Configuring the behavior of searching multiple datastores with one mapping
If a datastore uses results from previous queries as input, and if the previous queries return no result, PingFederate records a warning message in the server log and continues with the request by querying the next datastore in the attribute source setup.
About this task
This default behavior applies to all lookup configurations using multiple datastores in one mapping. For more information, see Attribute mapping with multiple data sources.
If you prefer PingFederate to abort the request immediately, which is the default behavior of many earlier versions of PingFederate, you can override the behavior by modifying a configuration file. Like the default behavior, this override also applies to all lookup configurations using multiple datastores in one mapping.
Steps
- Edit the org.sourceid.saml20.domain.AttributeMapping.xml file, located in the <pf_install>/pingfederate/server/default/data/config-store directory.
  If this file does not exist, you must create it.
- To override the default behavior, change the value of the AbortOnAttrLookupFailure element from false, the default value, to true.
  The following is an example of a modified org.sourceid.saml20.domain.AttributeMapping.xml file.

      <?xml version="1.0" encoding="UTF-8"?>
      <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
          <c:item name="AbortOnAttrLookupFailure">true</c:item>
      </c:config>

  Removing the org.sourceid.saml20.domain.AttributeMapping.xml file from the <pf_install>/pingfederate/server/default/data/config-store directory also has the same effect as setting the value of the AbortOnAttrLookupFailure element to true.
  For a clustered PingFederate environment, perform these steps on the console node, and then click Replicate Configuration on System > Server > Cluster Management.
Example
Expected result when this override is set
If a datastore uses results from previous queries as input, and if the previous queries return no result, PingFederate records an error message in the server log, aborts the request immediately, and returns an error message to the user, the application, or the partner.
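The steps above can be checked and applied with a short script, for example to confirm that the console node is configured to abort on a failed lookup. This is an added example, not Ping Identity code: the function names are hypothetical, the missing-file result follows the statement in the steps, and a file without the element is reported as undetermined because the page does not describe that case.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

NS = "http://www.sourceid.org/2004/05/config"   # namespace from the page's sample file
ITEM = "AbortOnAttrLookupFailure"
ET.register_namespace("c", NS)                  # keep the c: prefix when writing

def _find_item(root):
    for item in root.iter(f"{{{NS}}}item"):
        if item.get("name") == ITEM:
            return item
    return None

def abort_on_lookup_failure(path):
    """Return True/False for the configured value, or None if undetermined."""
    if not os.path.exists(path):
        return True      # per the page: a missing file has the same effect as true
    item = _find_item(ET.parse(path).getroot())
    if item is None or item.text is None:
        return None      # assumption: not covered by the page, flag for review
    return {"true": True, "false": False}.get(item.text.strip())

def set_abort_on_lookup_failure(path, enabled):
    """Create the file if needed and set the element to 'true' or 'false'."""
    if os.path.exists(path):
        tree = ET.parse(path)
    else:
        tree = ET.ElementTree(ET.Element(f"{{{NS}}}config"))
    root = tree.getroot()
    item = _find_item(root)
    if item is None:
        item = ET.SubElement(root, f"{{{NS}}}item", {"name": ITEM})
    item.text = "true" if enabled else "false"
    tree.write(path, encoding="UTF-8", xml_declaration=True)

def demo():
    """Round trip on a constructed temp file, not a real PingFederate install."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "org.sourceid.saml20.domain.AttributeMapping.xml")
        missing = abort_on_lookup_failure(path)
        set_abort_on_lookup_failure(path, False)
        off = abort_on_lookup_failure(path)
        set_abort_on_lookup_failure(path, True)
        return missing, off, abort_on_lookup_failure(path)

if __name__ == "__main__":
    print(demo())
```

In a cluster, run the check against the console node's config-store directory and replicate the configuration afterwards, as the steps describe.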