Attribute mapping with multiple data sources
PingFederate can query multiple datastores for additional attributes in most configurations.
Multiple datastores in one mapping
The PingFederate IdP server supports separate datastores to look up attributes for a single mapping. For example, you can query multiple datastores for values and map those values in one mapping, or query a datastore for a value and use that value as input for subsequent queries of other datastores.
If a datastore uses results from previous queries as input, and if the previous queries return no result, PingFederate continues the process by moving on to the next datastore in the setup. If you prefer PingFederate to abort and fail the requests, see Configuring the behavior of searching multiple datastores with one mapping.
If a required attribute, such as SAML_SUBJECT
in a SAML contact or subject
in an authentication policy contract, is not fulfilled, the request fails.
Multiple datastores in one mapping are available for browser single sign-on (SSO) and WS-Trust security token service (STS) on the identity provider (IdP) side, authentication policy contract to service provider (SP) adapter mappings, and the following OAuth workflows:
-
Identity provider (IdP) adapter grant mappings
-
Resource owner credential grant mappings
-
Access token mappings
-
OpenID Connect policies (the user-attributes mapping process)
Multiple mappings and failsafe mapping
For browser SSO and WS-Trust STS on the IdP side, PingFederate also supports separate search parameters for each datastore and for "fall-through" searches. For example, you can add the same datastore more than once, using different search queries for each instance, or you can search different datastores successively. If any search fails to find a user in the specified attribute source, the next search is executed until a match is found. You can also configure a failsafe attribute source, providing a default set of attributes from the IdP adapter and using text values.