PingFederate Server

Mapping attributes to groups

Map attribute values in the System for Cross-domain Identity Management (SCIM) request to group attributes.

About this task

Steps

  1. On the Attribute Fulfillment tab, for each attribute, select a source from the list and then choose or enter a value. You must map all target attributes.

    • Context

      When selected, the Value list populates with the available context of the transaction. Select the desired context from the list.

      As the HTTP Request context value is retrieved as a Java object rather than text, use OGNL expressions to evaluate and return values.

      If you are configuring an OAuth Attribute Mapping configuration and have added PERSISTENT_GRANT_LIFETIME as an extended attribute in the Authorization Server Settings window, you can set the lifetime of persistent grants based on the outcome of attribute mapping expressions or the per-client Persistent Grants Max Lifetime setting.

      • To set lifetime based on the per-client Persistent Grants Max Lifetime setting, select Context from the Source list and Default Persistent Grant Lifetime from the Value list.

      • To set lifetime based on the outcome of attribute mapping expressions, select Expression as the source and enter an OGNL expression in the Value field.

        If the expression returns a positive integer, the value represents the lifetime of the persistent grant in minutes.

        If the expression returns the integer 0, PingFederate does not store the grant and does not issue a refresh token.

        If the expression returns any other value, PingFederate sets the lifetime of the persistent grant based on the per-client Persistent Grants Max Lifetime setting.

      • To set a static lifetime, select Text from the Source list and enter a static value in the Value field.

        This is suitable for testing purposes, or cases where the persistent grant lifetime must always be set to a specific value.

    • Expression

      Enable OGNL expression by editing the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.common.ExpressionManager.xml file. Restart PingFederate after saving the change.

      For a clustered PingFederate environment, edit the org.sourceid.common.ExpressionManager.xml file on the console node, sign on to the administrative console to replicate this change to all engine nodes in the System → Server → Cluster Management window, and restart all nodes.

      This option provides more complex mapping capabilities, transforming outgoing values into different formats. All of the variables available for text entries are also available for expressions.

      If an LDAP attribute needs to be mapped to two attributes in a SCIM response, use an OGNL expression to create them.

    • LDAP

      Values are returned from your query. When you make this selection, the Value list populates with the LDAP attributes you identified for this datastore.

    • Identity Store

      Values are returned from your query. When you make this selection, the Value list populates with the Identity Store attributes you identified for this datastore.

    • No Mapping

      Select this option to ignore the Value field.

    • Text

      The value is what you enter. This can be text only, or you can mix text with references to any of the values from the SCIM request, using the ${attribute} syntax.

    You can reference attribute values in the form of $\{attributeName:-defaultValue}. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use $\{ and } in the default value.

  2. Click Done.