Use the GET /idp/spConnections endpoint to list all the WS-Fed, WS-Trust, SAML 1.0, SAML 1.1 and SAML 2.0 service provider connections.
Parameter | Value | Description |
---|---|---|
entityId | string | Entity ID of the connection to fetch. (case-sensitive) |
page | integer | Page number to retrieve. |
numberPerPage | integer | Number of connections per page. |
filter | string | Filter criteria that limit the returned SP connections to those matching it. The filter is compared against the SP connection name and partner entity ID fields; the comparison is a case-insensitive partial match. No additional pattern-based matching is supported. |
Code | Reason |
---|---|
200 | Success. |
403 | PingFederate does not have its IdP role enabled. Operation not available. |
422 | Validation error(s) occurred. |
SpConnections
- A collection of SP connections.
Property | Type | Description |
---|---|---|
items | array[SpConnection] | The actual list of connections. |
SpConnection : Connection
- The set of attributes used to configure an SP connection.
Property | Type | Description |
---|---|---|
active | boolean | Specifies whether the connection is active and ready to process incoming requests. The default value is false. |
additionalAllowedEntitiesConfiguration | AdditionalAllowedEntitiesConfiguration | Additional allowed entities or issuers configuration. Currently only used in OIDC IdP (RP) connection. |
applicationIconUrl | string | The application icon url. |
applicationName | string | The application name. |
attributeQuery | SpAttributeQuery | The attribute query settings for supporting SPs in requesting user attributes. |
baseUrl | string | The fully-qualified hostname and port on which your partner’s federation deployment runs. |
contactInfo | ContactInfo | The contact information for this partner. |
credentials | ConnectionCredentials | The certificates and settings for encryption, signing, and signature verification. It is required for SAMLx.x and WS-Fed Connections. |
defaultVirtualEntityId | string | The default alternate entity ID that identifies the local server to this partner. It is required when virtualEntityIds is not empty and must be included in that list. |
entityId * | string | The partner’s entity ID (connection ID) or issuer value (for OIDC Connections). |
extendedProperties | Map[string, ParameterValues] | Extended properties allow additional information to be stored for IdP/SP connections. The names of these extended properties should be defined in /extendedProperties. |
id | string | The persistent, unique ID for the connection. It can be any combination of [a-zA-Z0-9._-]. This property is system-assigned if not specified. |
licenseConnectionGroup | string | The license connection group. If your PingFederate license is based on connection groups, each connection must be assigned to a group before it can be used. |
loggingMode | LoggingMode | The level of transaction logging applicable for this connection. Default is STANDARD. |
metadataReloadSettings | ConnectionMetadataUrl | Connection metadata automatic reload settings. |
name * | string | The connection name. |
outboundProvision | OutboundProvision | The Outbound Provision settings. |
spBrowserSso | SpBrowserSso | The browser-based SSO settings used to communicate with your SP. |
type * | ConnectionType | The type of this connection. This must be set to ‘SP’. |
virtualEntityIds | array[string] | List of alternate entity IDs that identify the local server to this partner. |
wsTrust | SpWsTrust | The Ws-Trust settings. |
SpBrowserSso
- The SAML settings used to enable secure browser-based SSO to resources at your partner’s site.
Property | Type | Description |
---|---|---|
adapterMappings * | array[IdpAdapterAssertionMapping] | A list of adapters that map to outgoing assertions. |
artifact | ArtifactSettings | The settings for an artifact binding. |
assertionLifetime * | AssertionLifetime | The timeframe of validity before and after the issuance of the assertion. |
attributeContract * | SpBrowserSsoAttributeContract | A set of user attributes that the IdP sends in the SAML assertion. |
authenticationPolicyContractAssertionMappings | array[AuthenticationPolicyContractAssertionMapping] | A list of authentication policy contracts that map to outgoing assertions. |
defaultTargetUrl | string | Default Target URL for SAML1.x connections. For SP connections, this default URL represents the destination on the SP where the user will be directed. For IdP connections, entering a URL in the Default Target URL field overrides the SP Default URL SSO setting. |
enabledProfiles | Set[Profile] | The profiles that are enabled for browser-based SSO. SAML 2.0 supports all profiles whereas SAML 1.x IdP connections support both IdP and SP (non-standard) initiated SSO. This is required for SAMLx.x Connections. |
encryptionPolicy * | EncryptionPolicy | The SAML 2.0 encryption policy for browser-based SSO. Required for SAML 2.0 connections. |
incomingBindings | Set[Binding] | The SAML bindings that are enabled for browser-based SSO. This is required for SAML 2.0 connections. For SAML 1.x based connections, it is not used for SP Connections and it is optional for IdP Connections. |
messageCustomizations | array[ProtocolMessageCustomization] | The message customizations for browser-based SSO. Depending on server settings, connection type, and protocol this may or may not be supported. |
protocol * | Protocol | The browser-based SSO protocol to use. |
requireSignedAuthnRequests | boolean | Require AuthN requests to be signed when received via the POST or Redirect bindings. |
signAssertions | boolean | Always sign the SAML Assertion. |
signResponseAsRequired | boolean | Sign SAML Response as required by the associated binding and encryption policy. Applicable to SAML2.0 only and is defaulted to true. It can be set to false only on SAML2.0 connections when signAssertions is set to true. |
sloServiceEndpoints | array[SloServiceEndpoint] | A list of possible endpoints to send SLO requests and responses. |
spSamlIdentityMapping | SpSamlIdentityMapping | Process in which users authenticated by the IdP are associated with user accounts local to the SP. |
spWsFedIdentityMapping | SpWsFedIdentityMapping | Process in which users authenticated by the IdP are associated with user accounts local to the SP for WS-Federation connection types. |
ssoServiceEndpoints * | array[SpSsoServiceEndpoint] | A list of possible endpoints to send assertions to. |
urlWhitelistEntries | array[UrlWhitelistEntry] | For WS-Federation connections, a whitelist of additional allowed domains and paths used to validate wreply for SLO, if enabled. |
wsFedTokenType | WsFedTokenType | The WS-Federation Token Type to use. |
wsTrustVersion | WsTrustVersion | The WS-Trust version for a WS-Federation connection. The default version is WSTRUST12. |
UrlWhitelistEntry
- URL domain and path used as a whitelist entry in a WS-Federation connection.
Property | Type | Description |
---|---|---|
allowQueryAndFragment | boolean | Allow Any Query/Fragment |
requireHttps | boolean | Require HTTPS |
validDomain | string | Valid Domain Name (leading wildcard ‘*.’ allowed) |
validPath | string | Valid Path (leave blank to allow any path) |
ArtifactSettings
- The settings for an Artifact binding.
Property | Type | Description |
---|---|---|
lifetime * | integer | The lifetime of the artifact in seconds. |
resolverLocations * | array[ArtifactResolverLocation] | Remote party URLs that you will use to resolve/translate the artifact and get the actual protocol message |
sourceId | string | Source ID for SAML1.x connections |
ArtifactResolverLocation
- The remote party URLs to resolve the artifact.
Property | Type | Description |
---|---|---|
index * | integer | The priority of the endpoint. |
url * | string | Remote party URLs that you will use to resolve/translate the artifact and get the actual protocol message |
SloServiceEndpoint
- Where SLO logout messages are sent. Only applicable for SAML 2.0.
Property | Type | Description |
---|---|---|
binding * | Binding | The binding of this endpoint, if applicable - usually only required for SAML 2.0 endpoints. |
responseUrl | string | The absolute or relative URL to which logout responses are sent. A relative URL can be specified if a base URL for the connection has been defined. |
url * | string | The absolute or relative URL of the endpoint. A relative URL can be specified if a base URL for the connection has been defined. |
SpSsoServiceEndpoint
- The settings that define a service endpoint to a SP SSO service.
Property | Type | Description |
---|---|---|
binding * | Binding | The binding of this endpoint, if applicable - usually only required for SAML 2.0 endpoints. Supported bindings are Artifact and POST. |
index * | integer | The priority of the endpoint. |
isDefault | boolean | Whether or not this endpoint is the default endpoint. Defaults to false. |
url * | string | The absolute or relative URL of the endpoint. A relative URL can be specified if a base URL for the connection has been defined. |
EncryptionPolicy
- Defines what to encrypt in the browser-based SSO profile.
Property | Type | Description |
---|---|---|
encryptAssertion | boolean | Whether the outgoing SAML assertion will be encrypted. |
encryptSloSubjectNameId | boolean | Encrypt the name-identifier attribute in outbound SLO messages. This can be set if the name id is encrypted. |
encryptedAttributes | array[string] | The list of outgoing SAML assertion attributes that will be encrypted. The ‘encryptAssertion’ property takes precedence over this. |
sloSubjectNameIDEncrypted | boolean | Allow the encryption of the name-identifier attribute for inbound SLO messages. This can be set if SP initiated SLO is enabled. |
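As an added example (not PingFederate's own code), the script below builds the GET /idp/spConnections request from the query parameters above and audits each returned SpConnection for weak browser SSO settings: unsigned AuthnRequests, neither assertion nor response signing, cleartext assertions, SSO endpoints that do not resolve to HTTPS once joined with baseUrl, and over-broad wreply whitelist entries. The admin base path, Basic authentication, the X-XSRF-Header header and the protocol values SAML20/WSFED are assumptions; the sample response is constructed.

```python
"""Audit PingFederate SP connections as returned by GET /idp/spConnections.
Added example, not PingFederate's own code. The admin base path, Basic auth
and the X-XSRF-Header header are assumptions about the admin API; the sample
response is constructed in the SpConnections shape described on this page.
"""
import json
import urllib.parse
import urllib.request
from base64 import b64encode

# Constructed sample: an SpConnections object with three SpConnection items.
SAMPLE_RESPONSE = {"items": [
    {   # hardened SAML 2.0 connection: nothing to report
        "id": "spconn1", "type": "SP", "name": "Payroll SP", "active": True,
        "entityId": "https://payroll.example.test/saml",
        "baseUrl": "https://payroll.example.test",
        "spBrowserSso": {
            "protocol": "SAML20", "requireSignedAuthnRequests": True,
            "signAssertions": True, "signResponseAsRequired": True,
            "encryptionPolicy": {"encryptAssertion": True, "encryptedAttributes": []},
            "ssoServiceEndpoints": [
                {"binding": "POST", "index": 0, "isDefault": True, "url": "/saml/acs"}],
        },
    },
    {   # legacy SAML 2.0 connection with weak settings
        "id": "spconn2", "type": "SP", "name": "Legacy Reporting", "active": True,
        "entityId": "urn:legacy:reports", "baseUrl": "http://reports.example.test",
        "spBrowserSso": {
            "protocol": "SAML20", "requireSignedAuthnRequests": False,
            "signAssertions": False, "signResponseAsRequired": False,
            "encryptionPolicy": {"encryptAssertion": False, "encryptedAttributes": []},
            "ssoServiceEndpoints": [{"binding": "POST", "index": 0, "url": "/saml/acs"}],
        },
    },
    {   # WS-Federation connection with an over-broad wreply whitelist
        "id": "spconn3", "type": "SP", "name": "Intranet Portal", "active": True,
        "entityId": "urn:intranet:portal",
        "spBrowserSso": {
            "protocol": "WSFED",
            "ssoServiceEndpoints": [{"index": 0, "url": "https://portal.example.test/wsfed"}],
            "urlWhitelistEntries": [{"validDomain": "*.example.test", "validPath": "",
                                     "requireHttps": False, "allowQueryAndFragment": True}],
        },
    },
]}


def build_list_url(admin_base, page=None, number_per_page=None, filter_text=None):
    """Build the GET /idp/spConnections URL from the query parameters on this page."""
    params = [("page", page), ("numberPerPage", number_per_page), ("filter", filter_text)]
    query = urllib.parse.urlencode([(k, v) for k, v in params if v is not None])
    return admin_base.rstrip("/") + "/idp/spConnections" + ("?" + query if query else "")


def list_sp_connections(admin_base, username, password, **query):
    """Fetch one page of SP connections (network call; not exercised offline)."""
    req = urllib.request.Request(build_list_url(admin_base, **query))
    token = b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("X-XSRF-Header", "PingFederate")  # assumed admin-API CSRF guard
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit_connection(conn):
    """Return (severity, message) findings for one SpConnection."""
    findings = []
    sso = conn.get("spBrowserSso") or {}
    if str(sso.get("protocol", "")).startswith("SAML"):
        # AuthnRequests over the POST/Redirect bindings are accepted unsigned
        if not sso.get("requireSignedAuthnRequests", False):
            findings.append(("medium", "requireSignedAuthnRequests is false"))
        # signResponseAsRequired defaults to true and may only be false when signAssertions is true
        if not sso.get("signAssertions", False) and not sso.get("signResponseAsRequired", True):
            findings.append(("high", "neither assertion nor response signing is enabled"))
        enc = sso.get("encryptionPolicy") or {}
        if not enc.get("encryptAssertion", False) and not enc.get("encryptedAttributes"):
            findings.append(("info", "assertion and attributes are sent unencrypted"))
    # relative endpoint URLs resolve against baseUrl, so check the resolved scheme
    for ep in sso.get("ssoServiceEndpoints", []):
        resolved = urllib.parse.urljoin(conn.get("baseUrl", ""), ep.get("url", ""))
        if urllib.parse.urlsplit(resolved).scheme != "https":
            findings.append(("high", f"SSO endpoint is not https: {resolved}"))
    for entry in sso.get("urlWhitelistEntries", []):
        weak = []
        if not entry.get("requireHttps", False):
            weak.append("requireHttps=false")
        if entry.get("validDomain", "").startswith("*.") and not entry.get("validPath"):
            weak.append("wildcard domain with any path")
        if entry.get("allowQueryAndFragment", False):
            weak.append("any query/fragment allowed")
        if weak:
            findings.append(("medium", f"broad wreply whitelist {entry.get('validDomain')}: " + ", ".join(weak)))
    return findings


def audit_response(response):
    """Map each connection id in an SpConnections response to its findings."""
    return {conn["id"]: audit_connection(conn) for conn in response.get("items", [])}
```

Against a live server, pass the result of `list_sp_connections(...)` to `audit_response` and page through with `page`/`numberPerPage` until `items` comes back empty.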
SpBrowserSsoAttributeContract
- A set of user attributes that the IdP sends in the SAML assertion.
Property | Type | Description |
---|---|---|
coreAttributes | array[SpBrowserSsoAttribute] | A list of read-only assertion attributes (for example, SAML_SUBJECT) that are automatically populated by PingFederate. |
extendedAttributes | array[SpBrowserSsoAttribute] | A list of additional attributes that are added to the outgoing assertion. |
SpBrowserSsoAttribute
- An attribute for the SP Browser SSO attribute contract.
Property | Type | Description |
---|---|---|
name * | string | The name of this attribute. |
nameFormat * | string | The SAML Name Format for the attribute. |
IdpAdapterAssertionMapping
- The IdP Adapter Assertion Mapping.
Property | Type | Description |
---|---|---|
abortSsoTransactionAsFailSafe | boolean | If set to true, the SSO transaction will be aborted as a fail-safe when the data store's attribute mappings fail to complete the attribute contract. Otherwise, the attribute contract with default values is used. By default, this value is false. |
adapterOverrideSettings | IdpAdapter | Connection specific configuration overrides for the mapped adapter instance. |
attributeContractFulfillment * | Map[string, AttributeFulfillmentValue] | A list of mappings from attribute names to their fulfillment values. |
attributeSources | array[AttributeSource] | A list of configured data stores to look up attributes from. |
idpAdapterRef * | ResourceLink | Reference to the associated IdP adapter. Note: This is ignored if adapter overrides for this mapping exist. In this case, the override's parent adapter reference is used. |
issuanceCriteria | IssuanceCriteria | The issuance criteria that this transaction must meet before the corresponding attribute contract is fulfilled. |
restrictVirtualEntityIds | boolean | Restricts this mapping to specific virtual entity IDs. |
restrictedVirtualEntityIds | array[string] | The list of virtual server IDs that this mapping is restricted to. |
ResourceLink
- A reference to a resource.
Property | Type | Description |
---|---|---|
id * | string | The ID of the resource. |
location | string | A read-only URL that references the resource. If the resource is not currently URL-accessible, this property will be null. |
IdpAdapter
- An IdP adapter instance.
Property | Type | Description |
---|---|---|
attributeContract | IdpAdapterAttributeContract | The list of attributes that the IdP adapter provides. |
attributeMapping | IdpAdapterContractMapping | The attributes mapping from attribute sources to attribute targets. |
authnCtxClassRef | string | The fixed value that indicates how the user was authenticated. |
configuration * | PluginConfiguration | Plugin instance configuration. |
id * | string | The ID of the plugin instance. The ID cannot be modified once the instance is created. Note: Ignored when specifying a connection’s adapter override. |
name * | string | The plugin instance name. The name cannot be modified once the instance is created. Note: Ignored when specifying a connection’s adapter override. |
parentRef | ResourceLink | The reference to this plugin’s parent instance. The parent reference is only accepted if the plugin type supports parent instances. Note: This parent reference is required if this plugin instance is used as an overriding plugin (e.g. connection adapter overrides) |
pluginDescriptorRef * | ResourceLink | Reference to the plugin descriptor for this instance. The plugin descriptor cannot be modified once the instance is created. Note: Ignored when specifying a connection’s adapter override. |
PluginConfiguration
- Configuration settings for a plugin instance.
Property | Type | Description |
---|---|---|
fields | array[ConfigField] | List of configuration fields. |
tables | array[ConfigTable] | List of configuration tables. |
ConfigTable
- A plugin configuration table populated with values.
Property | Type | Description |
---|---|---|
inherited | boolean | Whether this table is inherited from its parent instance. If true, the rows become read-only. The default value is false. |
name * | string | The name of the table. |
rows | array[ConfigRow] | List of table rows. |
ConfigRow
- A row of configuration values for a plugin configuration table.
Property | Type | Description |
---|---|---|
defaultRow | boolean | Whether this row is the default. |
fields * | array[ConfigField] | The configuration fields in the row. |
ConfigField
- A plugin configuration field value.
Property | Type | Description |
---|---|---|
encryptedValue | string | For encrypted or hashed fields, this attribute contains the encrypted representation of the field’s value, if a value is defined. If you do not want to update the stored value, this attribute should be passed back unchanged. |
inherited | boolean | Whether this field is inherited from its parent instance. If true, the value/encrypted value properties become read-only. The default value is false. |
name * | string | The name of the configuration field. |
value | string | The value for the configuration field. For encrypted or hashed fields, GETs will not return this attribute. To update an encrypted or hashed field, specify the new value in this attribute. |
IdpAdapterContractMapping
-
Property | Type | Description |
---|---|---|
attributeContractFulfillment * | Map[string, AttributeFulfillmentValue] | A list of mappings from attribute names to their fulfillment values. |
attributeSources | array[AttributeSource] | A list of configured data stores to look up attributes from. |
inherited | boolean | Whether this attribute mapping is inherited from its parent instance. If true, the rest of the properties in this model become read-only. The default value is false. |
issuanceCriteria | IssuanceCriteria | The issuance criteria that this transaction must meet before the corresponding attribute contract is fulfilled. |
AttributeSource
- The configured settings to look up attributes from an associated data store.
Property | Type | Description |
---|---|---|
attributeContractFulfillment | Map[string, AttributeFulfillmentValue] | A list of mappings from attribute names to their fulfillment values. This field is only valid for the SP Connection’s Browser SSO mappings |
dataStoreRef * | ResourceLink | Reference to the associated data store. |
description | string | The description of this attribute source. The description needs to be unique amongst the attribute sources for the mapping. Note: Required for APC-to-SP Adapter Mappings |
id | string | The ID that defines this attribute source. Only alphanumeric characters allowed. Note: Required for OpenID Connect policy attribute sources, OAuth IdP adapter mappings, OAuth access token mappings and APC-to-SP Adapter Mappings. IdP Connections will ignore this property since it only allows one attribute source to be defined per mapping. IdP-to-SP Adapter Mappings can contain multiple attribute sources. |
type * | DataStoreType | The data store type of this attribute source. |
AttributeFulfillmentValue
- Defines how an attribute in an attribute contract should be populated.
Property | Type | Description |
---|---|---|
source * | SourceTypeIdKey | The attribute value source. |
value * | string | The value for this attribute. |
SourceTypeIdKey
- A key that is meant to reference a source from which an attribute can be retrieved. This model is usually paired with a value which, depending on the SourceType, can be a hardcoded value or a reference to an attribute name specific to that SourceType. Not all values are applicable - a validation error will be returned for incorrect values.
For each SourceType, the value should be:
ACCOUNT_LINK - If account linking was enabled for the browser SSO, the value must be ‘Local User ID’, unless it has been overridden in PingFederate’s server configuration.
ADAPTER - The value is one of the attributes of the IdP Adapter.
ASSERTION - The value is one of the attributes coming from the SAML assertion.
AUTHENTICATION_POLICY_CONTRACT - The value is one of the attributes coming from an authentication policy contract.
LOCAL_IDENTITY_PROFILE - The value is one of the fields coming from a local identity profile.
CONTEXT - The value must be one of the following [‘TargetResource’ or ‘OAuthScopes’ or ‘ClientId’ or ‘AuthenticationCtx’ or ‘ClientIp’ or ‘Locale’ or ‘StsBasicAuthUsername’ or ‘StsSSLClientCertSubjectDN’ or ‘StsSSLClientCertChain’ or ‘VirtualServerId’ or ‘AuthenticatingAuthority’ or ‘DefaultPersistentGrantLifetime’]
CLAIMS - Attributes provided by the OIDC Provider.
CUSTOM_DATA_STORE - The value is one of the attributes returned by this custom data store.
EXPRESSION - The value is an OGNL expression.
EXTENDED_CLIENT_METADATA - The value is from an OAuth extended client metadata parameter. This source type is deprecated and has been replaced by EXTENDED_PROPERTIES.
EXTENDED_PROPERTIES - The value is from an OAuth Client’s extended property.
IDP_CONNECTION - The value is one of the attributes passed in by the IdP connection.
JDBC_DATA_STORE - The value is one of the column names returned from the JDBC attribute source.
LDAP_DATA_STORE - The value is one of the LDAP attributes supported by your LDAP data store.
MAPPED_ATTRIBUTES - The value is the name of one of the mapped attributes that is defined in the associated attribute mapping.
OAUTH_PERSISTENT_GRANT - The value is one of the attributes from the persistent grant.
PASSWORD_CREDENTIAL_VALIDATOR - The value is one of the attributes of the PCV.
NO_MAPPING - A placeholder value to indicate that an attribute currently has no mapped source.
TEXT - A hardcoded value that is used to populate the corresponding attribute.
TOKEN - The value is one of the token attributes.
REQUEST - The value is from the request context such as the CIBA identity hint contract or the request contract for Ws-Trust.
TRACKED_HTTP_PARAMS - The value is from the original request parameters.
SUBJECT_TOKEN - The value is one of the OAuth 2.0 Token exchange subject_token attributes.
ACTOR_TOKEN - The value is one of the OAuth 2.0 Token exchange actor_token attributes.
TOKEN_EXCHANGE_PROCESSOR_POLICY - The value is one of the attributes coming from a Token Exchange Processor policy.
Property | Type | Description |
---|---|---|
id | string | The attribute source ID that refers to the attribute source that this key references. In some resources, the ID is optional and will be ignored. In these cases the ID should be omitted. If the source type is not an attribute source then the ID can be omitted. |
type * | SourceType | The source type of this key. |
LdapAttributeSource : AttributeSource
- The configured settings used to look up attributes from an LDAP data store.
Property | Type | Description |
---|---|---|
attributeContractFulfillment | Map[string, AttributeFulfillmentValue] | A list of mappings from attribute names to their fulfillment values. This field is only valid for the SP Connection’s Browser SSO mappings |
baseDn | string | The base DN to search from. If not specified, the search will start at the LDAP’s root. |
binaryAttributeSettings | Map[string, BinaryLdapAttributeSettings] | The advanced settings for binary LDAP attributes. |
dataStoreRef * | ResourceLink | Reference to the associated data store. |
description | string | The description of this attribute source. The description needs to be unique amongst the attribute sources for the mapping. Note: Required for APC-to-SP Adapter Mappings |
id | string | The ID that defines this attribute source. Only alphanumeric characters allowed. Note: Required for OpenID Connect policy attribute sources, OAuth IdP adapter mappings, OAuth access token mappings and APC-to-SP Adapter Mappings. IdP Connections will ignore this property since it only allows one attribute source to be defined per mapping. IdP-to-SP Adapter Mappings can contain multiple attribute sources. |
memberOfNestedGroup | boolean | Set this to true to return transitive group memberships for the ‘memberOf’ attribute. This only applies for Active Directory data sources. All other data sources will be set to false. |
searchFilter * | string | The LDAP filter that will be used to lookup the objects from the directory. |
searchScope * | LdapSearchScope | Determines the node depth of the query. |
type * | DataStoreType | The data store type of this attribute source. |
BinaryLdapAttributeSettings
- Binary settings for an LDAP attribute.
Property | Type | Description |
---|---|---|
binaryEncoding | LdapAttrEncodingType | Get the encoding type for this attribute. If not specified, the default is BASE64. |
CustomAttributeSource : AttributeSource
- The configured settings used to look up attributes from a custom data store.
Property | Type | Description |
---|---|---|
attributeContractFulfillment | Map[string, AttributeFulfillmentValue] | A list of mappings from attribute names to their fulfillment values. This field is only valid for the SP Connection’s Browser SSO mappings |
dataStoreRef * | ResourceLink | Reference to the associated data store. |
description | string | The description of this attribute source. The description needs to be unique amongst the attribute sources for the mapping. Note: Required for APC-to-SP Adapter Mappings |
filterFields | array[FieldEntry] | The list of fields that can be used to filter a request to the custom data store. |
id | string | The ID that defines this attribute source. Only alphanumeric characters allowed. Note: Required for OpenID Connect policy attribute sources, OAuth IdP adapter mappings, OAuth access token mappings and APC-to-SP Adapter Mappings. IdP Connections will ignore this property since it only allows one attribute source to be defined per mapping. IdP-to-SP Adapter Mappings can contain multiple attribute sources. |
type * | DataStoreType | The data store type of this attribute source. |
FieldEntry
- A simple name value pair to represent a field entry.
Property | Type | Description |
---|---|---|
name * | string | The name of this field. |
value | string | The value of this field. Whether or not the value is required will be determined by plugin validation checks. |
JdbcAttributeSource : AttributeSource
- The configured settings used to look up attributes from a JDBC data store.
Property | Type | Description |
---|---|---|
attributeContractFulfillment | Map[string, AttributeFulfillmentValue] | A list of mappings from attribute names to their fulfillment values. This field is only valid for the SP Connection’s Browser SSO mappings |
dataStoreRef * | ResourceLink | Reference to the associated data store. |
description | string | The description of this attribute source. The description needs to be unique amongst the attribute sources for the mapping. Note: Required for APC-to-SP Adapter Mappings |
filter * | string | The JDBC WHERE clause used to query your data store to locate a user record. |
id | string | The ID that defines this attribute source. Only alphanumeric characters allowed. Note: Required for OpenID Connect policy attribute sources, OAuth IdP adapter mappings, OAuth access token mappings and APC-to-SP Adapter Mappings. IdP Connections will ignore this property since it only allows one attribute source to be defined per mapping. IdP-to-SP Adapter Mappings can contain multiple attribute sources. |
schema | string | Lists the table structure that stores information within a database. Some databases, such as Oracle, require a schema for a JDBC query. Other databases, such as MySQL, do not require a schema. |
table * | string | The name of the database table. The name is used to construct the SQL query to retrieve data from the data store. |
type * | DataStoreType | The data store type of this attribute source. |
IssuanceCriteria
- A list of criteria that determines whether a transaction (usually an SSO transaction) is continued. All criteria must pass in order for the transaction to continue.
Property | Type | Description |
---|---|---|
conditionalCriteria | array[ConditionalIssuanceCriteriaEntry] | A list of conditional issuance criteria where existing attributes must satisfy their conditions against expected values in order for the transaction to continue. |
expressionCriteria | array[ExpressionIssuanceCriteriaEntry] | A list of expression issuance criteria where the OGNL expressions must evaluate to true in order for the transaction to continue. |
ConditionalIssuanceCriteriaEntry
- An issuance criterion that checks a source attribute against a particular condition and the expected value. If the condition is true then this issuance criterion passes, otherwise the criterion fails.
Property | Type | Description |
---|---|---|
attributeName * | string | The name of the attribute to use in this issuance criterion. |
condition * | ConditionType | The condition that will be applied to the source attribute’s value and the expected value. |
errorResult | string | The error result to return if this issuance criterion fails. This error result will show up in the PingFederate server logs. |
source * | SourceTypeIdKey | The source of the attribute. |
value * | string | The expected value of this issuance criterion. |
ExpressionIssuanceCriteriaEntry
- An issuance criterion that uses a Boolean return value from an OGNL expression to determine whether or not it passes.
Property | Type | Description |
---|---|---|
errorResult | string | The error result to return if this issuance criterion fails. This error result will show up in the PingFederate server logs. |
expression * | string | The OGNL expression to evaluate. |
IdpAdapterAttributeContract
- A set of attributes exposed by an IdP adapter.
Property | Type | Description |
---|---|---|
coreAttributes * | array[IdpAdapterAttribute] | A list of IdP adapter attributes that correspond to the attributes exposed by the IdP adapter type. |
extendedAttributes | array[IdpAdapterAttribute] | A list of additional attributes that can be returned by the IdP adapter. The extended attributes are only used if the adapter supports them. |
inherited | boolean | Whether this attribute contract is inherited from its parent instance. If true, the rest of the properties in this model become read-only. The default value is false. |
maskOgnlValues | boolean | Whether or not all OGNL expressions used to fulfill an outgoing assertion contract should be masked in the logs. Defaults to false. |
IdpAdapterAttribute
- An attribute for the IdP adapter attribute contract.
Property | Type | Description |
---|---|---|
masked | boolean | Specifies whether this attribute is masked in PingFederate logs. Defaults to false. |
name * | string | The name of this attribute. |
pseudonym | boolean | Specifies whether this attribute is used to construct a pseudonym for the SP. Defaults to false. |
AuthenticationPolicyContractAssertionMapping
- The Authentication Policy Contract Assertion Mapping.
Property | Type | Description |
---|---|---|
abortSsoTransactionAsFailSafe | boolean | If set to true, the SSO transaction will be aborted as a fail-safe when the data store's attribute mappings fail to complete the attribute contract. Otherwise, the attribute contract with default values is used. By default, this value is false. |
attributeContractFulfillment * | Map[string, AttributeFulfillmentValue] | A list of mappings from attribute names to their fulfillment values. |
attributeSources | array[AttributeSource] | A list of configured data stores to look up attributes from. |
authenticationPolicyContractRef * | ResourceLink | Reference to the associated Authentication Policy Contract. |
issuanceCriteria | IssuanceCriteria | The issuance criteria that this transaction must meet before the corresponding attribute contract is fulfilled. |
restrictVirtualEntityIds | boolean | Restricts this mapping to specific virtual entity IDs. |
restrictedVirtualEntityIds | array[string] | The list of virtual server IDs that this mapping is restricted to. |
ProtocolMessageCustomization
- The message customization that will be executed on outgoing PingFederate messages.
Property | Type | Description |
---|---|---|
contextName | string | The context in which the customization will be applied. Depending on the connection type and protocol, this can either be ‘assertion’, ‘authn-response’ or ‘authn-request’. |
messageExpression | string | The OGNL expression that will be executed. Refer to the Admin Manual for a list of variables provided by PingFederate. |
AssertionLifetime
- The timeframe of validity before and after the issuance of the assertion.
Property | Type | Description |
---|---|---|
minutesAfter * | integer | Assertion validity in minutes after the assertion issuance. |
minutesBefore * | integer | Assertion validity in minutes before the assertion issuance. |
SpAttributeQuery
- The attribute query profile supports SPs in requesting user attributes.
Property | Type | Description |
---|---|---|
attributeContractFulfillment * | Map[string, AttributeFulfillmentValue] | A list of mappings from attribute names to their fulfillment values. |
attributeSources * | array[AttributeSource] | A list of configured data stores to look up attributes from. |
attributes * | array[string] | The list of attributes that may be returned to the SP in the response to an attribute request. |
issuanceCriteria | IssuanceCriteria | The issuance criteria that this transaction must meet before the corresponding attribute contract is fulfilled. |
policy | SpAttributeQueryPolicy | The attribute query profile’s security policy. |
SpAttributeQueryPolicy
- The attribute query profile’s security policy.
Property | Type | Description |
---|---|---|
encryptAssertion | boolean | Encrypt the assertion. |
requireEncryptedNameId | boolean | Require an encrypted name identifier. |
requireSignedAttributeQuery | boolean | Require signed attribute query. |
signAssertion | boolean | Sign the assertion. |
signResponse | boolean | Sign the response. |
SpWsTrust
- The WS-Trust STS provides security-token validation and creation to extend SSO access to identity-enabled web services.
Property | Type | Description |
---|---|---|
abortIfNotFulfilledFromRequest | boolean | If the attribute contract cannot be fulfilled using data from the Request, abort the transaction. |
attributeContract * | SpWsTrustAttributeContract | A set of user attributes that the IdP sends in the token. |
defaultTokenType | SamlTokenType | The default token type when a web service client (WSC) does not specify in the token request which token type the STS should issue. Defaults to SAML 2.0. |
encryptSaml2Assertion | boolean | When selected, the STS encrypts the SAML 2.0 assertion. Applicable only to SAML 2.0 security token. This option does not apply to OAuth assertion profiles. |
generateKey | boolean | When selected, the STS generates a symmetric key to be used in conjunction with the “Holder of Key” (HoK) designation for the assertion’s Subject Confirmation Method. This option does not apply to OAuth assertion profiles. |
messageCustomizations | array[ProtocolMessageCustomization] | The message customizations for WS-Trust. Depending on server settings, connection type, and protocol this may or may not be supported. |
minutesAfter | integer | The amount of time after the SAML token was issued during which it is to be considered valid. The default value is 30. |
minutesBefore | integer | The amount of time before the SAML token was issued during which it is to be considered valid. The default value is 5. |
oAuthAssertionProfiles | boolean | When selected, four additional token-type requests become available. |
partnerServiceIds * | array[string] | The partner service identifiers. |
requestContractRef | ResourceLink | Request Contract to be used to map attribute values into the security token. |
tokenProcessorMappings * | array[IdpTokenProcessorMapping] | A list of token processors to validate incoming tokens. |
SpWsTrustAttributeContract
- A set of user attributes that this server will send in the token.
Property | Type | Description |
---|---|---|
coreAttributes | array[SpWsTrustAttribute] | A list of read-only assertion attributes that are automatically populated by PingFederate. |
extendedAttributes | array[SpWsTrustAttribute] | A list of additional attributes that are added to the outgoing assertion. |
SpWsTrustAttribute
- An attribute for the WS-Trust attribute contract.
Property | Type | Description |
---|---|---|
name * | string | The name of this attribute. |
namespace * | string | The attribute namespace. This is required when the default token type is SAML 2.0, SAML 1.1 or SAML 1.1 for Office 365. |
IdpTokenProcessorMapping
- The IdP Token Processor Mapping.
Property | Type | Description |
---|---|---|
attributeContractFulfillment * | Map[string, AttributeFulfillmentValue] | A list of mappings from attribute names to their fulfillment values. |
attributeSources | array[AttributeSource] | A list of configured data stores to look up attributes from. |
idpTokenProcessorRef * | ResourceLink | Reference to the associated token processor. |
issuanceCriteria | IssuanceCriteria | The issuance criteria that this transaction must meet before the corresponding attribute contract is fulfilled. |
restrictedVirtualEntityIds | array[string] | The list of virtual server IDs that this mapping is restricted to. |
ConnectionMetadataUrl
- Configuration settings to enable automatic reload of partner’s metadata.
Property | Type | Description |
---|---|---|
enableAutoMetadataUpdate | boolean | Specifies whether the metadata of the connection will be automatically reloaded. The default value is true. |
metadataUrlRef * | ResourceLink | ID of the saved Metadata URL. |
ConnectionCredentials
- The certificates and settings for encryption, signing, and signature verification.
Property | Type | Description |
---|---|---|
blockEncryptionAlgorithm | string | The algorithm used to encrypt assertions sent to this partner. Supported values are AES_128, AES_256 and Triple_DES; the default is AES_128. Triple_DES is a legacy cipher, retained for partners that cannot accept AES. |
certs | array[ConnectionCert] | The certificates used for signature verification and XML encryption. |
decryptionKeyPairRef | ResourceLink | The ID of the primary key pair used to decrypt message content received from this partner. The ID of the key pair is also known as the alias and can be found by viewing the corresponding certificate under ‘Signing & Decryption Keys & Certificates’ in the PingFederate Administrative Console. |
inboundBackChannelAuth | InboundBackChannelAuth | The SOAP authentication method(s) to use when you receive a message using SOAP back channel. |
keyTransportAlgorithm | string | The algorithm used to transport keys to this partner. RSA_OAEP and RSA_v15 are supported; the default is RSA_OAEP. RSA_v15 (PKCS#1 v1.5 key transport) is a legacy option, retained for partners that cannot decrypt OAEP. |
outboundBackChannelAuth | OutboundBackChannelAuth | The SOAP authentication method(s) to use when you send a message using SOAP back channel. |
secondaryDecryptionKeyPairRef | ResourceLink | The ID of the secondary key pair used to decrypt message content received from this partner. |
signingSettings | SigningSettings | Settings related to the manner in which messages sent to the partner are digitally signed. Required for SP Connections. |
verificationIssuerDN | string | If a verification Subject DN is provided, you can optionally restrict the issuer to a specific trusted CA by specifying its DN in this field. |
verificationSubjectDN | string | If this property is set, the verification trust model is Anchored. The verification certificate must be signed by a trusted CA and included in the incoming message, and the subject DN of the expected certificate is specified in this property. If this property is not set, then a primary verification certificate must be specified in the certs array. |
ConnectionCert
- A certificate used for signature verification or XML encryption.
Property | Type | Description |
---|---|---|
activeVerificationCert | boolean | Indicates whether this is an active signature verification certificate. |
certView | CertView | Certificate details. This property is read-only and is always ignored on a POST or PUT. |
encryptionCert | boolean | Indicates whether to use this cert to encrypt outgoing assertions. Only one certificate in the collection can have this flag set. |
primaryVerificationCert | boolean | Indicates whether this is the primary signature verification certificate. Only one certificate in the collection can have this flag set. |
secondaryVerificationCert | boolean | Indicates whether this is the secondary signature verification certificate. Only one certificate in the collection can have this flag set. |
x509File * | X509File | The certificate data. This property must always be supplied on a POST or PUT. |
CertView
- Certificate details.
Property | Type | Description |
---|---|---|
cryptoProvider | CryptoProvider | Cryptographic Provider. This is only applicable if Hybrid HSM mode is true. |
expires | string | The end date up until which the item is valid, in ISO 8601 format (UTC). |
id | string | The persistent, unique ID for the certificate. |
issuerDN | string | The issuer’s distinguished name. |
keyAlgorithm | string | The public key algorithm. |
keySize | integer | The public key size. |
serialNumber | string | The serial number assigned by the CA. |
sha1Fingerprint | string | SHA-1 fingerprint in Hex encoding. |
sha256Fingerprint | string | SHA-256 fingerprint in Hex encoding. |
signatureAlgorithm | string | The signature algorithm. |
status | CertificateValidity | Status of the item. |
subjectAlternativeNames | array[string] | The subject alternative names (SAN). |
subjectDN | string | The subject’s distinguished name. |
validFrom | string | The start date from which the item is valid, in ISO 8601 format (UTC). |
version | integer | The X.509 version to which the item conforms. |
X509File
- Encoded certificate data.
Property | Type | Description |
---|---|---|
cryptoProvider | CryptoProvider | Cryptographic Provider. This is only applicable if Hybrid HSM mode is true. |
fileData * | string | The certificate data in PEM format. New line characters should be omitted or encoded in this value. |
id | string | The persistent, unique ID for the certificate. It can be any combination of [a-z0-9._-]. This property is system-assigned if not specified. |
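X509File.fileData has to be PEM with the line breaks omitted or encoded, and the CertView the server returns carries SHA-1 and SHA-256 fingerprints of the same certificate. The added example below (not PingFederate code) turns an ordinary .crt file into the single-line fileData form and checks the returned CertView fingerprint against the certificate you intended to upload. SAMPLE_DER is constructed placeholder bytes rather than a real certificate; the functions work unchanged on a real PEM file. Because the page fixes only "Hex encoding", the comparison ignores case and any colon separators.

```python
"""Normalising X509File.fileData and checking it against CertView fingerprints.
Added example, not PingFederate code. SAMPLE_DER below is constructed
placeholder data, not a parseable certificate."""
import base64
import hashlib
import re
import textwrap

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Extract the first certificate from PEM text. Whitespace inside the base64
    body is ignored, so single-line fileData and a 64-column .crt decode identically."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = re.sub(r"\s+", "", m.group(1))
    return base64.b64decode(body, validate=True)


def to_file_data(pem: str) -> str:
    """The fileData form the API accepts: PEM with the newline characters omitted."""
    der = pem_to_der(pem)
    return ("-----BEGIN CERTIFICATE-----"
            + base64.b64encode(der).decode("ascii")
            + "-----END CERTIFICATE-----")


def fingerprint(pem: str, algo: str = "sha256") -> str:
    """Fingerprint of the DER bytes as colon-separated upper-case hex."""
    digest = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalise_hex(fp: str) -> str:
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def cert_matches(cert_view: dict, pem: str) -> bool:
    """True when the CertView returned by the server (sha256Fingerprint, falling
    back to sha1Fingerprint) matches the PEM we meant to upload."""
    if cert_view.get("sha256Fingerprint"):
        return _normalise_hex(cert_view["sha256Fingerprint"]) == _normalise_hex(fingerprint(pem, "sha256"))
    if cert_view.get("sha1Fingerprint"):
        return _normalise_hex(cert_view["sha1Fingerprint"]) == _normalise_hex(fingerprint(pem, "sha1"))
    return False


# Constructed placeholder "DER" (not a real certificate) wrapped as a 64-column PEM file.
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + textwrap.fill(base64.b64encode(SAMPLE_DER).decode("ascii"), 64)
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(to_file_data(SAMPLE_PEM)[:60] + "...")
    print("sha256:", fingerprint(SAMPLE_PEM))
```

After a POST or PUT, read the connection back and run `cert_matches` on each entry of `credentials.certs[].certView`; a mismatch means the server stored a different certificate than the one you prepared (for example a stale file or the wrong PEM block from a bundle).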
SigningSettings
- Settings related to signing messages sent to this partner.
Property | Type | Description |
---|---|---|
algorithm | string | The algorithm used to sign messages sent to this partner. The default is SHA1withDSA for DSA certs, SHA256withRSA for RSA certs, and SHA256withECDSA for EC certs. For RSA certs, SHA1withRSA, SHA384withRSA, and SHA512withRSA are also supported. For EC certs, SHA384withECDSA and SHA512withECDSA are also supported. If the connection is WS-Federation with JWT token type, then the possible values are RSA SHA256, RSA SHA384, RSA SHA512, ECDSA SHA256, ECDSA SHA384, ECDSA SHA512 |
includeCertInSignature | boolean | Determines whether the signing certificate is included in the signature. |
includeRawKeyInSignature | boolean | Determines whether the raw public key is included in the signature. |
signingKeyPairRef * | ResourceLink | The ID of the key pair used to sign messages sent to this partner. The ID of the key pair is also known as the alias and can be found by viewing the corresponding certificate under ‘Signing & Decryption Keys & Certificates’ in the PingFederate admin console. |
OutboundBackChannelAuth : BackChannelAuth
- Authentication settings for SOAP back-channel messages this server sends to the partner.
Property | Type | Description |
---|---|---|
digitalSignature | boolean | If incoming or outgoing messages must be signed. |
httpBasicCredentials | UsernamePasswordCredentials | The credentials to use when you authenticate with the SOAP endpoint. |
sslAuthKeyPairRef | ResourceLink | The ID of the key pair used to authenticate with your partner’s SOAP endpoint. The ID of the key pair is also known as the alias and can be found by viewing the corresponding certificate under ‘SSL Server Certificates’ in the PingFederate Administrative Console. |
type | BackChannelAuthType | [“INBOUND” or “OUTBOUND”] |
validatePartnerCert | boolean | Validate the partner server certificate. Default is true. |
UsernamePasswordCredentials
- Username and password credentials.
Property | Type | Description |
---|---|---|
encryptedPassword | string | For GET requests, this field contains the encrypted password, if one exists. For POST and PUT requests, if you wish to reuse the existing password, this field should be passed back unchanged. |
password | string | User password. To update the password, specify the plaintext value in this field. This field will not be populated for GET requests. |
username | string | The username. |
InboundBackChannelAuth : BackChannelAuth
- Authentication settings for SOAP back-channel messages this server receives from the partner.
Property | Type | Description |
---|---|---|
certs | array[ConnectionCert] | The certificates used for signature verification and XML encryption. |
digitalSignature | boolean | If incoming or outgoing messages must be signed. |
httpBasicCredentials | UsernamePasswordCredentials | The credentials to use when you authenticate with the SOAP endpoint. |
requireSsl | boolean | Incoming HTTP transmissions must use a secure channel. |
type | BackChannelAuthType | [“INBOUND” or “OUTBOUND”] |
verificationIssuerDN | string | If a verification Subject DN is provided, you can optionally restrict the issuer to a specific trusted CA by specifying its DN in this field. |
verificationSubjectDN | string | If this property is set, the verification trust model is Anchored. The verification certificate must be signed by a trusted CA and included in the incoming message, and the subject DN of the expected certificate is specified in this property. If this property is not set, then a primary verification certificate must be specified in the certs array. |
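The constraints stated in the ConnectionCredentials, ConnectionCert, SigningSettings and back-channel tables above, together with the SpAttributeQueryPolicy flags and the SpWsTrust token lifetime, can all be checked from the JSON that GET /idp/spConnections returns. The following is an added example (not PingFederate code) that lints one SpConnection object for them: the exclusive certificate flags, the anchored-versus-explicit verification trust model, the legacy Triple_DES, RSA_v15 and SHA-1 options, a missing signingKeyPairRef, requireSsl and validatePartnerCert on the back channel, unsigned attribute queries, and over-long WS-Trust tokens. It assumes the SpWsTrust settings sit under a top-level `wsTrust` field, treats the one-hour lifetime ceiling as a local policy choice, and the `WEAK` and `HARDENED` objects are constructed samples.

```python
"""Hardening lint over one SpConnection object from GET /idp/spConnections.
Added example, not PingFederate code. Only constraints stated in the model
tables are checked; MAX_MINUTES_AFTER and the `wsTrust` field name are assumptions."""

LEGACY = {  # documented values a reviewer would question before approving
    "blockEncryptionAlgorithm": {"Triple_DES"},
    "keyTransportAlgorithm": {"RSA_v15"},         # PKCS#1 v1.5 key transport
    "algorithm": {"SHA1withRSA", "SHA1withDSA"},  # SHA-1 signatures
}
EXCLUSIVE_FLAGS = ("encryptionCert", "primaryVerificationCert", "secondaryVerificationCert")
MAX_MINUTES_AFTER = 60  # assumption: WS-Trust tokens valid for over an hour deserve a look


def _count(certs: list, flag: str) -> int:
    return sum(1 for c in certs if c.get(flag) is True)


def lint_credentials(creds: dict) -> list:
    """Findings for a ConnectionCredentials object; an empty list means nothing to report."""
    out = []
    certs = creds.get("certs") or []
    for flag in EXCLUSIVE_FLAGS:  # "Only one certificate in the collection can have this flag set"
        if _count(certs, flag) > 1:
            out.append(f"certs: more than one certificate has {flag}=true")
    if creds.get("verificationSubjectDN"):  # anchored trust model
        if not creds.get("verificationIssuerDN"):
            out.append("anchored trust model without verificationIssuerDN: any trusted CA may issue the expected subject")
    elif _count(certs, "primaryVerificationCert") == 0:  # unanchored: a primary cert is mandatory
        out.append("no verificationSubjectDN and no primaryVerificationCert: inbound signatures cannot be verified")
    for key in ("blockEncryptionAlgorithm", "keyTransportAlgorithm"):
        if creds.get(key) in LEGACY[key]:
            out.append(f"{key}={creds[key]} is a legacy choice; prefer the default")
    signing = creds.get("signingSettings") or {}
    if not (signing.get("signingKeyPairRef") or {}).get("id"):
        out.append("signingSettings.signingKeyPairRef is required for SP connections")
    if signing.get("algorithm") in LEGACY["algorithm"]:
        out.append(f"signingSettings.algorithm={signing['algorithm']} signs with SHA-1")
    inbound = creds.get("inboundBackChannelAuth")
    if inbound and inbound.get("requireSsl") is not True:
        out.append("inboundBackChannelAuth.requireSsl is not true: back-channel SOAP may arrive over plain HTTP")
    outbound = creds.get("outboundBackChannelAuth")
    if outbound and outbound.get("validatePartnerCert") is False:
        out.append("outboundBackChannelAuth.validatePartnerCert=false: partner TLS certificate is not validated")
    return out


def lint_sp_connection(conn: dict) -> list:
    """Findings for a whole SpConnection object."""
    out = [f"credentials: {f}" for f in lint_credentials(conn.get("credentials") or {})]
    if conn.get("attributeQuery") is not None:
        policy = conn["attributeQuery"].get("policy") or {}
        if not policy.get("requireSignedAttributeQuery"):
            out.append("attributeQuery.policy: unsigned attribute queries are accepted")
        if not (policy.get("signAssertion") or policy.get("signResponse")):
            out.append("attributeQuery.policy: neither the assertion nor the response is signed")
    ws = conn.get("wsTrust")  # assumed name of the SpWsTrust field on SpConnection
    if ws is not None:
        after = ws.get("minutesAfter", 30)  # 30 is the documented default
        if after > MAX_MINUTES_AFTER:
            out.append(f"wsTrust.minutesAfter={after} exceeds {MAX_MINUTES_AFTER} minutes")
    return out


# Constructed sample connections (not real configurations; PEM bodies omitted).
WEAK = {
    "credentials": {
        "certs": [{"encryptionCert": True, "x509File": {"fileData": "PEM-OMITTED"}},
                  {"encryptionCert": True, "x509File": {"fileData": "PEM-OMITTED"}}],
        "blockEncryptionAlgorithm": "Triple_DES",
        "keyTransportAlgorithm": "RSA_v15",
        "signingSettings": {"algorithm": "SHA1withRSA"},
        "inboundBackChannelAuth": {"type": "INBOUND", "requireSsl": False},
        "outboundBackChannelAuth": {"type": "OUTBOUND", "validatePartnerCert": False},
    },
    "attributeQuery": {"policy": {"requireSignedAttributeQuery": False}},
    "wsTrust": {"minutesAfter": 1440},
}
HARDENED = {
    "credentials": {
        "certs": [{"primaryVerificationCert": True, "encryptionCert": True,
                   "x509File": {"fileData": "PEM-OMITTED"}}],
        "blockEncryptionAlgorithm": "AES_256",
        "keyTransportAlgorithm": "RSA_OAEP",
        "signingSettings": {"signingKeyPairRef": {"id": "idpsigning"}, "algorithm": "SHA256withRSA"},
        "outboundBackChannelAuth": {"type": "OUTBOUND", "validatePartnerCert": True},
    },
    "attributeQuery": {"policy": {"requireSignedAttributeQuery": True, "signAssertion": True}},
    "wsTrust": {"minutesAfter": 30, "minutesBefore": 5},
}

if __name__ == "__main__":
    for name, conn in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, lint_sp_connection(conn) or "no findings")
```

Run it over every element of the `items` array returned by GET /idp/spConnections; the WS-Trust default lifetime (5 minutes before, 30 after) and `validatePartnerCert` default (true) are honoured when the fields are absent, so only explicit departures from the documented defaults are reported.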
ContactInfo
- Contact information.
Property | Type | Description |
---|---|---|
company | string | Company name. |
email | string | Contact email address. |
firstName | string | Contact first name. |
lastName | string | Contact last name. |
phone | string | Contact phone number. |
AdditionalAllowedEntitiesConfiguration
- Additional allowed entities or issuers configuration. Currently only used in OIDC IdP (RP) connection.
Property | Type | Description |
---|---|---|
additionalAllowedEntities | array[Entity] | An array of additional allowed entities or issuers to be accepted during entity or issuer validation. |
allowAdditionalEntities | boolean | Set to true to configure additional entities or issuers to be accepted during entity or issuer validation. |
allowAllEntities | boolean | Set to true to accept any entity or issuer during entity or issuer validation. (Not Recommended) |
Entity
Property | Type | Description |
---|---|---|
entityDescription | string | Entity description. |
entityId | string | Unique entity identifier. |
ParameterValues
- Parameter Values.
Property | Type | Description |
---|---|---|
values | array[string] | A list of values. |
OutboundProvision
- Outbound Provisioning allows an IdP to create and maintain user accounts at standards-based partner sites using SCIM, as well as at selected proprietary, protocol-enabled provisioning partner sites.
Property | Type | Description |
---|---|---|
channels * | array[Channel] | Includes settings of a source data store, managing provisioning threads and mapping of attributes. |
customSchema | Schema | Custom SCIM attribute configuration. |
targetSettings * | array[ConfigField] | Configuration fields that includes credentials to target SaaS application. |
type * | string | The SaaS plugin type. |
Schema
- Custom SCIM Attributes configuration.
Property | Type | Description |
---|---|---|
attributes | array[SchemaAttribute] | The custom SCIM attributes. |
namespace | string | The SCIM schema namespace the custom attributes belong to. |
SchemaAttribute
- A custom SCIM attribute.
Property | Type | Description |
---|---|---|
multiValued | boolean | Indicates whether the attribute is multi-valued. |
name | string | Name of the attribute. |
subAttributes | array[string] | List of sub-attributes for an attribute. |
types | array[string] | Represents the name of each attribute type in case of multi-valued attribute. |
Channel
- A channel is a combination of a source data store and a provisioning target. It includes settings of a source data store, managing provisioning threads and mapping of attributes.
Property | Type | Description |
---|---|---|
active * | boolean | Indicates whether the channel is the active channel for this connection. |
attributeMapping * | array[SaasAttributeMapping] | The mapping of attributes from the local data store into Fields specified by the service provider. |
channelSource * | ChannelSource | The LDAP settings that apply to the source user-data store. |
maxThreads * | integer | The number of processing threads. The default value is 1. |
name * | string | The name of the channel. |
timeout * | integer | The number of seconds allowed for provisioning; increase it if more time is needed to provision a large amount of data. It applies when the number of processing threads is more than 1. The default value is 60. |
ChannelSource
- The source data source and LDAP settings.
Property | Type | Description |
---|---|---|
accountManagementSettings * | AccountManagementSettings | Account management settings that includes the status and algorithms. |
baseDn * | string | The base DN where the user records are located. |
changeDetectionSettings * | ChangeDetectionSettings | Settings to detect changes to users and groups during provisioning. |
dataSource * | ResourceLink | Reference to an LDAP datastore. |
groupMembershipDetection * | GroupMembershipDetection | Settings to detect group memberships. |
groupSourceLocation | ChannelSourceLocation | The group provisioning source location settings. |
guidAttributeName * | string | The GUID attribute name. |
guidBinary * | boolean | Indicates whether the GUID is stored in binary format. |
userSourceLocation * | ChannelSourceLocation | The user provisioning source location settings. |
ChangeDetectionSettings
- Settings to detect changes to a user or a group.
Property | Type | Description |
---|---|---|
changedUsersAlgorithm * | SaasChangedUsersAlgorithm | The changed user algorithm. ACTIVE_DIRECTORY_USN - For Active Directory only, this algorithm queries for update sequence numbers on user records that are larger than the last time records were checked. TIMESTAMP - Queries for timestamps on user records that are not older than the last time records were checked. This check is more efficient from the point of view of the PingFederate provisioner but can be more time consuming on the LDAP side, particularly with the Oracle Directory Server. TIMESTAMP_NO_NEGATION - Queries for timestamps on user records that are newer than the last time records were checked. This algorithm is recommended for the Oracle Directory Server. |
groupObjectClass * | string | The group object class. |
timeStampAttributeName * | string | The timestamp attribute name. |
userObjectClass * | string | The user object class. |
usnAttributeName | string | The USN attribute name. |
GroupMembershipDetection
- Settings to detect group memberships.
Property | Type | Description |
---|---|---|
groupMemberAttributeName * | string | The name of the attribute that represents group members in a group, also known as group member attribute. |
memberOfGroupAttributeName | string | The name of the attribute that indicates the entity is a member of a group, also known as member of attribute. |
AccountManagementSettings
- Account management settings.
Property | Type | Description |
---|---|---|
accountStatusAlgorithm * | SaasAccountStatusAlgorithm | The account status algorithm name. ACCOUNT_STATUS_ALGORITHM_AD - Algorithm name for Active Directory, which uses a bitmap for each user entry. ACCOUNT_STATUS_ALGORITHM_FLAG - Algorithm name for Oracle Directory Server and other LDAP directories that use a separate attribute to store the user’s status. When this option is selected, the Flag Comparison Value and Flag Comparison Status fields should be used. |
accountStatusAttributeName * | string | The account status attribute name. |
defaultStatus | boolean | The default status of the account. |
flagComparisonStatus | boolean | The flag that represents comparison status. |
flagComparisonValue | string | The flag that represents comparison value. |
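The three changed-users algorithms in ChangeDetectionSettings and the two account-status algorithms in AccountManagementSettings differ in the LDAP query and the per-entry test they imply. The added example below (not PingFederate's provisioner) builds the change-detection filter for each algorithm and evaluates an entry's enabled state under each status algorithm. The filter shapes are one reading of the descriptions above (LDAP has no strict greater-than, so "larger than" becomes `>=` of N+1 and the TIMESTAMP variant is written with a negated `<=`, which is what TIMESTAMP_NO_NEGATION avoids); the ACCOUNTDISABLE bit tested for the AD bitmap, the fallback `uSNChanged` attribute name and the flag-comparison rule are assumptions, and the settings and entries are constructed samples. Values spliced into the filter are escaped per RFC 4515 so an operator-supplied object class cannot add clauses to the query.

```python
"""Change detection and account-status evaluation for an outbound-provisioning
channel. Added example, not PingFederate's provisioner; the filter shapes are one
reading of the algorithm descriptions and the marked constants are assumptions."""
from datetime import datetime, timezone
from typing import Optional

AD_ACCOUNTDISABLE = 0x2  # userAccountControl bit (assumption: what the AD bitmap algorithm tests)
DEFAULT_USN_ATTRIBUTE = "uSNChanged"  # assumption for when usnAttributeName is omitted


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a filter, so a directory- or
    operator-supplied string cannot inject extra filter clauses."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def generalized_time(ts: datetime) -> str:
    """LDAP GeneralizedTime in UTC, the form most timestamp attributes use."""
    return ts.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def changed_users_filter(settings: dict, last_checked: datetime, last_usn: Optional[int] = None) -> str:
    """Filter selecting user records changed since the previous provisioning run.

    LDAP filters offer only >= and <=, so 'larger than' is written as >= N+1 for
    USNs. TIMESTAMP expresses the window as a negated <=; TIMESTAMP_NO_NEGATION
    expresses it as a plain >=, which is cheaper on directories (Oracle Directory
    Server) that evaluate negated comparisons slowly."""
    algo = settings["changedUsersAlgorithm"]
    oc = ldap_escape(settings["userObjectClass"])
    if algo == "ACTIVE_DIRECTORY_USN":
        if last_usn is None:
            raise ValueError("ACTIVE_DIRECTORY_USN needs the highest USN seen on the last run")
        attr = settings.get("usnAttributeName") or DEFAULT_USN_ATTRIBUTE
        return f"(&(objectClass={oc})({attr}>={last_usn + 1}))"
    attr = settings["timeStampAttributeName"]
    since = generalized_time(last_checked)
    if algo == "TIMESTAMP":
        return f"(&(objectClass={oc})(!({attr}<={since})))"
    if algo == "TIMESTAMP_NO_NEGATION":
        return f"(&(objectClass={oc})({attr}>={since}))"
    raise ValueError(f"unknown changedUsersAlgorithm {algo!r}")


def account_enabled(settings: dict, entry: dict) -> bool:
    """Apply AccountManagementSettings to one directory entry (attribute values as strings)."""
    algo = settings["accountStatusAlgorithm"]
    raw = entry.get(settings["accountStatusAttributeName"])
    default = bool(settings.get("defaultStatus", False))
    if raw is None:
        return default
    if algo == "ACCOUNT_STATUS_ALGORITHM_AD":
        return not (int(raw) & AD_ACCOUNTDISABLE)
    if algo == "ACCOUNT_STATUS_ALGORITHM_FLAG":
        # Assumption: a match on flagComparisonValue yields flagComparisonStatus,
        # any other value yields defaultStatus.
        if str(raw) == settings.get("flagComparisonValue"):
            return bool(settings.get("flagComparisonStatus", False))
        return default
    raise ValueError(f"unknown accountStatusAlgorithm {algo!r}")


# Constructed sample settings and entries (not taken from a real directory).
LAST_CHECKED = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
ODS_CHANGE = {"changedUsersAlgorithm": "TIMESTAMP_NO_NEGATION", "userObjectClass": "inetOrgPerson",
              "groupObjectClass": "groupOfUniqueNames", "timeStampAttributeName": "modifyTimestamp"}
AD_CHANGE = {"changedUsersAlgorithm": "ACTIVE_DIRECTORY_USN", "userObjectClass": "user",
             "groupObjectClass": "group", "timeStampAttributeName": "whenChanged",
             "usnAttributeName": "uSNChanged"}
AD_STATUS = {"accountStatusAlgorithm": "ACCOUNT_STATUS_ALGORITHM_AD",
             "accountStatusAttributeName": "userAccountControl"}
ODS_STATUS = {"accountStatusAlgorithm": "ACCOUNT_STATUS_ALGORITHM_FLAG",
              "accountStatusAttributeName": "nsAccountLock",
              "flagComparisonValue": "true", "flagComparisonStatus": False, "defaultStatus": True}

if __name__ == "__main__":
    print(changed_users_filter(ODS_CHANGE, LAST_CHECKED))
    print(changed_users_filter(AD_CHANGE, LAST_CHECKED, last_usn=41000))
    print(account_enabled(AD_STATUS, {"userAccountControl": "514"}))
```

When choosing between TIMESTAMP and TIMESTAMP_NO_NEGATION, generate both filters for your directory and compare their execution plans; the two select the same records and differ only in how the server evaluates the comparison.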
ChannelSourceLocation
- The location settings, which include a DN and an LDAP filter.
Property | Type | Description |
---|---|---|
filter | string | An LDAP filter. |
groupDN | string | The group DN for users or groups. |
nestedSearch | boolean | Indicates whether the search is nested. |
SaasAttributeMapping
- Settings to map the source record attributes to target attributes.
Property | Type | Description |
---|---|---|
fieldName * | string | The name of target field. |
saasFieldInfo * | SaasFieldConfiguration | The settings that represent how attribute values from source data store will be mapped into Fields specified by the service provider. |
SaasFieldConfiguration
- The settings that represent how attribute values from source data store will be mapped into Fields specified by the service provider.
Property | Type | Description |
---|---|---|
attributeNames | array[string] | The list of source attribute names used to generate or map to a target field. |
characterCase | CharacterCase | The character case of the field value. |
createOnly | boolean | Indicates whether this field is a create only field and cannot be updated. |
defaultValue | string | The default value for the target field. |
expression | string | An OGNL expression to obtain a value. |
masked | boolean | Indicates whether the attribute should be masked in server logs. |
parser | SaasFieldParsing | Indicates how the field shall be parsed. |
trim | boolean | Indicates whether the field should be trimmed before provisioning. |