Configure the X.509 Token Processor to determine how PingFederate validates and parses X.509 certificates.
- Go to .
- On the Token Processor tab, click Create New Instance.
On the Type tab, set the basic token processor
- In the Instance Name field, enter a name for the token processor.
- In the Instance ID field, enter a unique identifier for the token processor.
- From the Type list, select X.509 Token Processor. Click Next.
Click Add a new row to ‘Valid Certificate Issuer DNs’ under Action, enter an applicable CA Issuer DN, and click Update.
Note: When this option is configured, only the CAs appearing under Valid DNs can be used to verify digital signatures on incoming tokens. Otherwise, all trusted CAs in the PingFederate or JRE trusted store can be used.
- If you don't want the adapter to parse the certificate Subject DN to make its elements available for the extended contract, clear the Parse Subject DN check box. Click Next.
On the Extended Contract tab, add any Subject DN components and SAN settings:
Add any Subject DN components that you want to send individually in the SAML assertion, in addition to the full DN.
The DN components are available separately only if the Parse Subject DN check box is selected (the default) on the Instance Configuration tab. The attributes you enter must be in uppercase. Only attributes specified in RFC 2253 are allowed (CN, L, ST, O, OU, C, STREET, DC, and UID).
Select the Include Subject Alternative Name (SAN) check box to include the decoded SAN attributes from the certificate.
When selected, this includes the following attributes from the X.509 certificate and makes them available in the attribute contract:
- Click Next.
- Optional: Add any Subject DN components that you want to send individually in the SAML assertion, in addition to the full DN.
On the Token Attributes tab, select any or all attributes whose values should be masked in PingFederate log files. Click
Additionally, you can select Mask all OGNL-expression generated log values. See the PingFederate Administrator’s Manual for more information.
- On the Summary tab, verify your configuration. Click Done.
- On the Token Processor tab, click Save.
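
The Extended Contract rule above (uppercase names, limited to CN, L, ST, O, OU, C, STREET, DC, and UID) can be checked before the names are entered. The following Python is an added example, not PingFederate code: it shows which components an RFC 2253 Subject DN string yields, including escaped and quoted values, and which planned contract names break the rule. The function names and the sample DN in the test are constructed, and matching attribute types case-insensitively is an assumption of this example.

```python
import re

# Added example, not PingFederate code; all function names are hypothetical.
ALLOWED = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID"}

def split_unescaped(s, seps):
    """Split on separator chars, skipping backslash-escaped and quoted ones."""
    parts, buf, i, quoted = [], "", 0, False
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf, i = buf + s[i:i + 2], i + 2   # keep the escape for unescape()
            continue
        quoted ^= s[i] == '"'
        if s[i] in seps and not quoted:
            parts, buf = parts + [buf], ""
        else:
            buf += s[i]
        i += 1
    return parts + [buf]

def _esc(m):  # hex pair -> that byte, otherwise the escaped character itself
    return bytes.fromhex(m[1].decode()) if len(m[1]) == 2 else m[1]

def unescape(value):
    """Decode RFC 2253 escapes: backslash + character, or backslash + hex pair."""
    value = value.lstrip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    raw = re.sub(rb"\\([0-9A-Fa-f]{2}|.)", _esc, value.encode())
    return raw.decode("utf-8", errors="replace")

def subject_components(dn):
    """Return {TYPE: [values]} for the attribute types the page lists."""
    found = {}
    for rdn in split_unescaped(dn, ",;"):
        for ava in split_unescaped(rdn, "+"):   # multi-valued RDN
            attr, sep, value = ava.partition("=")
            attr = attr.strip().upper()         # assumption: case-insensitive types
            if sep and attr in ALLOWED:
                found.setdefault(attr, []).append(unescape(value))
    return found

def rejected_contract_names(names):
    """Planned extended-contract entries that break the uppercase / RFC 2253 rule."""
    return [n for n in names if n not in ALLOWED]
```

A naive split on commas would break the escaped and quoted values this handles, which is the usual cause of a DN component arriving truncated in an attribute contract.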