Create a new IdP connection. If the IdP connection is not properly configured, a 422 status code is returned along with a list of validation errors that must be corrected.
| Code | Reason |
|---|---|
| 201 | Connection created. |
| 400 | The request was improperly formatted or contained invalid fields. |
| 403 | PingFederate does not have its SP role enabled. Operation not available. |
| 422 | Validation error(s) occurred. |
IdpConnection : Connection - The set of attributes used to configure an IdP connection.
| Property | Type | Description |
|---|---|---|
| active | boolean | Specifies whether the connection is active and ready to process incoming requests. The default value is false. |
| additionalAllowedEntitiesConfiguration | AdditionalAllowedEntitiesConfiguration | Additional allowed entities or issuers configuration. Currently only used in OIDC IdP (RP) connection. |
| attributeQuery | IdpAttributeQuery | The attribute query settings for requesting user attributes from an attribute authority. |
| baseUrl | string | The fully-qualified hostname and port on which your partner’s federation deployment runs. |
| contactInfo | ContactInfo | The contact information for this partner. |
| credentials | ConnectionCredentials | The certificates and settings for encryption, signing, and signature verification. It is required for SAMLx.x and WS-Fed Connections. |
| defaultVirtualEntityId | string | The default alternate entity ID that identifies the local server to this partner. It is required when virtualEntityIds is not empty and must be included in that list. |
| entityId * | string | The partner’s entity ID (connection ID) or issuer value (for OIDC Connections). |
| errorPageMsgId | string | Identifier that specifies the message displayed on a user-facing error page. |
| extendedProperties | Map[string, ParameterValues] | Extended Properties allows to store additional information for IdP/SP Connections. The names of these extended properties should be defined in /extendedProperties. |
| id | string | The persistent, unique ID for the connection. It can be any combination of [a-zA-Z0-9._-]. This property is system-assigned if not specified. |
| idpBrowserSso | IdpBrowserSso | The browser-based SSO settings used to communicate with your IdP. |
| idpOAuthGrantAttributeMapping | IdpOAuthGrantAttributeMapping | The OAuth Assertion Grant settings used to map from your IdP. |
| licenseConnectionGroup | string | The license connection group. If your PingFederate license is based on connection groups, each connection must be assigned to a group before it can be used. |
| loggingMode | LoggingMode | The level of transaction logging applicable for this connection. Default is STANDARD. |
| metadataReloadSettings | ConnectionMetadataUrl | Connection metadata automatic reload settings. |
| name * | string | The connection name. |
| oidcClientCredentials | OIDCClientCredentials | The OIDC client credentials. This is required for an OIDC connection. |
| type | ConnectionType | The type of this connection. Default is ‘IDP’. |
| virtualEntityIds | array[string] | List of alternate entity IDs that identifies the local server to this partner. |
| wsTrust | IdpWsTrust | The Ws-Trust settings. |
OIDCClientCredentials - The OpenID Connect Client Credentials settings. This is required for an OIDC Connection.
| Property | Type | Description |
|---|---|---|
| clientId * | string | The OpenID Connect client identitification. |
| clientSecret | string | The OpenID Connect client secret. To update the client secret, specify the plaintext value in this field. This field will not be populated for GET requests. |
| encryptedSecret | string | For GET requests, this field contains the encrypted client secret, if one exists. For POST and PUT requests, if you wish to reuse the existing secret, this field should be passed back unchanged. |
IdpBrowserSso - The settings used to enable secure browser-based SSO to resources at your site.
| Property | Type | Description |
|---|---|---|
| adapterMappings | array[SpAdapterMapping] | A list of adapters that map to incoming assertions. |
| artifact | ArtifactSettings | The settings for an artifact binding. |
| assertionsSigned | boolean | Specify whether the incoming SAML assertions are signed rather than the entire SAML response being signed. |
| attributeContract | IdpBrowserSsoAttributeContract | The list of attributes that the IdP sends in the assertion. |
| authenticationPolicyContractMappings | array[AuthenticationPolicyContractMapping] | A list of Authentication Policy Contracts that map to incoming assertions. |
| authnContextMappings | array[AuthnContextMapping] | A list of authentication context mappings between local and remote values. Applicable for SAML 2.0 and OIDC protocol connections. |
| decryptionPolicy | DecryptionPolicy | The SAML 2.0 decryption policy for browser-based SSO. |
| defaultTargetUrl | string | The default target URL for this connection. If defined, this overrides the default URL. |
| enabledProfiles | Set[Profile] | The profiles that are enabled for browser-based SSO. SAML 2.0 supports all profiles whereas SAML 1.x IdP connections support both IdP and SP (non-standard) initiated SSO. This is required for SAMLx.x Connections. |
| idpIdentityMapping * | IdpIdentityMapping | Defines the process in which users authenticated by the IdP are associated with user accounts local to the SP. |
| incomingBindings | Set[Binding] | The SAML bindings that are enabled for browser-based SSO. This is required for SAML 2.0 connections. For SAML 1.x based connections, it is not used for SP Connections and it is optional for IdP Connections. |
| messageCustomizations | array[ProtocolMessageCustomization] | The message customizations for browser-based SSO. Depending on server settings, connection type, and protocol this may or may not be supported. |
| oauthAuthenticationPolicyContractRef | ResourceLink | The Authentication policy contract to map into for OAuth. The policy contract can subsequently be mapped into the OAuth persistent grant. |
| oidcProviderSettings | OIDCProviderSettings | The OpenID Provider configuration settings. Required for an OIDC connection. |
| protocol * | Protocol | The browser-based SSO protocol to use. |
| signAuthnRequests | boolean | Determines whether SAML authentication requests should be signed. |
| sloServiceEndpoints | array[SloServiceEndpoint] | A list of possible endpoints to send SLO requests and responses. |
| ssoOAuthMapping | SsoOAuthMapping | Direct mapping from the IdP connection to the OAuth persistent grant. |
| ssoServiceEndpoints | array[IdpSsoServiceEndpoint] | The IdP SSO endpoints that define where to send your authentication requests. Only required for SP initiated SSO. This is required for SAML x.x and WS-FED Connections. |
| urlWhitelistEntries | array[UrlWhitelistEntry] | For WS-Federation connections, a whitelist of additional allowed domains and paths used to validate wreply for SLO, if enabled. |
OIDCProviderSettings - The OpenID Provider settings.
| Property | Type | Description |
|---|---|---|
| authenticationScheme | OIDCAuthenticationScheme | The OpenID Connect Authentication Scheme. This is required for Authentication using Code Flow. |
| authenticationSigningAlgorithm | SigningAlgorithm | The authentication signing algorithm for token endpoint PRIVATE_KEY_JWT authentication. Only asymmetric algorithms are allowed. For RSASSA-PSS signing algorithm, PingFederate must be integrated with a hardware security module (HSM) or Java 11. |
| authorizationEndpoint * | string | URL of the OpenID Provider’s OAuth 2.0 Authorization Endpoint. |
| jwksURL * | string | URL of the OpenID Provider’s JSON Web Key Set [JWK] document. |
| loginType * | OIDCLoginType | The OpenID Connect login type. These values maps to: CODE: Authentication using Code Flow POST: Authentication using Form Post POST_AT: Authentication using Form Post with Access Token |
| requestParameters | array[OIDCRequestParameter] | A map of request parameter names and values. |
| requestSigningAlgorithm | SigningAlgorithm | The request signing algorithm. Required only if you wish to use signed requests. Only asymmetric algorithms are allowed. For RSASSA-PSS signing algorithm, PingFederate must be integrated with a hardware security module (HSM) or Java 11. |
| scopes * | string | Space separated scope values that the OpenID Provider supports. |
| tokenEndpoint | string | URL of the OpenID Provider’s OAuth 2.0 Token Endpoint. |
| userInfoEndpoint | string | URL of the OpenID Provider’s UserInfo Endpoint. |
OIDCRequestParameter - An OIDC custom request parameter.
| Property | Type | Description |
|---|---|---|
| applicationEndpointOverride * | boolean | Indicates whether the parameter values can be overriden by the Application Endpoint parameters |
| name * | string | A List of parameter value. If more than one value is provided, the parameter is treated as a multi-valued parameter. |
| value * | string | A List of parameter value. If more than one value is provided, the parameter is treated as a multi-valued parameter. |
UrlWhitelistEntry - Url domain and path to be used as whitelist in WS-Federation connection
| Property | Type | Description |
|---|---|---|
| allowQueryAndFragment | boolean | Allow Any Query/Fragment |
| requireHttps | boolean | Require HTTPS |
| validDomain | string | Valid Domain Name (leading wildcard ‘*.’ allowed) |
| validPath | string | Valid Path (leave blank to allow any path) |
ArtifactSettings - The settings for an Artifact binding.
| Property | Type | Description |
|---|---|---|
| lifetime * | integer | The lifetime of the artifact in seconds. |
| resolverLocations * | array[ArtifactResolverLocation] | Remote party URLs that you will use to resolve/translate the artifact and get the actual protocol message |
| sourceId | string | Source ID for SAML1.x connections |
ArtifactResolverLocation - The remote party URLs to resolve the artifact.
| Property | Type | Description |
|---|---|---|
| index * | integer | The priority of the endpoint. |
| url * | string | Remote party URLs that you will use to resolve/translate the artifact and get the actual protocol message |
SloServiceEndpoint - Where SLO logout messages are sent. Only applicable for SAML 2.0.
| Property | Type | Description |
|---|---|---|
| binding * | Binding | The binding of this endpoint, if applicable - usually only required for SAML 2.0 endpoints. |
| responseUrl | string | The absolute or relative URL to which logout responses are sent. A relative URL can be specified if a base URL for the connection has been defined. |
| url * | string | The absolute or relative URL of the endpoint. A relative URL can be specified if a base URL for the connection has been defined. |
IdpSsoServiceEndpoint - The settings that define an endpoint to an IdP SSO service.
| Property | Type | Description |
|---|---|---|
| binding * | Binding | The binding of this endpoint, if applicable - usually only required for SAML 2.0 endpoints. |
| url * | string | The absolute or relative URL of the endpoint. A relative URL can be specified if a base URL for the connection has been defined. |
AuthnContextMapping - The authentication context mapping between local and remote values.
| Property | Type | Description |
|---|---|---|
| local | string | The local authentication context value. |
| remote | string | The remote authentication context value. |
DecryptionPolicy - Defines what to decrypt in the browser-based SSO profile.
| Property | Type | Description |
|---|---|---|
| assertionEncrypted | boolean | Specify whether the incoming SAML assertion is encrypted for an IdP connection. |
| attributesEncrypted | boolean | Specify whether one or more incoming SAML attributes are encrypted for an IdP connection. |
| sloEncryptSubjectNameID | boolean | Encrypt the Subject Name ID in SLO messages to the IdP. |
| sloSubjectNameIDEncrypted | boolean | Allow encrypted Subject Name ID in SLO messages from the IdP. |
| subjectNameIdEncrypted | boolean | Specify whether the incoming Subject Name ID is encrypted for an IdP connection. |
IdpBrowserSsoAttributeContract - A set of user attributes that the IdP sends in the SAML assertion.
| Property | Type | Description |
|---|---|---|
| coreAttributes | array[IdpBrowserSsoAttribute] | A list of read-only assertion attributes that are automatically populated by PingFederate. |
| extendedAttributes | array[IdpBrowserSsoAttribute] | A list of additional attributes that are present in the incoming assertion. |
IdpBrowserSsoAttribute - An attribute for the IdP Browser SSO attribute contract.
| Property | Type | Description |
|---|---|---|
| masked | boolean | Specifies whether this attribute is masked in PingFederate logs. Defaults to false. |
| name * | string | The name of this attribute. |
SpAdapterMapping - A mapping to a SP adapter.
| Property | Type | Description |
|---|---|---|
| adapterOverrideSettings | SpAdapter | Connection specific overridden adapter instance for mapping. |
| attributeContractFulfillment * | Map[string, AttributeFulfillmentValue] | A list of mappings from attribute names to their fulfillment values. |
| attributeSources | array[AttributeSource] | A list of configured data stores to look up attributes from. |
| issuanceCriteria | IssuanceCriteria | The issuance criteria that this transaction must meet before the corresponding attribute contract is fulfilled. |
| restrictVirtualEntityIds | boolean | Restricts this mapping to specific virtual entity IDs. |
| restrictedVirtualEntityIds | array[string] | The list of virtual server IDs that this mapping is restricted to. |
| spAdapterRef * | ResourceLink | Reference to the associated SP adapter. Note: This is ignored if adapter overrides for this mapping exists. In this case, the override’s parent adapter reference is used. |
ResourceLink - A reference to a resource.
| Property | Type | Description |
|---|---|---|
| id * | string | The ID of the resource. |
| location | string | A read-only URL that references the resource. If the resource is not currently URL-accessible, this property will be null. |
SpAdapter - An SP adapter instance.
| Property | Type | Description |
|---|---|---|
| attributeContract | SpAdapterAttributeContract | The list of attributes that the SP adapter provides. |
| configuration * | PluginConfiguration | Plugin instance configuration. |
| id * | string | The ID of the plugin instance. The ID cannot be modified once the instance is created. Note: Ignored when specifying a connection’s adapter override. |
| name * | string | The plugin instance name. The name cannot be modified once the instance is created. Note: Ignored when specifying a connection’s adapter override. |
| parentRef | ResourceLink | The reference to this plugin’s parent instance. The parent reference is only accepted if the plugin type supports parent instances. Note: This parent reference is required if this plugin instance is used as an overriding plugin (e.g. connection adapter overrides) |
| pluginDescriptorRef * | ResourceLink | Reference to the plugin descriptor for this instance. The plugin descriptor cannot be modified once the instance is created. Note: Ignored when specifying a connection’s adapter override. |
| targetApplicationInfo | SpAdapterTargetApplicationInfo | The target application’s name and icon URL |
PluginConfiguration - Configuration settings for a plugin instance.
| Property | Type | Description |
|---|---|---|
| fields | array[ConfigField] | List of configuration fields. |
| tables | array[ConfigTable] | List of configuration tables. |
ConfigTable - A plugin configuration table populated with values.
| Property | Type | Description |
|---|---|---|
| inherited | boolean | Whether this table is inherited from its parent instance. If true, the rows become read-only. The default value is false. |
| name * | string | The name of the table. |
| rows | array[ConfigRow] | List of table rows. |
ConfigRow - A row of configuration values for a plugin configuration table.
| Property | Type | Description |
|---|---|---|
| defaultRow | boolean | Whether this row is the default. |
| fields * | array[ConfigField] | The configuration fields in the row. |
ConfigField - A plugin configuration field value.
| Property | Type | Description |
|---|---|---|
| encryptedValue | string | For encrypted or hashed fields, this attribute contains the encrypted representation of the field’s value, if a value is defined. If you do not want to update the stored value, this attribute should be passed back unchanged. |
| inherited | boolean | Whether this field is inherited from its parent instance. If true, the value/encrypted value properties become read-only. The default value is false. |
| name * | string | The name of the configuration field. |
| value | string | The value for the configuration field. For encrypted or hashed fields, GETs will not return this attribute. To update an encrypted or hashed field, specify the new value in this attribute. |
SpAdapterAttributeContract - A set of attributes exposed by an SP adapter.
| Property | Type | Description |
|---|---|---|
| coreAttributes | array[SpAdapterAttribute] | A list of read-only attributes that are automatically populated by the SP adapter descriptor. |
| extendedAttributes | array[SpAdapterAttribute] | A list of additional attributes that can be returned by the SP adapter. The extended attributes are only used if the adapter supports them. |
| inherited | boolean | Whether this attribute contract is inherited from its parent instance. If true, the rest of the properties in this model become read-only. The default value is false. |
SpAdapterAttribute - An attribute for the SP adapter attribute contract.
| Property | Type | Description |
|---|---|---|
| name * | string | The name of this attribute. |
SpAdapterTargetApplicationInfo - Target Application Information exposed by an SP adapter.
| Property | Type | Description |
|---|---|---|
| applicationIconUrl | string | The application icon URL. |
| applicationName | string | The application name. |
| inherited | boolean | Specifies Whether target application information is inherited from its parent instance. If true, the rest of the properties in this model become read-only. The default value is false. |
AttributeSource - The configured settings to look up attributes from an associated data store.
| Property | Type | Description |
|---|---|---|
| attributeContractFulfillment | Map[string, AttributeFulfillmentValue] | A list of mappings from attribute names to their fulfillment values. This field is only valid for the SP Connection’s Browser SSO mappings |
| dataStoreRef * | ResourceLink | Reference to the associated data store. |
| description | string | The description of this attribute source. The description needs to be unique amongst the attribute sources for the mapping. Note: Required for APC-to-SP Adapter Mappings |
| id | string | The ID that defines this attribute source. Only alphanumeric characters allowed. Note: Required for OpenID Connect policy attribute sources, OAuth IdP adapter mappings, OAuth access token mappings and APC-to-SP Adapter Mappings. IdP Connections will ignore this property since it only allows one attribute source to be defined per mapping. IdP-to-SP Adapter Mappings can contain multiple attribute sources. |
| type * | DataStoreType | The data store type of this attribute source. |
AttributeFulfillmentValue - Defines how an attribute in an attribute contract should be populated.
| Property | Type | Description |
|---|---|---|
| source * | SourceTypeIdKey | The attribute value source. |
| value * | string | The value for this attribute. |
SourceTypeIdKey - A key that is meant to reference a source from which an attribute can be retrieved. This model is usually paired with a value which, depending on the SourceType, can be a hardcoded value or a reference to an attribute name specific to that SourceType. Not all values are applicable - a validation error will be returned for incorrect values.
For each SourceType, the value should be:
ACCOUNT_LINK - If account linking was enabled for the browser SSO, the value must be ‘Local User ID’, unless it has been overridden in PingFederate’s server configuration.
ADAPTER - The value is one of the attributes of the IdP Adapter.
ASSERTION - The value is one of the attributes coming from the SAML assertion.
AUTHENTICATION_POLICY_CONTRACT - The value is one of the attributes coming from an authentication policy contract.
LOCAL_IDENTITY_PROFILE - The value is one of the fields coming from a local identity profile.
CONTEXT - The value must be one of the following [‘TargetResource’ or ‘OAuthScopes’ or ‘ClientId’ or ‘AuthenticationCtx’ or ‘ClientIp’ or ‘Locale’ or ‘StsBasicAuthUsername’ or ‘StsSSLClientCertSubjectDN’ or ‘StsSSLClientCertChain’ or ‘VirtualServerId’ or ‘AuthenticatingAuthority’ or ‘DefaultPersistentGrantLifetime’]
CLAIMS - Attributes provided by the OIDC Provider.
CUSTOM_DATA_STORE - The value is one of the attributes returned by this custom data store.
EXPRESSION - The value is an OGNL expression.
EXTENDED_CLIENT_METADATA - The value is from an OAuth extended client metadata parameter. This source type is deprecated and has been replaced by EXTENDED_PROPERTIES.
EXTENDED_PROPERTIES - The value is from an OAuth Client’s extended property.
IDP_CONNECTION - The value is one of the attributes passed in by the IdP connection.
JDBC_DATA_STORE - The value is one of the column names returned from the JDBC attribute source.
LDAP_DATA_STORE - The value is one of the LDAP attributes supported by your LDAP data store.
MAPPED_ATTRIBUTES - The value is the name of one of the mapped attributes that is defined in the associated attribute mapping.
OAUTH_PERSISTENT_GRANT - The value is one of the attributes from the persistent grant.
PASSWORD_CREDENTIAL_VALIDATOR - The value is one of the attributes of the PCV.
NO_MAPPING - A placeholder value to indicate that an attribute currently has no mapped source.TEXT - A hardcoded value that is used to populate the corresponding attribute.
TOKEN - The value is one of the token attributes.
REQUEST - The value is from the request context such as the CIBA identity hint contract or the request contract for Ws-Trust.
TRACKED_HTTP_PARAMS - The value is from the original request parameters.
SUBJECT_TOKEN - The value is one of the OAuth 2.0 Token exchange subject_token attributes.
ACTOR_TOKEN - The value is one of the OAuth 2.0 Token exchange actor_token attributes.
TOKEN_EXCHANGE_PROCESSOR_POLICY - The value is one of the attributes coming from a Token Exchange Processor policy.
| Property | Type | Description |
|---|---|---|
| id | string | The attribute source ID that refers to the attribute source that this key references. In some resources, the ID is optional and will be ignored. In these cases the ID should be omitted. If the source type is not an attribute source then the ID can be omitted. |
| type * | SourceType | The source type of this key. |
LdapAttributeSource : AttributeSource - The configured settings used to look up attributes from a LDAP data store.
| Property | Type | Description |
|---|---|---|
| attributeContractFulfillment | Map[string, AttributeFulfillmentValue] | A list of mappings from attribute names to their fulfillment values. This field is only valid for the SP Connection’s Browser SSO mappings |
| baseDn | string | The base DN to search from. If not specified, the search will start at the LDAP’s root. |
| binaryAttributeSettings | Map[string, BinaryLdapAttributeSettings] | The advanced settings for binary LDAP attributes. |
| dataStoreRef * | ResourceLink | Reference to the associated data store. |
| description | string | The description of this attribute source. The description needs to be unique amongst the attribute sources for the mapping. Note: Required for APC-to-SP Adapter Mappings |
| id | string | The ID that defines this attribute source. Only alphanumeric characters allowed. Note: Required for OpenID Connect policy attribute sources, OAuth IdP adapter mappings, OAuth access token mappings and APC-to-SP Adapter Mappings. IdP Connections will ignore this property since it only allows one attribute source to be defined per mapping. IdP-to-SP Adapter Mappings can contain multiple attribute sources. |
| memberOfNestedGroup | boolean | Set this to true to return transitive group memberships for the ‘memberOf’ attribute. This only applies for Active Directory data sources. All other data sources will be set to false. |
| searchFilter * | string | The LDAP filter that will be used to lookup the objects from the directory. |
| searchScope * | LdapSearchScope | Determines the node depth of the query. |
| type * | DataStoreType | The data store type of this attribute source. |
BinaryLdapAttributeSettings - Binary settings for a LDAP attribute.
| Property | Type | Description |
|---|---|---|
| binaryEncoding | LdapAttrEncodingType | Get the encoding type for this attribute. If not specified, the default is BASE64. |
CustomAttributeSource : AttributeSource - The configured settings used to look up attributes from a custom data store.
| Property | Type | Description |
|---|---|---|
| attributeContractFulfillment | Map[string, AttributeFulfillmentValue] | A list of mappings from attribute names to their fulfillment values. This field is only valid for the SP Connection’s Browser SSO mappings |
| dataStoreRef * | ResourceLink | Reference to the associated data store. |
| description | string | The description of this attribute source. The description needs to be unique amongst the attribute sources for the mapping. Note: Required for APC-to-SP Adapter Mappings |
| filterFields | array[FieldEntry] | The list of fields that can be used to filter a request to the custom data store. |
| id | string | The ID that defines this attribute source. Only alphanumeric characters allowed. Note: Required for OpenID Connect policy attribute sources, OAuth IdP adapter mappings, OAuth access token mappings and APC-to-SP Adapter Mappings. IdP Connections will ignore this property since it only allows one attribute source to be defined per mapping. IdP-to-SP Adapter Mappings can contain multiple attribute sources. |
| type * | DataStoreType | The data store type of this attribute source. |
FieldEntry - A simple name value pair to represent a field entry.
| Property | Type | Description |
|---|---|---|
| name * | string | The name of this field. |
| value | string | The value of this field. Whether or not the value is required will be determined by plugin validation checks. |
JdbcAttributeSource : AttributeSource - The configured settings used to look up attributes from a JDBC data store.
| Property | Type | Description |
|---|---|---|
| attributeContractFulfillment | Map[string, AttributeFulfillmentValue] | A list of mappings from attribute names to their fulfillment values. This field is only valid for the SP Connection’s Browser SSO mappings |
| dataStoreRef * | ResourceLink | Reference to the associated data store. |
| description | string | The description of this attribute source. The description needs to be unique amongst the attribute sources for the mapping. Note: Required for APC-to-SP Adapter Mappings |
| filter * | string | The JDBC WHERE clause used to query your data store to locate a user record. |
| id | string | The ID that defines this attribute source. Only alphanumeric characters allowed. Note: Required for OpenID Connect policy attribute sources, OAuth IdP adapter mappings, OAuth access token mappings and APC-to-SP Adapter Mappings. IdP Connections will ignore this property since it only allows one attribute source to be defined per mapping. IdP-to-SP Adapter Mappings can contain multiple attribute sources. |
| schema | string | Lists the table structure that stores information within a database. Some databases, such as Oracle, require a schema for a JDBC query. Other databases, such as MySQL, do not require a schema. |
| table * | string | The name of the database table. The name is used to construct the SQL query to retrieve data from the data store. |
| type * | DataStoreType | The data store type of this attribute source. |
IssuanceCriteria - A list of criteria that determines whether a transaction (usually a SSO transaction) is continued. All criteria must pass in order for the transaction to continue.
| Property | Type | Description |
|---|---|---|
| conditionalCriteria | array[ConditionalIssuanceCriteriaEntry] | A list of conditional issuance criteria where existing attributes must satisfy their conditions against expected values in order for the transaction to continue. |
| expressionCriteria | array[ExpressionIssuanceCriteriaEntry] | A list of expression issuance criteria where the OGNL expressions must evaluate to true in order for the transaction to continue. |
ConditionalIssuanceCriteriaEntry - An issuance criterion that checks a source attribute against a particular condition and the expected value. If the condition is true then this issuance criterion passes, otherwise the criterion fails.
| Property | Type | Description |
|---|---|---|
| attributeName * | string | The name of the attribute to use in this issuance criterion. |
| condition * | ConditionType | The condition that will be applied to the source attribute’s value and the expected value. |
| errorResult | string | The error result to return if this issuance criterion fails. This error result will show up in the PingFederate server logs. |
| source * | SourceTypeIdKey | The source of the attribute. |
| value * | string | The expected value of this issuance criterion. |
ExpressionIssuanceCriteriaEntry - An issuance criterion that uses a Boolean return value from an OGNL expression to determine whether or not it passes.
| Property | Type | Description |
|---|---|---|
| errorResult | string | The error result to return if this issuance criterion fails. This error result will show up in the PingFederate server logs. |
| expression * | string | The OGNL expression to evaluate. |
AuthenticationPolicyContractMapping - An Authentication Policy Contract mapping into IdP Connection.
| Property | Type | Description |
|---|---|---|
| attributeContractFulfillment * | Map[string, AttributeFulfillmentValue] | A list of mappings from attribute names to their fulfillment values. |
| attributeSources | array[AttributeSource] | A list of configured data stores to look up attributes from. |
| authenticationPolicyContractRef * | ResourceLink | Reference to the associated Authentication Policy Contract. |
| issuanceCriteria | IssuanceCriteria | The issuance criteria that this transaction must meet before the corresponding attribute contract is fulfilled. |
| restrictVirtualServerIds | boolean | Restricts this mapping to specific virtual entity IDs. |
| restrictedVirtualServerIds | array[string] | The list of virtual server IDs that this mapping is restricted to. |
ProtocolMessageCustomization - The message customization that will be executed on outgoing PingFederate messages.
| Property | Type | Description |
|---|---|---|
| contextName | string | The context in which the customization will be applied. Depending on the connection type and protocol, this can either be ‘assertion’, ‘authn-response’ or ‘authn-request’. |
| messageExpression | string | The OGNL expression that will be executed. Refer to the Admin Manual for a list of variables provided by PingFederate. |
SsoOAuthMapping - IdP Browser SSO OAuth Attribute Mapping
| Property | Type | Description |
|---|---|---|
| attributeContractFulfillment * | Map[string, AttributeFulfillmentValue] | A list of mappings from attribute names to their fulfillment values. |
| attributeSources | array[AttributeSource] | A list of configured data stores to look up attributes from. |
| issuanceCriteria | IssuanceCriteria | The issuance criteria that this transaction must meet before the corresponding attribute contract is fulfilled. |
IdpAttributeQuery - The attribute query profile supports local applications in requesting user attributes from an attribute authority.
| Property | Type | Description |
|---|---|---|
| nameMappings | array[AttributeQueryNameMapping] | The attribute name mappings between the SP and the IdP. |
| policy | IdpAttributeQueryPolicy | The attribute query profile’s security policy. |
| url * | string | The URL at your IdP partner’s site where attribute queries are to be sent. |
AttributeQueryNameMapping - The attribute query name mappings between the SP and the IdP.
| Property | Type | Description |
|---|---|---|
| localName * | string | The local attribute name. |
| remoteName * | string | The remote attribute name as defined by the attribute authority. |
IdpAttributeQueryPolicy - The attribute query profile’s security policy.
| Property | Type | Description |
|---|---|---|
| encryptNameId | boolean | Encrypt the name identifier. |
| maskAttributeValues | boolean | Mask attributes in log files. |
| requireEncryptedAssertion | boolean | Require encrypted assertion. |
| requireSignedAssertion | boolean | Require signed assertion. |
| requireSignedResponse | boolean | Require signed response. |
| signAttributeQuery | boolean | Sign the attribute query. |
IdpOAuthGrantAttributeMapping - The OAuth Assertion Grant settings used to map from your IdP.
| Property | Type | Description |
|---|---|---|
| accessTokenManagerMappings | array[AccessTokenManagerMapping] | A mapping in a connection that defines how access tokens are created. |
| idpOAuthAttributeContract | IdpOAuthAttributeContract | A set of user attributes that the IdP sends in the OAuth Assertion Grant. |
AccessTokenManagerMapping - A mapping in a connection that defines how access tokens are created.
| Property | Type | Description |
|---|---|---|
| accessTokenManagerRef | ResourceLink | The access token manager used in OAuth attribute mapping. |
| attributeContractFulfillment * | Map[string, AttributeFulfillmentValue] | A list of mappings from attribute names to their fulfillment values. |
| attributeSources | array[AttributeSource] | A list of configured data stores to look up attributes from. |
| issuanceCriteria | IssuanceCriteria | The issuance criteria that this transaction must meet before the corresponding attribute contract is fulfilled. |
IdpOAuthAttributeContract - A set of user attributes that the IdP sends in the OAuth Assertion Grant.
| Property | Type | Description |
|---|---|---|
| coreAttributes | array[IdpBrowserSsoAttribute] | A list of read-only assertion attributes that are automatically populated by PingFederate. |
| extendedAttributes | array[IdpBrowserSsoAttribute] | A list of additional attributes that are present in the incoming assertion. |
IdpWsTrust - Ws-Trust STS provides validation of incoming tokens which enable SSO access to Web Services. It also allows generation of local tokens for Web Services.
| Property | Type | Description |
|---|---|---|
| attributeContract * | IdpWsTrustAttributeContract | A set of user attributes that the SP receives in the incoming token. |
| generateLocalToken * | boolean | Indicates whether a local token needs to be generated. The default value is false. |
| tokenGeneratorMappings | array[SpTokenGeneratorMapping] | A list of token generators to generate local tokens. Required if a local token needs to be generated. |
IdpWsTrustAttributeContract - A set of user attributes that this server will receive in the token.
| Property | Type | Description |
|---|---|---|
| coreAttributes | array[IdpWsTrustAttribute] | A list of read-only assertion attributes that are automatically populated by PingFederate. |
| extendedAttributes | array[IdpWsTrustAttribute] | A list of additional attributes that are receive in the incoming assertion. |
IdpWsTrustAttribute - An attribute for the Ws-Trust attribute contract.
| Property | Type | Description |
|---|---|---|
| masked | boolean | Specifies whether this attribute is masked in PingFederate logs. Defaults to false. |
| name * | string | The name of this attribute. |
SpTokenGeneratorMapping - The SP Token Generator Mapping.
| Property | Type | Description |
|---|---|---|
| attributeContractFulfillment * | Map[string, AttributeFulfillmentValue] | A list of mappings from attribute names to their fulfillment values. |
| attributeSources | array[AttributeSource] | A list of configured data stores to look up attributes from. |
| defaultMapping | boolean | Indicates whether the token generator mapping is the default mapping. The default value is false. |
| issuanceCriteria | IssuanceCriteria | The issuance criteria that this transaction must meet before the corresponding attribute contract is fulfilled. |
| restrictedVirtualEntityIds | array[string] | The list of virtual server IDs that this mapping is restricted to. |
| spTokenGeneratorRef * | ResourceLink | Reference to the associated token generator. |
ConnectionMetadataUrl - Configuration settings to enable automatic reload of partner’s metadata.
| Property | Type | Description |
|---|---|---|
| enableAutoMetadataUpdate | boolean | Specifies whether the metadata of the connection will be automatically reloaded. The default value is true. |
| metadataUrlRef * | ResourceLink | ID of the saved Metadata URL. |
ConnectionCredentials - The certificates and settings for encryption, signing, and signature verification.
| Property | Type | Description |
|---|---|---|
| blockEncryptionAlgorithm | string | The algorithm used to encrypt assertions sent to this partner. AES_128, AES_256 and Triple_DES are also supported. Default is AES_128 |
| certs | array[ConnectionCert] | The certificates used for signature verification and XML encryption. |
| decryptionKeyPairRef | ResourceLink | The ID of the primary key pair used to decrypt message content received from this partner. The ID of the key pair is also known as the alias and can be found by viewing the corresponding certificate under ‘Signing & Decryption Keys & Certificates’ in the PingFederate Administrative Console. |
| inboundBackChannelAuth | InboundBackChannelAuth | The SOAP authentication method(s) to use when you receive a message using SOAP back channel. |
| keyTransportAlgorithm | string | The algorithm used to transport keys to this partner. RSA_OAEP and RSA_v15 are supported. Default is RSA_OAEP |
| outboundBackChannelAuth | OutboundBackChannelAuth | The SOAP authentication method(s) to use when you send a message using SOAP back channel. |
| secondaryDecryptionKeyPairRef | ResourceLink | The ID of the secondary key pair used to decrypt message content received from this partner. |
| signingSettings | SigningSettings | Settings related to the manner in which messages sent to the partner are digitally signed. Required for SP Connections. |
| verificationIssuerDN | string | If a verification Subject DN is provided, you can optionally restrict the issuer to a specific trusted CA by specifying its DN in this field. |
| verificationSubjectDN | string | If this property is set, the verification trust model is Anchored. The verification certificate must be signed by a trusted CA and included in the incoming message, and the subject DN of the expected certificate is specified in this property. If this property is not set, then a primary verification certificate must be specified in the certs array. |
ConnectionCert - A certificate used for signature verification or XML encryption.
| Property | Type | Description |
|---|---|---|
| activeVerificationCert | boolean | Indicates whether this is an active signature verification certificate. |
| certView | CertView | Certificate details. This property is read-only and is always ignored on a POST or PUT. |
| encryptionCert | boolean | Indicates whether to use this cert to encrypt outgoing assertions. Only one certificate in the collection can have this flag set. |
| primaryVerificationCert | boolean | Indicates whether this is the primary signature verification certificate. Only one certificate in the collection can have this flag set. |
| secondaryVerificationCert | boolean | Indicates whether this is the secondary signature verification certificate. Only one certificate in the collection can have this flag set. |
| x509File * | X509File | The certificate data. This property must always be supplied on a POST or PUT. |
CertView - Certificate details.
| Property | Type | Description |
|---|---|---|
| cryptoProvider | CryptoProvider | Cryptographic Provider. This is only applicable if Hybrid HSM mode is true. |
| expires | string | The end date up until which the item is valid, in ISO 8601 format (UTC). |
| id | string | The persistent, unique ID for the certificate. |
| issuerDN | string | The issuer’s distinguished name. |
| keyAlgorithm | string | The public key algorithm. |
| keySize | integer | The public key size. |
| serialNumber | string | The serial number assigned by the CA. |
| sha1Fingerprint | string | SHA-1 fingerprint in Hex encoding. |
| sha256Fingerprint | string | SHA-256 fingerprint in Hex encoding. |
| signatureAlgorithm | string | The signature algorithm. |
| status | CertificateValidity | Status of the item. |
| subjectAlternativeNames | array[string] | The subject alternative names (SAN). |
| subjectDN | string | The subject’s distinguished name. |
| validFrom | string | The start date from which the item is valid, in ISO 8601 format (UTC). |
| version | integer | The X.509 version to which the item conforms. |
X509File - Encoded certificate data.
| Property | Type | Description |
|---|---|---|
| cryptoProvider | CryptoProvider | Cryptographic Provider. This is only applicable if Hybrid HSM mode is true. |
| fileData * | string | The certificate data in PEM format. New line characters should be omitted or encoded in this value. |
| id | string | The persistent, unique ID for the certificate. It can be any combination of [a-z0-9._-]. This property is system-assigned if not specified. |
SigningSettings - Settings related to signing messages sent to this partner.
| Property | Type | Description |
|---|---|---|
| algorithm | string | The algorithm used to sign messages sent to this partner. The default is SHA1withDSA for DSA certs, SHA256withRSA for RSA certs, and SHA256withECDSA for EC certs. For RSA certs, SHA1withRSA, SHA384withRSA, and SHA512withRSA are also supported. For EC certs, SHA384withECDSA and SHA512withECDSA are also supported. If the connection is WS-Federation with JWT token type, then the possible values are RSA SHA256, RSA SHA384, RSA SHA512, ECDSA SHA256, ECDSA SHA384, ECDSA SHA512 |
| includeCertInSignature | boolean | Determines whether the signing certificate is included in the signature |
| includeRawKeyInSignature | boolean | Determines whether the |
| signingKeyPairRef * | ResourceLink | The ID of the key pair used to sign messages sent to this partner. The ID of the key pair is also known as the alias and can be found by viewing the corresponding certificate under ‘Signing & Decryption Keys & Certificates’ in the PingFederate admin console. |
OutboundBackChannelAuth : BackChannelAuth
| Property | Type | Description |
|---|---|---|
| digitalSignature | boolean | If incoming or outgoing messages must be signed. |
| httpBasicCredentials | UsernamePasswordCredentials | The credentials to use when you authenticate with the SOAP endpoint. |
| sslAuthKeyPairRef | ResourceLink | The ID of the key pair used to authenticate with your partner’s SOAP endpoint. The ID of the key pair is also known as the alias and can be found by viewing the corresponding certificate under ‘SSL Server Certificates’ in the PingFederate Administrative Console. |
| type | BackChannelAuthType | [“INBOUND” or “OUTBOUND”] |
| validatePartnerCert | boolean | Validate the partner server certificate. Default is true. |
UsernamePasswordCredentials - Username and password credentials.
| Property | Type | Description |
|---|---|---|
| encryptedPassword | string | For GET requests, this field contains the encrypted password, if one exists. For POST and PUT requests, if you wish to reuse the existing password, this field should be passed back unchanged. |
| password | string | User password. To update the password, specify the plaintext value in this field. This field will not be populated for GET requests. |
| username | string | The username. |
InboundBackChannelAuth : BackChannelAuth
| Property | Type | Description |
|---|---|---|
| certs | array[ConnectionCert] | The certificate used for signature verification and XML encryption. |
| digitalSignature | boolean | If incoming or outgoing messages must be signed. |
| httpBasicCredentials | UsernamePasswordCredentials | The credentials to use when you authenticate with the SOAP endpoint. |
| requireSsl | boolean | Incoming HTTP transmissions must use a secure channel. |
| type | BackChannelAuthType | [“INBOUND” or “OUTBOUND”] |
| verificationIssuerDN | string | If a verification Subject DN is provided, you can optionally restrict the issuer to a specific trusted CA by specifying its DN in this field. |
| verificationSubjectDN | string | If this property is set, the verification trust model is Anchored. The verification certificate must be signed by a trusted CA and included in the incoming message, and the subject DN of the expected certificate is specified in this property. If this property is not set, then a primary verification certificate must be specified in the certs array. |
ContactInfo - Contact information.
| Property | Type | Description |
|---|---|---|
| company | string | Company name. |
| string | Contact email address. | |
| firstName | string | Contact first name. |
| lastName | string | Contact last name. |
| phone | string | Contact phone number. |
AdditionalAllowedEntitiesConfiguration - Additional allowed entities or issuers configuration. Currently only used in OIDC IdP (RP) connection.
| Property | Type | Description |
|---|---|---|
| additionalAllowedEntities | array[Entity] | An array of additional allowed entities or issuers to be accepted during entity or issuer validation. |
| allowAdditionalEntities | boolean | Set to true to configure additional entities or issuers to be accepted during entity or issuer validation. |
| allowAllEntities | boolean | Set to true to accept any entity or issuer during entity or issuer validation. (Not Recommended) |
Entity
| Property | Type | Description |
|---|---|---|
| entityDescription | string | Entity description. |
| entityId | string | Unique entity identifier. |
ParameterValues - Parameter Values.
| Property | Type | Description |
|---|---|---|
| values | array[string] | A List of values |