For both the identity provider (IdP) and service provider (SP) roles, PingFederate employs a partner-connection configuration, which enables the association of web services authentication policies with federation partners.
For Security Token Service (STS) processing, these policies define configurations for handling WS-Trust requests and transferring identity information between security domains. For more information, see Web services standards.
Use the administrative console in an IdP role to configure the WS-Trust request-processing policy for your SP partner, including:
- The type of SAML token to create in response to an issue request from a web service client (WSC) application
- The mapping of attributes to include within the issued SAML token
- The key used to create a digital signature for the issued SAML token
Use the administrative console in an SP role to configure the WS-Trust request-processing policy for your IdP partner, including:
- Whether to validate the incoming SAML token only, or to validate the incoming token and also issue a local token
- The mapping of attributes to include in the locally issued token when applicable
- The certificate used to verify the digital signature for the incoming SAML token
- The key used to decrypt the incoming SAML token when needed
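As an added example (not PingFederate's own code or configuration), the following Python script walks through the exchange the two role descriptions above cover: the web service client builds a WS-Trust 1.3 Issue request, the STS in the IdP role checks it against a partner policy and issues a SAML 2.0 assertion carrying the mapped attributes, and the SP-side check validates issuer, audience and validity window before returning the attributes. The partner URLs, user record, attribute map and lifetime are constructed placeholders; signing the token with the connection key and verifying the signature with the partner certificate (or decrypting an encrypted token) are left out, and the comments mark where they belong.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces from the WS-Trust 1.3, WS-Policy, WS-Addressing and SAML 2.0 specifications.
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ISSUE = WST + "/Issue"
# Token type URIs from the WSS SAML Token Profile 1.1.
TOKEN_SAML2 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
TOKEN_SAML11 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"


def q(ns, tag):
    return "{%s}%s" % (ns, tag)


# Constructed IdP-side policy for one SP partner connection (hypothetical values).
IDP_POLICY = {
    "partner": "https://sp.example.test/service",          # AppliesTo address of the SP partner
    "issuer": "https://idp.example.test",
    "token_type": TOKEN_SAML2,                               # type of SAML token to issue
    "attribute_map": {"mail": "email", "uid": "username"},  # user-store attribute -> SAML attribute
    "lifetime_seconds": 300,
}


def build_rst(token_type, applies_to):
    """WSC side: build a WS-Trust RequestSecurityToken asking for an Issue."""
    rst = ET.Element(q(WST, "RequestSecurityToken"))
    ET.SubElement(rst, q(WST, "RequestType")).text = ISSUE
    ET.SubElement(rst, q(WST, "TokenType")).text = token_type
    epr = ET.SubElement(ET.SubElement(rst, q(WSP, "AppliesTo")), q(WSA, "EndpointReference"))
    ET.SubElement(epr, q(WSA, "Address")).text = applies_to
    return ET.tostring(rst, encoding="unicode")


def sts_issue(rst_xml, user, policy, now=None):
    """IdP/STS side: check the request against the partner policy, then issue a SAML 2.0 token."""
    now = now or datetime.now(timezone.utc)
    rst = ET.fromstring(rst_xml)
    if rst.findtext(q(WST, "RequestType")) != ISSUE:
        raise ValueError("only Issue requests are handled here")
    applies_to = rst.findtext(".//" + q(WSA, "Address"))
    if applies_to != policy["partner"]:
        raise ValueError("no partner connection for AppliesTo %r" % applies_to)
    token_type = rst.findtext(q(WST, "TokenType")) or policy["token_type"]
    if token_type != policy["token_type"]:
        raise ValueError("partner policy does not permit token type %r" % token_type)

    assertion = ET.Element(q(SAML, "Assertion"), Version="2.0", ID="_constructed-id-1",
                           IssueInstant=now.isoformat())
    ET.SubElement(assertion, q(SAML, "Issuer")).text = policy["issuer"]
    subject = ET.SubElement(assertion, q(SAML, "Subject"))
    ET.SubElement(subject, q(SAML, "NameID")).text = user["uid"]
    not_after = now + timedelta(seconds=policy["lifetime_seconds"])
    cond = ET.SubElement(assertion, q(SAML, "Conditions"),
                         NotBefore=now.isoformat(), NotOnOrAfter=not_after.isoformat())
    aud = ET.SubElement(cond, q(SAML, "AudienceRestriction"))
    ET.SubElement(aud, q(SAML, "Audience")).text = applies_to
    # Attribute mapping: only attributes named in the partner policy reach the token.
    stmt = ET.SubElement(assertion, q(SAML, "AttributeStatement"))
    for source_name, saml_name in policy["attribute_map"].items():
        if source_name in user:
            attr = ET.SubElement(stmt, q(SAML, "Attribute"), Name=saml_name)
            ET.SubElement(attr, q(SAML, "AttributeValue")).text = user[source_name]
    # A real STS signs the assertion here with the connection's signing key
    # (and encrypts it for the partner when the policy requires it).
    rstr = ET.Element(q(WST, "RequestSecurityTokenResponse"))
    ET.SubElement(rstr, q(WST, "TokenType")).text = token_type
    ET.SubElement(rstr, q(WST, "RequestedSecurityToken")).append(assertion)
    return ET.tostring(rstr, encoding="unicode")


def sp_validate(rstr_xml, trusted_issuer, my_audience, now=None):
    """SP side: validate issuer, audience and validity window, then return the mapped attributes.
    Signature verification with the partner certificate (and decryption) is not implemented."""
    now = now or datetime.now(timezone.utc)
    rstr = ET.fromstring(rstr_xml)
    if rstr.findtext(q(WST, "TokenType")) != TOKEN_SAML2:
        raise ValueError("unexpected token type")
    assertion = rstr.find(".//" + q(SAML, "Assertion"))
    if assertion is None:
        raise ValueError("no SAML assertion in response")
    if assertion.findtext(q(SAML, "Issuer")) != trusted_issuer:
        raise ValueError("untrusted issuer")
    cond = assertion.find(q(SAML, "Conditions"))
    not_before = datetime.fromisoformat(cond.get("NotBefore"))
    not_after = datetime.fromisoformat(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_after):
        raise ValueError("token outside its validity window")
    if my_audience not in [a.text for a in cond.iter(q(SAML, "Audience"))]:
        raise ValueError("token not intended for this service")
    attrs = {a.get("Name"): a.findtext(q(SAML, "AttributeValue"))
             for a in assertion.iter(q(SAML, "Attribute"))}
    return {"subject": assertion.findtext(".//" + q(SAML, "NameID")), "attributes": attrs}


def demo():
    """Run the full WSC -> STS -> SP exchange with a constructed user record."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    user = {"uid": "jdoe", "mail": "jdoe@example.test", "dept": "finance"}  # constructed record
    rst = build_rst(TOKEN_SAML2, IDP_POLICY["partner"])
    rstr = sts_issue(rst, user, IDP_POLICY, now)
    return sp_validate(rstr, IDP_POLICY["issuer"], IDP_POLICY["partner"], now + timedelta(seconds=10))


if __name__ == "__main__":
    print(demo())
```

Note that `dept` never appears in the issued token because the partner's attribute map does not name it, and a request for a SAML 1.1 token is refused because the constructed policy only permits SAML 2.0; both checks mirror the per-partner decisions the IdP role settings above describe.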