Defining an attribute contract for IdP STS
During token creation configuration, define the attribute contract: the set of attributes that the server includes in the security tokens it issues in response to requests from a web service client at your site.
About this task
An attribute contract is the set of user attributes that a web service client at your site expects to receive in security tokens issued for this connection. You identify these attributes on the Attribute Contract tab. For more information, see Attribute contracts.
Steps
-
Enter the attribute name in the Extend the Contract field. Attribute names are case-sensitive and must correspond to the attribute names, including claims, expected by the requesting web services client (WSC).
Result:
The Format attribute of the NameID element in outgoing SAML tokens can be set by adding an attribute called SAML_NAME_FORMAT. The value of that attribute can then be mapped later. For more information, see Configuring contract fulfillment for token creation.
For information about the NameID element and the applicable Format URI values, locate the SAML 2.0 specification at www.oasis-open.org/standards.
You can add a special attribute, SAML_AUTHN_CTX, to indicate to the service provider (SP) the type of credentials used to authenticate to the identity provider (IdP) application, that is, the authentication context. Map a value for the authentication context on the attribute-mapping window later in the configuration, from any available attribute source, including the RST if a requested context is specified as a request parameter. For more information, see Configuring contract fulfillment for token creation.
-
Optional: For SAML 1.1 tokens, select an attribute namespace from the list.
This field appears only when the chosen default token type is SAML 1.1 or SAML 1.1 for Office 365 in the WS-Trust STS → Protocol Settings configuration.
Change the default namespace selection if you and your SP partner have agreed to a specific namespace.
You can customize name-format alternatives in the custom-name-formats.xml configuration file, located in the <pf_install>/pingfederate/server/default/data/config-store directory. You must restart PingFederate to activate any changes made to this file.
For more information about attribute namespaces, see Attribute contracts.
-
Click Add.
-
Repeat until all applicable attributes are defined.
-
Click Next.
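After the contract is saved and a token has been issued, the thing a practitioner actually wants to confirm is that the SAML assertion the WSC receives carries every contract attribute with the exact case-sensitive name, the NameID Format that SAML_NAME_FORMAT was mapped to, and the AuthnContextClassRef that SAML_AUTHN_CTX was mapped to. The checker below is an added example written for this page; it is not PingFederate code, and the embedded assertion is constructed for illustration (the attribute names, Format URI and authentication-context URI are assumed values standing in for whatever you agreed with the WSC). It deliberately does not verify the XML signature; run it only on a token that your SAML library has already signature-checked.

```python
"""Check that a SAML 2.0 assertion issued by the STS satisfies the attribute
contract a web service client (WSC) expects.

Added example, not part of the PingFederate documentation. The assertion,
attribute names and URIs below are constructed/assumed for illustration.
Signature validation is out of scope here: verify the signature first.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned, illustrative only).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_contract(assertion_xml, expected_attrs,
                   expected_name_format=None, expected_authn_ctx=None):
    """Return a list of problems; an empty list means the token meets the contract.

    expected_attrs: attribute (or claim) names the WSC requires. They are
    matched case-sensitively, exactly as the STS emits them.
    expected_name_format: the NameID Format URI mapped via SAML_NAME_FORMAT.
    expected_authn_ctx: the AuthnContextClassRef URI mapped via SAML_AUTHN_CTX.
    """
    root = ET.fromstring(assertion_xml)
    problems = []

    # Attribute names present in the AttributeStatement(s).
    present = {a.get("Name")
               for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)}
    for name in expected_attrs:
        if name in present:
            continue
        # A case-only mismatch is still a contract violation, but call it out
        # explicitly because it is the most common misconfiguration.
        near = [p for p in present if p.lower() == name.lower()]
        if near:
            problems.append(
                f"attribute {name!r} missing; found {near[0]!r} (names are case-sensitive)")
        else:
            problems.append(f"attribute {name!r} missing")

    # NameID Format, as set by the SAML_NAME_FORMAT contract attribute.
    if expected_name_format is not None:
        name_id = root.find("saml:Subject/saml:NameID", NS)
        if name_id is None:
            problems.append("NameID element missing")
        elif name_id.get("Format") != expected_name_format:
            problems.append(
                f"NameID Format {name_id.get('Format')!r} != {expected_name_format!r}")

    # Authentication context, as set by the SAML_AUTHN_CTX contract attribute.
    if expected_authn_ctx is not None:
        ctx = root.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
        actual = ctx.text.strip() if ctx is not None and ctx.text else None
        if actual != expected_authn_ctx:
            problems.append(f"AuthnContextClassRef {actual!r} != {expected_authn_ctx!r}")

    return problems


if __name__ == "__main__":
    upn = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
    print(check_contract(
        SAMPLE_ASSERTION, ["mail", upn],
        "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"))
    # A wrongly cased name is reported, not silently accepted.
    print(check_contract(SAMPLE_ASSERTION, ["Mail"]))
```

Feed it the decrypted, signature-verified assertion from a real RSTR and the list of names you entered in Extend the Contract; any non-empty result points at either a contract entry whose case does not match what the WSC expects or a SAML_NAME_FORMAT / SAML_AUTHN_CTX mapping that was left at a different value than the partner agreed on.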