Depending on the selected token generator, the Instance Configuration tab presents you with different parameters.

  1. Go to Applications > Token Exchange > Token Generators.
  2. Select an existing generator instance by clicking its name or click Create New Instance to open the Create Token Generator Instance window.
  3. On theInstance Configuration tab, configure the parameters for this instance type. For the integrated SAML 1.0 and 2.0 Token Generators, see the following table and specify parameters for generated SAML tokens.
    SAML token generator instance field names and descriptions
    Field Instructions
    Minutes Before Enter a numerical value. This element in a SAML token allows for any server clock variability.
    Minutes After Enter a numerical value. This element in a SAML token allows for any server clock variability.
    Issuer Enter your SAML 2.0 entity ID or the SAML 1.x issuer as configured in the System > Server > Protocol Settings window.
    Signing Certificate Responses containing SAML tokens must be signed. Select a signing certificate from the list.

    If you have not yet created or imported your certificate into PingFederate, click Manage Signing Certificates. For more information, see Manage digital signing certificates and decryption keys.

    Signing Algorithm Select the signing algorithm corresponding to the selected certificate. Choices include SHA1 for both RSA and DSA, RSA-SHA256, SHA384, and SHA512, as well as, ECDSA-SHA256, SHA384, and SHA512.
    Include Certificate in KeyInfo If selected, the entire public certificate is included with the assertion. Otherwise, a short hash reference to the certificate is sent.
    Include Raw Key in KeyValue If selected, the raw key is included in the KeyInfo element as well.
    Audience A unique identifier for the target web service, used for the audience element of the generated SAML token.
    Confirmation Method Choose from among available methods:
    • urn...cm:sender-vouches Default option.
    • urn...cm:bearer
    • urn...cm:holder-of-key

    For more information, see WSS SAML Token Profile.

    Encryption Certificate The web service provider's public certificate for encryption is required only if holder-of-key is selected as the confirmation method. Select a partner certificate from the list.

    If you have not yet imported the certificate from your partner, click Manage Certificates to do so. For more information, see Managing certificates from partners.

    Message Customization expression Click Show Advanced Fields to see this field.

    An OGNL expression to customize the assertion. The returned type from the expression must be an AssertionType, or the customization will be ignored.

    The available attributes are:

    • #AssertionType: org.sourceid.saml20.xmlbinding.assertion.AssertionType
    • #Attributes: org.sourceid.util.log.AttributeMap

    The following example is for SAML2. The line breaks are provided to improve readability.

    #AssertionType
      .getSubject()
      .getNameID()
      .setStringValue("JoeSAML2IDP"),
    #AssertionType

    The following example is for SAML1.1.

    #AssertionType
      .getAuthenticationStatementArray(0)
      .getSubject().getNameIdentifier()
      .setStringValue("Joe123"),
    #AssertionType

    For information about add-on generators, see SSO integration overview.

  4. Click Next.