Use the GET /idp/spConnections/{{spConnectionId}} endpoint to retrieve the service provider connection with the specified ID. A 404 status code is returned for nonexistent IDs.

Path parameters

Parameter Value Description
spConnectionId string(required) ID of the SP Connection to fetch.

Status codes

Code Reason
200 Success.
403 PingFederate does not have its IdP role enabled. Operation not available.
404 Resource not found.

SpConnection : Connection - The set of attributes used to configure an SP connection.

Property Type Description
active boolean Specifies whether the connection is active and ready to process incoming requests. The default value is false.
additionalAllowedEntitiesConfiguration AdditionalAllowedEntitiesConfiguration Additional allowed entities or issuers configuration. Currently only used in OIDC IdP (RP) connection.
applicationIconUrl string The application icon url.
applicationName string The application name.
attributeQuery SpAttributeQuery The attribute query settings for supporting SPs in requesting user attributes.
baseUrl string The fully-qualified hostname and port on which your partner’s federation deployment runs.
contactInfo ContactInfo The contact information for this partner.
credentials ConnectionCredentials The certificates and settings for encryption, signing, and signature verification. It is required for SAMLx.x and WS-Fed Connections.
defaultVirtualEntityId string The default alternate entity ID that identifies the local server to this partner. It is required when virtualEntityIds is not empty and must be included in that list.
entityId * string The partner’s entity ID (connection ID) or issuer value (for OIDC Connections).
extendedProperties Map[string, ParameterValues] Extended Properties allows to store additional information for IdP/SP Connections. The names of these extended properties should be defined in /extendedProperties.
id string The persistent, unique ID for the connection. It can be any combination of [a-zA-Z0-9._-]. This property is system-assigned if not specified.
licenseConnectionGroup string The license connection group. If your PingFederate license is based on connection groups, each connection must be assigned to a group before it can be used.
loggingMode LoggingMode The level of transaction logging applicable for this connection. Default is STANDARD.
metadataReloadSettings ConnectionMetadataUrl Connection metadata automatic reload settings.
name * string The connection name.
outboundProvision OutboundProvision The Outbound Provision settings.
spBrowserSso SpBrowserSso The browser-based SSO settings used to communicate with your SP.
type * ConnectionType The type of this connection. This must be set to ‘SP’.
virtualEntityIds array[string] List of alternate entity IDs that identifies the local server to this partner.
wsTrust SpWsTrust The Ws-Trust settings.

SpBrowserSso - The SAML settings used to enable secure browser-based SSO to resources at your partner’s site.

Property Type Description
adapterMappings * array[IdpAdapterAssertionMapping] A list of adapters that map to outgoing assertions.
artifact ArtifactSettings The settings for an artifact binding.
assertionLifetime * AssertionLifetime The timeframe of validity before and after the issuance of the assertion.
attributeContract * SpBrowserSsoAttributeContract A set of user attributes that the IdP sends in the SAML assertion.
authenticationPolicyContractAssertionMappings array[AuthenticationPolicyContractAssertionMapping] A list of authentication policy contracts that map to outgoing assertions.
defaultTargetUrl string Default Target URL for SAML1.x connections. For SP connections, this default URL represents the destination on the SP where the user will be directed. For IdP connections, entering a URL in the Default Target URL field overrides the SP Default URL SSO setting.
enabledProfiles Set[Profile] The profiles that are enabled for browser-based SSO. SAML 2.0 supports all profiles whereas SAML 1.x IdP connections support both IdP and SP (non-standard) initiated SSO. This is required for SAMLx.x Connections.
encryptionPolicy * EncryptionPolicy The SAML 2.0 encryption policy for browser-based SSO. Required for SAML 2.0 connections.
incomingBindings Set[Binding] The SAML bindings that are enabled for browser-based SSO. This is required for SAML 2.0 connections. For SAML 1.x based connections, it is not used for SP Connections and it is optional for IdP Connections.
messageCustomizations array[ProtocolMessageCustomization] The message customizations for browser-based SSO. Depending on server settings, connection type, and protocol this may or may not be supported.
protocol * Protocol The browser-based SSO protocol to use.
requireSignedAuthnRequests boolean Require AuthN requests to be signed when received via the POST or Redirect bindings.
signAssertions boolean Always sign the SAML Assertion.
signResponseAsRequired boolean Sign SAML Response as required by the associated binding and encryption policy. Applicable to SAML2.0 only and is defaulted to true. It can be set to false only on SAML2.0 connections when signAssertions is set to true.
sloServiceEndpoints array[SloServiceEndpoint] A list of possible endpoints to send SLO requests and responses.
spSamlIdentityMapping SpSamlIdentityMapping Process in which users authenticated by the IdP are associated with user accounts local to the SP.
spWsFedIdentityMapping SpWsFedIdentityMapping Process in which users authenticated by the IdP are associated with user accounts local to the SP for WS-Federation connection types.
ssoServiceEndpoints * array[SpSsoServiceEndpoint] A list of possible endpoints to send assertions to.
urlWhitelistEntries array[UrlWhitelistEntry] For WS-Federation connections, a whitelist of additional allowed domains and paths used to validate wreply for SLO, if enabled.
wsFedTokenType WsFedTokenType The WS-Federation Token Type to use.
wsTrustVersion WsTrustVersion The WS-Trust version for a WS-Federation connection. The default version is WSTRUST12.

UrlWhitelistEntry - Url domain and path to be used as whitelist in WS-Federation connection

Property Type Description
allowQueryAndFragment boolean Allow Any Query/Fragment
requireHttps boolean Require HTTPS
validDomain string Valid Domain Name (leading wildcard ‘*.’ allowed)
validPath string Valid Path (leave blank to allow any path)

ArtifactSettings - The settings for an Artifact binding.

Property Type Description
lifetime * integer The lifetime of the artifact in seconds.
resolverLocations * array[ArtifactResolverLocation] Remote party URLs that you will use to resolve/translate the artifact and get the actual protocol message
sourceId string Source ID for SAML1.x connections

ArtifactResolverLocation - The remote party URLs to resolve the artifact.

Property Type Description
index * integer The priority of the endpoint.
url * string Remote party URLs that you will use to resolve/translate the artifact and get the actual protocol message

SloServiceEndpoint - Where SLO logout messages are sent. Only applicable for SAML 2.0.

Property Type Description
binding * Binding The binding of this endpoint, if applicable - usually only required for SAML 2.0 endpoints.
responseUrl string The absolute or relative URL to which logout responses are sent. A relative URL can be specified if a base URL for the connection has been defined.
url * string The absolute or relative URL of the endpoint. A relative URL can be specified if a base URL for the connection has been defined.

SpSsoServiceEndpoint - The settings that define a service endpoint to a SP SSO service.

Property Type Description
binding * Binding The binding of this endpoint, if applicable - usually only required for SAML 2.0 endpoints. Supported bindings are Artifact and POST.
index * integer The priority of the endpoint.
isDefault boolean Whether or not this endpoint is the default endpoint. Defaults to false.
url * string The absolute or relative URL of the endpoint. A relative URL can be specified if a base URL for the connection has been defined.

EncryptionPolicy - Defines what to encrypt in the browser-based SSO profile.

Property Type Description
encryptAssertion boolean Whether the outgoing SAML assertion will be encrypted.
encryptSloSubjectNameId boolean Encrypt the name-identifier attribute in outbound SLO messages. This can be set if the name id is encrypted.
encryptedAttributes array[string] The list of outgoing SAML assertion attributes that will be encrypted. The ‘encryptAssertion’ property takes precedence over this.
sloSubjectNameIDEncrypted boolean Allow the encryption of the name-identifier attribute for inbound SLO messages. This can be set if SP initiated SLO is enabled.

SpBrowserSsoAttributeContract - A set of user attributes that the IdP sends in the SAML assertion.

Property Type Description
coreAttributes array[SpBrowserSsoAttribute] A list of read-only assertion attributes (for example, SAML_SUBJECT) that are automatically populated by PingFederate.
extendedAttributes array[SpBrowserSsoAttribute] A list of additional attributes that are added to the outgoing assertion.

SpBrowserSsoAttribute - An attribute for the SP Browser SSO attribute contract.

Property Type Description
name * string The name of this attribute.
nameFormat * string The SAML Name Format for the attribute.

IdpAdapterAssertionMapping - The IdP Adapter Assertion Mapping.

Property Type Description
abortSsoTransactionAsFailSafe boolean If set to true, SSO transaction will be aborted as a fail-safe when the data-store’s attribute mappings fail to complete the attribute contract. Otherwise, the attribute contract with default values is used. By default, this value is false.
adapterOverrideSettings IdpAdapter Connection specific configuration overrides for the mapped adapter instance.
attributeContractFulfillment * Map[string, AttributeFulfillmentValue] A list of mappings from attribute names to their fulfillment values.
attributeSources array[AttributeSource] A list of configured data stores to look up attributes from.
idpAdapterRef * ResourceLink Reference to the associated IdP adapter.
Note: This is ignored if adapter overrides for this mapping exists. In this case, the override’s parent adapter reference is used.
issuanceCriteria IssuanceCriteria The issuance criteria that this transaction must meet before the corresponding attribute contract is fulfilled.
restrictVirtualEntityIds boolean Restricts this mapping to specific virtual entity IDs.
restrictedVirtualEntityIds array[string] The list of virtual server IDs that this mapping is restricted to.

ResourceLink - A reference to a resource.

Property Type Description
id * string The ID of the resource.
location string A read-only URL that references the resource. If the resource is not currently URL-accessible, this property will be null.

IdpAdapter - An IdP adapter instance.

Property Type Description
attributeContract IdpAdapterAttributeContract The list of attributes that the IdP adapter provides.
attributeMapping IdpAdapterContractMapping The attributes mapping from attribute sources to attribute targets.
authnCtxClassRef string The fixed value that indicates how the user was authenticated.
configuration * PluginConfiguration Plugin instance configuration.
id * string The ID of the plugin instance. The ID cannot be modified once the instance is created.
Note: Ignored when specifying a connection’s adapter override.
name * string The plugin instance name. The name cannot be modified once the instance is created.
Note: Ignored when specifying a connection’s adapter override.
parentRef ResourceLink The reference to this plugin’s parent instance. The parent reference is only accepted if the plugin type supports parent instances.
Note: This parent reference is required if this plugin instance is used as an overriding plugin (e.g. connection adapter overrides)
pluginDescriptorRef * ResourceLink Reference to the plugin descriptor for this instance. The plugin descriptor cannot be modified once the instance is created.
Note: Ignored when specifying a connection’s adapter override.

PluginConfiguration - Configuration settings for a plugin instance.

Property Type Description
fields array[ConfigField] List of configuration fields.
tables array[ConfigTable] List of configuration tables.

ConfigTable - A plugin configuration table populated with values.

Property Type Description
inherited boolean Whether this table is inherited from its parent instance. If true, the rows become read-only. The default value is false.
name * string The name of the table.
rows array[ConfigRow] List of table rows.

ConfigRow - A row of configuration values for a plugin configuration table.

Property Type Description
defaultRow boolean Whether this row is the default.
fields * array[ConfigField] The configuration fields in the row.

ConfigField - A plugin configuration field value.

Property Type Description
encryptedValue string For encrypted or hashed fields, this attribute contains the encrypted representation of the field’s value, if a value is defined. If you do not want to update the stored value, this attribute should be passed back unchanged.
inherited boolean Whether this field is inherited from its parent instance. If true, the value/encrypted value properties become read-only. The default value is false.
name * string The name of the configuration field.
value string The value for the configuration field. For encrypted or hashed fields, GETs will not return this attribute. To update an encrypted or hashed field, specify the new value in this attribute.

IdpAdapterContractMapping -

Property Type Description
attributeContractFulfillment * Map[string, AttributeFulfillmentValue] A list of mappings from attribute names to their fulfillment values.
attributeSources array[AttributeSource] A list of configured data stores to look up attributes from.
inherited boolean Whether this attribute mapping is inherited from its parent instance. If true, the rest of the properties in this model become read-only. The default value is false.
issuanceCriteria IssuanceCriteria The issuance criteria that this transaction must meet before the corresponding attribute contract is fulfilled.

AttributeSource - The configured settings to look up attributes from an associated data store.

Property Type Description
attributeContractFulfillment Map[string, AttributeFulfillmentValue] A list of mappings from attribute names to their fulfillment values. This field is only valid for the SP Connection’s Browser SSO mappings
dataStoreRef * ResourceLink Reference to the associated data store.
description string The description of this attribute source. The description needs to be unique amongst the attribute sources for the mapping.
Note: Required for APC-to-SP Adapter Mappings
id string The ID that defines this attribute source. Only alphanumeric characters allowed.
Note: Required for OpenID Connect policy attribute sources, OAuth IdP adapter mappings, OAuth access token mappings and APC-to-SP Adapter Mappings. IdP Connections will ignore this property since it only allows one attribute source to be defined per mapping. IdP-to-SP Adapter Mappings can contain multiple attribute sources.
type * DataStoreType The data store type of this attribute source.

AttributeFulfillmentValue - Defines how an attribute in an attribute contract should be populated.

Property Type Description
source * SourceTypeIdKey The attribute value source.
value * string The value for this attribute.

SourceTypeIdKey - A key that is meant to reference a source from which an attribute can be retrieved. This model is usually paired with a value which, depending on the SourceType, can be a hardcoded value or a reference to an attribute name specific to that SourceType. Not all values are applicable - a validation error will be returned for incorrect values.
For each SourceType, the value should be:
ACCOUNT_LINK - If account linking was enabled for the browser SSO, the value must be ‘Local User ID’, unless it has been overridden in PingFederate’s server configuration.
ADAPTER - The value is one of the attributes of the IdP Adapter.
ASSERTION - The value is one of the attributes coming from the SAML assertion.
AUTHENTICATION_POLICY_CONTRACT - The value is one of the attributes coming from an authentication policy contract.
LOCAL_IDENTITY_PROFILE - The value is one of the fields coming from a local identity profile.
CONTEXT - The value must be one of the following [‘TargetResource’ or ‘OAuthScopes’ or ‘ClientId’ or ‘AuthenticationCtx’ or ‘ClientIp’ or ‘Locale’ or ‘StsBasicAuthUsername’ or ‘StsSSLClientCertSubjectDN’ or ‘StsSSLClientCertChain’ or ‘VirtualServerId’ or ‘AuthenticatingAuthority’ or ‘DefaultPersistentGrantLifetime’]
CLAIMS - Attributes provided by the OIDC Provider.
CUSTOM_DATA_STORE - The value is one of the attributes returned by this custom data store.
EXPRESSION - The value is an OGNL expression.
EXTENDED_CLIENT_METADATA - The value is from an OAuth extended client metadata parameter. This source type is deprecated and has been replaced by EXTENDED_PROPERTIES.
EXTENDED_PROPERTIES - The value is from an OAuth Client’s extended property.
IDP_CONNECTION - The value is one of the attributes passed in by the IdP connection.
JDBC_DATA_STORE - The value is one of the column names returned from the JDBC attribute source.
LDAP_DATA_STORE - The value is one of the LDAP attributes supported by your LDAP data store.
MAPPED_ATTRIBUTES - The value is the name of one of the mapped attributes that is defined in the associated attribute mapping.
OAUTH_PERSISTENT_GRANT - The value is one of the attributes from the persistent grant.
PASSWORD_CREDENTIAL_VALIDATOR - The value is one of the attributes of the PCV.
NO_MAPPING - A placeholder value to indicate that an attribute currently has no mapped source.TEXT - A hardcoded value that is used to populate the corresponding attribute.
TOKEN - The value is one of the token attributes.
REQUEST - The value is from the request context such as the CIBA identity hint contract or the request contract for Ws-Trust.
TRACKED_HTTP_PARAMS - The value is from the original request parameters.
SUBJECT_TOKEN - The value is one of the OAuth 2.0 Token exchange subject_token attributes.
ACTOR_TOKEN - The value is one of the OAuth 2.0 Token exchange actor_token attributes.
TOKEN_EXCHANGE_PROCESSOR_POLICY - The value is one of the attributes coming from a Token Exchange Processor policy.

Property Type Description
id string The attribute source ID that refers to the attribute source that this key references. In some resources, the ID is optional and will be ignored. In these cases the ID should be omitted. If the source type is not an attribute source then the ID can be omitted.
type * SourceType The source type of this key.

LdapAttributeSource : AttributeSource - The configured settings used to look up attributes from a LDAP data store.

Property Type Description
attributeContractFulfillment Map[string, AttributeFulfillmentValue] A list of mappings from attribute names to their fulfillment values. This field is only valid for the SP Connection’s Browser SSO mappings
baseDn string The base DN to search from. If not specified, the search will start at the LDAP’s root.
binaryAttributeSettings Map[string, BinaryLdapAttributeSettings] The advanced settings for binary LDAP attributes.
dataStoreRef * ResourceLink Reference to the associated data store.
description string The description of this attribute source. The description needs to be unique amongst the attribute sources for the mapping.
Note: Required for APC-to-SP Adapter Mappings
id string The ID that defines this attribute source. Only alphanumeric characters allowed.
Note: Required for OpenID Connect policy attribute sources, OAuth IdP adapter mappings, OAuth access token mappings and APC-to-SP Adapter Mappings. IdP Connections will ignore this property since it only allows one attribute source to be defined per mapping. IdP-to-SP Adapter Mappings can contain multiple attribute sources.
memberOfNestedGroup boolean Set this to true to return transitive group memberships for the ‘memberOf’ attribute. This only applies for Active Directory data sources. All other data sources will be set to false.
searchFilter * string The LDAP filter that will be used to lookup the objects from the directory.
searchScope * LdapSearchScope Determines the node depth of the query.
type * DataStoreType The data store type of this attribute source.

BinaryLdapAttributeSettings - Binary settings for a LDAP attribute.

Property Type Description
binaryEncoding LdapAttrEncodingType Get the encoding type for this attribute. If not specified, the default is BASE64.

CustomAttributeSource : AttributeSource - The configured settings used to look up attributes from a custom data store.

Property Type Description
attributeContractFulfillment Map[string, AttributeFulfillmentValue] A list of mappings from attribute names to their fulfillment values. This field is only valid for the SP Connection’s Browser SSO mappings
dataStoreRef * ResourceLink Reference to the associated data store.
description string The description of this attribute source. The description needs to be unique amongst the attribute sources for the mapping.
Note: Required for APC-to-SP Adapter Mappings
filterFields array[FieldEntry] The list of fields that can be used to filter a request to the custom data store.
id string The ID that defines this attribute source. Only alphanumeric characters allowed.
Note: Required for OpenID Connect policy attribute sources, OAuth IdP adapter mappings, OAuth access token mappings and APC-to-SP Adapter Mappings. IdP Connections will ignore this property since it only allows one attribute source to be defined per mapping. IdP-to-SP Adapter Mappings can contain multiple attribute sources.
type * DataStoreType The data store type of this attribute source.

FieldEntry - A simple name value pair to represent a field entry.

Property Type Description
name * string The name of this field.
value string The value of this field. Whether or not the value is required will be determined by plugin validation checks.

JdbcAttributeSource : AttributeSource - The configured settings used to look up attributes from a JDBC data store.

Property Type Description
attributeContractFulfillment Map[string, AttributeFulfillmentValue] A list of mappings from attribute names to their fulfillment values. This field is only valid for the SP Connection’s Browser SSO mappings
dataStoreRef * ResourceLink Reference to the associated data store.
description string The description of this attribute source. The description needs to be unique amongst the attribute sources for the mapping.
Note: Required for APC-to-SP Adapter Mappings
filter * string The JDBC WHERE clause used to query your data store to locate a user record.
id string The ID that defines this attribute source. Only alphanumeric characters allowed.
Note: Required for OpenID Connect policy attribute sources, OAuth IdP adapter mappings, OAuth access token mappings and APC-to-SP Adapter Mappings. IdP Connections will ignore this property since it only allows one attribute source to be defined per mapping. IdP-to-SP Adapter Mappings can contain multiple attribute sources.
schema string Lists the table structure that stores information within a database. Some databases, such as Oracle, require a schema for a JDBC query. Other databases, such as MySQL, do not require a schema.
table * string The name of the database table. The name is used to construct the SQL query to retrieve data from the data store.
type * DataStoreType The data store type of this attribute source.

IssuanceCriteria - A list of criteria that determines whether a transaction (usually a SSO transaction) is continued. All criteria must pass in order for the transaction to continue.

Property Type Description
conditionalCriteria array[ConditionalIssuanceCriteriaEntry] A list of conditional issuance criteria where existing attributes must satisfy their conditions against expected values in order for the transaction to continue.
expressionCriteria array[ExpressionIssuanceCriteriaEntry] A list of expression issuance criteria where the OGNL expressions must evaluate to true in order for the transaction to continue.

ConditionalIssuanceCriteriaEntry - An issuance criterion that checks a source attribute against a particular condition and the expected value. If the condition is true then this issuance criterion passes, otherwise the criterion fails.

Property Type Description
attributeName * string The name of the attribute to use in this issuance criterion.
condition * ConditionType The condition that will be applied to the source attribute’s value and the expected value.
errorResult string The error result to return if this issuance criterion fails. This error result will show up in the PingFederate server logs.
source * SourceTypeIdKey The source of the attribute.
value * string The expected value of this issuance criterion.

ExpressionIssuanceCriteriaEntry - An issuance criterion that uses a Boolean return value from an OGNL expression to determine whether or not it passes.

Property Type Description
errorResult string The error result to return if this issuance criterion fails. This error result will show up in the PingFederate server logs.
expression * string The OGNL expression to evaluate.

IdpAdapterAttributeContract - A set of attributes exposed by an IdP adapter.

Property Type Description
coreAttributes * array[IdpAdapterAttribute] A list of IdP adapter attributes that correspond to the attributes exposed by the IdP adapter type.
extendedAttributes array[IdpAdapterAttribute] A list of additional attributes that can be returned by the IdP adapter. The extended attributes are only used if the adapter supports them.
inherited boolean Whether this attribute contract is inherited from its parent instance. If true, the rest of the properties in this model become read-only. The default value is false.
maskOgnlValues boolean Whether or not all OGNL expressions used to fulfill an outgoing assertion contract should be masked in the logs. Defaults to false.

IdpAdapterAttribute - An attribute for the IdP adapter attribute contract.

Property Type Description
masked boolean Specifies whether this attribute is masked in PingFederate logs. Defaults to false.
name * string The name of this attribute.
pseudonym boolean Specifies whether this attribute is used to construct a pseudonym for the SP. Defaults to false.

AuthenticationPolicyContractAssertionMapping - The Authentication Policy Contract Assertion Mapping.

Property Type Description
abortSsoTransactionAsFailSafe boolean If set to true, SSO transaction will be aborted as a fail-safe when the data-store’s attribute mappings fail to complete the attribute contract. Otherwise, the attribute contract with default values is used. By default, this value is false.
attributeContractFulfillment * Map[string, AttributeFulfillmentValue] A list of mappings from attribute names to their fulfillment values.
attributeSources array[AttributeSource] A list of configured data stores to look up attributes from.
authenticationPolicyContractRef * ResourceLink Reference to the associated Authentication Policy Contract.
issuanceCriteria IssuanceCriteria The issuance criteria that this transaction must meet before the corresponding attribute contract is fulfilled.
restrictVirtualEntityIds boolean Restricts this mapping to specific virtual entity IDs.
restrictedVirtualEntityIds array[string] The list of virtual server IDs that this mapping is restricted to.

ProtocolMessageCustomization - The message customization that will be executed on outgoing PingFederate messages.

Property Type Description
contextName string The context in which the customization will be applied. Depending on the connection type and protocol, this can either be ‘assertion’, ‘authn-response’ or ‘authn-request’.
messageExpression string The OGNL expression that will be executed. Refer to the Admin Manual for a list of variables provided by PingFederate.

AssertionLifetime - The timeframe of validity before and after the issuance of the assertion.

Property Type Description
minutesAfter * integer Assertion validity in minutes after the assertion issuance.
minutesBefore * integer Assertion validity in minutes before the assertion issuance.

SpAttributeQuery - The attribute query profile supports SPs in requesting user attributes.

Property Type Description
attributeContractFulfillment * Map[string, AttributeFulfillmentValue] A list of mappings from attribute names to their fulfillment values.
attributeSources * array[AttributeSource] A list of configured data stores to look up attributes from.
attributes * array[string] The list of attributes that may be returned to the SP in the response to an attribute request.
issuanceCriteria IssuanceCriteria The issuance criteria that this transaction must meet before the corresponding attribute contract is fulfilled.
policy SpAttributeQueryPolicy The attribute query profile’s security policy.

SpAttributeQueryPolicy - The attribute query profile’s security policy.

Property Type Description
encryptAssertion boolean Encrypt the assertion.
requireEncryptedNameId boolean Require an encrypted name identifier.
requireSignedAttributeQuery boolean Require signed attribute query.
signAssertion boolean Sign the assertion.
signResponse boolean Sign the response.

SpWsTrust - Ws-Trust STS provides security-token validation and creation to extend SSO access to identity-enabled Web Services

Property Type Description
abortIfNotFulfilledFromRequest boolean If the attribute contract cannot be fulfilled using data from the Request, abort the transaction.
attributeContract * SpWsTrustAttributeContract A set of user attributes that the IdP sends in the token.
defaultTokenType SamlTokenType The default token type when a web service client (WSC) does not specify in the token request which token type the STS should issue. Defaults to SAML 2.0.
encryptSaml2Assertion boolean When selected, the STS encrypts the SAML 2.0 assertion. Applicable only to SAML 2.0 security token. This option does not apply to OAuth assertion profiles.
generateKey boolean When selected, the STS generates a symmetric key to be used in conjunction with the “Holder of Key” (HoK) designation for the assertion’s Subject Confirmation Method. This option does not apply to OAuth assertion profiles.
messageCustomizations array[ProtocolMessageCustomization] The message customizations for WS-Trust. Depending on server settings, connection type, and protocol this may or may not be supported.
minutesAfter integer The amount of time after the SAML token was issued during which it is to be considered valid. The default value is 30.
minutesBefore integer The amount of time before the SAML token was issued during which it is to be considered valid. The default value is 5.
oAuthAssertionProfiles boolean When selected, four additional token-type requests become available.
partnerServiceIds * array[string] The partner service identifiers.
requestContractRef ResourceLink Request Contract to be used to map attribute values into the security token.
tokenProcessorMappings * array[IdpTokenProcessorMapping] A list of token processors to validate incoming tokens.

SpWsTrustAttributeContract - A set of user attributes that this server will send in the token.

Property Type Description
coreAttributes array[SpWsTrustAttribute] A list of read-only assertion attributes that are automatically populated by PingFederate.
extendedAttributes array[SpWsTrustAttribute] A list of additional attributes that are added to the outgoing assertion.

SpWsTrustAttribute - An attribute for the Ws-Trust attribute contract.

Property Type Description
name * string The name of this attribute.
namespace * string The attribute namespace. This is required when the Default Token Type is SAML2.0 or SAML1.1 or SAML1.1 for Office 365.

IdpTokenProcessorMapping - The IdP Token Processor Mapping.

Property Type Description
attributeContractFulfillment * Map[string, AttributeFulfillmentValue] A list of mappings from attribute names to their fulfillment values.
attributeSources array[AttributeSource] A list of configured data stores to look up attributes from.
idpTokenProcessorRef * ResourceLink Reference to the associated token processor.
issuanceCriteria IssuanceCriteria The issuance criteria that this transaction must meet before the corresponding attribute contract is fulfilled.
restrictedVirtualEntityIds array[string] The list of virtual server IDs that this mapping is restricted to.

ConnectionMetadataUrl - Configuration settings to enable automatic reload of partner’s metadata.

Property Type Description
enableAutoMetadataUpdate boolean Specifies whether the metadata of the connection will be automatically reloaded. The default value is true.
metadataUrlRef * ResourceLink ID of the saved Metadata URL.

ConnectionCredentials - The certificates and settings for encryption, signing, and signature verification.

Property Type Description
blockEncryptionAlgorithm string The algorithm used to encrypt assertions sent to this partner. AES_128, AES_256 and Triple_DES are also supported. Default is AES_128
certs array[ConnectionCert] The certificates used for signature verification and XML encryption.
decryptionKeyPairRef ResourceLink The ID of the primary key pair used to decrypt message content received from this partner. The ID of the key pair is also known as the alias and can be found by viewing the corresponding certificate under ‘Signing & Decryption Keys & Certificates’ in the PingFederate Administrative Console.
inboundBackChannelAuth InboundBackChannelAuth The SOAP authentication method(s) to use when you receive a message using SOAP back channel.
keyTransportAlgorithm string The algorithm used to transport keys to this partner. RSA_OAEP and RSA_v15 are supported. Default is RSA_OAEP
outboundBackChannelAuth OutboundBackChannelAuth The SOAP authentication method(s) to use when you send a message using SOAP back channel.
secondaryDecryptionKeyPairRef ResourceLink The ID of the secondary key pair used to decrypt message content received from this partner.
signingSettings SigningSettings Settings related to the manner in which messages sent to the partner are digitally signed. Required for SP Connections.
verificationIssuerDN string If a verification Subject DN is provided, you can optionally restrict the issuer to a specific trusted CA by specifying its DN in this field.
verificationSubjectDN string If this property is set, the verification trust model is Anchored. The verification certificate must be signed by a trusted CA and included in the incoming message, and the subject DN of the expected certificate is specified in this property. If this property is not set, then a primary verification certificate must be specified in the certs array.

ConnectionCert - A certificate used for signature verification or XML encryption.

Property Type Description
activeVerificationCert boolean Indicates whether this is an active signature verification certificate.
certView CertView Certificate details. This property is read-only and is always ignored on a POST or PUT.
encryptionCert boolean Indicates whether to use this cert to encrypt outgoing assertions. Only one certificate in the collection can have this flag set.
primaryVerificationCert boolean Indicates whether this is the primary signature verification certificate. Only one certificate in the collection can have this flag set.
secondaryVerificationCert boolean Indicates whether this is the secondary signature verification certificate. Only one certificate in the collection can have this flag set.
x509File * X509File The certificate data. This property must always be supplied on a POST or PUT.

CertView - Certificate details.

Property Type Description
cryptoProvider CryptoProvider Cryptographic Provider. This is only applicable if Hybrid HSM mode is true.
expires string The end date up until which the item is valid, in ISO 8601 format (UTC).
id string The persistent, unique ID for the certificate.
issuerDN string The issuer’s distinguished name.
keyAlgorithm string The public key algorithm.
keySize integer The public key size.
serialNumber string The serial number assigned by the CA.
sha1Fingerprint string SHA-1 fingerprint in Hex encoding.
sha256Fingerprint string SHA-256 fingerprint in Hex encoding.
signatureAlgorithm string The signature algorithm.
status CertificateValidity Status of the item.
subjectAlternativeNames array[string] The subject alternative names (SAN).
subjectDN string The subject’s distinguished name.
validFrom string The start date from which the item is valid, in ISO 8601 format (UTC).
version integer The X.509 version to which the item conforms.

X509File - Encoded certificate data.

Property Type Description
cryptoProvider CryptoProvider Cryptographic Provider. This is only applicable if Hybrid HSM mode is true.
fileData * string The certificate data in PEM format. New line characters should be omitted or encoded in this value.
id string The persistent, unique ID for the certificate. It can be any combination of [a-z0-9._-]. This property is system-assigned if not specified.

SigningSettings - Settings related to signing messages sent to this partner.

Property Type Description
algorithm string The algorithm used to sign messages sent to this partner. The default is SHA1withDSA for DSA certs, SHA256withRSA for RSA certs, and SHA256withECDSA for EC certs. For RSA certs, SHA1withRSA, SHA384withRSA, and SHA512withRSA are also supported. For EC certs, SHA384withECDSA and SHA512withECDSA are also supported. If the connection is WS-Federation with JWT token type, then the possible values are RSA SHA256, RSA SHA384, RSA SHA512, ECDSA SHA256, ECDSA SHA384, ECDSA SHA512
includeCertInSignature boolean Determines whether the signing certificate is included in the signature element.
includeRawKeyInSignature boolean Determines whether the element with the raw public key is included in the signature element.
signingKeyPairRef * ResourceLink The ID of the key pair used to sign messages sent to this partner. The ID of the key pair is also known as the alias and can be found by viewing the corresponding certificate under ‘Signing & Decryption Keys & Certificates’ in the PingFederate admin console.

OutboundBackChannelAuth : BackChannelAuth -

Property Type Description
digitalSignature boolean If incoming or outgoing messages must be signed.
httpBasicCredentials UsernamePasswordCredentials The credentials to use when you authenticate with the SOAP endpoint.
sslAuthKeyPairRef ResourceLink The ID of the key pair used to authenticate with your partner’s SOAP endpoint. The ID of the key pair is also known as the alias and can be found by viewing the corresponding certificate under ‘SSL Server Certificates’ in the PingFederate Administrative Console.
type BackChannelAuthType [“INBOUND” or “OUTBOUND”]
validatePartnerCert boolean Validate the partner server certificate. Default is true.

UsernamePasswordCredentials - Username and password credentials.

Property Type Description
encryptedPassword string For GET requests, this field contains the encrypted password, if one exists. For POST and PUT requests, if you wish to reuse the existing password, this field should be passed back unchanged.
password string User password. To update the password, specify the plaintext value in this field. This field will not be populated for GET requests.
username string The username.

InboundBackChannelAuth : BackChannelAuth -

Property Type Description
certs array[ConnectionCert] The certificate used for signature verification and XML encryption.
digitalSignature boolean If incoming or outgoing messages must be signed.
httpBasicCredentials UsernamePasswordCredentials The credentials to use when you authenticate with the SOAP endpoint.
requireSsl boolean Incoming HTTP transmissions must use a secure channel.
type BackChannelAuthType [“INBOUND” or “OUTBOUND”]
verificationIssuerDN string If a verification Subject DN is provided, you can optionally restrict the issuer to a specific trusted CA by specifying its DN in this field.
verificationSubjectDN string If this property is set, the verification trust model is Anchored. The verification certificate must be signed by a trusted CA and included in the incoming message, and the subject DN of the expected certificate is specified in this property. If this property is not set, then a primary verification certificate must be specified in the certs array.

ContactInfo - Contact information.

Property Type Description
company string Company name.
email string Contact email address.
firstName string Contact first name.
lastName string Contact last name.
phone string Contact phone number.

AdditionalAllowedEntitiesConfiguration - Additional allowed entities or issuers configuration. Currently only used in OIDC IdP (RP) connection.

Property Type Description
additionalAllowedEntities array[Entity] An array of additional allowed entities or issuers to be accepted during entity or issuer validation.
allowAdditionalEntities boolean Set to true to configure additional entities or issuers to be accepted during entity or issuer validation.
allowAllEntities boolean Set to true to accept any entity or issuer during entity or issuer validation. (Not Recommended)

Entity

Property Type Description
entityDescription string Entity description.
entityId string Unique entity identifier.

ParameterValues - Parameter Values.

Property Type Description
values array[string] A List of values

OutboundProvision - Outbound Provisioning allows an IdP to create and maintain user accounts at standards-based partner sites using SCIM as well as select-proprietary provisioning partner sites that are protocol-enabled.

Property Type Description
channels * array[Channel] Includes settings of a source data store, managing provisioning threads and mapping of attributes.
customSchema Schema Custom SCIM attribute configuration.
targetSettings * array[ConfigField] Configuration fields that includes credentials to target SaaS application.
type * string The SaaS plugin type.

Schema - Custom SCIM Attributes configuration.

Property Type Description
attributes array[SchemaAttribute]
namespace string

SchemaAttribute - A custom SCIM attribute.

Property Type Description
multiValued boolean Indicates whether the attribute is multi-valued.
name string Name of the attribute.
subAttributes array[string] List of sub-attributes for an attribute.
types array[string] Represents the name of each attribute type in case of multi-valued attribute.

Channel - A channel is a combination of a source data store and a provisioning target. It include settings of a source data store, managing provisioning threads and mapping of attributes.

Property Type Description
active * boolean Indicates whether the channel is the active channel for this connection.
attributeMapping * array[SaasAttributeMapping] The mapping of attributes from the local data store into Fields specified by the service provider.
channelSource * ChannelSource The LDAP settings that apply to the source user-data store.
maxThreads * integer The number of processing threads. The default value is 1.
name * string The name of the channel.
timeout * integer Timeout is the number of seconds that can be adjusted if more time is needed for provisioning a large amount of data. It is applicable when the number of processing thread is more than 1. The default value is 60.

ChannelSource - The source data source and LDAP settings.

Property Type Description
accountManagementSettings * AccountManagementSettings Account management settings that includes the status and algorithms.
baseDn * string The base DN where the user records are located.
changeDetectionSettings * ChangeDetectionSettings Settings to detect a during provisioning.
dataSource * ResourceLink Reference to an LDAP datastore.
groupMembershipDetection * GroupMembershipDetection Settings to detect group memberships.
groupSourceLocation ChannelSourceLocation The group provisioning source location settings.
guidAttributeName * string the GUID attribute name.
guidBinary * boolean Indicates whether the GUID is stored in binary format.
userSourceLocation * ChannelSourceLocation The user provisioning source location settings.

ChangeDetectionSettings - Setting to detect changes to a user or a group.

Property Type Description
changedUsersAlgorithm * SaasChangedUsersAlgorithm The changed user algorithm.

ACTIVE_DIRECTORY_USN - For Active Directory only, this algorithm queries for update sequence numbers on user records that are larger than the last time records were checked. TIMESTAMP - Queries for timestamps on user records that are not older than the last time records were checked. This check is more efficient from the point of view of the PingFederate provisioner but can be more time consuming on the LDAP side, particularly with the Oracle Directory Server. TIMESTAMP_NO_NEGATION - Queries for timestamps on user records that are newer than the last time records were checked. This algorithm is recommended for the Oracle Directory Server.| |groupObjectClass *|string|The group object class.| |timeStampAttributeName *|string|The timestamp attribute name.| |userObjectClass *|string|The user object class.| |usnAttributeName|string|The USN attribute name.|

GroupMembershipDetection - Settings to detect group memberships.

Property Type Description
groupMemberAttributeName * string The name of the attribute that represents group members in a group, also known as group member attribute.
memberOfGroupAttributeName string The name of the attribute that indicates the entity is a member of a group, also known as member of attribute.

AccountManagementSettings - Account management settings.

Property Type Description
accountStatusAlgorithm * SaasAccountStatusAlgorithm The account status algorithm name.

ACCOUNT_STATUS_ALGORITHM_AD - Algorithm name for Active Directory, which uses a bitmap for each user entry. ACCOUNT_STATUS_ALGORITHM_FLAG - Algorithm name for Oracle Directory Server and other LDAP directories that use a separate attribute to store the user’s status. When this option is selected, the Flag Comparison Value and Flag Comparison Status fields should be used.| |accountStatusAttributeName *|string|The account status attribute name.| |defaultStatus|boolean|The default status of the account.| |flagComparisonStatus|boolean|The flag that represents comparison status.| |flagComparisonValue|string|The flag that represents comparison value.|

ChannelSourceLocation - The location settings that includes a DN and a LDAP filter.

Property Type Description
filter string An LDAP filter.
groupDN string The group DN for users or groups.
nestedSearch boolean Indicates whether the search is nested.

SaasAttributeMapping - Settings to map the source record attributes to target attributes.

Property Type Description
fieldName * string The name of target field.
saasFieldInfo * SaasFieldConfiguration The settings that represent how attribute values from source data store will be mapped into Fields specified by the service provider.

SaasFieldConfiguration - The settings that represent how attribute values from source data store will be mapped into Fields specified by the service provider.

Property Type Description
attributeNames array[string] The list of source attribute names used to generate or map to a target field
characterCase CharacterCase The character case of the field value.
createOnly boolean Indicates whether this field is a create only field and cannot be updated.
defaultValue string The default value for the target field
expression string An OGNL expression to obtain a value.
masked boolean Indicates whether the attribute should be masked in server logs.
parser SaasFieldParsing Indicates how the field shall be parsed.
trim boolean Indicates whether field should be trimmed before provisioning.