PingFederate Server

Defining an attribute contract

An attribute contract is the set of user attributes that you and your partner have agreed will be sent in single sign-on (SSO) tokens for this connection.

About this task

You can extend the attribute contract with additional attributes. Optionally, you can configure PingFederate to mask individual extended attributes in its logs. For more information, see Attribute contracts and Attribute masking.

If you are creating or updating a SAML or an OpenID Connect identity provider (IdP) connection, consider using the partner’s metadata to do so. If the metadata contains the required information, PingFederate automatically populates the attribute contract for you.

Steps

  1. On the Attribute Contract tab, enter the attribute name in the text box.

    Attribute names are case-sensitive and must correspond to the attribute names expected by your partner.

    If you are configuring a SAML connection to an InCommon participant, the assertion might contain attributes such as urn:oid:0.9.2342.19200300.100.1.3 and urn:oid:2.5.4.42, which are standard names under various specifications, such as RFC4524 and RFC4519. For more information, see www.incommon.org/participants. The following table describes a subset of the object IDs (OIDs) referenced by the most common attributes used by InCommon participants.

    OID value                    Description
    0.9.2342.19200300.100.1.3    mail
    1.3.6.1.4.1.5923.1.1.1.1     eduPersonAffiliation
    1.3.6.1.4.1.5923.1.1.1.6     eduPersonPrincipalName
    1.3.6.1.4.1.5923.1.1.1.7     eduPersonEntitlement
    1.3.6.1.4.1.5923.1.1.1.9     eduPersonScopedAffiliation
    1.3.6.1.4.1.5923.1.1.1.10    eduPersonTargetedID
    2.5.4.3                      cn
    2.5.4.4                      sn
    2.5.4.10                     o
    2.5.4.42                     givenName
    2.16.840.1.113730.3.1.241    displayName

    For other attributes, see the metadata from your partner. The FriendlyName values, if available, should provide additional information about the attributes. Alternatively, third-party resources, such as www.ldap.com/ldap-oid-reference and www.oid-info.com, might help as well.

  2. Optional: Select the check box under Mask Values in Log.

  3. Click Add.

  4. Repeat until all desired attributes are defined.
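The following Python is an added example, not part of the PingFederate documentation or product: it checks the attributes carried in a SAML assertion against a contract like the one defined in the steps above. Names are compared exactly, so a name that differs only in case is reported as unexpected rather than matched, and the values of attributes flagged Mask Values in Log are replaced before they would reach a log line. The sample assertion, the mask choices and the check_contract helper are constructed for this example.

```python
# Added example, not PingFederate code: check a SAML assertion's attributes
# against an agreed attribute contract (names matched case-sensitively) and
# mask the values of attributes flagged "Mask Values in Log".
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Contract: attribute name -> mask values in log? OIDs are from the InCommon
# table above; which ones are masked is a constructed choice.
CONTRACT = {
    "urn:oid:0.9.2342.19200300.100.1.3": False,  # mail
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": False,   # eduPersonPrincipalName
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": True,   # eduPersonTargetedID
}

# Constructed sample assertion (not from a real partner). Note the last
# attribute's Name differs only in case, so it does not match the contract.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" FriendlyName="eduPersonTargetedID">
      <saml:AttributeValue>c2e5d1a9</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="URN:OID:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_contract(assertion_xml, contract):
    """Return (missing, unexpected, log_values): contract attributes the
    assertion lacks, received attributes not in the contract (exact-case
    compare), and received contract values as they may safely be logged."""
    root = ET.fromstring(assertion_xml)
    received = {
        attr.get("Name"): [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        for attr in root.iterfind(".//saml:Attribute", SAML_NS)
    }
    missing = sorted(set(contract) - set(received))
    unexpected = sorted(set(received) - set(contract))
    log_values = {
        name: ["****"] * len(vals) if contract[name] else vals
        for name, vals in received.items() if name in contract
    }
    return missing, unexpected, log_values
```

Running check_contract(SAMPLE_ASSERTION, CONTRACT) reports eduPersonPrincipalName as both missing and unexpected, because the upper-case URN:OID name does not satisfy the case-sensitive contract entry.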

Next steps

Click Edit, Update, and Cancel to make or undo a change to an item. Click Delete and Undelete to remove an item or cancel the removal request.