PingFederate for universal token translation

Proprietary token translation is one of several use cases for a Security Token Service.
While Security Token Services were originally invented to identity-enable Web Services, PingFederate customers are discovering a growing list of interesting use cases for the STS and its ability to universally translate security tokens. The PingFederate STS can be used for the following use cases:
Generating SAML assertions from existing tokens
A common use of the PingFederate STS is to generate a SAML assertion equivalent to a token used in a local security domain. Once generated, the SAML assertion can be used to transfer identity attributes to another security domain. SAML is an ideal format for transportation across security domains due to its inherent portability and security.

Generating SAML from claims and attributes
In some cases, the application calling the STS does not have an existing security token with the same set of attributes that need to be in the generated SAML assertion. In these cases, the STS can accept claims (attributes) submitted via the RST call from the Java or .NET client.

Generating new security tokens from SAML
Another use of the PingFederate STS is to generate a new security token from a SAML assertion that was transported over from another security domain. Once generated, the new token can be used to represent the original identity in the local security domain.

Using the STS for token exchange
By combining the two previous scenarios, it is possible to use the PingFederate STS to exchange virtually any security token type for an equivalent token of any other type. PingFederate uses SAML as an intermediary to perform this operation. The calling program needs only to make two calls to perform this complex operation: one to generate the intermediary SAML assertion from the existing security token, and a second to generate the new token from the SAML assertion.

Identity-enabled Web Services
This is the use case for which Security Token Services were originally created. In this scenario, a Web Service provider needs to know the identity of the maker of requests to determine whether and how to respond to the request. (Identity in this context can mean person, application, system or any combination of the three.) In this scenario, PingFederate can play a role at the IdP, SP or both.

Proprietary token exchange
A common use for universal token translation is a large company with multiple security domains that encounters situations where users whose identities are managed in one domain need programmatic access to applications managed in another domain. This scenario can work for any token types supported by PingFederate Token Translators, as well as custom token translators created with the Token Translator SDK.