To configure OAuth token exchange, see the included topic links to perform the necessary steps.

Tip:

Temporary AWS security credentials are security token service (STS) tokens. To exchange inbound STS tokens, use PingFederate's SAML 2.0 token processor and the configured SAML 2.0 token processor policy in the token exchange processor policy instance. The details depend on your requirements.

  1. Define token exchange processor policies to handle incoming token exchange requests. See Defining token exchange processor policies.
  2. If you need token generator instances to generate the requested tokens, complete the following tasks.
    1. Configure the token generator instances. See Managing token generators.
    2. Create token exchange generator groups. See Creating token exchange generator groups.
    3. Map the attributes from the token exchange processor policies to the attributes from the token generator instances. See Mapping token exchange attributes to token generator attributes.
  3. Access token managers to generate the requested tokens.
    1. Configure the access token manager instances. See Managing access token management instances.
    2. Map the attributes from the token exchange processor policies to the attributes from the access token manager instances. See Mapping token exchange attributes to access token manager attributes.
  4. Enable token exchange in the OAuth clients that will send the token exchange requests to the authorization server. See Enabling token exchange in OAuth clients.