Choosing an IdP connection type - PingFederate - 11.0

PingFederate Server

bundle
pingfederate-110
ft:publication_title
PingFederate Server
Product_Version_ce
PingFederate 11.0
category
Product
pf-110
pingfederate
ContentType_ce

You can use the administrative console to choose an identity provider (IdP) connection type.

You can indicate on the Connection Type tab whether the connection to this partner is for browser single sign-on (SSO), WS-Trust security token service (STS), OAuth, SAML, inbound provisioning, or a combination of them.

Note:

You can add STS, OAuth, and outbound provisioning support to any existing SSO connection, or vice versa, at any time. However, when OpenID Connect is the chosen protocol for browser SSO, the other types become unavailable.

Select the applicable protocol on the Connection Type tab when establishing a new connection.
Note:

If your partner's deployment also supports multiple protocols and you intend to communicate using more than one, you must set up a separate connection for each protocol. Each connection must use a unique partner connection ID.

  • On the Connection Type tab, indicate the desired type of connection to your partner.
    ChoiceAction
    Configure a connection for secure browser-based SSO

    PingFederate[pingfed]

    Select the Browser SSO Profiles check box and a protocol from the list, if necessary.
    Configure an STS connection Select the WS-Trust STS check box and the default token type from the list.
    Configure a connection that exchanges SAML assertions or JSON web tokens (JWTs) for access tokens Select the OAuth Assertion Grant check box.
    Note:

    The OAuth Assertion Grant option is available only if at least one Access Token Manager instance has been configured on the Applications > OAuth > Access Token Management window

    For more information about these standards, see Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants and JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants.

    Configure an inbound provisioning connection Select the Inbound Provisioning check box and choose to support provisioning of users only (User Support) or users and groups (User and Group Support). For groups, nested group membership, if any, is preserved.
  • Optional: If your PingFederate license manages connections by groups, you can select a group for this connection.
    This option is not displayed for unrestricted or other types of licenses.