Choosing a decryption key (SAML 2.0) - PingFederate - 11.3

PingFederate Server
bundle
pingfederate-113
ft:publication_title
PingFederate Server
Product_Version_ce
PingFederate 11.3 (Latest)
category
Administrator
Administratorguide
Audience
Capability
ContentType
DeploymentMethod
Guide
Product
Productdocumentation
SingleSignonSSO
Software
SystemAdministrator
pf-113
pingfederate
ContentType_ce
Guide > Administrator Guide
Product documentation
Guide
  • PingFederate
  • Release Notes
  • PingFederate 11.3.1 (August 2023)
  • PingFederate 11.3 (June 2023)
  • PingFederate 11.2.7 (August 2023)
  • PingFederate 11.2.6 (June 2023)
  • PingFederate 11.2.5 (May 2023)
  • PingFederate 11.2.4 (March 2023)
  • PingFederate 11.2.3 (February 2023)
  • PingFederate 11.2.2 (February 2023)
  • PingFederate 11.2.1 (February 2023)
  • PingFederate 11.2 (December 2022)
  • PingFederate 11.1.8 (August 2023)
  • PingFederate 11.1.7 (May 2023)
  • PingFederate 11.1.6 (February 2023)
  • PingFederate 11.1.5 (February 2023)
  • PingFederate 11.1.4 (February 2023)
  • PingFederate 11.1.3 (December 2022)
  • PingFederate 11.1.2 (October 2022)
  • PingFederate 11.1.1 (July 2022)
  • PingFederate 11.1 (June 2022)
  • PingFederate 11.0.8 (August 2023)
  • PingFederate 11.0.7 (February 2023)
  • PingFederate 11.0.6 (February 2023)
  • PingFederate 11.0.5 (October 2022)
  • PingFederate 11.0.4 (August 2022)
  • PingFederate 11.0.3 (May 2022)
  • PingFederate 11.0.2 (March 2022)
  • PingFederate 11.0.1 (January 2022)
  • PingFederate 11.0 (December 2021)
  • Previous releases
  • Introduction to PingFederate
  • About identity federation and SSO
  • Service providers and identity providers
  • Federation hub
  • Supported standards
  • Federation roles
  • Terminology
  • Browser-based SSO
  • SAML 1.x profiles
  • SSO—Browser-POST
  • SSO—Browser-Artifact
  • SP-initiated (destination-first) SSO
  • SAML 2.0 profiles
  • Single sign-on
  • SP-initiated SSO—POST-POST
  • SP-initiated SSO—Redirect-POST
  • SP-initiated SSO—Artifact-POST
  • SP-initiated SSO—POST-Artifact
  • SP-initiated SSO—Redirect-Artifact
  • SP-initiated SSO—Artifact-Artifact
  • IdP-initiated SSO—POST
  • IdP-initiated SSO—Artifact
  • Single logout
  • Attribute Query and XASP
  • Standard IdP Discovery
  • WS-Federation
  • About account linking
  • Web services standards
  • Web Services Security
  • WS-Trust
  • Request types
  • OAuth 2.0
  • Web redirect flow
  • Device authorization grant
  • CIBA grant
  • CIBA by poll
  • CIBA by ping
  • Token exchange grant
  • Assertion grant profile for OAuth 2.0 authorization grants
  • OpenID Connect support
  • Client management
  • System for Cross-domain Identity Management (SCIM)
  • Transport and message security
  • Integration overview
  • Bundled adapters and authenticators
  • Additional integrations
  • SSO integration concepts
  • Identity provider integration
  • Service provider integration
  • Security token service
  • OAuth authorization server
  • User account management
  • Enterprise deployment features
  • Additional features
  • Key concepts
  • WS-Trust STS
  • Connection-based policy
  • Token processors and generators
  • WSC and WSP support
  • STS OAuth integration
  • About OAuth
  • Delegated access types
  • Token models and management
  • Grant types
  • Scopes
  • Consent approval
  • Client management and storage
  • Client authentication schemes
  • Dynamic client registration
  • Transient grants and persistent grants
  • Grant storage and management
  • Mapping OAuth attributes
  • OAuth user-facing windows
  • OpenID Connect
  • CORS support for OAuth endpoints
  • Bundled adapters and authenticators
  • Security infrastructure
  • Digital signatures
  • Message signing
  • Certificate validation
  • Digital signing policy coordination
  • Secure sockets layer
  • Encryption
  • Hierarchical plugin configurations
  • Identity mapping
  • Account linking
  • Account mapping
  • User attributes
  • Attribute contracts
  • Adapter contracts
  • STS token contracts
  • Datastores
  • Attribute masking
  • Token authorization
  • User provisioning
  • Outbound provisioning for IdPs
  • Provisioning for SPs
  • Customer identity and access management
  • Federation hub use cases
  • Bridging an IdP to an SP
  • Bridging an IdP to multiple SPs
  • Bridging multiple IdPs to an SP
  • Bridging multiple IdPs to multiple SPs
  • Federation hub and authentication policy contracts
  • Federation hub and virtual server IDs
  • Federation planning checklist
  • Multiple virtual server IDs
  • Configuration data exchange
  • Installing and uninstalling PingFederate
  • System requirements
  • Compatible database drivers
  • Port requirements
  • Installing Java
  • Installing PingFederate 11.3
  • Uninstalling PingFederate
  • Upgrading PingFederate
  • Downloading PingFederate
  • Preparing to upgrade PingFederate
  • Upgrade considerations
  • Upgrade considerations introduced in PingFederate 10.x
  • Upgrade considerations introduced in PingFederate 9.x
  • Upgrade considerations introduced in PingFederate 8.x
  • Upgrade considerations introduced in PingFederate 7.x
  • Upgrade considerations introduced in PingFederate 6.x
  • Upgrading PingFederate installations
  • Custom mode in the Upgrade Utility
  • Post-upgrade tasks
  • Reviewing administrative users
  • Copying customized files or settings
  • User-facing windows
  • Email notifications
  • Jetty or JBoss configuration
  • The size-limits.conf file
  • Cross-origin resource sharing (CORS) support for OAuth endpoints
  • Configuration files in the config-store directory
  • Other configuration files
  • Reviewing database changes
  • Provisioning datastore reset
  • Enabling security enhancement in JDBC datastore queries
  • An improved index in the database table for OAuth clients
  • Logging configurations
  • Merging custom logging configurations
  • Migrating other components
  • Updating the custom authentication selector
  • Migrating to the integrated LDAP Username PCV
  • Migrating to the integrated Username Token Processor
  • Resetting files and variable for HSM
  • Verifying the new installation
  • Updating to the latest maintenance release
  • Getting Started with PingFederate
  • Starting and stopping PingFederate
  • Opening the PingFederate administrative console
  • Setting up PingFederate
  • PingFederate administrative console
  • Navigation tabs and menus
  • Customizing shortcuts
  • Tasks and steps
  • Console buttons
  • Third-party cryptographic solutions
  • Supported hardware security modules
  • Integrating with AWS CloudHSM
  • AWS CloudHSM operational notes
  • Integrating with Thales Luna Network HSM
  • SafeNet Luna Network HSM operational notes
  • Integrating with Entrust nShield Connect HSM
  • nShield Connect HSM operational notes
  • Supported software security package
  • Bouncy Castle FIPS provider
  • Integrating Bouncy Castle FIPS providers
  • Bouncy Castle operational notes
  • Server Clustering Guide
  • Overview of clustering
  • Cluster protocol architecture
  • Runtime state-management architectures
  • Adaptive clustering
  • Multi-region support
  • Configuring multi-region support
  • Directed clustering
  • Sharing all nodes
  • Designating state servers
  • Defining subclusters
  • Runtime state-management services
  • Inter-Request State-Management (IRSM) Service
  • IdP Session Registry Service
  • SP Session Registry Service
  • LRU memory management schemes
  • Assertion Replay Prevention Service
  • Artifact-Message Persistence and Retrieval Service
  • Back-Channel Session Revocation Service
  • Account Locking Service
  • Other services
  • Deploying cluster servers
  • Dynamic cluster discovery
  • Enabling dynamic discovery for clustering
  • Migrating cluster discovery settings
  • Deploying provisioning failover
  • Configuration synchronization
  • Console configuration push
  • Configuration-archive deployment
  • Administrator's Reference Guide
  • Attribute mapping expressions
  • Enabling and disabling expressions
  • Construct OGNL expressions
  • Sample OGNL expressions
  • Issuance criteria and multiple virtual server IDs
  • Expressions for OAuth and OpenID Connect uses cases
  • Using the OGNL edit window
  • Authentication policies
  • Selectors
  • Managing authentication selector instances
  • Choosing a selector type
  • Configuring an authentication selector instance
  • Configuring the CIDR Authentication Selector
  • Configuring the Cluster Node Authentication Selector
  • Configuring the Connection Set Authentication Selector
  • Configuring the Extended Property Authentication Selector
  • Configuring the HTTP Header Authentication Selector
  • Configuring the HTTP Request Parameter Authentication Selector
  • Configuring the OAuth Client Set Authentication Selector
  • Configuring the OAuth Scope Authentication Selector
  • Configuring the Requested AuthN Context Authentication Selector
  • Configuring the Session Authentication Selector
  • Configuring a sample use case
  • Policies
  • Defining authentication policies
  • Specifying incoming user IDs
  • Configuring rules in authentication policies
  • Defining authentication policies based on group membership information
  • Applying policy contracts or identity profiles to authentication policies
  • Configuring contract mapping
  • Configuring local identity mapping
  • Defining issuance criteria for contract or local identity mapping
  • Mapping a policy contract to multiple use cases
  • SP authentication policies
  • Configuring an SP authentication policy for users from one IdP
  • Configuring SP authentication policies for users from multiple IdPs
  • Configuring SP authentication policies for internal users
  • Policy fragments
  • Defining policy fragments
  • Policy contracts
  • Managing policy contracts
  • Editing contract information
  • Defining contract attributes
  • Reviewing the policy contract
  • Special attribute names in contracts
  • Adapter Mappings
  • Configuring authentication policy adapter mappings
  • Defining issuance criteria for adapter mapping
  • Sessions
  • Configuring tracking options for logout
  • Configuring application sessions
  • Configuring authentication sessions
  • Bundled adapters
  • Composite Adapter
  • Configuring a Composite Adapter instance
  • HTML Form Adapter
  • Configuring an HTML Form Adapter instance
  • HTML Form Adapter advanced fields
  • HTTP Basic Adapter
  • Configuring an HTTP Basic Adapter instance
  • Identifier First Adapter
  • Configuring an Identifier First Adapter instance
  • Identifier First Adapter and authentication policies
  • Configuring a policy for multiple user populations
  • Kerberos Adapter
  • Authentication mechanism assurance
  • Configuring a Kerberos Adapter instance for SSO authentication
  • Configuring browsers for Kerberos authentication
  • OpenToken Adapter
  • Configuring an OpenToken IdP Adapter instance
  • Configuring an OpenToken SP Adapter instance
  • Configuring a Passthrough IdP Adapter
  • Configuring a Reference ID Adapter
  • Configuring an X.509 Certificate IdP Adapter
  • Customer IAM configuration
  • Setting up PingDirectory for customer identities
  • Managing local identity profiles
  • Configuring local identity profiles
  • Defining authentication sources
  • Configuring local identity fields
  • Configuring email ownership verification options
  • Configuring registration options
  • Configuring profile management options
  • Managing datastore configuration
  • Selecting a datastore for customer identities
  • Configuring LDAP base DN and attributes
  • Configuring LDAP relative DN and object class
  • Defining datastore mapping configuration
  • Reviewing datastore configuration
  • Reviewing a local identity profile
  • Configuring the HTML Form Adapter for customer identities
  • Setting up self-service registration
  • Enabling third-party identity providers
  • Enabling profile management
  • Creating advanced registration mapping
  • Enabling third-party identity providers without registration
  • Customizing assertions and authentication requests
  • Message types and available variables
  • Sample customizations
  • Fulfillment by datastore queries
  • Attribute mapping with multiple data sources
  • Datastore query configuration
  • Choosing a datastore
  • Specifying database tables and columns
  • Entering a database search filter
  • Specifying directory properties and attributes
  • Defining encoding for binary attributes
  • Entering a directory search filter
  • Specifying data source filters and fields
  • Specifying data source filters for REST API datastores
  • Specifying a dynamic authorization header for a REST API datastore
  • Specifying filters and fields for a custom datastore
  • Specifying filters and fields for an AWS DynamoDB datastore
  • Configuring failsafe options
  • Reviewing datastore query configurations
  • IdP-to-SP bridging
  • Adapter-to-adapter mappings
  • Managing mappings
  • Assigning a license group
  • Identifying the target application
  • Configuring attribute sources and user lookup for adapter-to-adapter mappings
  • Configuring target application information
  • Configuring contract fulfillment for adapter-to-adapter mappings
  • Configuring a default target URL (optional)
  • Defining issuance criteria for adapter-to-adapter mappings
  • Reviewing the adapter-to-adapter mapping
  • Token translator mappings
  • Managing token mappings
  • Configuring attribute sources and user lookup for token mapping
  • Configuring contract fulfillment for token exchange mapping
  • Defining issuance criteria for token translator mapping
  • Reviewing the token exchange mapping
  • Identity provider SSO configuration
  • IdP application integration settings
  • Managing IdP adapters
  • Creating an IdP adapter instance
  • Configuring an IdP adapter instance
  • Invoking IdP adapter actions
  • Extending an IdP adapter contract
  • Setting pseudonym and masking options
  • Defining the IdP adapter contract
  • Defining attribute sources and user lookup
  • Configuring IdP adapter contract fulfillment
  • Defining issuance criteria for IdP adapter contract
  • Reviewing an IdP adapter contract
  • Reviewing and saving an IdP adapter configuration
  • Authentication applications and the authentication API
  • Managing authentication applications
  • Configuring authentication applications
  • Configuring a default URL and error message
  • Viewing IdP application endpoints
  • IdP protocol endpoints
  • SP connection management
  • Accessing SP connections
  • Resolving SP connection errors
  • Importing a connection
  • Updating a SAML connection using metadata
  • Choosing an SP connection template
  • Choosing an SP connection type
  • Choosing SP connection options
  • Importing SP metadata
  • Identifying the SP
  • Populating extended property values for SP connections
  • Configure IdP Browser SSO
  • Choosing SAML 2.0 profiles
  • Setting an SSO token lifetime
  • Configuring SSO token creation
  • Choosing an identity mapping method for IdP SSO
  • Selecting a SAML Name ID type
  • Selecting a WS-Federation Name ID type
  • Setting up an attribute contract
  • Managing authentication source mappings
  • Mapping an adapter instance
  • Mapping an authentication policy
  • Overriding an IdP adapter instance
  • Restricting an authentication source to certain virtual server IDs
  • Selecting an attribute mapping method
  • Configuring default contract fulfillment for IdP Browser SSO
  • Defining issuance criteria for IdP Browser SSO
  • Configuring attribute sources and user lookup
  • Configuring contract fulfillment for IdP Browser SSO
  • Reviewing the authentication source mapping
  • Reviewing the SSO token creation summary
  • Configuring protocol settings
  • Setting Assertion Consumer Service URLs (SAML)
  • Setting a default target URL (SAML 1.x)
  • Specifying the WS-Trust version
  • Defining a service URL (WS-Federation)
  • Specifying SLO service URLs (SAML 2.0)
  • Choosing allowable SAML bindings (SAML 2.0)
  • Setting an artifact lifetime (SAML)
  • Specifying artifact resolver locations (SAML 2.0)
  • Defining signature policy (SAML)
  • Configuring XML encryption policy (SAML 2.0)
  • Reviewing protocol settings
  • Reviewing browser-based SSO settings
  • Configuring the Attribute Query profile in an SP connection
  • Defining retrievable attributes
  • Configuring attribute lookup
  • Choosing a datastore for Attribute Query
  • Configuring mapping fulfillment for Attribute Query
  • Defining issuance criteria for Attribute Query
  • Specifying security policy
  • Reviewing the Attribute Query configuration
  • Configuring credentials
  • Configuring back-channel authentication (SAML)
  • Configuring authentication requirements for outbound messages
  • Configuring authentication requirements for inbound messages
  • Configuring digital signatures for service provider connections
  • Configuring signature verification settings (SAML 2.0)
  • Selecting an encryption certificate
  • Selecting a decryption key (SAML 2.0)
  • Reviewing SP credential settings
  • Configuring outbound provisioning
  • Defining a provisioning target
  • Specifying custom SCIM attributes
  • Managing channels
  • Specifying channel information
  • Identifying the source datastore
  • Modifying source settings
  • Specifying a source location
  • Mapping attributes
  • Specifying mapping details
  • Defining mapping information for a standard attribute
  • Defining mapping information for a custom attribute
  • Reviewing channel settings
  • Reviewing SP connection settings
  • SP affiliations
  • Managing SP affiliations
  • Importing affiliation metadata
  • Entering affiliation information
  • Managing affiliation membership
  • Reviewing an SP affiliation
  • OAuth configuration
  • Configuring OAuth use cases
  • Configuring authorization server settings
  • External consent user interface
  • Scopes and scope management
  • Defining scopes
  • Adding virtual issuers for OpenID Connect
  • Configuring client settings
  • Configuring dynamic client registration settings
  • Supported client metadata
  • Configuring scope constraints
  • Managing client configuration defaults
  • Selecting client registration policies
  • Reviewing client settings
  • Managing Client Registration Policy instances
  • Configuring a Client Registration Policy instance
  • Configuring a Response Type Constraints instance
  • Managing OAuth clients
  • Configuring OAuth clients
  • Grant contract mapping
  • Managing IdP adapter grant mapping
  • Configuring IdP adapter attribute sources and user lookup
  • Fulfilling IdP adapter grant mapping
  • Defining issuance criteria for OAuth IdP adapter mapping
  • Reviewing the IdP adapter mapping
  • Configuring IdP connection grant mapping
  • Choosing an OAuth datastore
  • Fulfilling OAuth attribute mapping
  • Defining issuance criteria for OAuth attribute mapping
  • Reviewing the OAuth attribute mapping summary
  • Managing authentication policy contract grant mapping
  • Configuring policy contract attribute sources and user lookup
  • Fulfilling policy contract grant mapping
  • Defining issuance criteria for policy contract mapping
  • Reviewing authentication policy contract mapping
  • Managing resource owner credentials grant mapping
  • Configuring resource owner attribute sources and user lookup
  • Fulfilling resource owner credentials grant mapping
  • Defining issuance criteria for resource-owner credentials mapping
  • Reviewing the resource owner credentials mapping
  • Token mapping
  • Access token management
  • Managing access token management instances
  • Defining an access token management instance
  • Configuring an access token management instance
  • Managing session validation settings
  • Defining the access token attribute contract
  • Managing resource URIs
  • Defining access control
  • Reviewing the access token management configuration
  • Managing access token mappings
  • Configuring access token attribute sources and user lookup
  • Configuring access token fulfillment
  • Defining issuance criteria for access token mapping
  • Reviewing the access token mapping
  • Configuring an OAuth assertion grant IdP connection
  • Defining an attribute contract for the OAuth assertion grant
  • Configuring access token manager mappings
  • Selecting an access token manager instance
  • Configuring a datastore for OAuth assertion grant attribute mapping
  • Configuring OAuth assertion grant contract fulfillment
  • Defining issuance criteria for OAuth assertion grants
  • Reviewing OAuth assertion grant attribute mapping configuration
  • Reviewing OAuth assertion grant configuration
  • Configuring OpenID Connect policies
  • Configuring policy and ID token settings
  • Configuring the policy attribute contract
  • Configuring attribute scopes
  • Configuring policy attribute sources and user lookup
  • Configuring ID token fulfillment
  • Defining issuance criteria for policy mapping
  • Reviewing your OpenID Connect policy
  • Client Initiated Backchannel Authentication (CIBA)
  • Managing CIBA authenticators
  • Configuring a CIBA authenticator instance
  • Managing CIBA request policies
  • Defining a request policy
  • Configuring identity hint contract
  • Configuring identity hint contract fulfillment
  • Configuring attribute sources and user lookup
  • Fulfilling identity hint contract
  • Defining issuance criteria for identity hint contract
  • Reviewing identity hint contract fulfillment
  • Configuring attribute sources and user lookup for request policy contract
  • Configuring request policy contract fulfillment
  • Defining issuance criteria for CIBA request policy
  • Reviewing your CIBA request policy
  • OAuth attribute mapping using a datastore
  • OAuth client session management
  • Asynchronous Front-Channel Logout
  • Back-Channel Session Revocation
  • OAuth token exchange
  • Configuring OAuth token exchange
  • Defining token exchange processor policies
  • Creating token exchange generator groups
  • Mapping token exchange attributes to token generator attributes
  • Mapping token exchange attributes to access token manager attributes
  • Enabling token exchange in OAuth clients
  • OAuth rich authorization requests
  • Configuring support for OAuth rich authorization requests
  • Configuring authorization detail processors
  • Configuring authorization detail types
  • Security management
  • Certificate and key management
  • Manage trusted certificate authorities
  • Importing trusted certificate authorities
  • Exporting trusted certificate authorities
  • Reviewing trusted certificate authorities
  • Removing trusted certificate authorities
  • Manage SSL server certificates
  • Creating a new certificate
  • Importing a certificate and its private key
  • Creating a certificate-authority signing request (CSR)
  • Importing a certificate-authority response (CSR response)
  • Exporting a certificate
  • Reviewing a certificate
  • Activating or deactivating a certificate
  • Removing a certificate
  • Manage SSL client keys and certificates
  • Creating new certificates
  • Importing certificates and their private keys
  • Creating a certificate signing request (CSR)
  • Importing a certificate-authority response (CSR response)
  • Exporting certificates
  • Reviewing certificates
  • Removing certificates
  • Manage digital signing certificates and decryption keys
  • Certificate rotation
  • Connection and federation metadata
  • Managing certificate rotation settings
  • Managed SP connection to PingOne for Enterprise and signing certificate
  • Creating new certificates
  • Importing certificates and their private keys
  • Creating a certificate signing request (CSR)
  • Importing a certificate-authority response (CSR response)
  • Exporting certificates
  • Reviewing certificates
  • Reviewing a certificate's usage
  • Removing certificates
  • Keys for OAuth and OpenID Connect
  • JSON Web Keys endpoint
  • Configuring static signing keys
  • Configuring static decryption keys
  • Mapping ID token signing keys to virtual issuers
  • Managing certificates from partners
  • Signature verification
  • Encryption
  • Back-channel authentication
  • Configuring certificate revocation
  • Transitioning to an HSM
  • Manage Partner metadata URLs
  • Adding a new metadata URL
  • Updating an existing metadata URL
  • Reviewing a metadata URL usage
  • Removing a metadata URL
  • Rotating system keys
  • Managing configuration encryption keys
  • Rotating configuration encryption keys
  • Re-encrypting sensitive information with configuration encryption keys
  • Deleting unused configuration encryption keys
  • System integration
  • Configuring redirect validation
  • Managing partner redirect validation
  • Configuring incoming proxy settings
  • Configuring service authentication
  • Account lockout protection
  • Configuring account lockout protection
  • Password spraying prevention
  • Configuring password spraying prevention
  • Implementing a MasterKeyEncryptor using AWS KMS
  • Self-service user account management
  • Configuring self-service password management
  • Configuring self-service account recovery
  • Configuring self-service user name recovery
  • Service provider SSO configuration
  • SP application integration settings
  • Managing SP adapters
  • Creating an SP adapter instance
  • Configuring an SP adapter instance
  • Invoking SP adapter actions
  • Extending an SP adapter contract
  • Identifying the target application
  • Reviewing an SP adapter configuration
  • Configuring target URL mapping
  • Configuring Identity Store Provisioners
  • Creating an Identity Store Provisioner instance
  • Defining the Identity Store Provisioner behavior
  • Extending the Identity Store Provisioner contract
  • Extending the Identity Store Provisioner contract for groups
  • Reviewing the Identity Store Provisioner configuration
  • Configuring default URLs
  • Viewing SP application endpoints
  • Federation settings
  • Managing attribute requester mappings
  • Viewing SP protocol endpoints
  • Managing IdP connections
  • Accessing IdP connections
  • Resolving IdP connection errors
  • Choosing an IdP connection type
  • Choosing IdP connection options
  • Importing IdP metadata
  • Identifying the partner
  • Populating extended property values for IdP connections
  • Defining additional issuers
  • Configure SP Browser SSO
  • Selecting SAML profiles
  • Configuring user-session creation
  • Choosing an identity mapping method for SP SSO
  • Defining an attribute contract
  • Managing target session mappings
  • Selecting a target session
  • Overriding an SP adapter instance
  • Restricting a target session to certain virtual server IDs
  • Choosing an attribute mapping method
  • Configuring target session fulfillment
  • Defining issuance criteria for SP Browser SSO
  • Reviewing the target session mapping
  • Reviewing the session creation summary
  • Configuring protocol settings
  • Specifying SSO service URLs (SAML)
  • Specifying a service URL (WS-Federation)
  • Defining SLO service URLs (SAML 2.0)
  • Selecting allowable SAML bindings (SAML)
  • Specifying an artifact lifetime (SAML 2.0)
  • Defining artifact resolver locations (SAML)
  • Configuring OpenID Provider information
  • Configuring default target URLs
  • Overriding authentication context in an IdP connection
  • Configuring signature policy
  • Specifying XML encryption policy (for SAML 2.0)
  • Reviewing protocol settings for SP browser SSO
  • Reviewing Browser SSO settings
  • Manage the Attribute Query profile in an IdP connection
  • Setting the Attribute Authority Service URL
  • Mapping attribute names for Attribute Query
  • Configuring security policy for Attribute Query
  • Reviewing the Attribute Query settings
  • Configuring just-in-time provisioning
  • Selecting attribute sources (SAML 2.0)
  • Identifying the user repository
  • Specifying an LDAP user-record location
  • Entering an LDAP filter
  • Identifying provisioning attributes for LDAP
  • Choosing a SQL method
  • Specifying a database user-record location
  • Specifying a unique ID database column
  • Specifying a stored procedure location
  • Mapping attributes to a user account
  • Choosing an event trigger
  • Configuring an error handling method
  • Reviewing the JIT provisioning configuration
  • Configuring SCIM inbound provisioning
  • Specifying the user repository
  • Identifying an LDAP user-record location
  • Defining a unique user ID
  • Defining a unique group ID
  • Defining custom SCIM attributes
  • Configuring custom SCIM attribute options
  • Writing user information to the datastore
  • Identifying inbound provisioning attributes for LDAP
  • Mapping attributes to user accounts
  • Reviewing user mapping (Write Users) configuration
  • Configuring a SCIM response
  • Identifying expected user attributes for the SCIM response
  • Identifying LDAP attributes for the SCIM response
  • Mapping attributes into the SCIM response
  • Reviewing SCIM response (Read Users) configuration
  • Configuring the handling of SCIM delete requests
  • Writing group information to the datastore
  • Identifying inbound provisioning group attributes for LDAP
  • Mapping attributes to groups
  • Reviewing group mapping (Write Groups) configuration
  • Configuring a SCIM response for groups
  • Identifying expected group attributes for the SCIM response
  • Identifying LDAP group attributes for the SCIM response
  • Mapping group attributes into SCIM response
  • Reviewing SCIM response for groups (Read Groups) configuration
  • Reviewing the inbound provisioning configuration
  • Configuring security credentials
  • IdP connection management
  • Configuring back-channel authentication for outbound messages
  • Configuring back-channel authentication for inbound messages
  • Configuring digital signatures for identity provider connections
  • Managing signature verification settings
  • Choosing an encryption certificate (SAML 2.0)
  • Choosing a decryption key (SAML 2.0)
  • Reviewing IdP credential settings
  • Reviewing an IdP connection
  • OpenID Connect Relying Party support
  • Creating an OpenID Connect IdP connection
  • Configuring request parameters and SSO URLs
  • Query parameters versus request object
  • Configuring IdP discovery using a persistent cookie
  • System administration
  • Configuring PingFederate properties
  • Overriding configuration settings using environment variables
  • Configuring size limits
  • PingFederate log files
  • Log4j 2 logging service and configuration
  • HTTP request logging
  • Administrator audit logging
  • API audit logging
  • Administrative API audit log
  • Runtime APIs audit log
  • Runtime transaction logging
  • Security audit logging
  • Outbound provisioning audit logging
  • Server logging
  • Server log filter
  • Logging in other formats
  • Writing logs to databases
  • Logging in Common Event Format
  • Writing audit log in CEF
  • Writing provisioner audit log in CEF
  • Writing audit logs for Splunk
  • Alternative console authentication
  • Enabling OIDC-based authentication
  • Enabling LDAP authentication
  • Enabling RADIUS authentication
  • Multi-factor console authentication using PingID
  • Solution overview
  • Configuring your PingID account
  • Creating an LDAP Username Password Credential Validator instance
  • Configuring a PingID Password Credential Validator instance
  • Configuring PingFederate to use RADIUS authentication
  • Verifying your setup
  • Enabling certificate-based authentication
  • Configuring automatic connection validation
  • Automating configuration migration
  • Copying the key from the source to the target server
  • Administrative console migration
  • Using the migration tool
  • Outbound provisioning CLI
  • Customizable user-facing pages
  • IdP user-facing pages
  • SP user-facing pages
  • Either IdP or SP user-facing pages
  • OAuth user-facing pages
  • Customizable email notifications
  • Local administrative account management events
  • Certificate events
  • SAML metadata update events
  • Licensing events
  • HTML Form Adapter events
  • Customizable text message
  • Localizing messages for end users
  • Locale overrides by cookies
  • Retrieval of localized messages
  • Configuring a password policy
  • Managing cipher suites
  • Manage externally stored authentication sessions
  • Managing authentication sessions stored in the database
  • Managing authentication sessions stored in PingDirectory
  • OAuth persistent grants cleanup
  • Managing expired persistent grants
  • Managing expired persistent grants in PingDirectory
  • Managing cleanup of persistent grants
  • Specifying the domain of the PF cookie
  • Specifying the domain of the PF.PERSISTENT cookie
  • Extending the lifetime of the PingFederate cookie
  • Configuring forward proxy server settings
  • Adding custom HTTP response headers
  • Configuring validation for the AudienceRestriction element
  • Customizing the OpenID Provider configuration endpoint response
  • Customizing the heartbeat message
  • Customizing the favicon for application and protocol endpoints
  • Configuring the behavior of searching multiple datastores with one mapping
  • Signing algorithms
  • System settings
  • Server
  • Protocol settings
  • Specifying federation information
  • Configuring WS-Trust settings
  • Configuring outbound provisioning settings
  • Configuring standard IdP Discovery
  • Reviewing protocol settings
  • Administrative accounts
  • Enabling native authentication for the administrative console
  • Managing local accounts and role assignments
  • Enabling notification messages for account management events
  • Setting or resetting passwords
  • Changing passwords
  • Configuring OIDC SSO to PingFederate from an external IdP
  • Mapping the policy contract for grant fulfillment
  • Configuring an access token manager
  • Configuring access token mapping
  • Creating the OIDC policy
  • Creating the client
  • Creating an OAuth Set Authentication selector
  • Creating an authentication policy
  • Exporting the signing certificate
  • Importing the certificate to trusted CAs
  • Configuring properties files
  • License management
  • Reviewing license information
  • Requesting a new license key
  • Installing a license key on a new or upgraded PingFederate server
  • Installing a replacement license key
  • Configuring notification for licensing events
  • Configuration archive
  • Configuring a backup schedule
  • Exporting an archive
  • Importing and deploying administrative console configuration data
  • Cluster management
  • Replicating configurations
  • Virtual host names
  • Configuring virtual host names
  • Extended properties
  • Defining extended properties
  • Log settings
  • Removing the Log Settings window
  • General settings
  • Metadata
  • Metadata settings
  • Entering system information
  • Configuring metadata signing
  • Configuring metadata lifetime
  • Reviewing metadata settings
  • Metadata export
  • Exporting connection-specific SAML metadata
  • Exporting selected SAML metadata
  • File signing
  • Signing XML files
  • Monitoring and notifications
  • Runtime notifications
  • Configuring runtime notifications
  • Datastores
  • Adding a new datastore
  • Configuring a PingOne LDAP Gateway datastore
  • Configuring a JDBC connection
  • Configuring an LDAP connection
  • Setting advanced LDAP options
  • Proxied authorization
  • Allowing PingFederate to unlock PingDirectory accounts
  • Configuring the password validation details request control ACI
  • Defining a custom LDAP type for outbound provisioning
  • Configuring other types of datastores
  • Configuring a REST API datastore
  • Configuring a custom datastore
  • Configuring an AWS DynamoDB datastore
  • Defining a datastore for persistent authentication sessions
  • Configuring an external database for authentication sessions
  • Configuring PingDirectory for authentication sessions
  • Configuring an AWS DynamoDB for persistent authentication sessions
  • Using custom solutions for persistent session storage
  • OAuth grant datastores
  • Configuring external databases for grant storage
  • Configuring directories for grant storage
  • Indexing grant attributes in PingDirectory
  • Using custom solutions for grant storage
  • Configuring an Amazon Dynamo database for persistent grants
  • OAuth client datastores
  • Configuring external databases for client storage
  • Configuring an Amazon DynamoDB for client storage
  • Configuring directories for client storage
  • Indexing client attributes in PingDirectory
  • Using custom solutions for client storage
  • Account-linking datastores
  • Configuring external databases for account-link storage
  • Configuring directories for account-link storage
  • Password Credential Validators
  • Choosing a Password Credential Validator
  • Password Credential Validator instance configurations
  • Configuring the LDAP Username Password Credential Validator
  • Configuring the PingOne for Enterprise Directory Password Credential Validator
  • Configuring the RADIUS Username Password Credential Validator
  • Configuring the Simple Username Password Credential Validator
  • Extending the contract for the credential validator
  • Finishing the Password Credential Validator instance configuration
  • Active Directory and Kerberos
  • Configuring Active Directory domains or Kerberos realms
  • Multiple-domain support
  • Configuring the Active Directory environment
  • Adding Active Directory domains and Kerberos realms
  • Managing domain connectivity settings
  • External systems
  • Connections to PingOne
  • Creating connections to PingOne
  • Modifying connections to PingOne
  • Editing connection names and descriptions
  • Disabling and enabling connections
  • Replacing connection credentials
  • Modifying which environments connections can access
  • Connections to PingOne for Enterprise
  • Configuring identity repository settings
  • Use Cases
  • Configuring the RADIUS server to integrate PingID with your VPN
  • Configuring provisioning to PingID
  • Reviewing the PingID VPN (RADIUS) configuration
  • Confirmation
  • Complete
  • Managing PingOne for Enterprise settings
  • Configuring PingOne for Enterprise settings
  • Configuring PingOne for Enterprise SSO settings
  • Enabling and configuring the built-in RADIUS server to integrate PingID with your VPN
  • Configuring SSO from the PingOne for Enterprise admin portal to the PingFederate administrative console
  • Monitoring PingFederate from the PingOne for Enterprise admin portal
  • Updating the PingOne for Enterprise identity repository
  • Managing CAPTCHA providers
  • Managing SMS provider settings
  • Managing notification publisher instances
  • Defining a notification publisher instance
  • Notification publisher instance configurations
  • Configuring an Amazon SNS Notification Publisher instance
  • Event types and variables
  • Configuring an SMTP Notification Publisher instance
  • Finalizing actions for a notification publisher instance
  • Reviewing a notification publisher instance configuration
  • Secret managers
  • Integrating with the CyberArk Credential Provider
  • CyberArk's authentication methods
  • Configuring instances of the secret manager plugin for the CyberArk Credential Provider
  • Using passwords in secret managers to access datastores
  • Troubleshooting
  • Enabling console logging
  • Resolving startup issues
  • Troubleshooting data store issues
  • Resolving URL-related errors
  • Resolving service-related errors
  • Troubleshooting authentication policy issues
  • Troubleshooting registration and profile management issues
  • Troubleshooting runtime errors
  • Activating tracking ID in templates
  • Correlating log messages by PF cookie
  • Correlating log messages by tracking ID
  • Correlating PingFederate events with PingDirectory LDAP activities
  • Troubleshooting OAuth transactions
  • Reviewing an OAuth request and various OAuth settings
  • Other runtime issues
  • Collecting support data
  • WS-Trust STS configuration
  • Server settings
  • Enabling the WS-Trust protocol
  • Configuring STS authentication
  • Identity provider STS configuration
  • Managing token processors
  • Selecting a token processor type
  • Configuring a token processor instance
  • Configuring a Username Token Processor instance
  • Configuring a Kerberos Token Processor instance
  • Configuring an OAuth Token Processor instance
  • Configuring a JWT Token Processor 1.2 instance
  • Configuring a JWT Token Processor 2.0 instance
  • Configuring a SAML Token Processor instance
  • Extending a token processor contract
  • Setting attribute masking
  • Reviewing the token processor configuration
  • Managing STS request parameters
  • Creating a request contract
  • Configuring SP connections for STS
  • Configuring protocol settings for IdP STS
  • Setting a token lifetime
  • Configuring token creation
  • Defining an attribute contract for IdP STS
  • Selecting a request contract
  • Managing IdP token processor mappings
  • Selecting a token processor instance
  • Overriding a token processor instance
  • Restricting a token processor to certain virtual server IDs
  • Selecting an attribute retrieval method for token creation
  • Configuring attribute sources and user lookup for token creation
  • Configuring contract fulfillment for token creation
  • Defining issuance criteria for token creation
  • Reviewing the IdP token processor mapping
  • Selecting a request error handling method
  • Reviewing the token creation configuration
  • Reviewing the IdP STS settings
  • Service provider STS configuration
  • Managing token generators
  • Selecting a token generator type
  • Configuring a token generator instance
  • Extending a token generator contract
  • Reviewing the token generator configuration
  • Configuring IdP connections for STS
  • Configuring protocol settings for SP STS
  • Configuring token generation
  • Defining an attribute contract for SP STS
  • Managing SP token generator mappings
  • Selecting a token generator instance
  • Overriding a token generator instance
  • Restricting a token generator to certain virtual server IDs
  • Selecting an attribute retrieval method for token generation
  • Configuring contract fulfillment for token generation
  • Defining issuance criteria for token generation
  • Reviewing the SP token generator mapping
  • Reviewing the token generation configuration
  • Reviewing the SP STS configuration
  • Performance Tuning Guide
  • Logging
  • Operating system tuning
  • Linux tuning
  • Windows tuning
  • Concurrency
  • Tuning the acceptor queue size
  • Tuning the server thread pool
  • Configuring connection pools to datastores
  • Snapshot isolation for high-volume transactions
  • Memory
  • JVM heap
  • The memoryoptions utility
  • memoryoptions and installation
  • memoryoptions and upgrade
  • Restoring the preserved JVM options
  • Fine-tuning JVM options
  • Hardware security modules
  • Configuration at scale
  • References
  • PingFederate Monitoring Guide
  • Resource metrics
  • Runtime monitoring using JMX
  • Connecting with JMX
  • Connecting to a local process
  • Connecting to a remote process
  • Liveliness and responsiveness
  • Monitoring
  • Thread pool
  • Logging, reporting, and troubleshooting
  • Creating an error-only server log
  • Splunk dashboards and audit logs
  • SDK Developer's Guide
  • SDK directory structure
  • Developing your own plugin
  • Implementation guidelines
  • Shared plugin interfaces
  • Developing IdP adapters
  • Developing authentication API-capable adapters and selectors
  • Authentication API states, actions, and models
  • Specification of the plugin API
  • State model example
  • Action model example
  • AuthnStateSpec and AuthnActionSpec objects
  • Error specifications
  • State model contents
  • Non-interactive plugins
  • Runtime behavior implementation
  • Checking for actions
  • Extracting models from requests
  • Performing additional validation
  • Handling invalid action IDs
  • Handling authentication error exceptions
  • Sending API responses
  • Returning authentication statuses
  • Session state management
  • Error messages and localization
  • Developing SP adapters
  • Developing token processors
  • Developing token generators
  • Developing authentication selectors
  • Developing data source connectors
  • Developing password credential validators
  • Developing identity store provisioners
  • IdentityStoreProvisionerWithFiltering interface implementation
  • IdentityStoreUserProvisioner interface implementation
  • Developing notification publishers
  • Building and deploying with Ant
  • Building and deploying manually
  • Log messages
  • Developer's Reference Guide
  • OAuth 2.0 endpoints
  • Authorization endpoint
  • Client-initiated backchannel authentication endpoint
  • Token endpoint
  • OAuth grant type parameters
  • Introspection endpoint
  • Token revocation endpoint
  • Grant-management endpoint
  • Dynamic client registration endpoint
  • Device authorization endpoint
  • User authorization endpoint
  • OpenID Provider configuration endpoint
  • OAuth authorization server metadata endpoint
  • UserInfo endpoint
  • Pushed authorization requests endpoint
  • OAuth Playground
  • Web service interfaces and APIs
  • Connection Management Service
  • Exporting a connection
  • Importing connections
  • Deleting connections
  • Cluster configuration replication
  • Validation disclaimer
  • SSO Directory Service
  • Coding example
  • SOAP request and response examples
  • OAuth Client Management Service
  • OAuth Access Grant Management Service
  • OAuth Persistent Grant Management API
  • Session Management API by session identifiers
  • Session Management API by user identifiers
  • Session Revocation API endpoint
  • PingFederate administrative API
  • Configure access to the administrative API
  • Enabling native authentication for the administrative API
  • Enabling LDAP authentication
  • Enabling RADIUS authentication
  • Enabling certificate-based authentication
  • Enabling OAuth 2.0 authorization
  • Accessing the API interactive documentation
  • Application endpoints
  • IdP endpoints
  • SP endpoints
  • SP services
  • SCIM inbound provisioning endpoints
  • System-services endpoints
  • Constructing an alternative metadata exchange endpoint
  • Authentication API
  • Exploring the authentication API
  • Mobile application authentication through REST APIs
  • Device authorization through mobile applications
Page created: 5 Jul 2022 |
Page updated: 5 Jul 2022
| 1 min read

Guide Administrator Guide Content Type Product documentation 11.3 Capability Single Sign-on (SSO) Deployment Method Software Audience Administrator System Administrator Product PingFederate

As part of XML encryption, you must identify a certificate and key for PingFederate to use to decrypt incoming assertions or assertion elements.

For more information on XML encryption, see Specifying XML encryption policy (for SAML 2.0).

  1. Select the primary XML decryption key from the list.

    If you have not created or imported your certificate into PingFederate, click Manage Certificates. For more information, see Manage digital signing certificates and decryption keys.

  2. Optional: Select the secondary XML decryption key from the list.
Back to home page