PingOne

Passing binary attributes to PingOne

PingFederate currently supports only one format for binary attribute data: the value is Base64-encoded before it is sent to the connector, which then sends it to PingOne or any other service provider.

Before you begin

PingFederate provides an advanced option allowing administrators to map user attributes by way of an expression language. To enable use of expressions in PingFederate, see Enabling and disabling expressions in the PingFederate documentation.

About this task

For example, if you have an attribute mapping that maps the Account ID field to the objectSid attribute in Active Directory, then PingFederate will Base64-encode that binary data into a string.

Steps

  1. On the Attribute Mapping tab, for the appropriate attribute click Edit.

  2. On the Specify Attribute Mapping tab, enter the appropriate expression in the Expression field.

    Example:

    You can use the following OGNL expression to encode the objectSid attribute in SID format:

    #sidBinary = @java.util.Base64@getDecoder().decode(#this.get("objectSid").toString()),
    
    #sidHex = @String@format("%056x", new java.math.BigInteger(1, #sidBinary)),
    
    #SID = #sidHex.substring(16),
    #i = new Long(0),
    #subAuths=#SID.split("(?<=\\G.{8})"),
    #result="S-1-5",
    #subAuths.{
      #BE = #this.substring(6,8) + #this.substring(4,6) + #this.substring(2,4) + #this.substring(0,2),
      #DEC = #i.parseLong(#BE,16),
      #result = #result + "-" + #DEC
    },
    #result

  3. Click Save.
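
To check what the mapping should produce before saving it, the following added example (not part of the PingFederate documentation or product) decodes a Base64 objectSid in Python by reading the revision, sub-authority count, and identifier authority from the SID header. It goes beyond the expression above, which pads to a fixed 28 bytes and hard-codes the `S-1-5` prefix; `ognl_style` is a Python transcription of that expression for comparison, and the function names and sample SIDs are constructed for this illustration.

```python
import base64
import struct

def sid_from_base64(b64: str) -> str:
    """Decode a Base64 objectSid value into its S-R-A-S1-S2... string form."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def ognl_style(b64: str) -> str:
    """Python transcription of the page's expression (fixed 28-byte layout)."""
    raw = base64.b64decode(b64)
    body = ("%056x" % int.from_bytes(raw, "big"))[16:]   # drop 8-byte header
    chunks = [body[i:i + 8] for i in range(0, len(body), 8)]
    return "S-1-5" + "".join(
        "-%d" % int.from_bytes(bytes.fromhex(c), "little") for c in chunks)

def make_sid(authority: int, *subs: int) -> str:
    """Build a constructed Base64 objectSid value for testing."""
    raw = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    raw += b"".join(s.to_bytes(4, "little") for s in subs)
    return base64.b64encode(raw).decode("ascii")

# Constructed sample values, not taken from any real directory.
DOMAIN_USER = make_sid(5, 21, 3623811015, 3361044348, 30300820, 1013)
BUILTIN_GROUP = make_sid(5, 32, 544)

if __name__ == "__main__":
    for name, value in (("domain user", DOMAIN_USER),
                        ("builtin group", BUILTIN_GROUP)):
        print(name, sid_from_base64(value), ognl_style(value))
```

Both functions agree on the five-sub-authority domain SID; on the shorter built-in group SID only `sid_from_base64` returns the correct string, so confirm that every account you map has the 28-byte layout before relying on the expression.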