---
title: Configuring an identity mapping
description: A header identity mapping can expose one or more attribute values to the protected API in HTTP request headers.
component: pingaccess
version: 9.1
page_id: pingaccess:pingaccess_use_cases:pa_api_agent_configuring_an_identity_mapping
canonical_url: https://docs.pingidentity.com/pingaccess/9.1/pingaccess_use_cases/pa_api_agent_configuring_an_identity_mapping.html
revdate: February 6, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Configuring an identity mapping

## About this task

A header identity mapping can expose one or more attribute values to the protected API in HTTP request headers.

For more information about this procedure, including optional steps that are not included here, see [Creating header identity mappings](../pingaccess_user_interface_reference_guide/pa_creating_header_identity_mappings.html).

## Steps

1. Click **Access**, then go to **Identity Mappings > Identity Mappings**.

2. Click **[icon: plus, set=fa]Add Identity Mapping**.

3. In the **Name** field, enter a name for the mapping.

4. From the **Type** list, select **Header Identity Mapping**.

5. In the **Attribute to Header Mapping** section, in the **Attribute Name** field, enter the name of the attribute to retrieve from the user web session. For example, `sub`.

6. In the **Header Name** field, enter the name of the header to contain the attribute value.

   |   |                                                                                                                                                                                                                                                |
   | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | The HTTP header you specify here is the actual header name over the HTTP protocol, not an environment variable interpreted format. For example, enter the `User-Agent` browser type identifying header as `User-Agent`, not `HTTP_USER_AGENT`. |

7. In the **Certificate to Header Mapping** section, enter the header name included in a PEM-encoded client certificate *(tooltip: \<div class="paragraph">
   \<p>A digital file used for identity verification and other security purposes. The certificate, which is often issued by a CA, contains a public key, which can be used to verify the originator's identity.\</p>
   \</div>)*.

   The row position correlates to the index in the client certificate chain. For example, the first row always maps to the leaf certificate. If you are using a certificate chain, click **[icon: plus, set=fa]Add Row** to add another row.

8. Click **Save**.