  1. Go to Authentication > Token Exchange > Token Processors.
  2. On the Token Processor tab, click Create New Instance.
  3. On the Type tab, set the basic token processor attributes:
    1. In the Instance Name field, enter a name for the token processor.
    2. In the Instance ID field, enter a unique identifier for the token processor.
    3. From the Type list, select X.509 Token Processor. Click Next.
  4. Click Add a new row to ‘Valid Certificate Issuer DNs’ under Action, enter an applicable CA Issuer DN, and click Update.
    Note: When this option is configured, only the CAs appearing under Valid DNs can be used to verify digital signatures on incoming tokens. Otherwise, all trusted CAs in the PingFederate or JRE trusted store can be used.
  5. If you don't want the adapter to parse the certificate Subject DN to make its elements available for the extended contract, clear the Parse Subject DN check box. Click Next.
  6. On the Extended Contract tab, add any Subject DN components and SAN settings:
    1. Optional: Add any Subject DN components that you want to send individually in the SAML assertion, in addition to the full DN.
      Note: The DN components are available separately only if the Parse Subject DN check box is selected (the default) on the Instance Configuration tab. The attributes you enter must be in uppercase. Only attributes specified in RFC 2253 are allowed (CN, L, ST, O, OU, C, STREET, DC, and UID).

    2. Optional: Select the Include Subject Alternative Name (SAN) check box to include the decoded SAN attributes from the certificate.

      When selected, this includes the following attributes from the X.509 certificate and makes them available in the attribute contract:

      • userPrincipalName
      • RFC822Name
      • fascn_sen
      • fascn_wo_sen
      • deviceId
    3. Click Next.
  7. On the Token Attributes tab, select any or all attributes whose values should be masked in PingFederate log files. Click Next.

    Additionally, you can select Mask all OGNL-expression generated log values. See the PingFederate Administrator’s Manual for more information.

  8. On the Summary tab, verify your configuration. Click Done.
  9. On the Token Processor tab, click Save.
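
To see what the Parse Subject DN, Extended Contract, and Valid Certificate Issuer DNs settings mean for a given certificate, the following added Python example (not PingFederate code and not part of the original procedure) splits an RFC 2253 DN into the components listed above and checks an issuer DN against an allow-list. The function names, the sample DN, and the matching rule in `issuer_allowed` are assumptions; it compares issuer names only and does not verify signatures or certificate chains.

```python
import re

# Added illustration, not PingFederate code; RFC 2253 string form, no legacy quoting.
ALLOWED = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID"}  # list from the page
_ESC = re.compile(rb"\\([0-9A-Fa-f]{2})|\\(.)", re.S)

def _split(s, sep):
    """Split on sep, leaving backslash-escaped separators inside the value."""
    parts, start, i = [], 0, 0
    while i < len(s):
        if s[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if s[i] == sep:
            parts.append(s[start:i])
            start = i + 1
        i += 1
    return parts + [s[start:]]

def _unescape(value):
    """Decode backslash + hex byte pair, or backslash + literal character."""
    def decode(m):
        return bytes([int(m.group(1), 16)]) if m.group(1) else m.group(2)
    return _ESC.sub(decode, value.lstrip().encode()).decode("utf-8")

def parse_dn(dn):
    """Return [(TYPE, value), ...] in DN order; multi-valued RDNs are flattened."""
    pairs = []
    for rdn in _split(dn, ","):
        for ava in _split(rdn, "+"):
            key, _, value = ava.partition("=")
            pairs.append((key.strip().upper(), _unescape(value)))
    return pairs

def contract_attributes(subject_dn, requested):
    """Values per requested component; names must be uppercase and in ALLOWED."""
    bad = [name for name in requested if name not in ALLOWED]
    if bad:
        raise ValueError(f"not an allowed uppercase RFC 2253 attribute: {bad}")
    parsed = parse_dn(subject_dn)
    return {name: [v for k, v in parsed if k == name] for name in requested}

def issuer_allowed(issuer_dn, valid_issuer_dns):
    """Empty list = no restriction; else issuer must equal an entry (assumed rule)."""
    issuer = parse_dn(issuer_dn)  # attribute type case and leading spaces are ignored
    return not valid_issuer_dns or any(parse_dn(d) == issuer for d in valid_issuer_dns)

SAMPLE_SUBJECT = r"CN=Doe\, Jane,OU=Engineering,OU=Staff,O=Example Corp,C=US"  # constructed
if __name__ == "__main__":
    print(contract_attributes(SAMPLE_SUBJECT, ["CN", "OU", "UID"]))
```

A component that appears more than once (here OU) yields several values, and a requested component that is absent from the certificate yields an empty list.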