Create a new IdP connection. If the IdP connection is not properly configured, a 422 status code is returned along with a list of validation errors that must be corrected.

Error status codes

Code Reason
201 Connection created.
400 The request was improperly formatted or contained invalid fields.
403 PingFederate does not have its SP role enabled. Operation not available.
422 Validation error(s) occurred.

IdpConnection : Connection - The set of attributes used to configure an IdP connection.

Property Type Description
active boolean Specifies whether the connection is active and ready to process incoming requests. The default value is false.
additionalAllowedEntitiesConfiguration AdditionalAllowedEntitiesConfiguration Additional allowed entities or issuers configuration. Currently only used in OIDC IdP (RP) connection.
attributeQuery IdpAttributeQuery The attribute query settings for requesting user attributes from an attribute authority.
baseUrl string The fully-qualified hostname and port on which your partner’s federation deployment runs.
contactInfo ContactInfo The contact information for this partner.
credentials ConnectionCredentials The certificates and settings for encryption, signing, and signature verification. It is required for SAML x.x and WS-Fed Connections.
defaultVirtualEntityId string The default alternate entity ID that identifies the local server to this partner. It is required when virtualEntityIds is not empty and must be included in that list.
entityId * string The partner’s entity ID (connection ID) or issuer value (for OIDC Connections).
errorPageMsgId string Identifier that specifies the message displayed on a user-facing error page.
extendedProperties Map[string, ParameterValues] Extended properties allow additional information to be stored for IdP/SP Connections. The names of these extended properties should be defined in /extendedProperties.
id string The persistent, unique ID for the connection. It can be any combination of [a-zA-Z0-9._-]. This property is system-assigned if not specified.
idpBrowserSso IdpBrowserSso The browser-based SSO settings used to communicate with your IdP.
idpOAuthGrantAttributeMapping IdpOAuthGrantAttributeMapping The OAuth Assertion Grant settings used to map from your IdP.
licenseConnectionGroup string The license connection group. If your PingFederate license is based on connection groups, each connection must be assigned to a group before it can be used.
loggingMode LoggingMode The level of transaction logging applicable for this connection. Default is STANDARD.
metadataReloadSettings ConnectionMetadataUrl Connection metadata automatic reload settings.
name * string The connection name.
oidcClientCredentials OIDCClientCredentials The OIDC client credentials. This is required for an OIDC connection.
type ConnectionType The type of this connection. Default is ‘IDP’.
virtualEntityIds array[string] List of alternate entity IDs that identify the local server to this partner.
wsTrust IdpWsTrust The Ws-Trust settings.
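Several constraints in the IdpConnection table (required entityId and name, the [a-zA-Z0-9._-] charset for id, defaultVirtualEntityId having to appear in virtualEntityIds, credentials for SAML/WS-Fed and oidcClientCredentials for OIDC) are exactly what the 422 response reports. The following preflight validator is an added example, not PingFederate code: a deployment script can run it against the request body before calling the Admin API and fail fast with the same messages. The Protocol enum names "SAML20", "SAML11", "SAML10", "WSFED", "OIDC" and the IdpIdentityMapping value "ACCOUNT_MAPPING" used in the constructed sample body are assumptions, since the page does not list those enums; the server still performs its own validation.

```python
"""Client-side preflight checks for an IdpConnection request body.

Added example, not PingFederate code. It mirrors constraints stated in the
IdpConnection table so a deployment script can reject a body locally instead
of round-tripping to the Admin API for a 422. The server still validates.
Assumptions: the Protocol enum values "SAML20", "SAML11", "SAML10", "WSFED"
and "OIDC", and the IdpIdentityMapping value "ACCOUNT_MAPPING" in the sample.
"""
import json
import re
from typing import Any, Dict, List

ID_PATTERN = re.compile(r"^[a-zA-Z0-9._-]+$")
SAML_WSFED_PROTOCOLS = {"SAML20", "SAML11", "SAML10", "WSFED"}  # assumed enum names


def validate_idp_connection(conn: Dict[str, Any]) -> List[str]:
    """Return the list of violated constraints; an empty list means the body passes."""
    errors: List[str] = []

    # entityId and name are marked required (*) in the IdpConnection table.
    for field in ("entityId", "name"):
        if not conn.get(field):
            errors.append(f"{field} is required")

    # id, when supplied, may only use [a-zA-Z0-9._-].
    conn_id = conn.get("id")
    if conn_id is not None and not ID_PATTERN.match(conn_id):
        errors.append("id may only contain characters from [a-zA-Z0-9._-]")

    # defaultVirtualEntityId is required when virtualEntityIds is non-empty
    # and must be one of its entries.
    virtual_ids = conn.get("virtualEntityIds") or []
    default_virtual = conn.get("defaultVirtualEntityId")
    if virtual_ids and default_virtual is None:
        errors.append("defaultVirtualEntityId is required when virtualEntityIds is not empty")
    elif default_virtual is not None and default_virtual not in virtual_ids:
        errors.append("defaultVirtualEntityId must be one of virtualEntityIds")

    browser_sso = conn.get("idpBrowserSso") or {}
    protocol = browser_sso.get("protocol")

    # credentials are required for SAML x.x and WS-Fed connections.
    if protocol in SAML_WSFED_PROTOCOLS and not conn.get("credentials"):
        errors.append("credentials are required for SAML and WS-Fed connections")

    # OIDC connections need client credentials (with clientId) and provider settings.
    if protocol == "OIDC":
        if not (conn.get("oidcClientCredentials") or {}).get("clientId"):
            errors.append("oidcClientCredentials.clientId is required for an OIDC connection")
        if not browser_sso.get("oidcProviderSettings"):
            errors.append("idpBrowserSso.oidcProviderSettings is required for an OIDC connection")

    # Within idpBrowserSso, protocol and idpIdentityMapping are required (*).
    if conn.get("idpBrowserSso") is not None:
        for field in ("protocol", "idpIdentityMapping"):
            if not browser_sso.get(field):
                errors.append(f"idpBrowserSso.{field} is required")

    return errors


# Constructed sample body (placeholder hosts and client id, not real values).
SAMPLE_OIDC_CONNECTION: Dict[str, Any] = {
    "id": "example-oidc-idp",
    "name": "Example OIDC IdP",
    "entityId": "https://idp.example.test",
    "type": "IDP",
    "active": False,
    "virtualEntityIds": ["https://sp.example.test/a", "https://sp.example.test/b"],
    "defaultVirtualEntityId": "https://sp.example.test/a",
    "oidcClientCredentials": {"clientId": "sp-client-placeholder", "clientSecret": "secret-placeholder"},
    "idpBrowserSso": {
        "protocol": "OIDC",
        "idpIdentityMapping": "ACCOUNT_MAPPING",  # assumed enum value
        "oidcProviderSettings": {
            "scopes": "openid profile email",
            "authorizationEndpoint": "https://idp.example.test/authorize",
            "jwksURL": "https://idp.example.test/jwks",
            "loginType": "CODE",
        },
    },
}

if __name__ == "__main__":
    problems = validate_idp_connection(SAMPLE_OIDC_CONNECTION)
    print("OK" if not problems else json.dumps(problems, indent=2))
```

Run the check on the JSON you are about to POST; an empty list means none of the documented constraints is violated, anything else is what the server would most likely echo back as a 422.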

OIDCClientCredentials - The OpenID Connect Client Credentials settings. This is required for an OIDC Connection.

Property Type Description
clientId * string The OpenID Connect client identification.
clientSecret string The OpenID Connect client secret. To update the client secret, specify the plaintext value in this field. This field will not be populated for GET requests.
encryptedSecret string For GET requests, this field contains the encrypted client secret, if one exists. For POST and PUT requests, if you wish to reuse the existing secret, this field should be passed back unchanged.

IdpBrowserSso - The settings used to enable secure browser-based SSO to resources at your site.

Property Type Description
adapterMappings array[SpAdapterMapping] A list of adapters that map to incoming assertions.
artifact ArtifactSettings The settings for an artifact binding.
assertionsSigned boolean Specify whether the incoming SAML assertions are signed rather than the entire SAML response being signed.
attributeContract IdpBrowserSsoAttributeContract The list of attributes that the IdP sends in the assertion.
authenticationPolicyContractMappings array[AuthenticationPolicyContractMapping] A list of Authentication Policy Contracts that map to incoming assertions.
authnContextMappings array[AuthnContextMapping] A list of authentication context mappings between local and remote values. Applicable for SAML 2.0 and OIDC protocol connections.
decryptionPolicy DecryptionPolicy The SAML 2.0 decryption policy for browser-based SSO.
defaultTargetUrl string The default target URL for this connection. If defined, this overrides the default URL.
enabledProfiles Set[Profile] The profiles that are enabled for browser-based SSO. SAML 2.0 supports all profiles whereas SAML 1.x IdP connections support both IdP and SP (non-standard) initiated SSO. This is required for SAML x.x Connections.
idpIdentityMapping * IdpIdentityMapping Defines the process in which users authenticated by the IdP are associated with user accounts local to the SP.
incomingBindings Set[Binding] The SAML bindings that are enabled for browser-based SSO. This is required for SAML 2.0 connections. For SAML 1.x based connections, it is not used for SP Connections and it is optional for IdP Connections.
messageCustomizations array[ProtocolMessageCustomization] The message customizations for browser-based SSO. Depending on server settings, connection type, and protocol this may or may not be supported.
oauthAuthenticationPolicyContractRef ResourceLink The Authentication policy contract to map into for OAuth. The policy contract can subsequently be mapped into the OAuth persistent grant.
oidcProviderSettings OIDCProviderSettings The OpenID Provider configuration settings. Required for an OIDC connection.
protocol * Protocol The browser-based SSO protocol to use.
signAuthnRequests boolean Determines whether SAML authentication requests should be signed.
sloServiceEndpoints array[SloServiceEndpoint] A list of possible endpoints to send SLO requests and responses.
ssoOAuthMapping SsoOAuthMapping Direct mapping from the IdP connection to the OAuth persistent grant.
ssoServiceEndpoints array[IdpSsoServiceEndpoint] The IdP SSO endpoints that define where to send your authentication requests. Only required for SP initiated SSO. This is required for SAML x.x and WS-FED Connections.
urlWhitelistEntries array[UrlWhitelistEntry] For WS-Federation connections, a whitelist of additional allowed domains and paths used to validate wreply for SLO, if enabled.

OIDCProviderSettings - The OpenID Provider settings.

Property Type Description
authenticationScheme OIDCAuthenticationScheme The OpenID Connect Authentication Scheme. This is required for Authentication using Code Flow.
authenticationSigningAlgorithm SigningAlgorithm The authentication signing algorithm for token endpoint PRIVATE_KEY_JWT authentication. Only asymmetric algorithms are allowed. For RSASSA-PSS signing algorithm, PingFederate must be integrated with a hardware security module (HSM) or Java 11.
authorizationEndpoint * string URL of the OpenID Provider’s OAuth 2.0 Authorization Endpoint.
jwksURL * string URL of the OpenID Provider’s JSON Web Key Set [JWK] document.
loginType * OIDCLoginType The OpenID Connect login type. These values map to:
CODE: Authentication using Code Flow
POST: Authentication using Form Post
POST_AT: Authentication using Form Post with Access Token
requestParameters array[OIDCRequestParameter] A map of request parameter names and values.
requestSigningAlgorithm SigningAlgorithm The request signing algorithm. Required only if you wish to use signed requests. Only asymmetric algorithms are allowed. For RSASSA-PSS signing algorithm, PingFederate must be integrated with a hardware security module (HSM) or Java 11.
scopes * string Space separated scope values that the OpenID Provider supports.
tokenEndpoint string URL of the OpenID Provider’s OAuth 2.0 Token Endpoint.
userInfoEndpoint string URL of the OpenID Provider’s UserInfo Endpoint.

OIDCRequestParameter - An OIDC custom request parameter.

Property Type Description
applicationEndpointOverride * boolean Indicates whether the parameter values can be overridden by the Application Endpoint parameters.
name * string A list of parameter values. If more than one value is provided, the parameter is treated as a multi-valued parameter.
value * string A list of parameter values. If more than one value is provided, the parameter is treated as a multi-valued parameter.

UrlWhitelistEntry - URL domain and path to be used as a whitelist entry in a WS-Federation connection.

Property Type Description
allowQueryAndFragment boolean Allow Any Query/Fragment
requireHttps boolean Require HTTPS
validDomain string Valid Domain Name (leading wildcard ‘*.’ allowed)
validPath string Valid Path (leave blank to allow any path)
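The four UrlWhitelistEntry properties decide which wreply values a WS-Federation SLO will redirect to, so it is worth seeing what a given entry actually permits. The matcher below is an added example that applies the documented semantics (validDomain with an optional leading '*.', requireHttps, blank validPath meaning any path, allowQueryAndFragment) to a candidate URL; it is not PingFederate's implementation. Details the page does not state (case-insensitive host comparison, exact path comparison, a wildcard matching subdomains only) are assumptions, and the entries and URLs are constructed.

```python
"""Reference matcher for the UrlWhitelistEntry semantics.

Added example, not PingFederate's implementation. It applies validDomain
(optional leading '*.'), requireHttps, validPath (blank = any path) and
allowQueryAndFragment to a wreply URL. Assumptions: host comparison is
case-insensitive, the path must match exactly, and '*.' matches subdomains
only (not the bare domain). Sample entries and URLs are constructed.
"""
from typing import Any, Dict, List
from urllib.parse import urlsplit


def host_matches(valid_domain: str, host: str) -> bool:
    """Exact host match, or any subdomain when validDomain starts with '*.'."""
    valid_domain = valid_domain.lower()
    host = host.lower()
    if valid_domain.startswith("*."):
        suffix = valid_domain[1:]  # "*.example.test" -> ".example.test"
        # The dot in the suffix is what stops "evil-example.test" from matching.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == valid_domain


def entry_allows(entry: Dict[str, Any], wreply: str) -> bool:
    """True if one UrlWhitelistEntry permits the given wreply URL."""
    parts = urlsplit(wreply)
    if parts.scheme not in ("http", "https"):
        return False
    if entry.get("requireHttps", False) and parts.scheme != "https":
        return False
    # urlsplit().hostname drops userinfo and port, so "a@b" resolves to host "b".
    if not parts.hostname or not host_matches(entry["validDomain"], parts.hostname):
        return False
    valid_path = entry.get("validPath") or ""
    if valid_path and parts.path != valid_path:
        return False
    if (parts.query or parts.fragment) and not entry.get("allowQueryAndFragment", False):
        return False
    return True


def wreply_allowed(entries: List[Dict[str, Any]], wreply: str) -> bool:
    """A wreply is accepted if any whitelist entry allows it."""
    return any(entry_allows(entry, wreply) for entry in entries)


# Constructed sample whitelist (urlWhitelistEntries as they would appear in the body).
SAMPLE_ENTRIES: List[Dict[str, Any]] = [
    {"validDomain": "*.example.test", "validPath": "",
     "requireHttps": True, "allowQueryAndFragment": False},
    {"validDomain": "legacy.example.test", "validPath": "/wsfed/return",
     "requireHttps": False, "allowQueryAndFragment": True},
]

if __name__ == "__main__":
    for candidate in ("https://app.example.test/home",
                      "http://app.example.test/home",
                      "https://app.example.test@attacker.test/home"):
        print(candidate, "->", wreply_allowed(SAMPLE_ENTRIES, candidate))
```

Feeding the matcher the URLs you expect to allow and a handful you expect to reject (other hosts, http where https is required, a userinfo prefix) is a quick way to review a whitelist before it is deployed.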

ArtifactSettings - The settings for an Artifact binding.

Property Type Description
lifetime * integer The lifetime of the artifact in seconds.
resolverLocations * array[ArtifactResolverLocation] Remote party URLs that you will use to resolve/translate the artifact and get the actual protocol message.
sourceId string Source ID for SAML 1.x connections.

ArtifactResolverLocation - The remote party URLs to resolve the artifact.

Property Type Description
index * integer The priority of the endpoint.
url * string Remote party URL that you will use to resolve/translate the artifact and get the actual protocol message.

SloServiceEndpoint - Where SLO logout messages are sent. Only applicable for SAML 2.0.

Property Type Description
binding * Binding The binding of this endpoint, if applicable - usually only required for SAML 2.0 endpoints.
responseUrl string The absolute or relative URL to which logout responses are sent. A relative URL can be specified if a base URL for the connection has been defined.
url * string The absolute or relative URL of the endpoint. A relative URL can be specified if a base URL for the connection has been defined.

IdpSsoServiceEndpoint - The settings that define an endpoint to an IdP SSO service.

Property Type Description
binding * Binding The binding of this endpoint, if applicable - usually only required for SAML 2.0 endpoints.
url * string The absolute or relative URL of the endpoint. A relative URL can be specified if a base URL for the connection has been defined.

AuthnContextMapping - The authentication context mapping between local and remote values.

Property Type Description
local string The local authentication context value.
remote string The remote authentication context value.

DecryptionPolicy - Defines what to decrypt in the browser-based SSO profile.

Property Type Description
assertionEncrypted boolean Specify whether the incoming SAML assertion is encrypted for an IdP connection.
attributesEncrypted boolean Specify whether one or more incoming SAML attributes are encrypted for an IdP connection.
sloEncryptSubjectNameID boolean Encrypt the Subject Name ID in SLO messages to the IdP.
sloSubjectNameIDEncrypted boolean Allow encrypted Subject Name ID in SLO messages from the IdP.
subjectNameIdEncrypted boolean Specify whether the incoming Subject Name ID is encrypted for an IdP connection.

IdpBrowserSsoAttributeContract - A set of user attributes that the IdP sends in the SAML assertion.

Property Type Description
coreAttributes array[IdpBrowserSsoAttribute] A list of read-only assertion attributes that are automatically populated by PingFederate.
extendedAttributes array[IdpBrowserSsoAttribute] A list of additional attributes that are present in the incoming assertion.

IdpBrowserSsoAttribute - An attribute for the IdP Browser SSO attribute contract.

Property Type Description
masked boolean Specifies whether this attribute is masked in PingFederate logs. Defaults to false.
name * string The name of this attribute.

SpAdapterMapping - A mapping to a SP adapter.

Property Type Description
adapterOverrideSettings SpAdapter Connection specific overridden adapter instance for mapping.
attributeContractFulfillment * Map[string, AttributeFulfillmentValue] A list of mappings from attribute names to their fulfillment values.
attributeSources array[AttributeSource] A list of configured data stores to look up attributes from.
issuanceCriteria IssuanceCriteria The issuance criteria that this transaction must meet before the corresponding attribute contract is fulfilled.
restrictVirtualEntityIds boolean Restricts this mapping to specific virtual entity IDs.
restrictedVirtualEntityIds array[string] The list of virtual server IDs that this mapping is restricted to.
spAdapterRef * ResourceLink Reference to the associated SP adapter.
Note: This is ignored if adapter overrides for this mapping exist. In this case, the override’s parent adapter reference is used.

ResourceLink - A reference to a resource.

Property Type Description
id * string The ID of the resource.
location string A read-only URL that references the resource. If the resource is not currently URL-accessible, this property will be null.

SpAdapter - An SP adapter instance.

Property Type Description
attributeContract SpAdapterAttributeContract The list of attributes that the SP adapter provides.
configuration * PluginConfiguration Plugin instance configuration.
id * string The ID of the plugin instance. The ID cannot be modified once the instance is created.
Note: Ignored when specifying a connection’s adapter override.
name * string The plugin instance name. The name cannot be modified once the instance is created.
Note: Ignored when specifying a connection’s adapter override.
parentRef ResourceLink The reference to this plugin’s parent instance. The parent reference is only accepted if the plugin type supports parent instances.
Note: This parent reference is required if this plugin instance is used as an overriding plugin (e.g. connection adapter overrides).
pluginDescriptorRef * ResourceLink Reference to the plugin descriptor for this instance. The plugin descriptor cannot be modified once the instance is created.
Note: Ignored when specifying a connection’s adapter override.
targetApplicationInfo SpAdapterTargetApplicationInfo The target application’s name and icon URL.

PluginConfiguration - Configuration settings for a plugin instance.

Property Type Description
fields array[ConfigField] List of configuration fields.
tables array[ConfigTable] List of configuration tables.

ConfigTable - A plugin configuration table populated with values.

Property Type Description
inherited boolean Whether this table is inherited from its parent instance. If true, the rows become read-only. The default value is false.
name * string The name of the table.
rows array[ConfigRow] List of table rows.

ConfigRow - A row of configuration values for a plugin configuration table.

Property Type Description
defaultRow boolean Whether this row is the default.
fields * array[ConfigField] The configuration fields in the row.

ConfigField - A plugin configuration field value.

Property Type Description
encryptedValue string For encrypted or hashed fields, this attribute contains the encrypted representation of the field’s value, if a value is defined. If you do not want to update the stored value, this attribute should be passed back unchanged.
inherited boolean Whether this field is inherited from its parent instance. If true, the value/encrypted value properties become read-only. The default value is false.
name * string The name of the configuration field.
value string The value for the configuration field. For encrypted or hashed fields, GETs will not return this attribute. To update an encrypted or hashed field, specify the new value in this attribute.

SpAdapterAttributeContract - A set of attributes exposed by an SP adapter.

Property Type Description
coreAttributes array[SpAdapterAttribute] A list of read-only attributes that are automatically populated by the SP adapter descriptor.
extendedAttributes array[SpAdapterAttribute] A list of additional attributes that can be returned by the SP adapter. The extended attributes are only used if the adapter supports them.
inherited boolean Whether this attribute contract is inherited from its parent instance. If true, the rest of the properties in this model become read-only. The default value is false.

SpAdapterAttribute - An attribute for the SP adapter attribute contract.

Property Type Description
name * string The name of this attribute.

SpAdapterTargetApplicationInfo - Target Application Information exposed by an SP adapter.

Property Type Description
applicationIconUrl string The application icon URL.
applicationName string The application name.
inherited boolean Specifies whether target application information is inherited from its parent instance. If true, the rest of the properties in this model become read-only. The default value is false.

AttributeSource - The configured settings to look up attributes from an associated data store.

Property Type Description
attributeContractFulfillment Map[string, AttributeFulfillmentValue] A list of mappings from attribute names to their fulfillment values. This field is only valid for the SP Connection’s Browser SSO mappings.
dataStoreRef * ResourceLink Reference to the associated data store.
description string The description of this attribute source. The description needs to be unique amongst the attribute sources for the mapping.
Note: Required for APC-to-SP Adapter Mappings.
id string The ID that defines this attribute source. Only alphanumeric characters allowed.
Note: Required for OpenID Connect policy attribute sources, OAuth IdP adapter mappings, OAuth access token mappings and APC-to-SP Adapter Mappings. IdP Connections will ignore this property since it only allows one attribute source to be defined per mapping. IdP-to-SP Adapter Mappings can contain multiple attribute sources.
type * DataStoreType The data store type of this attribute source.

AttributeFulfillmentValue - Defines how an attribute in an attribute contract should be populated.

Property Type Description
source * SourceTypeIdKey The attribute value source.
value * string The value for this attribute.

SourceTypeIdKey - A key that is meant to reference a source from which an attribute can be retrieved. This model is usually paired with a value which, depending on the SourceType, can be a hardcoded value or a reference to an attribute name specific to that SourceType. Not all values are applicable - a validation error will be returned for incorrect values.
For each SourceType, the value should be:
ACCOUNT_LINK - If account linking was enabled for the browser SSO, the value must be ‘Local User ID’, unless it has been overridden in PingFederate’s server configuration.
ADAPTER - The value is one of the attributes of the IdP Adapter.
ASSERTION - The value is one of the attributes coming from the SAML assertion.
AUTHENTICATION_POLICY_CONTRACT - The value is one of the attributes coming from an authentication policy contract.
LOCAL_IDENTITY_PROFILE - The value is one of the fields coming from a local identity profile.
CONTEXT - The value must be one of the following [‘TargetResource’ or ‘OAuthScopes’ or ‘ClientId’ or ‘AuthenticationCtx’ or ‘ClientIp’ or ‘Locale’ or ‘StsBasicAuthUsername’ or ‘StsSSLClientCertSubjectDN’ or ‘StsSSLClientCertChain’ or ‘VirtualServerId’ or ‘AuthenticatingAuthority’ or ‘DefaultPersistentGrantLifetime’]
CLAIMS - Attributes provided by the OIDC Provider.
CUSTOM_DATA_STORE - The value is one of the attributes returned by this custom data store.
EXPRESSION - The value is an OGNL expression.
EXTENDED_CLIENT_METADATA - The value is from an OAuth extended client metadata parameter. This source type is deprecated and has been replaced by EXTENDED_PROPERTIES.
EXTENDED_PROPERTIES - The value is from an OAuth Client’s extended property.
IDP_CONNECTION - The value is one of the attributes passed in by the IdP connection.
JDBC_DATA_STORE - The value is one of the column names returned from the JDBC attribute source.
LDAP_DATA_STORE - The value is one of the LDAP attributes supported by your LDAP data store.
MAPPED_ATTRIBUTES - The value is the name of one of the mapped attributes that is defined in the associated attribute mapping.
OAUTH_PERSISTENT_GRANT - The value is one of the attributes from the persistent grant.
PASSWORD_CREDENTIAL_VALIDATOR - The value is one of the attributes of the PCV.
NO_MAPPING - A placeholder value to indicate that an attribute currently has no mapped source.
TEXT - A hardcoded value that is used to populate the corresponding attribute.
TOKEN - The value is one of the token attributes.
REQUEST - The value is from the request context such as the CIBA identity hint contract or the request contract for Ws-Trust.
TRACKED_HTTP_PARAMS - The value is from the original request parameters.
SUBJECT_TOKEN - The value is one of the OAuth 2.0 Token exchange subject_token attributes.
ACTOR_TOKEN - The value is one of the OAuth 2.0 Token exchange actor_token attributes.
TOKEN_EXCHANGE_PROCESSOR_POLICY - The value is one of the attributes coming from a Token Exchange Processor policy.

Property Type Description
id string The attribute source ID that refers to the attribute source that this key references. In some resources, the ID is optional and will be ignored. In these cases the ID should be omitted. If the source type is not an attribute source then the ID can be omitted.
type * SourceType The source type of this key.

LdapAttributeSource : AttributeSource - The configured settings used to look up attributes from an LDAP data store.

Property Type Description
attributeContractFulfillment Map[string, AttributeFulfillmentValue] A list of mappings from attribute names to their fulfillment values. This field is only valid for the SP Connection’s Browser SSO mappings.
baseDn string The base DN to search from. If not specified, the search will start at the LDAP’s root.
binaryAttributeSettings Map[string, BinaryLdapAttributeSettings] The advanced settings for binary LDAP attributes.
dataStoreRef * ResourceLink Reference to the associated data store.
description string The description of this attribute source. The description needs to be unique amongst the attribute sources for the mapping.
Note: Required for APC-to-SP Adapter Mappings.
id string The ID that defines this attribute source. Only alphanumeric characters allowed.
Note: Required for OpenID Connect policy attribute sources, OAuth IdP adapter mappings, OAuth access token mappings and APC-to-SP Adapter Mappings. IdP Connections will ignore this property since it only allows one attribute source to be defined per mapping. IdP-to-SP Adapter Mappings can contain multiple attribute sources.
memberOfNestedGroup boolean Set this to true to return transitive group memberships for the ‘memberOf’ attribute. This only applies for Active Directory data sources. All other data sources will be set to false.
searchFilter * string The LDAP filter that will be used to look up the objects from the directory.
searchScope * LdapSearchScope Determines the node depth of the query.
type * DataStoreType The data store type of this attribute source.

BinaryLdapAttributeSettings - Binary settings for an LDAP attribute.

Property Type Description
binaryEncoding LdapAttrEncodingType The encoding type for this attribute. If not specified, the default is BASE64.

CustomAttributeSource : AttributeSource - The configured settings used to look up attributes from a custom data store.

Property Type Description
attributeContractFulfillment Map[string, AttributeFulfillmentValue] A list of mappings from attribute names to their fulfillment values. This field is only valid for the SP Connection’s Browser SSO mappings.
dataStoreRef * ResourceLink Reference to the associated data store.
description string The description of this attribute source. The description needs to be unique amongst the attribute sources for the mapping.
Note: Required for APC-to-SP Adapter Mappings.
filterFields array[FieldEntry] The list of fields that can be used to filter a request to the custom data store.
id string The ID that defines this attribute source. Only alphanumeric characters allowed.
Note: Required for OpenID Connect policy attribute sources, OAuth IdP adapter mappings, OAuth access token mappings and APC-to-SP Adapter Mappings. IdP Connections will ignore this property since it only allows one attribute source to be defined per mapping. IdP-to-SP Adapter Mappings can contain multiple attribute sources.
type * DataStoreType The data store type of this attribute source.

FieldEntry - A simple name value pair to represent a field entry.

Property Type Description
name * string The name of this field.
value string The value of this field. Whether or not the value is required will be determined by plugin validation checks.

JdbcAttributeSource : AttributeSource - The configured settings used to look up attributes from a JDBC data store.

Property Type Description
attributeContractFulfillment Map[string, AttributeFulfillmentValue] A list of mappings from attribute names to their fulfillment values. This field is only valid for the SP Connection’s Browser SSO mappings.
dataStoreRef * ResourceLink Reference to the associated data store.
description string The description of this attribute source. The description needs to be unique amongst the attribute sources for the mapping.
Note: Required for APC-to-SP Adapter Mappings.
filter * string The JDBC WHERE clause used to query your data store to locate a user record.
id string The ID that defines this attribute source. Only alphanumeric characters allowed.
Note: Required for OpenID Connect policy attribute sources, OAuth IdP adapter mappings, OAuth access token mappings and APC-to-SP Adapter Mappings. IdP Connections will ignore this property since it only allows one attribute source to be defined per mapping. IdP-to-SP Adapter Mappings can contain multiple attribute sources.
schema string Lists the table structure that stores information within a database. Some databases, such as Oracle, require a schema for a JDBC query. Other databases, such as MySQL, do not require a schema.
table * string The name of the database table. The name is used to construct the SQL query to retrieve data from the data store.
type * DataStoreType The data store type of this attribute source.

IssuanceCriteria - A list of criteria that determines whether a transaction (usually an SSO transaction) is continued. All criteria must pass in order for the transaction to continue.

Property Type Description
conditionalCriteria array[ConditionalIssuanceCriteriaEntry] A list of conditional issuance criteria where existing attributes must satisfy their conditions against expected values in order for the transaction to continue.
expressionCriteria array[ExpressionIssuanceCriteriaEntry] A list of expression issuance criteria where the OGNL expressions must evaluate to true in order for the transaction to continue.

ConditionalIssuanceCriteriaEntry - An issuance criterion that checks a source attribute against a particular condition and the expected value. If the condition is true then this issuance criterion passes, otherwise the criterion fails.

Property Type Description
attributeName * string The name of the attribute to use in this issuance criterion.
condition * ConditionType The condition that will be applied to the source attribute’s value and the expected value.
errorResult string The error result to return if this issuance criterion fails. This error result will show up in the PingFederate server logs.
source * SourceTypeIdKey The source of the attribute.
value * string The expected value of this issuance criterion.

ExpressionIssuanceCriteriaEntry - An issuance criterion that uses a Boolean return value from an OGNL expression to determine whether or not it passes.

Property Type Description
errorResult string The error result to return if this issuance criterion fails. This error result will show up in the PingFederate server logs.
expression * string The OGNL expression to evaluate.
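The IssuanceCriteria and ConditionalIssuanceCriteriaEntry tables above describe a simple gate: every criterion must hold for the transaction to continue, each conditional criterion compares one source attribute against an expected value under a ConditionType, and a failing criterion yields its errorResult. The evaluator below is an added example of those semantics, not PingFederate code. The ConditionType names it accepts (EQUALS, NOT_EQUAL, MULTIVALUE_CONTAINS, MULTIVALUE_DOES_NOT_CONTAIN and their _CASE_INSENSITIVE variants) are an assumption, since the page does not list the enum; expressionCriteria are OGNL and cannot be evaluated here, so they fail closed unless a caller supplies an evaluator. The criteria and attribute values are constructed.

```python
"""Evaluator for the issuance-criteria semantics described above.

Added example, not PingFederate code. All criteria must pass; the first
failing criterion's errorResult is returned. ConditionType names are an
assumption (the page does not list them). expressionCriteria (OGNL) fail
closed unless an evaluator callable is provided. Sample data is constructed.
"""
from typing import Any, Callable, Dict, List, Optional, Tuple

# attribute name -> one or more values, grouped by SourceType ("ASSERTION", "CONTEXT", ...)
Attributes = Dict[str, Dict[str, List[str]]]


def _condition_holds(condition: str, actual: List[str], expected: str) -> bool:
    """Apply one ConditionType to the attribute's value(s)."""
    ci = condition.endswith("_CASE_INSENSITIVE")
    norm = str.lower if ci else (lambda s: s)
    values = [norm(v) for v in actual]
    want = norm(expected)
    base = condition[: -len("_CASE_INSENSITIVE")] if ci else condition
    if base == "EQUALS":            # single value that matches; a missing attribute fails
        return values == [want]
    if base == "NOT_EQUAL":
        return values != [want]
    if base == "MULTIVALUE_CONTAINS":
        return want in values
    if base == "MULTIVALUE_DOES_NOT_CONTAIN":
        return want not in values
    raise ValueError(f"unsupported ConditionType: {condition}")


def evaluate_issuance_criteria(
    criteria: Dict[str, Any],
    attributes: Attributes,
    expression_evaluator: Optional[Callable[[str], bool]] = None,
) -> Tuple[bool, Optional[str]]:
    """Return (continue_transaction, errorResult_of_first_failure)."""
    for entry in criteria.get("conditionalCriteria", []):
        source_type = entry["source"]["type"]          # SourceTypeIdKey.type
        actual = attributes.get(source_type, {}).get(entry["attributeName"], [])
        if not _condition_holds(entry["condition"], actual, entry["value"]):
            return False, entry.get("errorResult")
    for entry in criteria.get("expressionCriteria", []):
        # No OGNL engine here: without an evaluator the criterion fails closed.
        if expression_evaluator is None or not expression_evaluator(entry["expression"]):
            return False, entry.get("errorResult")
    return True, None


# Constructed criteria: department must be Engineering, user must be in a group,
# and the authentication context reported by the IdP must not be "unspecified".
SAMPLE_CRITERIA: Dict[str, Any] = {
    "conditionalCriteria": [
        {"source": {"type": "ASSERTION"}, "attributeName": "department",
         "condition": "EQUALS_CASE_INSENSITIVE", "value": "Engineering",
         "errorResult": "not_in_engineering"},
        {"source": {"type": "ASSERTION"}, "attributeName": "groups",
         "condition": "MULTIVALUE_CONTAINS", "value": "vpn-users",
         "errorResult": "missing_vpn_group"},
        {"source": {"type": "CONTEXT"}, "attributeName": "AuthenticationCtx",
         "condition": "NOT_EQUAL", "value": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
         "errorResult": "weak_authn_context"},
    ],
    "expressionCriteria": [],
}

# Constructed attribute values as they might arrive in an assertion and request context.
SAMPLE_ATTRIBUTES: Attributes = {
    "ASSERTION": {"department": ["engineering"], "groups": ["staff", "vpn-users"]},
    "CONTEXT": {"AuthenticationCtx": ["urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"]},
}

if __name__ == "__main__":
    print(evaluate_issuance_criteria(SAMPLE_CRITERIA, SAMPLE_ATTRIBUTES))
```

Because EQUALS on a missing attribute evaluates to false, a criterion on an attribute the IdP stops sending blocks the transaction rather than letting it through; the errorResult string is what you would look for in the server log when diagnosing such a failure.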

AuthenticationPolicyContractMapping - An Authentication Policy Contract mapping into IdP Connection.

Property Type Description
attributeContractFulfillment * Map[string, AttributeFulfillmentValue] A list of mappings from attribute names to their fulfillment values.
attributeSources array[AttributeSource] A list of configured data stores to look up attributes from.
authenticationPolicyContractRef * ResourceLink Reference to the associated Authentication Policy Contract.
issuanceCriteria IssuanceCriteria The issuance criteria that this transaction must meet before the corresponding attribute contract is fulfilled.
restrictVirtualServerIds boolean Restricts this mapping to specific virtual entity IDs.
restrictedVirtualServerIds array[string] The list of virtual server IDs that this mapping is restricted to.

ProtocolMessageCustomization - The message customization that will be executed on outgoing PingFederate messages.

Property Type Description
contextName string The context in which the customization will be applied. Depending on the connection type and protocol, this can either be ‘assertion’, ‘authn-response’ or ‘authn-request’.
messageExpression string The OGNL expression that will be executed. Refer to the Admin Manual for a list of variables provided by PingFederate.

SsoOAuthMapping - IdP Browser SSO OAuth Attribute Mapping

Property Type Description
attributeContractFulfillment * Map[string, AttributeFulfillmentValue] A list of mappings from attribute names to their fulfillment values.
attributeSources array[AttributeSource] A list of configured data stores to look up attributes from.
issuanceCriteria IssuanceCriteria The issuance criteria that this transaction must meet before the corresponding attribute contract is fulfilled.

IdpAttributeQuery - The attribute query profile supports local applications in requesting user attributes from an attribute authority.

Property Type Description
nameMappings array[AttributeQueryNameMapping] The attribute name mappings between the SP and the IdP.
policy IdpAttributeQueryPolicy The attribute query profile’s security policy.
url * string The URL at your IdP partner’s site where attribute queries are to be sent.

AttributeQueryNameMapping - The attribute query name mappings between the SP and the IdP.

Property Type Description
localName * string The local attribute name.
remoteName * string The remote attribute name as defined by the attribute authority.

IdpAttributeQueryPolicy - The attribute query profile’s security policy.

Property Type Description
encryptNameId boolean Encrypt the name identifier.
maskAttributeValues boolean Mask attributes in log files.
requireEncryptedAssertion boolean Require encrypted assertion.
requireSignedAssertion boolean Require signed assertion.
requireSignedResponse boolean Require signed response.
signAttributeQuery boolean Sign the attribute query.

IdpOAuthGrantAttributeMapping - The OAuth Assertion Grant settings used to map from your IdP.

Property Type Description
accessTokenManagerMappings array[AccessTokenManagerMapping] A mapping in a connection that defines how access tokens are created.
idpOAuthAttributeContract IdpOAuthAttributeContract A set of user attributes that the IdP sends in the OAuth Assertion Grant.

AccessTokenManagerMapping - A mapping in a connection that defines how access tokens are created.

Property Type Description
accessTokenManagerRef ResourceLink The access token manager used in OAuth attribute mapping.
attributeContractFulfillment * Map[string, AttributeFulfillmentValue] A list of mappings from attribute names to their fulfillment values.
attributeSources array[AttributeSource] A list of configured data stores to look up attributes from.
issuanceCriteria IssuanceCriteria The issuance criteria that this transaction must meet before the corresponding attribute contract is fulfilled.

IdpOAuthAttributeContract - A set of user attributes that the IdP sends in the OAuth Assertion Grant.

Property Type Description
coreAttributes array[IdpBrowserSsoAttribute] A list of read-only assertion attributes that are automatically populated by PingFederate.
extendedAttributes array[IdpBrowserSsoAttribute] A list of additional attributes that are present in the incoming assertion.

IdpWsTrust - The WS-Trust STS validates incoming tokens, which enables SSO access to web services. It can also generate local tokens for web services.

Property Type Description
attributeContract * IdpWsTrustAttributeContract A set of user attributes that the SP receives in the incoming token.
generateLocalToken * boolean Indicates whether a local token needs to be generated. The default value is false.
tokenGeneratorMappings array[SpTokenGeneratorMapping] A list of token generators to generate local tokens. Required if a local token needs to be generated.

IdpWsTrustAttributeContract - A set of user attributes that this server will receive in the token.

Property Type Description
coreAttributes array[IdpWsTrustAttribute] A list of read-only assertion attributes that are automatically populated by PingFederate.
extendedAttributes array[IdpWsTrustAttribute] A list of additional attributes that are received in the incoming assertion.

IdpWsTrustAttribute - An attribute for the Ws-Trust attribute contract.

Property Type Description
masked boolean Specifies whether this attribute is masked in PingFederate logs. Defaults to false.
name * string The name of this attribute.

SpTokenGeneratorMapping - The SP Token Generator Mapping.

Property Type Description
attributeContractFulfillment * Map[string, AttributeFulfillmentValue] A list of mappings from attribute names to their fulfillment values.
attributeSources array[AttributeSource] A list of configured data stores to look up attributes from.
defaultMapping boolean Indicates whether the token generator mapping is the default mapping. The default value is false.
issuanceCriteria IssuanceCriteria The issuance criteria that this transaction must meet before the corresponding attribute contract is fulfilled.
restrictedVirtualEntityIds array[string] The list of virtual server IDs that this mapping is restricted to.
spTokenGeneratorRef * ResourceLink Reference to the associated token generator.

ConnectionMetadataUrl - Configuration settings to enable automatic reload of partner’s metadata.

Property Type Description
enableAutoMetadataUpdate boolean Specifies whether the metadata of the connection will be automatically reloaded. The default value is true.
metadataUrlRef * ResourceLink ID of the saved Metadata URL.

ConnectionCredentials - The certificates and settings for encryption, signing, and signature verification.

Property Type Description
blockEncryptionAlgorithm string The algorithm used to encrypt assertions sent to this partner. AES_128, AES_256 and Triple_DES are supported. Default is AES_128.
certs array[ConnectionCert] The certificates used for signature verification and XML encryption.
decryptionKeyPairRef ResourceLink The ID of the primary key pair used to decrypt message content received from this partner. The ID of the key pair is also known as the alias and can be found by viewing the corresponding certificate under ‘Signing & Decryption Keys & Certificates’ in the PingFederate Administrative Console.
inboundBackChannelAuth InboundBackChannelAuth The SOAP authentication method(s) to use when you receive a message using SOAP back channel.
keyTransportAlgorithm string The algorithm used to transport keys to this partner. RSA_OAEP and RSA_v15 are supported. Default is RSA_OAEP.
outboundBackChannelAuth OutboundBackChannelAuth The SOAP authentication method(s) to use when you send a message using SOAP back channel.
secondaryDecryptionKeyPairRef ResourceLink The ID of the secondary key pair used to decrypt message content received from this partner.
signingSettings SigningSettings Settings related to the manner in which messages sent to the partner are digitally signed. Required for SP Connections.
verificationIssuerDN string If a verification Subject DN is provided, you can optionally restrict the issuer to a specific trusted CA by specifying its DN in this field.
verificationSubjectDN string If this property is set, the verification trust model is Anchored. The verification certificate must be signed by a trusted CA and included in the incoming message, and the subject DN of the expected certificate is specified in this property. If this property is not set, then a primary verification certificate must be specified in the certs array.

ConnectionCert - A certificate used for signature verification or XML encryption.

Property Type Description
activeVerificationCert boolean Indicates whether this is an active signature verification certificate.
certView CertView Certificate details. This property is read-only and is always ignored on a POST or PUT.
encryptionCert boolean Indicates whether to use this cert to encrypt outgoing assertions. Only one certificate in the collection can have this flag set.
primaryVerificationCert boolean Indicates whether this is the primary signature verification certificate. Only one certificate in the collection can have this flag set.
secondaryVerificationCert boolean Indicates whether this is the secondary signature verification certificate. Only one certificate in the collection can have this flag set.
x509File * X509File The certificate data. This property must always be supplied on a POST or PUT.
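The ConnectionCredentials and ConnectionCert tables above state several invariants (one primary/secondary/encryption cert at most, fileData required on POST/PUT, a primary verification cert required unless verificationSubjectDN makes the trust model Anchored, the supported algorithm names and defaults). The following added example, which is not PingFederate's own code, checks a credentials object against those rules locally before it is sent, so a misconfiguration surfaces as a readable message rather than a 422; the sample payload and its PEM value are constructed placeholders.

```python
"""Added example, not PingFederate's own code: pre-flight checks that mirror the
ConnectionCredentials and ConnectionCert rules in this reference."""
from __future__ import annotations
from typing import Any

# Flags that at most one ConnectionCert in the collection may set.
SINGLE_CERT_FLAGS = ("primaryVerificationCert", "secondaryVerificationCert", "encryptionCert")
BLOCK_ALGS = {"AES_128", "AES_256", "Triple_DES"}
KEY_TRANSPORT_ALGS = {"RSA_OAEP", "RSA_v15"}


def check_credentials(creds: dict[str, Any]) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for a ConnectionCredentials object."""
    errors: list[str] = []
    warnings: list[str] = []
    certs = creds.get("certs") or []
    for flag in SINGLE_CERT_FLAGS:
        count = sum(1 for c in certs if c.get(flag))
        if count > 1:
            errors.append(f"{flag} set on {count} certs; only one allowed")
    for i, cert in enumerate(certs):
        # x509File.fileData must always be supplied on POST/PUT; certView is ignored.
        if not (cert.get("x509File") or {}).get("fileData"):
            errors.append(f"certs[{i}].x509File.fileData is required")
    anchored = bool(creds.get("verificationSubjectDN"))
    if not anchored and not any(c.get("primaryVerificationCert") for c in certs):
        errors.append("no verificationSubjectDN, so a primaryVerificationCert is required")
    if creds.get("verificationIssuerDN") and not anchored:
        warnings.append("verificationIssuerDN has no effect without verificationSubjectDN")
    block = creds.get("blockEncryptionAlgorithm", "AES_128")  # API default
    if block not in BLOCK_ALGS:
        errors.append(f"unsupported blockEncryptionAlgorithm {block!r}")
    elif block == "Triple_DES":
        warnings.append("Triple_DES is a legacy cipher; prefer AES_128 or AES_256")
    transport = creds.get("keyTransportAlgorithm", "RSA_OAEP")  # API default
    if transport not in KEY_TRANSPORT_ALGS:
        errors.append(f"unsupported keyTransportAlgorithm {transport!r}")
    elif transport == "RSA_v15":
        warnings.append("RSA_v15 (PKCS#1 v1.5) key transport is legacy; prefer RSA_OAEP")
    return errors, warnings


# Constructed sample payload (placeholder PEM data, not a real certificate).
SAMPLE_CREDS = {
    "certs": [
        {"primaryVerificationCert": True, "encryptionCert": True,
         "x509File": {"fileData": "MIIB...PLACEHOLDER..."}},
        {"secondaryVerificationCert": True, "x509File": {"fileData": "MIIB...PLACEHOLDER..."}},
    ],
    "keyTransportAlgorithm": "RSA_v15",
}
```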

CertView - Certificate details.

Property Type Description
cryptoProvider CryptoProvider Cryptographic Provider. This is only applicable if Hybrid HSM mode is true.
expires string The end date up until which the item is valid, in ISO 8601 format (UTC).
id string The persistent, unique ID for the certificate.
issuerDN string The issuer’s distinguished name.
keyAlgorithm string The public key algorithm.
keySize integer The public key size.
serialNumber string The serial number assigned by the CA.
sha1Fingerprint string SHA-1 fingerprint in Hex encoding.
sha256Fingerprint string SHA-256 fingerprint in Hex encoding.
signatureAlgorithm string The signature algorithm.
status CertificateValidity Status of the item.
subjectAlternativeNames array[string] The subject alternative names (SAN).
subjectDN string The subject’s distinguished name.
validFrom string The start date from which the item is valid, in ISO 8601 format (UTC).
version integer The X.509 version to which the item conforms.

X509File - Encoded certificate data.

Property Type Description
cryptoProvider CryptoProvider Cryptographic Provider. This is only applicable if Hybrid HSM mode is true.
fileData * string The certificate data in PEM format. New line characters should be omitted or encoded in this value.
id string The persistent, unique ID for the certificate. It can be any combination of [a-z0-9._-]. This property is system-assigned if not specified.

SigningSettings - Settings related to signing messages sent to this partner.

Property Type Description
algorithm string The algorithm used to sign messages sent to this partner. The default is SHA1withDSA for DSA certs, SHA256withRSA for RSA certs, and SHA256withECDSA for EC certs. For RSA certs, SHA1withRSA, SHA384withRSA, and SHA512withRSA are also supported. For EC certs, SHA384withECDSA and SHA512withECDSA are also supported. If the connection is WS-Federation with JWT token type, then the possible values are RSA SHA256, RSA SHA384, RSA SHA512, ECDSA SHA256, ECDSA SHA384, ECDSA SHA512.
includeCertInSignature boolean Determines whether the signing certificate is included in the signature element.
includeRawKeyInSignature boolean Determines whether the element with the raw public key is included in the signature element.
signingKeyPairRef * ResourceLink The ID of the key pair used to sign messages sent to this partner. The ID of the key pair is also known as the alias and can be found by viewing the corresponding certificate under ‘Signing & Decryption Keys & Certificates’ in the PingFederate admin console.

OutboundBackChannelAuth : BackChannelAuth

Property Type Description
digitalSignature boolean Indicates whether incoming or outgoing messages must be signed.
httpBasicCredentials UsernamePasswordCredentials The credentials to use when you authenticate with the SOAP endpoint.
sslAuthKeyPairRef ResourceLink The ID of the key pair used to authenticate with your partner’s SOAP endpoint. The ID of the key pair is also known as the alias and can be found by viewing the corresponding certificate under ‘SSL Server Certificates’ in the PingFederate Administrative Console.
type BackChannelAuthType [“INBOUND” or “OUTBOUND”]
validatePartnerCert boolean Validate the partner server certificate. Default is true.

UsernamePasswordCredentials - Username and password credentials.

Property Type Description
encryptedPassword string For GET requests, this field contains the encrypted password, if one exists. For POST and PUT requests, if you wish to reuse the existing password, this field should be passed back unchanged.
password string User password. To update the password, specify the plaintext value in this field. This field will not be populated for GET requests.
username string The username.

InboundBackChannelAuth : BackChannelAuth

Property Type Description
certs array[ConnectionCert] The certificates used for signature verification and XML encryption.
digitalSignature boolean Indicates whether incoming or outgoing messages must be signed.
httpBasicCredentials UsernamePasswordCredentials The credentials to use when you authenticate with the SOAP endpoint.
requireSsl boolean Incoming HTTP transmissions must use a secure channel.
type BackChannelAuthType [“INBOUND” or “OUTBOUND”]
verificationIssuerDN string If a verification Subject DN is provided, you can optionally restrict the issuer to a specific trusted CA by specifying its DN in this field.
verificationSubjectDN string If this property is set, the verification trust model is Anchored. The verification certificate must be signed by a trusted CA and included in the incoming message, and the subject DN of the expected certificate is specified in this property. If this property is not set, then a primary verification certificate must be specified in the certs array.

ContactInfo - Contact information.

Property Type Description
company string Company name.
email string Contact email address.
firstName string Contact first name.
lastName string Contact last name.
phone string Contact phone number.

AdditionalAllowedEntitiesConfiguration - Additional allowed entities or issuers configuration. Currently only used in OIDC IdP (RP) connection.

Property Type Description
additionalAllowedEntities array[Entity] An array of additional allowed entities or issuers to be accepted during entity or issuer validation.
allowAdditionalEntities boolean Set to true to configure additional entities or issuers to be accepted during entity or issuer validation.
allowAllEntities boolean Set to true to accept any entity or issuer during entity or issuer validation. (Not Recommended)

Entity

Property Type Description
entityDescription string Entity description.
entityId string Unique entity identifier.

ParameterValues - Parameter Values.

Property Type Description
values array[string] A list of values.