You can configure PingFederate to require that client applications provide credentials to access the STS.
Note:
You can configure STS authentication either to apply globally, to all token formats and to all IdP and service provider (SP) partner connections or token-to-token mappings, or, using more fine-grained controls, to apply at the connection level through issuance criteria.