1. In the PingFederate administrative console, create a new SP adapter instance.
    • For PingFederate 10.1 or later: go to Applications > Integration > SP Adapters. Click Create New Instance.
    • For PingFederate 10.0 or earlier: go to Service Provider > Adapters. Click Create New Instance.
  2. On the Type tab, set the basic adapter instance attributes.
    1. In the Instance Name field, enter a name for the adapter instance.
    2. In the Instance ID field, enter a unique identifier for the adapter instance.
    3. From the Type list, select CoreBlox SP Adapter. Click Next.
  3. Optional: On the Instance Configuration tab, in the Protected Resource Mapping Table section, define conditions that the SAML assertion has to meet for the user to get access to a protected resource.
    Note: The CoreBlox Token Service allows you to grant permissions to specific realms in specific domains by defining the resource, instance, and action fields. These values are defined in your CTS Agent Config Object (ACO) settings. For more information, see page 29 of the CoreBlox Token Service Install and Configuration Guide (1.0 v3) [PDF] documentation and page 27 of the CoreBlox Token Service Installation/Configuration (2.2) [PDF] documentation.
    1. Click Add a new row to 'Protected Resource Mapping Table'.
    2. In the Auth Context field, enter the authentication context that has to exist in the SAML assertion, such as Password or MobileTwoFactorContract.
      For a complete list of authentication contexts, see Authentication Context for the OASIS Security Assertion Markup Language (SAML) 2.0 [PDF] on oasis-open.org.
    3. Optional: In the Attribute Filter field, enter an attribute that has to exist in the assertion, such as ${organization}='WidgetCo'.
      Tip: You can use AND and OR operators to include multiple attributes or create simple rules. For example, ${organization}='WidgetCo' OR ${organization}='WidgetCoLtd'.
    4. In the Resource field, enter the name of the resource that the user can access when the assertion meets the Auth Context and Attribute Filter conditions. For example, /partner_application/partner_landing.html.
    5. In the Instance field, enter the value of the AgentName parameter associated with the default CTS Agent Config Object. For example, partner_site_agent.
    6. In the Action field, enter the action, such as GET, POST, or PUT.
    7. In the Action column, click Update.
    8. To add more attributes, repeat steps 1-7.
  4. On the Instance Configuration tab, configure the adapter instance by referring to CoreBlox SP Adapter settings reference. Click Next.
  5. Optional: On the Actions tab, if you set Send Extended Attributes to OpenToken, click Download, and then click Export. Save agent-config.txt. You can use this file to decode the OpenToken token that contains the extended attributes.
  6. On the Extended Contract tab, add any attributes that you expect to retrieve other than the SAML subject. Click Next.
  7. On the Target App Info tab, enter the basic information about your SP application. Click Next.
  8. On the Summary tab, check and save your configuration.
    • For PingFederate 10.1 or later: click Save.
    • For PingFederate 10.0 or earlier: click Done. On the Manage SP Adapter Instances tab, click Save.
  9. Create an IdP connection using this CoreBlox SP Adapter instance. See Service provider SSO configuration in the PingFederate documentation.
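To check before deployment which assertions a Protected Resource Mapping Table row from step 3 would let through, the following added example (not CoreBlox or PingFederate code) models one row offline with the sample values from that step. The function names are hypothetical. It assumes AND binds tighter than OR, exact string comparison, one value per attribute, and no parentheses; confirm the adapter's real evaluation rules against the vendor documentation.

```python
import re

# Constructed sample row, using the example values from step 3.
ROWS = [{
    "auth_context": "Password",
    "attribute_filter": "${organization}='WidgetCo' OR ${organization}='WidgetCoLtd'",
    "resource": "/partner_application/partner_landing.html",
    "instance": "partner_site_agent",
    "action": "GET",
}]

# One filter term: ${attribute}='value'
TERM = re.compile(r"\$\{([^}]+)\}\s*=\s*'([^']*)'")

def parse_filter(expr):
    """Parse into OR-of-AND clauses (assumed precedence: AND before OR)."""
    clauses = []
    for clause in re.split(r"\s+OR\s+", expr.strip()):
        terms = []
        for term in re.split(r"\s+AND\s+", clause):
            m = TERM.fullmatch(term.strip())
            if m is None:
                # Reject anything unparseable instead of guessing, including
                # quoted values that themselves contain " OR " or " AND ".
                raise ValueError(f"unparseable filter term: {term!r}")
            terms.append(m.groups())
        clauses.append(terms)
    return clauses

def filter_matches(expr, attrs):
    """True if the assertion attributes satisfy the Attribute Filter."""
    if not expr.strip():
        return True  # the Attribute Filter field is optional
    # attrs.get() returns None for a missing attribute, so it never matches.
    return any(all(attrs.get(name) == value for name, value in terms)
               for terms in parse_filter(expr))

def granted(rows, auth_context, attrs):
    """Return (resource, instance, action) for every row the assertion meets."""
    return [(r["resource"], r["instance"], r["action"]) for r in rows
            if r["auth_context"] == auth_context
            and filter_matches(r["attribute_filter"], attrs)]

if __name__ == "__main__":
    print(granted(ROWS, "Password", {"organization": "WidgetCoLtd"}))
    print(granted(ROWS, "Password", {"organization": "OtherCo"}))
```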