The Token Processor allows an Identity Provider (IdP) STS to accept and validate a WAM session token from a Web Service Client (WSC) and then map user attributes into a SAML token for the WSC to send to a Web Service Provider (WSP). The Token Generator allows a Service Provider (SP) STS to issue a WAM session token for a WSP, including mapped attributes from an incoming SAML token.


The Token Translator is designed to work with WAM products from multiple vendors. A WAM plug-in is required to connect the Token Translator with each third-party system. This kit ships with WAM plug-ins compatible with Oracle Access Manager (OAM) 10g and 11g, and with RSA Access Manager 6.1. A simple software development kit (SDK) is also included to create custom WAM plug-ins for other systems.

If you are creating a WAM plug-in for any third-party product other than OAM and RSA Access Manager, you must complete the tasks in the WAM plug-in SDK README.txt file located in the <token_translator_install_dir>/sdk directory.


Ping Identity provides an SDK for enabling Web Service applications (Client or Provider) to interact with the PingFederate STS. The SDK is available for download on the PingFederate server add-ons page.

Intended audience

This document is intended for PingFederate administrators.

If you need help during the setup process, see the following resources:

Please consult the WAM documentation tool if you encounter any difficulties in areas not directly associated with PingFederate or the WAM Token Translator.

System requirements

  • PingFederate 6.x or later
  • WAM plug-in for the desired third-party system, built and deployed per the WAM plug-in SDK documentation
  • Associated vendor-supplied libraries to support the WAM plug-in you are using
    Note: Fully functional WAM plug-ins for OAM and RSA are included in the WAM Token Translator package.
  • Separate third-party Web Agent configured using the WAM server administrative software