endpoint
  • Token revocation endpoint
  • Grant-management endpoint
  • Dynamic client registration endpoint
  • Device authorization endpoint
  • User authorization endpoint
  • OpenID Provider configuration endpoint
  • UserInfo endpoint
  • Web service interfaces and APIs
  • Connection Management Service
  • Exporting a connection
  • Importing connections
  • Deleting connections
  • Cluster configuration replication
  • Validation disclaimer
  • SSO Directory Service
  • Coding example
  • SOAP request and response examples
  • OAuth Client Management Service
  • OAuth Access Grant Management Service
  • OAuth Persistent Grant Management API
  • Session Management API
  • Session Revocation API endpoint
  • PingFederate administrative API
  • Configure access to the administrative API
  • Enabling native authentication for the administrative API
  • Enabling LDAP authentication
  • Enabling RADIUS authentication
  • Enabling certificate-based authentication
  • Enabling OAuth 2.0 authorization
  • Accessing the API interactive documentation
  • Application endpoints
  • IdP endpoints
  • SP endpoints
  • SP services
  • SCIM inbound provisioning endpoints
  • System-services endpoints
  • Constructing an alternative metadata exchange endpoint
  • Authentication API
  • Exploring the authentication API
  • Mobile application authentication through REST APIs
  • Development of authentication API-capable adapters and selectors
  • Authentication API states, actions, and models
  • Specification of the plugin API
  • State model example
  • Action model example
  • Action specification example
  • Error specifications
  • State model contents
  • Non-interactive plugins
  • Runtime behavior implementation
  • Checking for actions
  • Extracting models from requests
  • Performing additional validation
  • Handling invalid action IDs
  • Handling authentication error exceptions
  • Sending API responses
  • Returning authentication statuses
  • Session state management
  • Error messages and localization
  • Legal Information
Page created: 21 Jan 2020 |
Page updated: 15 Jul 2020
| 1 min read

10.1 PingFederate Product Configuration User task Software Deployment Method Single Sign-on (SSO) Capability Administrator Audience SAML Standards, specifications, and protocols Product documentation Content Type

As part of XML encryption, you must identify a certificate and key for PingFederate to use to decrypt incoming assertions or assertion elements.

For more information on XML encryption, see Specifying XML encryption policy (for SAML 2.0).

  1. Select the primary XML decryption key from the list.

    If you have not created or imported your certificate into PingFederate, click Manage Certificates. For more information, see Manage digital signing certificates and decryption keys.

  2. Optional: Select the secondary XML decryption key from the list.
Back to home page