Configuring protocol settings for IdP STS - PingFederate - 11.0

PingFederate Server


Specify the WS-Trust protocol details for web service clients related to this connection.

  1. Go to Applications > Integration > SP Connections.
  2. Click an existing connection in the SP Connection column, or click Create Connection to configure a new SP connection. The SP Connection configuration window opens.
  3. On the WS-Trust STS tab, click Configure WS-Trust STS to open the WS-Trust STS configuration window.
    Note: The WS-Trust STS tab is only available after you enable the WS-Trust role on the Connection Type tab. For more information, see Configuring SP Connections for STS.
  4. On the Protocol Settings tab, enter the URL of your partner's web service in the Partner Service Identifier field, then click Add.
    PingFederate matches this identifier against the AppliesTo element of incoming Request for Security Token (RST) messages. The identifier can be either a complete URL or a base URL; a base URL matches the variable ports or paths under it.

    Repeat this step to add additional identifiers.

  5. Select any of the following WS-Trust protocol setting options that are applicable to your use case.
    Option / Description

    OAuth Assertion Profiles: When selected, four additional token-type requests become available, based on these OAuth grant types:
    • JWT Bearer Token grant type
    • OAuth Access Token via JWT Bearer Token grant type
    • SAML 2.0 Bearer Assertion grant type
    • OAuth Access Token via SAML 2.0 Bearer Assertion grant type

    See STS OAuth integration for more information on the use of these token-type requests.

    Default Token Type: The token type the STS issues when a web service client (WSC) does not specify, in its token request, which token type it wants. The choices are:
    • SAML 2.0
    • SAML 1.1
    • SAML 1.1 for Office 365

    The default token type does not need to match the protocol selected for browser-based SSO, if that is enabled. It does not apply to the OAuth assertion profiles, because those RST messages must name the requested token type.

    Generate Key for SAML Holder of Key Subject Confirmation Method: When selected, the STS generates a symmetric key to be used with the Holder of Key (HoK) subject confirmation method of the assertion.

    For information about HoK assertions, see Web Services Security SAML Token Profile.

    This option does not apply to the OAuth assertion profiles.

    Encrypt SAML 2.0 Assertion: When selected, the STS encrypts the SAML 2.0 assertion. Applicable only to SAML 2.0 security tokens.

    This option does not apply to the OAuth assertion profiles.

  6. On the Protocol Settings tab, customize SAML messages and assertions for WS-Trust connections. Message customizations are OGNL expressions that allow you to customize the security token sent from PingFederate to the service provider (SP).
    1. Click Show Advanced Customizations.
    2. From the Message Type list, select the type of message the expression customizes, and enter the expression. The selected message type determines which message object the expression operates on and returns; it overrides the message type returned from the OGNL expression.
      The following tables describe the relationship between message type and available variables, and the corresponding class or interface information in Java.
      SP connections SAML 2.0 message types and expressions
      Message type / Available variables and classes/interfaces in Javadoc

      AssertionType
        #AssertionType     org.sourceid.saml20.xmlbinding.assertion.AssertionType
        #AssertionTypes    org.sourceid.saml20.xmlbinding.assertion.AssertionType[]
        #Attributes        org.sourceid.util.log.AttributeMap

      ResponseDocument
        #ResponseDocument  For a connection with WS-Trust v1.3: org.oasisOpen.docs.wsSx.wsTrust.x200512.RequestSecurityTokenResponseCollectionDocument
                           For a connection with WS-Trust v1.2: org.xmlsoap.schemas.ws.x2005.x02.trust.RequestSecurityTokenResponseDocument
        #Attributes        org.sourceid.util.log.AttributeMap

      SP connections SAML 1.x message types and expressions
      Message type / Available variables and classes/interfaces in Javadoc

      AssertionType
        #AssertionType     org.sourceid.protocol.saml11.xml.AssertionType
        #AssertionTypes    org.sourceid.protocol.saml11.xml.AssertionType[]
        #Attributes        org.sourceid.util.log.AttributeMap

      ResponseDocument
        #ResponseDocument  For a connection with WS-Trust v1.3: org.oasisOpen.docs.wsSx.wsTrust.x200512.RequestSecurityTokenResponseCollectionDocument
                           For a connection with WS-Trust v1.2: org.xmlsoap.schemas.ws.x2005.x02.trust.RequestSecurityTokenResponseDocument
        #Attributes        org.sourceid.util.log.AttributeMap

    • Example of an AssertionType expression for SAML 1.1. The expression is an OGNL sequence: the first part rewrites the subject's name identifier, and the trailing #AssertionType makes the modified assertion the value the expression returns.
      #AssertionType.getAuthenticationStatementArray(0).getSubject().getNameIdentifier().setStringValue("JoeSAML2IDP"),
      #AssertionType
    • Example of a ResponseDocument expression for a connection with WS-Trust v1.3. Here #ResponseDocument is a RequestSecurityTokenResponseCollectionDocument, so the first RequestSecurityTokenResponse in the collection is addressed before its Context attribute is set; the trailing #ResponseDocument returns the modified document in the same way as above.
      #ResponseDocument.getRequestSecurityTokenResponseCollection().getRequestSecurityTokenResponseArray(0).setContext('context1'),
      #ResponseDocument
    • Example of a ResponseDocument expression for a connection with WS-Trust v1.2. Here #ResponseDocument is a RequestSecurityTokenResponseDocument, which holds a single RequestSecurityTokenResponse.
      #ResponseDocument.getRequestSecurityTokenResponse().setContext('context1'),
      #ResponseDocument
  7. Click Next.
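The following Python is an added example, not PingFederate's code, modelling the STS-side decisions that steps 4 and 5 configure: matching the AppliesTo address of an incoming RST against the configured Partner Service Identifiers, issuing the Default Token Type only when the client names none, refusing an OAuth assertion-profile token type when the profiles are not enabled on the connection, and producing a WS-Trust 1.3 RSTR collection whose Context attribute is the one the ResponseDocument customizations in step 6 overwrite. The base-URL matching rule, the token-type URIs, and the sample RST are assumptions made for the illustration; the page does not specify how PingFederate compares a base URL, so the matcher below shows the stricter comparison a security engineer would want rather than PingFederate's actual algorithm.

```python
"""STS-side checks for a WS-Trust 1.3 RST under the Protocol Settings above.

Added example, not PingFederate code. The base-URL matching rule, the token-type
URIs and the constructed sample RST are assumptions made for the illustration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",  # WS-Trust 1.3
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

# WS-Security SAML Token Profile 1.1 URIs standing in for the Default Token Type choices.
SAML20 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
SAML11 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"

# Assumption: an OAuth assertion-profile request names an RFC 7522/7523 grant-type
# URN as its TokenType. PingFederate's own identifiers are not on this page.
OAUTH_PROFILE_TYPES = {
    "urn:ietf:params:oauth:grant-type:saml2-bearer",
    "urn:ietf:params:oauth:grant-type:jwt-bearer",
}


def identifier_matches(identifier, applies_to):
    """Assumed rule: a complete URL matches exactly; a base URL must agree on scheme
    and host, its port is variable only when the identifier names none, and its
    path may grow only by whole segments. A plain string prefix is avoided because
    "https://svc.example.com" would then accept "https://svc.example.com.attacker.net/"
    as well.
    """
    if identifier == applies_to:
        return True
    ident, target = urlsplit(identifier), urlsplit(applies_to)
    if ident.scheme != target.scheme or ident.hostname != target.hostname:
        return False
    if ident.port is not None and ident.port != target.port:
        return False
    base = ident.path.rstrip("/")
    return target.path == base or target.path.startswith(base + "/")


def resolve_token_type(requested, default_token_type, oauth_profiles_enabled):
    """The default applies only when the RST names no TokenType, so an OAuth
    assertion profile is never reached implicitly; it must also be enabled."""
    if requested is None:
        return default_token_type
    if requested in OAUTH_PROFILE_TYPES and not oauth_profiles_enabled:
        raise ValueError("OAuth Assertion Profiles are not enabled on this connection")
    return requested


def process_rst(rst_xml, partner_identifiers, default_token_type=SAML20,
                oauth_profiles_enabled=False):
    """Return (applies_to, token_type, context) for an RST that fits this
    connection, or raise ValueError."""
    root = ET.fromstring(rst_xml)
    addr = root.find("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", NS)
    if addr is None or not (addr.text or "").strip():
        raise ValueError("RST carries no AppliesTo address")
    applies_to = addr.text.strip()
    if not any(identifier_matches(i, applies_to) for i in partner_identifiers):
        raise ValueError("AppliesTo %s matches no Partner Service Identifier" % applies_to)
    tt = root.find("wst:TokenType", NS)
    requested = tt.text.strip() if tt is not None and tt.text else None
    token_type = resolve_token_type(requested, default_token_type, oauth_profiles_enabled)
    return applies_to, token_type, root.get("Context")


def build_rstr(context, token_type):
    """Minimal RSTR collection; its Context attribute is what the ResponseDocument
    OGNL customizations on this page overwrite with setContext."""
    ET.register_namespace("wst", NS["wst"])
    coll = ET.Element("{%s}RequestSecurityTokenResponseCollection" % NS["wst"])
    rstr = ET.SubElement(coll, "{%s}RequestSecurityTokenResponse" % NS["wst"])
    if context is not None:
        rstr.set("Context", context)
    ET.SubElement(rstr, "{%s}TokenType" % NS["wst"]).text = token_type
    return ET.tostring(coll, encoding="unicode")


# Constructed sample RST (not captured traffic); it names no TokenType.
SAMPLE_RST = """<wst:RequestSecurityToken Context="context1"
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
  <wsp:AppliesTo><wsa:EndpointReference>
    <wsa:Address>https://svc.example.com:8443/orders/v2</wsa:Address>
  </wsa:EndpointReference></wsp:AppliesTo>
</wst:RequestSecurityToken>"""

if __name__ == "__main__":
    applies_to, token_type, context = process_rst(SAMPLE_RST, ["https://svc.example.com"])
    print(build_rstr(context, token_type))
```

With the single base identifier https://svc.example.com configured, the sample RST is accepted (the port 8443 and the /orders/v2 path are the variable parts), receives the default SAML 2.0 token type because it names none, and its Context value is echoed into the RSTR. The host comparison is the part worth keeping in mind when you choose between a complete URL and a base URL in step 4: a base identifier should only ever match hosts it names exactly, never a longer hostname that happens to start with the same characters.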