If you are using PingFederate as a Service Provider (SP), configure the Token Generator using the following steps:

Important: You must first create a third-party WAM Web Agent within your WAM tool. Several properties used to configure the agent are then used on the Instance Configuration screen. Refer to your WAM documentation for details on agent configuration.
  1. Log on to the PingFederate administrative console and click Token Generators under Application Integration Settings in the SP Configuration section of the Main Menu.

    If you do not see Token Generators on the Main Menu, enable WS-Trust under Server Settings on the Roles & Protocols screen by selecting WS-Trust for the SP role.

    Note: To enable token exchange, you may be prompted to provide SAML 1.x and SAML 2.0 federation identifiers for the STS on the Federation Info screen. Refer to the Federation Info screen’s Help page for more information.
  2. On the Manage Token Generator Instances screen, click Create New Instance.
  3. On the Type screen, enter an Instance Name and Instance Id.

    The Name is any you choose for identifying this instance. The ID is used internally and may not contain spaces or non-alphanumeric characters.

  4. Select WAM Token Generator 2.0 as the Type and click Next.
    Note: If you are configuring the adapter for a custom plug-in (not bundled with this kit), then continue to step 5. If you are configuring the RSA Dispatcher server, then continue with step 6. If you are configuring OAM, continue at step 7.
  5. (Only for custom plug-ins for WAM servers other than OAM or RSA) On the Instance Configuration screen, click Add a new row to ‘WAM Server’ and provide the following information into the table:
    1. Enter the Hostname or the IP address where the WAM server is running.
    2. Specify the remaining WAM server values that are required for your configuration.
    3. Click Update in the Action column.
    4. Repeat this step as needed, for additional WAM plug-ins.

    Skip the next step.

  6. (Only for the RSA bundled plug-in) On the Instance Configuration screen, click Add a new row to ‘RSA AM Dispatcher Server’ and provide the following information in the table:
    Note: You must specify at least one RSA AM Dispatcher Server
    1. Enter the Hostname or the IP address and the (optional) Dispatcher Port where the RSA AM Dispatcher server is running.
      Note: You must specify the authentication method that is used by the dispatcher server. If you have specified multiple dispatcher servers, each server can have individual authentication methods.
    2. Specify the Authentication Type used by the RSA Dispatcher Server.
      • Clear – clear text, no encryption
      • Anon – anonymous SSL, SSL encryption only
      • Auth – mutually authenticated SSL, SSL encryption with certificate-based encryption
    3. If the selected Authentication Type is Auth, you must specify the following RSA server values:
      • Keystore Path – String filename of the private Keystore file (PKCS12 only)
      • Keystore Password – password for the private Keystore
      • Key Alias – the alias to your private key in the Keystore
      • Key Password – private Key Password for Keystore
    4. Optional: Specify the Timeout value required for your configuration.
    5. Click Update in the Action column.
    6. Repeat this step as needed for additional RSA Servers.
  7. Provide entries on the Instance Configuration screen, as described on the screen and in the table below.
    Note: The selected WAM Plug-in Type may override optional/required fields. For example, if the selected WAM Plug-n Type is OAM, the Agent Config Location becomes a required field. Leaving this field blank generates an error message.
    Field Description
    WAM Plug-in Type

    Class name for the specific WAM implementation.

    Note: WAM Plug Type determines optional/required fields.
    Agent Name This value must match the value used when the third-party WAM Web Agent was configured.
    Agent Secret This value must match the value used when the third-party WAM Web Agent was configured.
    Agent Config Location Required for OAM, this value must contain the full path to an XML network-configuration file generated by the access-management system.
    Failover The default is false, indicating load balancing is enabled and user-session states and configuration data are shared among multiple WAM servers. Select true to enable failover, indicating that when one server fails, the next server is used.
    Protected Resource (Required) All files in the root directory (/*) is the default. Specify a different path to the resources in the protected realm, if necessary.
    User Identifier (Required) Defines which attribute that is parsed from the WAM session token is the user identifier for use in the assertion.
    Session Token LOGGEDOFF Value (Required) Value representing a logged out session token.
    Authentication Scheme Secret (Required, except for RSA) The shared secret between the adapter and the custom authentication scheme deployed on the WAM server.
    Encode Token (Advanced Field) The default is false. Check this box to url encode token string (if required).
  8. Click Next.
  9. Optional: On the Extended Contract screen, add attributes you expect to retrieve in addition to the SAML subject (user ID). For more information, see Extending an SP adapter contract in the PingFederate documentation.
  10. Click Next.
  11. On the Summary screen, verify that the information is correct and click Done.
  12. On the Manage Token Generator Instances screen, click Save.