Review Default Properties
You can review default values of the properties specified in the default.properties file and edit them only if required. This file is located in <PINGFEDERATE_SCRIPT_HOME>, the directory where you saved the automation scripts for the PingFederate configuration.
* Enclose the value of every property in single quotes.
The default.properties file has settings for the following properties.
Global default properties—Applicable to any IdP configuration
PingFederate connectivity 
The following table describes the properties already configured for connectivity with PingFederate and the default value for each property.
Property
Description
Default Value
global_pingFedProtocol
Specifies the protocol to be used by PingFederate.
global_pingFedProtocol='https'
global_pingFedAdminUser
Specifies the user name of the PingFederate administrator account.
global_pingFedAdminUser='Administrator'
SSL certificates for the Application Layer (SAML encryption and signing) 
The following table describes the properties already configured for SSL certificates for the application layer (SAML encryption and signing) and the default value for each property. For more information, see “Manage digital signing certificates and decryption keys” in the PingFederate documentation.
Property
Description
Default Value
create_pingfed_signing_cert_keyAlgorithm
Specifies the cryptographic formula used to generate a key.
create_pingfed_signing_cert_keyAlgorithm='RSA'
create_pingfed_signing_cert_keySize
Specifies the number of bits used in the key.
create_pingfed_signing_cert_keySize='2048'
create_pingfed_signing_cert_signatureAlgorithm
Specifies the signing algorithm of the certificate.
create_pingfed_signing_cert_signatureAlgorithm='SHA256withRSA'
SSL certificates for PingFederate 
The automation scripts let you install the PingFederate admin SSL certificate as the PingFederate runtime SSL certificate.
A new property, activate_global_pingFed_admin_certificate_as_runtime, is introduced to manage this behavior.
The default value of this property is set to true, which activates the PingFederate admin SSL certificate as the PingFederate runtime SSL certificate.
If you set the value of this property to false, the scripts create a new runtime SSL certificate. This new runtime SSL certificate is created using the properties that are defined to run when activate_global_pingFed_admin_certificate_as_runtime=false.
The following table describes the properties you must specify to configure SSL certificates for PingFederate and an example for each property. For more information, see “Manage SSL server certificates” in the PingFederate documentation.
Property
Description
Default Value
PingFederate Runtime SSL Server Certificate:
activate_global_pingFed_admin_certificate_as_runtime
Allows the PingFederate Admin SSL certificate to be installed as the PingFederate Runtime SSL certificate.
activate_global_pingFed_admin_certificate_as_runtime='true'
The following properties are required only when activate_global_pingFed_admin_certificate_as_runtime='false':
create_pf_ssl_server_cert_organization
Specifies the organization or company name creating the certificate.
create_pf_ssl_server_cert_organization='ptc'
create_pf_ssl_server_cert_organizationUnit
Specifies the specific unit within the organization.
create_pf_ssl_server_cert_organizationUnit='ent-sso'
create_pf_ssl_server_cert_city
Specifies the city or other primary location where the company operates.
create_pf_ssl_server_cert_city='Pune'
create_pf_ssl_server_cert_state
Specifies the state or other political unit encompassing the location.
create_pf_ssl_server_cert_state='MAH'
create_pf_ssl_server_cert_validDays
Specifies the number of days for which the certificate is valid.
create_pf_ssl_server_cert_validDays='36500'
create_pf_ssl_server_cert_country
Specifies the code of the country where the company is based. The country code is represented by a two-letter code.
create_pf_ssl_server_cert_country='IN'
create_pf_ssl_server_cert_keyAlgorithm
Specifies the cryptographic formula used to generate a key.
create_pf_ssl_server_cert_keyAlgorithm='RSA'
create_pf_ssl_server_cert_keySize
Specifies the number of bits used in the key.
create_pf_ssl_server_cert_keySize='2048'
create_pf_ssl_server_cert_signatureAlgorithm
Specifies the signing algorithm of the certificate.
create_pf_ssl_server_cert_signatureAlgorithm='SHA256withRSA'
Service provider connection 
The following table describes the properties already configured for connectivity with the service provider and the default value for each property. For more information, see “SP connection management” in the PingFederate documentation.
Property
Description
Default Value
create_sp_connection_type
Specifies the type of connection needed for ThingWorx as the service provider.
create_sp_connection_type='SP'
create_sp_connection_entityId
Specifies the entity identifier needed for ThingWorx as the service provider. For example, ThingWorx or Windchill RV&S.
create_sp_connection_entityId='TWX_SP'
where <SP_name> is TWX, or ILM, or WNC.
create_sp_connection_name
Specifies the plain-language identifier for the connection with ThingWorx as the service provider.
create_sp_connection_name='TWX_SP'
create_sp_connection_loggingMode
Specifies the logging mode for the service provider connection.
create_sp_connection_loggingMode='STANDARD'
create_sp_connection_browserSSO_protocol
Specifies the protocol to support browser-based SSO connection type.
create_sp_connection_browserSSO_protocol='SAML20'
create_sp_connection_browserSSO_assertion_lifetime_valid_minutes_before
Specifies the amount of time before the assertion was issued during which it is to be considered valid.
create_sp_connection_browserSSO_assertion_lifetime_valid_minutes_before='60'
create_sp_connection_browserSSO_assertion_lifetime_valid_minutes_after
Specifies the amount of time after the assertion was issued during which it is to be considered valid.
create_sp_connection_browserSSO_assertion_lifetime_valid_minutes_after='480'
create_sp_connection_browserSSO_saml_identity_mapping
Specifies the way for PingFederate to send a secure token (the assertion) containing user-identity information that the service provider (ThingWorx, Windchill RV&S) can translate, or map, to local user stores.
create_sp_connection_browserSSO_saml_identity_mapping='STANDARD'
create_sp_connection_browserSSO_attribute_Contract_coreAttribute_name
Specifies the name of the core attribute in the SAML assertion that PingFederate sends as an IdP to the service provider (ThingWorx, Windchill RV&S).
create_sp_connection_browserSSO_attribute_Contract_coreAttribute_name='SAML_SUBJECT'
create_sp_connection_browserSSO_attribute_Contract_extendedAttribute_name
Specifies the name of the attribute contract, an extended attribute in the SAML assertion that PingFederate sends as an IdP to the service provider (ThingWorx, Windchill RV&S).
create_sp_connection_browserSSO_attribute_Contract_extendedAttribute_name='uid'
create_sp_connection_browserSSO_attribute_Contract_extendedAttribute_group
Specifies the group of the attribute contract, an extended attribute in the SAML assertion that PingFederate sends as an IdP to the service provider (ThingWorx, Windchill RV&S).
create_sp_connection_browserSSO_attribute_Contract_extendedAttribute_group='group'
create_sp_connection_browserSSO_attribute_Contract_extendedAttribute_email
Specifies the e-mail of the attribute contract, an extended attribute in the SAML assertion that PingFederate sends as an IdP to the service provider (ThingWorx, Windchill RV&S).
create_sp_connection_browserSSO_attribute_Contract_extendedAttribute_email='email'
create_sp_connection_browserSSO_attribute_contract_1_key
Specifies the name of the service provider connection for the first attribute contract fulfilled by the IdP adapter.
create_sp_connection_browserSSO_attribute_contract_1_key='uid'
create_sp_connection_browserSSO_attribute_contract_1_value
Specifies the name of the IdP adapter value used for the fulfillment of the first attribute contract.
create_sp_connection_browserSSO_attribute_contract_1_value='username'
create_sp_connection_browserSSO_attribute_contract_2_key
Specifies the name of the service provider connection for the second attribute contract fulfilled by the IdP adapter.
create_sp_connection_browserSSO_attribute_contract_2_key='SAML_SUBJECT'
create_sp_connection_browserSSO_attribute_contract_2_value
Specifies the name of the IdP adapter value used for the fulfillment of the second attribute contract.
create_sp_connection_browserSSO_attribute_contract_2_value='username'
create_sp_connection_browserSSO_attribute_contract_source
Specifies the data store or directory locations containing information that may be needed for the IdP adapter contract or the token authorization workflow.
create_sp_connection_browserSSO_attribute_contract_source='ADAPTER'
create_sp_connection_assertion_consumer_service_url
Specifies the URL for the hypertext transfer protocol resource (HTTP resource) that processes SAML protocol messages and returns a cookie representing the information extracted from the message.
create_sp_connection_assertion_consumer_service_url='/Thingworx/saml/SSO'
create_sp_connection_assertion_consumer_service_binding
Specifies the SAML protocol binding used when returning the response message.
create_sp_connection_assertion_consumer_service_binding='POST'
create_sp_connection_sign_assertion
Specifies whether the response, logout request, and logout response elements received by the service provider are signed.
create_sp_connection_sign_assertion='true'
create_sp_connection_sign_auth_requests
Specifies whether the authentication request message sent by the service provider is signed. The metadata of the service provider provides this information.
create_sp_connection_sign_auth_requests='true'
create_sp_connection_encrypt_entire_assertion
Specifies whether the entire assertion received by the service provider is encrypted.
create_sp_connection_encrypt_entire_assertion='true'
create_sp_connection_signing_algorithm
Specifies the algorithm that the service provider uses during the signing process.
create_sp_connection_signing_algorithm='SHA256withRSA'
create_sp_connection_block_encryption_algorithm
Specifies the cipher code of the block encryption algorithm. 'AES_256' is recommended if the Unlimited Strength Java (TM) Cryptography Extension (JCE) Policy Files are installed for both the PingFederate and ThingWorx JRE or JDK.
create_sp_connection_block_encryption_algorithm='AES_128'
create_sp_connection_key_transport_algorithm
Specifies the key transport algorithm to encrypt the certificate key.
create_sp_connection_key_transport_algorithm='RSA_OAEP'
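The following check is an added example, not part of the PTC automation scripts. It reviews an edited default.properties for the single-quote rule, for the runtime certificate properties that become required when activate_global_pingFed_admin_certificate_as_runtime='false', and for service provider connection settings that weaken signing or encryption relative to the defaults above. It assumes one name='value' pair per line and '#' comment lines; MAX_VALID_DAYS is a hypothetical local policy ceiling, and the sample input is constructed.

```python
import re

# Constructed sample in the page's name='value' format; not a real deployment file.
SAMPLE = """\
# constructed sample
global_pingFedProtocol='https'
global_pingFedAdminUser=Administrator
activate_global_pingFed_admin_certificate_as_runtime='false'
create_pf_ssl_server_cert_organization='ptc'
create_pf_ssl_server_cert_keyAlgorithm='RSA'
create_pf_ssl_server_cert_keySize='2048'
create_pf_ssl_server_cert_validDays='36500'
create_sp_connection_sign_assertion='true'
create_sp_connection_sign_auth_requests='false'
create_sp_connection_encrypt_entire_assertion='true'
create_sp_connection_block_encryption_algorithm='AES_128'
"""

SWITCH = "activate_global_pingFed_admin_certificate_as_runtime"
# Properties the page lists as required when SWITCH is 'false'.
RUNTIME_CERT_PROPS = ["create_pf_ssl_server_cert_" + s for s in (
    "organization", "organizationUnit", "city", "state", "validDays",
    "country", "keyAlgorithm", "keySize", "signatureAlgorithm")]
# SAML protection switches whose page default is 'true'.
EXPECT_TRUE = ("create_sp_connection_sign_assertion",
               "create_sp_connection_sign_auth_requests",
               "create_sp_connection_encrypt_entire_assertion")
MAX_VALID_DAYS = 825  # assumption: a local policy ceiling, not a value from the page
PAIR = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse(text):
    """Return (props, findings); flag values not enclosed in single quotes."""
    props, findings = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = PAIR.match(raw)
        if not m:
            findings.append(f"line {n}: not a name='value' pair")
            continue
        name, value = m.groups()
        if len(value) >= 2 and value[0] == "'" and value[-1] == "'":
            props[name] = value[1:-1]
        else:
            findings.append(f"line {n}: {name} value is not in single quotes")
            props[name] = value.strip("'\"")
    return props, findings


def review(text):
    """Return a list of findings for one default.properties text."""
    props, findings = parse(text)
    if props.get("global_pingFedProtocol", "https") != "https":
        findings.append("global_pingFedProtocol is not 'https'")
    if props.get(SWITCH) == "false":
        # The scripts create a new runtime certificate from these properties.
        for name in RUNTIME_CERT_PROPS:
            if name not in props:
                findings.append(f"{name} is required when {SWITCH}='false'")
        days = props.get("create_pf_ssl_server_cert_validDays", "")
        if days.isdigit() and int(days) > MAX_VALID_DAYS:
            findings.append(f"runtime certificate validDays={days} exceeds {MAX_VALID_DAYS}")
    for name in EXPECT_TRUE:
        if props.get(name, "true") != "true":
            findings.append(f"{name} is '{props[name]}', page default is 'true'")
    if props.get("create_sp_connection_block_encryption_algorithm") == "AES_128":
        findings.append("block encryption is AES_128; the page recommends AES_256 "
                        "when unlimited-strength JCE policy files are on both sides")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```
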
Access token management 
The following table describes the properties already configured for managing access tokens and the default value for each property. For more information, see “Access token management” in the PingFederate documentation.
Property
Description
Default Value
create_access_token_manager_id
Specifies the unique identifier for the instance of the access token manager.
create_access_token_manager_id='default'
create_access_token_manager_name
Specifies the name for the instance of the access token manager.
create_access_token_manager_name='default'
create_access_token_manager_attribute_name_1
Specifies the attribute name for the first access token issued by the access token management instance.
create_access_token_manager_attribute_name='Username'
create_access_token_manager_attribute_name_2
Specifies the attribute name for the second access token issued by the access token management instance.
create_access_token_manager_attribute_name='username'
Access token mapping 
The following table describes the properties already configured for mapping access tokens and the default value for each property. For more information, see “Configuring access token mappings” in the PingFederate documentation.
Property
Description
Default Value
create_access_token_mapping_source
Specifies the source of attributes requested from the authorization server.
create_access_token_mapping_source='OAUTH_PERSISTENT_GRANT'
create_access_token_mapping_value
Specifies the value of attributes requested from the authorization server.
create_access_token_mapping_value='USER_KEY'
OAuth client connections with ThingWorx as the service provider 
The following table describes the properties already configured for OAuth client connections with ThingWorx as the service provider and the default value for each property. For more information, see “Configuring OAuth clients” in the PingFederate documentation.
Property
Description
Default Value
create_twx_sp_oauth_client_id
Specifies the OAuth client ID to identify the client application.
create_twx_sp_oauth_client_id='twx-sp-client'
create_twx_oauth_client_name
Specifies the name of the client application.
create_twx_oauth_client_name='twx-sp-client'
create_twx_oauth_client_auth_type
Specifies the authorization type for the client application to register with the authorization server.
create_twx_oauth_client_auth_type='SECRET'
create_twx_oauth_client_grantType1
Specifies the first grant type required by the ThingWorx OAuth client.
create_twx_oauth_client_grantType1='AUTHORIZATION_CODE'
create_twx_oauth_client_grantType2
Specifies the second grant type required by the ThingWorx OAuth client.
create_twx_oauth_client_grantType2='REFRESH_TOKEN'
create_twx_oauth_client_grantType3
Specifies the third grant type required by the ThingWorx OAuth client.
create_twx_oauth_client_grantType3='ACCESS_TOKEN_VALIDATION'
create_twx_oauth_client_refreshRolling
Specifies the property that determines if a new refresh token is issued each time a new access token is obtained.
create_twx_oauth_client_refreshRolling='ROLL'
create_twx_oauth_client_expirationTime
Specifies the validity period of access tokens generated for the client application.
create_twx_oauth_client_expirationTime='30'
create_twx_oauth_client_expirationTimeUnit
Specifies the unit of measure to specify the validity period of access tokens generated for the client application.
create_twx_oauth_client_expirationTimeUnit='DAYS'
create_twx_oauth_client_persistent_grant_expiration_type
Specifies the persistent grant expiration settings for client applications.
create_twx_oauth_client_persistent_grant_expiration_type='OVERRIDE_SERVER_DEFAULT'
OAuth client connections with Windchill as the resource server 
The following table describes the properties already configured for OAuth client connections with Windchill as the resource server and the default value for each property. For more information, see “Configuring OAuth clients” in the PingFederate documentation.
Property
Description
Default Value
create_wnc_rp_oauth_client_id
Specifies the OAuth client ID to identify the client application.
create_wnc_rp_oauth_client_id='wnc-rp-client'
create_wnc_oauth_client_name
Specifies the name of the client application to configure Windchill for OAuth delegated authorization.
create_wnc_oauth_client_name='wnc-rp-client'
create_wnc_oauth_client_auth_type
Specifies the authorization type for the client application to register with the authorization server.
create_wnc_oauth_client_auth_type='SECRET'
create_wnc_oauth_client_grantType
Specifies the grant type required by the Windchill OAuth client.
create_wnc_oauth_client_grantType='ACCESS_TOKEN_VALIDATION'
OAuth client connections with Windchill RV&S as the service provider 
The following table describes the properties already configured for OAuth client connections with Windchill RV&S as the service provider and the default value for each property. For more information, see “Configuring OAuth clients” in the PingFederate documentation.
Property
Description
Default Value
create_twx_sp_oauth_client_id
Specifies the OAuth client ID to identify the client application.
create_twx_sp_oauth_client_id='ilm-rp-client'
create_twx_oauth_client_name
Specifies the name of the client application.
create_twx_oauth_client_name='ilm-rp-client'
create_twx_oauth_client_auth_type
Specifies the authorization type for the client application to register with the authorization server.
create_ilm_oauth_client_auth_type='SECRET'
create_twx_oauth_client_grantType3
Specifies the third grant type required by the Windchill RV&S OAuth client.
create_ilm_oauth_client_grantType='ACCESS_TOKEN_VALIDATION'
Service Provider policy contract 
The following table describes the property you must specify to configure the service provider policy contract for PingFederate and an example for the property. For more information, see Authentication Policy Contract.
Property
Description
Default Value
create_auth_policy_contract_name
Specifies the authentication policy contract as the medium to carry user attributes from the customer IdP through PingFederate and onto the service provider.
create_auth_policy_contract_name='sp-policy-contract'
PingFederate-specific default properties—Applicable when you configure PingFederate as the IdP
Data store 
The following table describes the properties already configured for using LDAP directory server as the data store and the default value for each property. For more information, see “Datastore query configuration” in the PingFederate documentation.
Property
Description
Default Value
create_ldap_datastore_type
Specifies the data store type.
create_ldap_datastore_type='LDAP'
create_ldap_datastore_ldapType
Specifies the LDAP type.
create_ldap_datastore_ldapType='GENERIC'
LDAP password credential validator 
The following table describes the properties already configured for LDAP password credential validator and the default value for each property. For more information, see “Password credential validators” in the PingFederate documentation.
Property
Description
Default Value
create_ldap_pcv_id
Specifies the unique identifier of the LDAP password credential validator.
create_ldap_pcv_id='LdapPcv'
create_ldap_pcv_name
Specifies the name of the LDAP password credential validator.
create_ldap_pcv_name='LdapPcv'
create_ldap_pcv_pluginDescriptorRef_id
Specifies the unique identifier of describable plug-ins of the LDAP password credential validator.
create_ldap_pcv_pluginDescriptorRef_id='org.sourceid.saml20.domain.LDAPUsernamePasswordCredentialValidator'
IdP adapter 
The following table describes the properties already configured for an IdP adapter for PingFederate and the default value for each property. For more information, see “Managing IdP adapters” in the PingFederate documentation.
Property
Description
Default Value
create_idp_adapter_id
Specifies the unique identifier of the IdP adapter.
create_idp_adapter_id='IdpAdapter'
create_idp_adapter_name
Specifies the name of the IdP adapter.
create_idp_adapter_name='IdpAdapter'
create_idp_adapter_pluginDescriptorRef_id
Specifies the authentication plugin that performs the actual authentication with PingFederate as the IdP. It is recommended to use the HtmlFormAuthnAdapter plugin.
create_idp_adapter_pluginDescriptorRef_id='com.pingidentity.adapters.htmlform.idp.HtmlFormIdpAuthnAdapter'
create_idp_adapter_isPseudonym
Specifies whether the IdP adapter uses pseudonyms for account linking.
create_idp_adapter_isPseudonym='true'
ADFS-specific default properties—Applicable when you configure ADFS as the IdP
IdP connections for ADFS 
The following table describes the properties already configured for an IdP connection for ADFS and the default value for each property.
Property
Description
Default Value
create_idp_adfs_connection_type
Specifies the type of connection that is required to configure ADFS as the identity provider.
create_idp_adfs_connection_type='IDP'
create_idp_adfs_connection_name
Specifies the plain language identifier for the connection with ADFS as the identity provider.
create_idp_adfs_connection_name='ADFS_IDP'
create_idp_adfs_connection_loggingMode
Specifies the logging mode for the identity provider connection.
create_idp_adfs_connection_loggingMode='STANDARD'
create_idp_adfs_connection_browserSSO_protocol
Specifies the protocol to support browser-based SSO connection type.
create_idp_adfs_connection_browserSSO_protocol='SAML20'
create_idp_adfs_connection_browserSSO_saml_identity_mapping
Specifies the way for ADFS to send a secure token (the assertion) that contains user-identity information, which ThingWorx, the service provider, can translate or map to local user stores.
create_idp_adfs_connection_browserSSO_saml_identity_mapping='ACCOUNT_MAPPING'
create_idp_adfs_connection_assertion_consumer_service_url
Specifies the URL for the hypertext transfer protocol resource (HTTP resource) that processes SAML protocol messages. This URL returns a cookie that represents the information that is extracted from the message.
create_idp_adfs_connection_assertion_consumer_service_url='/adfs/ls/'
create_idp_adfs_connection_assertion_consumer_service_binding
Specifies the SAML protocol binding that is used when a response message is returned.
create_idp_adfs_connection_assertion_consumer_service_binding='POST'
create_idp_adfs_connection_signing_algorithm
Specifies the algorithm that the identity provider uses during the signing process.
create_idp_adfs_connection_signing_algorithm='SHA256withRSA'
create_idp_adfs_uid
Specifies the name of the attribute contract, an extended attribute in the SAML assertion that ADFS will send as an IdP to ThingWorx, the service provider.
create_idp_adfs_uid='http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
create_idp_adfs_email
Specifies the email address of the attribute contract, an extended attribute in the SAML assertion that ADFS will send as an IdP to ThingWorx, the service provider.
create_idp_adfs_email='http://schemas.xmlsoap.org/claims/EmailAddress'
create_idp_adfs_group
Specifies the group of the attribute contract, an extended attribute in the SAML assertion that ADFS will send as an IdP to ThingWorx, the service provider.
create_idp_adfs_group='http://schemas.xmlsoap.org/claims/Group'
Generic SAML-specific default properties—Applicable when you configure any generic SAML 2.0 IdP
IdP connections for generic SAML 2.0 
The following table describes the properties already configured for an IdP connection for a generic SAML 2.0 IdP and the default value for each property.
Property
Description
Default Value
create_idp_saml2_connection_type
Specifies the type of connection that is required to configure Generic SAML2.0 as the identity provider.
create_idp_saml2_connection_type='IDP'
create_idp_saml2_connection_name
Specifies the plain language identifier for the connection with Generic SAML2.0 as the identity provider.
create_idp_saml2_connection_name='SAML2_IDP'
create_idp_saml2_connection_loggingMode
Specifies the logging mode for the identity provider connection.
create_idp_saml2_connection_loggingMode='STANDARD'
create_idp_saml2_connection_browserSSO_protocol
Specifies the protocol to support browser-based SSO connection type.
create_idp_saml2_connection_browserSSO_protocol='SAML20'
create_idp_saml2_connection_browserSSO_saml_identity_mapping
Specifies the way for Generic SAML2.0 to send a secure token (the assertion) that contains user-identity information that ThingWorx, the service provider, can translate or map to local user stores.
create_idp_saml2_connection_browserSSO_saml_identity_mapping='ACCOUNT_MAPPING'
create_idp_saml2_connection_assertion_consumer_service_binding
Specifies the SAML protocol binding that is used when a response message is returned.
create_idp_saml2_connection_assertion_consumer_service_binding='POST'
create_idp_saml2_connection_signing_algorithm
Specifies the algorithm that the identity provider uses during the signing process.
create_idp_saml2_connection_signing_algorithm='SHA256withRSA'