Passing binary attributes to PingOne
PingFederate doesn’t currently support formatting the binary data in an attribute as anything other than a Base64-encoded string before sending it to the connector, which then sends it to PingOne or any other service provider.
Before you begin
PingFederate provides an advanced option allowing administrators to map user attributes by way of an expression language. To enable use of expressions in PingFederate, see Enabling and disabling expressions in the PingFederate documentation.
About this task
For example, if you have an attribute mapping that maps the Account ID field to the objectSid attribute in Active Directory, then PingFederate will Base64-encode that binary data into a string.
Steps
- On the Attribute Mapping tab, for the appropriate attribute click Edit.
- On the Specify Attribute Mapping tab, enter the appropriate expression in the Expression field.
  Example:
  You can use the following OGNL expression to encode the objectSid attribute in SID format:

      #sidBinary = @java.util.Base64@getDecoder().decode(#this.get("objectSid").toString()), #sidHex = @String@format("%056x", new java.math.BigInteger(1, #sidBinary)), #SID = #sidHex.substring(16), #i = new Long(0), #subAuths=#SID.split("(?<=\\G.{8})"), #result="S-1-5", #subAuths.{ #BE = #this.substring(6,8) + #this.substring(4,6) + #this.substring(2,4) + #this.substring(0,2), #DEC = #i.parseLong(#BE,16), #result = #result + "-" + #DEC }, #result

- Click Save.
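An added reference decoder (not part of the PingFederate documentation) for checking offline the string that the expression produces. It goes beyond the expression above, which hard-codes the S-1-5 prefix and a 28-byte SID (five sub-authorities), by reading the revision, identifier authority and sub-authority count from the bytes and rejecting malformed input. The function name and the sample SID are constructed for illustration.

```python
import base64
import struct


def sid_from_base64(b64_value: str) -> str:
    """Decode a Base64-encoded binary objectSid into its S-1-... string form."""
    # validate=True rejects characters outside the Base64 alphabet.
    raw = base64.b64decode(b64_value, validate=True)
    if len(raw) < 8:
        raise ValueError("SID is shorter than its 8-byte header")

    # Byte 0: revision. Byte 1: number of 32-bit sub-authorities that follow.
    revision, sub_count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if sub_count > 15:
        raise ValueError(f"too many sub-authorities: {sub_count}")
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("length does not match the sub-authority count")

    # Bytes 2-7: identifier authority, 48-bit big-endian.
    authority = int.from_bytes(raw[2:8], "big")
    # Remaining bytes: sub-authorities, each 32-bit little-endian
    # (the byte swap the OGNL expression performs on each 8-hex-digit chunk).
    sub_auths = struct.unpack(f"<{sub_count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, sub_auths)])


# Constructed sample, not a real account:
# S-1-5-21-1111111111-2222222222-3333333333-1105
SAMPLE_RAW = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1111111111, 2222222222, 3333333333, 1105
)
# This is the Base64 form in which PingFederate hands the attribute over.
SAMPLE_B64 = base64.b64encode(SAMPLE_RAW).decode("ascii")

if __name__ == "__main__":
    print(sid_from_base64(SAMPLE_B64))
```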