Configure an instance of the OpenToken IdP Adapter in PingFederate.
- Go to .
- On the IdP Adapters window, click Create New Instance to start the Create Adapter Instance configuration.
On the Type tab, configure the basics of this adapter
- Enter the instance name and ID.
- From the Type list, select the adapter type.
From the Parent Instance list, select an existing type.
If you are creating an instance that is similar to an existing instance, you might consider making it a child instance by specifying a parent. A child instance inherits the configuration of its parent unless overridden. You can specify overrides during the rest of the setup.
On the IdP Adapter tab, configure your OpenToken IdP Adapter
These values depend on your developer's implementation.
For more information, see the Descriptionfield provided on-window and inthe following table.
PingFederate's field names and descriptions for creating an OpenToken IdP Adapter instance Field Description Password
The password to use for generating the encryption key. It is also known as the shared secret. Authentication Service
The URL to which the user is redirected for a single sign-on (SSO) event. This URL is part of an external application, which performs user authentication.
Click Show Advanced Fields in the Instance Configuration tab to review the following settings. Modify as needed.
Transport Mode How the token is transported to and from the application, either through a query parameter, a cookie (default), or as a form POST. Token Name
The name of the cookie or query parameter that contains the token. This name must be unique for each adapter instance. Override the default value
Cipher Suite The algorithm, cipher mode, and key size that should be used for encrypting the token. The default selected value is AES-128/CBC. Logout Service The URL to which the user is redirected for a single-logout event. This URL is part of an external application, which terminates the user session. Cookie Domain The server domain; for example,
example.com. If no domain is specified, the value is obtained from the request.
Cookie Path The path for the cookie that contains the token. Token Lifetime
The duration in seconds for which the token is valid. Valid range is 1 to 28800. The default value is
The duration in seconds for which the token may be re-issued without authentication. Valid range is 1 to 259200. The default value is
Not Before Tolerance
The amount of time in seconds to allow for clock skew between servers. Valid range is 0 to 3600. The default value is
Force SunJCE Provider If selected, the SunJCE provider is forced for encryption and decryption. Use Verbose Error Messages If selected, use verbose TokenException messages. Obfuscate Password If selected, the default, the password is obfuscated and password-strength validation is applied. Clearing the check box allows backward compatibility with previous OpenToken agents. Session Cookie If selected, OpenToken is set as a session cookie, rather than a persistent cookie. Applies only if the Transport Mode field is set as Cookie. The check box is not selected by default. Secure Cookie If selected, the OpenToken cookie is set only if the request is on a secure channel (https). Applies only if the Transport Mode field is set to Cookie. The check box is not selected by default. Delete Cookie If selected, the token cookie is deleted immediately after consumption. Applies only if the Transport Mode field is set to Cookie. The check box is not selected by default. Replay Prevention Selecting this option is recommended only if Query Parameter is the chosen token transport mode and form POST is used by an associated connection to send the SAML assertion. If selected, PingFederate ensures that the token can be used only once. By default, the check box is not selected.Note:
Selecting this option might affect resource utilization and performance.
Skip Malformed Attribute Detection If not selected, the default, it prevents insecure content from affecting the security of your application and the agent. Update your applications with the latest version of the agent. We recommend not to change the value of this flag.
On the Actions tab, click Download
under Action Invocation Link, and then click
Export to save the properties file.
The values in the resulting file, agent-config.txt, represent the console configuration and are used by the Identity Provider (IdP) application. See the documentation of your respective integration kit for more information.
On the Extended Contract tab, configure additional
attributes for this adapter instance as needed.
The OpenToken IdP Adapter contract includes one core attribute: subject.
The OpenToken IdP Adapter always extends the core contract with an attribute
userIdas well and fulfills it with the value of subject for backward compatibility reason.
On the Adapter Attributes tab, configure the pseudonym and
The Override Attributes check box in this window reflects the status of the override option in the Extended Contract tab.
Select the check box under Pseudonym for the user
identifier of the adapter and optionally for the other attributes, if
This selection is used if any of your service provider (SP) partners use pseudonyms for account linking.Note:
A selection is required whether or not you use pseudonyms for account linking. This allows account linking to be used later without having to delete and reconfigure the adapter. Ensure that you choose at least one attribute that is unique for each user, such as a user's email, to prevent assigning the same pseudonym to multiple users.
- Select the check box under Mask Log Values for any attributes that you want PingFederate to mask their values in its logs at runtime.
- Select the Mask all OGNL-expression generated log values check box, if OGNL expressions might be used to map derived values into outgoing assertions and you want those values masked.
- Select the check box under Pseudonym for the user identifier of the adapter and optionally for the other attributes, if available.
On the Adapter Contract Mapping tab, configure the adapter
contract for this instance with the following optional workflows:
- Configure one or more data sources for datastore queries.
- Fulfill adapter contract with values from the adapter, the default, datastore queries, if configured, context of the request, text, or expressions, if enabled.
- Set up the Token Authorization framework to validate one or more criteria prior to the issuance of the adapter contract.
- On the Summary tab, review your configuration and modify as needed. Click Done to exit the Create Adapter Instance configuration window.
When finished in the IdP Adapters window, click
Save to confirm the adapter instance configuration.
If you want to exit without saving the configuration, click Cancel.