Fulfilling OAuth attribute mapping
On the Contract Fulfillment tab, map authentication source values into persistent grants.
About this task
The USER_KEY
attribute is the identifier of the persistent grants.
The USER_NAME
attribute presents the name shown to the resource owner on OAuth user-facing pages.
If extended attributes are defined in System → OAuth Settings → Authorization Server Settings, configure a mapping for each attribute.
The |
Steps
-
For each attribute, select a source from the list and then choose or enter a value.
-
AccountLink
When selected, the Value list is populated with Local User ID. You can map Local User ID to an attribute that represents the user identifier, such as the
USER_KEY
attribute. This source appears only if you have elected to use account linking for a target session on the Identity Mapping window. -
Assertion or Provider Claims
When selected, the Value list is populated with attributes from the SSO token. Select the desired attribute from the list.
For example, to map the value of
SAML_SUBJECT
from a SAML assertion as the value of theUSER_KEY
user identifier on the contract, select Assertion from the Source list and SAML_SUBJECT from the Value list. -
[.uicontrol]Context**
When selected, the Value list populates with the available context of the transaction. Select the desired context from the list.
As the |
If you are configuring an OAuth Attribute Mapping configuration and have added
|
-
Extended Client Metadata
Values are returned from the client record.
-
LDAP, JDBC, or Other
When selected, the Value list is populated with attributes selected from the datastore. Select the desired attribute from the list.
* [.uicontrol]Expression**
+ When enabled, this option provides more complex mapping capabilities, such as transforming incoming values into different formats. Select Expression from the Source list, click Edit under Actions, and compose your OGNL expressions. All variables available for text entries are also available for expressions. For more information, see Text.
+ Expressions are not enabled by default. For more information about enabling and editing OGNL expressions, see Attribute mapping expressions.
-
No Mapping
When selected, no value selection is necessary.
-
Text
When selected, the text you enter is used at runtime. You can mix text with references to any of the values from the SSO token, using the
$\{attribute}
syntax.When applicable, you can also enter values from your datastore using the
$\{ds.attribute}
syntax, whereattribute
is any attribute that you have selected from the datastore.You can reference attribute values in the form of
$\{attributeName:-defaultValue}
. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use$\{
and}
in the default value.-
Click Next.
-