Fulfilling IdP adapter grant mapping
On the Contract Fulfillment tab, map authentication source values into persistent grants. Persistent grants and any associated attributes and their values remain valid until the grants expire or until PingFederate explicitly revokes or cleans them up.
About this task
The USER_KEY
attribute is the identifier of the persistent grants.
The USER_NAME
attribute presents the name shown to the resource owner on OAuth user-facing pages.
If extended attributes are defined in System → OAuth Settings → Authorization Server Settings, configure a mapping for each attribute.
The |
Steps
-
Go to Authentication → OAuth → IdP Adapter Grant Mapping and select your mapping, or click Add Mapping.
-
On the Contract Fulfillment tab, select a source from the Source list and then select or enter a value for each attribute in the contract.
You can map each attribute from one of the following sources:
-
Adapter
When selected, the associated Value drop-down list contains attributes configured in the IdP adapter instance.
-
Context
When selected, the Value list populates with the available context of the transaction. Select the desired context from the list.
As the
HTTP Request
context value is retrieved as a Java object rather than text, use OGNL expressions to evaluate and return values.If you are configuring an OAuth Attribute Mapping configuration and have added
PERSISTENT_GRANT_LIFETIME
as an extended attribute in the Authorization Server Settings window, you can set the lifetime of persistent grants based on the outcome of attribute mapping expressions or the per-clientPersistent Grants Max Lifetime
setting.-
To set lifetime based on the per-client
Persistent Grants Max Lifetime
setting, select Context from the Source list and Default Persistent Grant Lifetime from the Value list. -
To set lifetime based on the outcome of attribute mapping expressions, select Expression as the source and enter an OGNL expression in the Value field.
If the expression returns a positive integer, the value represents the lifetime of the persistent grant in minutes.
If the expression returns the integer 0, PingFederate does not store the grant and does not issue a refresh token.
If the expression returns any other value, PingFederate sets the lifetime of the persistent grant based on the per-client Persistent Grants Max Lifetime setting.
-
To set a static lifetime, select Text from the Source list and enter a static value in the Value field.
This is suitable for testing purposes, or cases where the persistent grant lifetime must always be set to a specific value.
-
-
Extended Client Metadata
Values are returned from the client record.
-
LDAP, JDBC, or Other
When selected, the Value list is populated with attributes selected from the datastore. Select the desired attribute from the list.
-
Expression
When enabled, this option provides more complex mapping capabilities, such as transforming incoming values into different formats. Select Expression from the Source list, click Edit under Actions, and compose your OGNL expressions. All variables available for text entries are also available for expressions. For more information, see Text.
Expressions are not enabled by default. For more information about enabling and editing OGNL expressions, see Attribute mapping expressions.
-
No Mapping
When selected, no value selection is necessary.
-
Text
When selected, the text you enter is used at runtime. You can mix text with references to any of the values from the SSO token, using the
$\{attribute}
syntax.When applicable, you can also enter values from your datastore using the
$\{ds.attribute}
syntax, whereattribute
is any attribute that you have selected from the datastore.You can reference attribute values in the form of
$\{attributeName:-defaultValue}
. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use$\{
and}
in the default value.
-
-
Click Next.