The Token Processor allows an Identity Provider (IdP) STS to accept and validate an OpenToken from a Web Service Client (WSC) and then map user attributes into a SAML token for the WSC to send to a Web Service Provider (WSP). The Token Generator allows a Service Provider (SP) STS to issue an OpenToken for a WSP, including mapped attributes from an incoming SAML token.


Ping Identity provides a Java STS-Client Software Development Kit (SDK) for enabling web service applications (client or provider) to interact with the PingFederate STS. You can download the Java Client SDK from the PingFederate server add-ons page.

OpenToken is an open-standard, secure session cookie used to pass user information between an application and PingFederate. For STS purposes, the OpenToken is passed as a Web Services Security (WSS) binary security token in WS-Trust messages. The data within the OpenToken is a set of key/value pairs, encrypted using common encryption algorithms, as illustrated below:

This translator package includes a Java Application Programmer Interface (API) for WSC and WSP developers to use for writing or reading an OpenToken, respectively.

Intended audience

This document is intended for PingFederate administrators.

If you need help during the setup process, see the following resources:

System requirements

  • PingFederate 9.3 or later
  • To use the Java API, J2SE Java Runtime Environment 1.5 or later is required on the WSC and WSP
  • To use strong Advanced Encryption Standard (AES) encryption with a key size of more than 128 bits, the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files must be installed in your JDK on PingFederate, as well as the WSC and WSP.