---
title: Extending the contract
description: Apply the same extended contract changes to the policy contract and OpenToken SP adapter. Map the policy contract to the authentication policy's IdP adapter success step and the browser SSO of the SP and IdP connections.
component: pingone-credentials
page_id: pingone-credentials:setup:pf_p1_credentials_ik_configuring_the_extended_contract
canonical_url: https://docs.pingidentity.com/integrations/pingone-credentials/setup/pf_p1_credentials_ik_configuring_the_extended_contract.html
revdate: September 3, 2024
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
---

# Extending the contract

Apply the same extended contract changes to the policy contract and OpenToken SP adapter. Map the policy contract to the authentication policy's IdP adapter success step and the browser SSO of the SP and IdP connections.

## Before you begin

This procedure assumes that you've created:

1. An OpenToken SP adapter. Learn more in [Configuring an OpenToken SP adapter instance](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_config_opentoken_sp_adapt_instance.html).

2. The authentication policy that you want to use the PingOne Credentials IdP Adapter in. Learn more in [Authentication policies](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_authentication_policies.html).

3. An SP connection for the OpenToken SP adapter and an IdP connection for the PingOne Credentials IdP Adapter. Learn more in [SP connection management](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_sp_connect_management.html) and [Managing IdP adapters](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_managing_idp_adapters.html).

## About this task

Complete this procedure to finish configuring the PingOne Credentials IdP Adapter and successfully use the [same device or different device SSO flow](../pf_p1_credentials_ik_overview_of_the_sso_flow.html) to collect the credential attribute values presented from the user's digital wallet. Chained adapters can then use the collected attribute values later in the configured PingFederate authentication policy flow.

Credential attributes can't be added to the core attribute contract because administrators might require different credential types and attributes for verification. Unlike with the PingOne Verify integration kit, administrators must configure the PingOne Credentials IdP Adapter credential fields manually, then extend the attribute contract to match.

## Steps

1. Create the same extended contract from the [Configuring an adapter instance](pf_p1_credentials_ik_configuring_an_adapter_instance.html) procedure in a PingFederate policy contract:

   Learn more in [Policy contracts](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_policy_contracts.html).

   |   |                                                         |
   | - | ------------------------------------------------------- |
   |   | You will use this policy contract in steps 2, 4, and 5. |

   1. Go to **Authentication > Policies > Policy Contracts** and click **Create New Contract**.

   2. On the **Contract Info** tab, in the **Contract Name** field, enter a unique value, then click **Next**.

      For example, `PingOne Credentials contract`.

   3. On the **Contract Attributes** tab, add the same attributes that you added to the extended contract in step 7 of the [Configuring an adapter instance](pf_p1_credentials_ik_configuring_an_adapter_instance.html) procedure. Click **Save**, then click **Next**.

      For example, `verifiedEmployee.firstName` and `verifiedEmployee.lastName`.

   4. On the **Summary** tab, click **Save**.

2. Map the policy contract that you created in step 2 to the PingOne Credentials IdP Adapter contract on the adapter's success step in the authentication policy:

   Learn more in [Applying policy contracts or identity profiles to authentication policies](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_apply_policy_contract_or_ident_profile_to_auth_policies.html).

   1. Go to **Authentication > Policies > Policies** and edit the authentication policy that you've included the PingOne Credentials IdP Adapter in.

   2. In the **Policy** section, expand the **Success** step containing the PingOne Credentials IdP Adapter, and click **Contract Mapping** under the adapter's **Success** step.

   3. On the **Contract Fulfillment** tab, add the same attributes that you added to the extended contract in step 7 of the [Configuring an adapter instance](pf_p1_credentials_ik_configuring_an_adapter_instance.html) procedure.

      For each attribute, select the adapter as the **Source** and add the attribute as the **Value**.

   4. On the **Contract Fulfillment** tab, click **Done**, then click **Next**.

   5. On the **Summary** tab, click **Done**.

3. Create the same extended contract from the [Configuring an adapter instance](pf_p1_credentials_ik_configuring_an_adapter_instance.html) procedure in your OpenToken SP adapter instance:

   Learn more in [Extending an SP adapter contract](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_sessioncreationadaptertasklet_createadaptercontractstate.html).

   1. Go to **Applications > SP Adapters** and open your OpenToken SP adapter configuration.

   2. On the **Extended Contract** tab, add the same attributes that you added to the extended contract in step 7 of the [Configuring an adapter instance](pf_p1_credentials_ik_configuring_an_adapter_instance.html) procedure. Click **Save**, then click **Next**.

   3. On the **Summary** tab, click **Save**.

4. Map the policy contract that you created in step 2 to the **Browser SSO** section of the SP connection:

   Learn more in [Configuring SP browser SSO](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_idpconnectionconfigtasklet_idpbrowserssostate.html).

   1. Go to **Applications > SP Connections** and open the connection that you used for your SP adapter.

   2. On the **Browser SSO** tab, click **Configure Browser SSO**, go to the **Assertion Creation** tab, click **Configure Assertion Creation**, and then go to the **Attribute Contract** tab.

   3. In the **Extend the Contract** section, add the same attributes that you added to the extended contract in step 7 of the [Configuring an adapter instance](pf_p1_credentials_ik_configuring_an_adapter_instance.html) procedure. Click **Save**, then **Next**.

      For each attribute, use `urn:oasis:names:tc:SAML:2.0:attrname-format:basic` as the **Attribute Name Format**.

   4. On the **Authentication Source Mapping** tab, confirm that your PingOne Credentials policy contract is mapped in the **Authentication Policy Contract Name** section.

   5. Open the authentication policy mapping, go to the **Attribute Contract Fulfillment** tab, and add the same attributes that you added to the extended contract in step 7 of the [Configuring an adapter instance](pf_p1_credentials_ik_configuring_an_adapter_instance.html) procedure.

      For each attribute, use **Authentication Policy Contract** as the **Source** and the attribute as the **Value**.

   6. Click **Save**, then **Done**.

5. Map the policy contract that you created in step 2 to the **Browser SSO** section of the IdP connection:

   Learn more in [Configuring IdP Browser SSO](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_spconnectionconfigtasklet_spbrowserssostate.html).

   1. Go to **Authentication > IdP Connections** and open the connection associated with the PingOne Credentials IdP Adapter.

   2. On the **Browser SSO** tab, click **Configure Browser SSO**, go to the **User-Session Creation** tab, click **Configure User-Session Creation**, and then go to the **Attribute Contract** tab.

   3. In the **Extend the Contract** section, add the same attributes that you added to the extended contract in step 7 of the [Configuring an adapter instance](pf_p1_credentials_ik_configuring_an_adapter_instance.html) procedure. Click **Save**, then **Next**.

   4. On the **Target Session Mapping** tab, confirm that your PingOne Credentials IdP Adapter is mapped in the **Adapter Instance Name** section.

   5. Open the adapter instance mapping, go to the **Adapter Contract Fulfillment** tab, and add the same attributes that you added to the extended contract in step 7 of the [Configuring an adapter instance](pf_p1_credentials_ik_configuring_an_adapter_instance.html) procedure.

      For each attribute, use **Assertion** as the **Source** and the attribute as the **Value**.

   6. Click **Save**, then **Done**.