Use this configuration when the PingFederate WS-Trust STS exchanges one type of security token for another without generating a SAML token in between. See WS-Trust STS. For example, use it to convert a user's Kerberos token to a third-party proprietary web access management (WAM) session token.

In effect, this configuration provides an alternative to setting up complete STS connections to make such an exchange using the same instance of PingFederate. Instead, incoming user attributes from an IdP token processor are mapped directly to an SP token generator.

To use this configuration, ensure that you have enabled both the IdP and SP roles for PingFederate, including the WS-Trust protocol. See Enabling the WS-Trust protocol. Also configure the required token-translator instances. You can reuse instances that are already in use for STS connection configurations.