If you are using PingFederate as an IdP server, configure the Token Processor using the following steps:

Important: You must first create a third-party WAM Web Agent within your WAM tool. Several properties used to configure the agent are then used on the Instance Configuration screen. Refer to your WAM documentation for details on agent configuration.
  1. Log on to the PingFederate administrative console and click Token Processors under Application Integration Settings in the IdP Configuration section of the Main Menu.

    If you do not see Token Processors on the Main Menu, enable WS-Trust under Server Settings on the Roles & Protocols screen by selecting WS-Trust for the IdP role.

    Note: To enable token exchange, you may be prompted to provide SAML 1.x and SAML 2.0 federation identifiers for the STS on the Federation Info screen. Refer to the Federation Info screen’s Help page for more information.
  2. On the Manage Token Processor Instances screen, click Create New Instance.
  3. On the Type screen, enter an Instance Name and Instance Id.

    The Name is any label you choose to identify this instance. The ID is used internally and may not contain spaces or non-alphanumeric characters.

  4. Select WAM Token Processor 2.0 as the Type and click Next.
    Note: If you are configuring the adapter for a custom plug-in (not bundled with this kit), then continue to step 5. If you are configuring the RSA Dispatcher server, then continue with step 6. If you are configuring OAM, continue at step 7.
  5. (Only for custom plug-ins for WAM servers other than OAM or RSA) On the Instance Configuration screen, click Add a new row to ‘WAM Server’ and provide the following information in the table:
    1. Enter the Hostname or the IP address where the WAM server is running.
    2. Specify the remaining WAM server values required for your configuration.
    3. Click Update in the Action column.
    4. Repeat this step as needed, for additional WAM plug-ins.

    Skip the next step.

  6. (Only for the RSA bundled plug-in) On the Instance Configuration screen, click Add a new row to ‘RSA AM Dispatcher Server’ and provide the following information in the table:
    Note: You must specify at least one RSA AM Dispatcher Server.
    1. Enter the Hostname or the IP address and the (optional) Dispatcher Port where the RSA AM Dispatcher server is running.
      Note: You must specify the authentication method that is used by the dispatcher server. If you have specified multiple dispatcher servers, each server can have individual authentication methods.
    2. Specify the Authentication Type used by the RSA Dispatcher Server.
      • Clear – clear text, no encryption
      • Anon – anonymous SSL, SSL encryption only
      • Auth – mutually authenticated SSL, SSL encryption with certificate-based authentication
    3. If the selected Authentication Type is Auth, you must specify the following RSA server values:
      • Keystore Path – String filename of the private Keystore file (PKCS12 only)
      • Keystore Password – password for the private Keystore
      • Key Alias – the alias to your private key in the Keystore
      • Key Password – private Key Password for Keystore
    4. Optional: Specify the Timeout value required for your configuration.
    5. Click Update in the Action column.
    6. Repeat this step as needed for additional RSA Servers.
  7. Provide entries on the Instance Configuration screen, as described on the screen and in the following table.
    Note: The selected WAM Plug-in Type may override which fields are optional or required. For example, if the selected WAM Plug-in Type is OAM, the Agent Config Location becomes a required field. Leaving this field blank generates an error message.
    | Field | Description |
    | --- | --- |
    | WAM Plug-in Type | Class name for the specific WAM implementation. Note: WAM Plug-in Type determines optional/required fields. |
    | Agent Name | This value must match the value used when the third-party WAM Web Agent was configured. |
    | Agent Secret | This value must match the value used when the third-party WAM Web Agent was configured. |
    | Agent Config Location | Required for OAM, this value must contain the full path to an XML network-configuration file generated by the access-management system. |
    | Failover | The default is false, indicating load balancing is enabled and user-session states and configuration data are shared among multiple WAM servers. Select true to enable failover, indicating that when one server fails, the next server is used. |
    | Protected Resource | (Required) The default is all files in the root directory (/*). Specify a different path to the resources in the protected realm, if necessary. |
    | User Identifier | (Required) Defines which attribute parsed from the WAM session token is the user identifier for use in the assertion. |
    | Session Token LOGGEDOFF Value | (Required) Value representing a logged-out session token. |
    | Repad Token String | Enable this to pad the incoming session token string for Base64 encoding (if required). |
  8. Click Next.
  9. Optional: On the Token Attributes screen, select any or all attributes whose value you want to mask in the PingFederate log file.

    For more information about this screen, see the PingFederate Administrator’s Manual. More information is available on the Help page.

  10. Click Next.
  11. On the Summary screen, verify that the information is correct and click Done.
  12. On the Manage Token Processor Instances screen, click Save.
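
A pre-change review of planned settings against the rules stated in steps 3, 6 and 7, as an added example that is not part of the PingFederate documentation or product. Field labels are taken from the screens above; the dictionary layout, the `plugin` key and the sample hostnames are assumptions made for illustration.

```python
import re

# Labels are copied from the screens described above; the dict layout and the
# "plugin" key ("custom", "RSA" or "OAM") are assumptions made for this example.
REQUIRED = ("Protected Resource", "User Identifier", "Session Token LOGGEDOFF Value")
AUTH_FIELDS = ("Keystore Path", "Keystore Password", "Key Alias", "Key Password")
NOTES = {"Clear": "clear text, no encryption", "Anon": "SSL encryption only"}

def review(instance):
    """Return (errors, warnings) for a planned token processor instance."""
    errors, warnings = [], []
    fields = instance.get("fields", {})
    # Step 3: the Instance Id may not contain spaces or non-alphanumeric characters.
    if not re.fullmatch(r"[A-Za-z0-9]+", instance.get("Instance Id", "")):
        errors.append("Instance Id must be alphanumeric with no spaces")
    # Step 7: fields marked (Required) in the table, plus the OAM-only requirement.
    for name in REQUIRED:
        if not fields.get(name):
            errors.append(f"{name} is required")
    if instance.get("plugin") == "OAM" and not fields.get("Agent Config Location"):
        errors.append("Agent Config Location is required for OAM")
    # Step 6: RSA needs at least one dispatcher; Auth needs all keystore values.
    if instance.get("plugin") == "RSA":
        servers = instance.get("dispatchers", [])
        if not servers:
            errors.append("at least one RSA AM Dispatcher Server is required")
        for srv in servers:
            host, auth = srv.get("Hostname", "?"), srv.get("Authentication Type")
            if auth not in ("Clear", "Anon", "Auth"):
                errors.append(f"{host}: unknown Authentication Type {auth!r}")
            elif auth == "Auth":
                missing = [f for f in AUTH_FIELDS if not srv.get(f)]
                if missing:
                    errors.append(f"{host}: Auth requires {', '.join(missing)}")
            else:  # Clear or Anon: allowed by the screen, surfaced for review
                warnings.append(f"{host}: {auth} ({NOTES[auth]})")
    return errors, warnings

# Constructed sample: one dispatcher set to Clear, one set to Auth with gaps.
SAMPLE = {
    "Instance Id": "rsa wam-1", "plugin": "RSA",
    "fields": {"Protected Resource": "/*", "User Identifier": "uid"},
    "dispatchers": [
        {"Hostname": "rsa1.example.com", "Authentication Type": "Clear"},
        {"Hostname": "rsa2.example.com", "Authentication Type": "Auth", "Key Alias": "agent"},
    ],
}
if __name__ == "__main__":
    print(review(SAMPLE))
```

Warnings are kept separate from errors because Clear and Anon are accepted by the screen; they are listed so a reviewer sees every dispatcher link that runs without mutual authentication.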