---
title: Creating header identity mappings
description: Create a header identity mapping to make user attributes or client certificates available as HTTP request headers to applications, both site- and agent-based, that use them for authentication.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_creating_header_identity_mappings
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_creating_header_identity_mappings.html
revdate: July 22, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  choose-from: Choose from:
---

# Creating header identity mappings

Create a header identity mapping to make user attributes or client certificates available as HTTP request headers to applications, both site- and agent-based, that use them for authentication.

## About this task

A single header identity mapping can expose a number of attribute values or a certificate chain up to three levels deep. Header identity mappings are assigned to applications.

## Steps

1. Click **Access**, then go to **Identity Mappings > Identity Mappings**.

2. Click **+ Add Identity Mapping**.

3. In the **Name** field, enter a name for the mapping.

4. In the **Type** list, select **Header Identity Mapping**.

5. In the **Attributes** section, select a list type.

   ### Choose from:

   * **Inclusion List**: Includes the specified attributes as headers.

   * **Exclusion List**: Includes all attributes as headers, with the exception of those specified.

6. If you selected **Inclusion List**, specify the **Inclusion List** parameters.

   1. In the **Header Name Prefix** field, enter a prefix.

      This prefix is prepended onto all header names.

   2. In the **Attribute Name** field, enter or select the name of the attribute to retrieve from the user web session.

      For example, `sub`.

   3. In the **Header Name** field, enter the name of the HTTP request header to contain the attribute value.

      The header name you specify here is the actual name sent over HTTP, not the environment-variable form that an application server derives from it. For example, enter the browser-identifying `User-Agent` header as `User-Agent`, not `HTTP_USER_AGENT`.

   4. **Optional:** Click **+ Add Row** to add additional sets of attributes and headers.

   5. **Optional:** Click **Subject** to select which attribute is used as the subject.

7. If you selected **Exclusion List**, specify the **Exclusion List** parameters.

   1. In the **Header Name Prefix** field, enter a prefix.

      This prefix is prepended onto all header names.

   2. **Optional:** In the **Excluded Attributes** field, enter one or more attributes to exclude.

      All attributes not specified are included as headers.

   3. In the **Subject Attribute Name** list, select an attribute to use as the subject.

8. In the **Certificate to Header Mapping** section, enter the name of the header that will contain the PEM-encoded client certificate.

   The row position correlates to the index in the client certificate chain. For example, the first row always maps to the leaf certificate.

   1. If you are using a certificate chain, click **+ Add Row** to add another row.

9. Click **Save**.
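
A pre-save check for a planned inclusion-list mapping, added here as an example and not PingAccess code: it lists the header each row would produce and the variable name a CGI-style backend derives from it, and flags names entered in environment-variable form, invalid names, names that collide after that derivation, and more than three certificate rows. The function names, the `X-PA-` prefix and the sample rows are constructed, and it assumes the prefix applies to attribute headers only.

```python
import re

# RFC 7230 "token": the characters allowed in an HTTP header field name.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# CGI-style variable form (e.g. HTTP_USER_AGENT), which is not a wire header name.
ENV_FORM = re.compile(r"^HTTP_[A-Z0-9_]+$")
MAX_CERT_ROWS = 3  # the page: a certificate chain up to three levels deep

def cgi_name(header):
    """Variable name a CGI-style backend derives from a request header (RFC 3875)."""
    return "HTTP_" + header.upper().replace("-", "_")

def check_mapping(prefix, attribute_rows, cert_headers):
    """Return (effective_headers, findings) for a planned inclusion-list mapping.
    attribute_rows: list of (attribute_name, header_name) pairs.
    cert_headers:   header names in row order; the first row is the leaf certificate.
    Assumption: the prefix applies to attribute headers only.
    """
    findings, effective = [], []
    for attr, header in attribute_rows:
        if ENV_FORM.match(header):
            findings.append(f"{attr}: '{header}' is in environment-variable form")
        effective.append((attr, prefix + header))
    for row, header in enumerate(cert_headers):
        effective.append((f"certificate row {row + 1}", header))
    if len(cert_headers) > MAX_CERT_ROWS:
        findings.append(f"{len(cert_headers)} certificate rows, limit is {MAX_CERT_ROWS}")
    seen = {}
    for source, name in effective:
        if not TOKEN.match(name):
            findings.append(f"{source}: '{name}' is not a valid header field name")
        key = cgi_name(name)  # case-insensitive, and '-' equals '_' after CGI folding
        if key in seen:
            findings.append(f"{source}: '{name}' collides with {seen[key]} as {key}")
        seen.setdefault(key, source)
    return effective, findings

# Constructed sample plan; only `sub` comes from the page.
PLAN_ROWS = [("sub", "User-Id"), ("email", "HTTP_USER_EMAIL"), ("uid", "User_Id")]
PLAN_CERTS = ["X-Client-Cert-Leaf", "X-Client-Cert-Issuer"]

if __name__ == "__main__":
    headers, problems = check_mapping("X-PA-", PLAN_ROWS, PLAN_CERTS)
    for source, name in headers:
        print(f"{source:20} -> {name:28} backend sees {cgi_name(name)}")
    for problem in problems:
        print("FINDING:", problem)
```

On the sample plan it reports the `HTTP_USER_EMAIL` row and the `User-Id` / `User_Id` pair, which a CGI-style backend would read as the same variable.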
