Configuring target session fulfillment
Map values to the attributes defined for the contract. These are the values that the target application requires to create a local session for the user.
Before you begin
If you are bridging an identity provider (IdP) to one or more service providers, the values mapped to the authentication policy contracts are used by the associated service provider (SP) connections to create assertions for the service providers. For more information, see Federation hub use cases.
At runtime, a single sign-on (SSO) operation fails if PingFederate cannot fulfill the required attribute.
Steps
-
On the Adapter Contract Fulfillment tab, for each attribute, select a source from the Source list and then choose or enter a value. You must map all attributes.
-
AccountLink
When selected, the Value list populates with Local User ID. Normally, you would map Local User ID to an adapter attribute that represents the user identifier at the target. This source is not applicable to authentication policy contracts. This source appears only if you have elected to use account linking for a target session on the Identity Mapping tab.
-
Assertion or Provider Claims
When selected, the Value list populates with attributes from the SSO token. Select the desired attribute from the list.
For example, to map the value of
SAML_SUBJECT
from a SAML assertion as the value of thesubject
user identifier on the contract, select Assertion from the Source list and SAML_SUBJECT from the Value list.
Context
-
When selected, the Value list populates with the available context of the transaction. Select the desired context from the list.
As the |
If you are configuring an OAuth Attribute Mapping configuration and have added
|
+ [.uicontrol]LDAP, [.uicontrol]JDBC, or [.uicontrol]Other**
+ When selected, the Value list populates with attributes that you have selected from the datastore. Select the desired attribute from the list.
+
-
Expression
When enabled, this option provides more complex mapping capabilities, such as transforming incoming values into different formats. Select Expression from the Source list, click Edit under Actions, and compose your OGNL expressions. All variables available for text entries are also available for expressions. For more information, see Text.
Expressions are not enabled by default. For more information about enabling and editing OGNL expressions, see Attribute mapping expressions.
-
No Mapping
Select this option to ignore the Value field.
-
Text
When selected, the text you enter is used at runtime. You can mix text with references to any of the values from the SSO token, using the
$\{attribute}
syntax.You can also enter values from your datastore, when applicable, using this syntax:
[.codeph]``$\{ds.[.varname]__attribute__}``
where
attribute
is any attribute that you have selected from the datastore.You can reference attribute values in the form of
$\{attributeName:-defaultValue}
. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use$\{
and}
in the default value.Two other text variables are available.
SAML_SUBJECT
is the initiating user or other entity.TargetResource
is a reference to the protected application or other resource for which the user requested SSO access. The${TargetResource}
text variable is available only if specified as a query parameter for the relevant endpoint, either asTargetResource
for SAML 2.0 orTARGET
for SAML 1.x.You might hard-code a text value for a variety of reasons.For example, if your web application provides a consumer service, you might want to supply a particular promotion code for the partner.
If you are editing a currently mapped adapter instance or authentication policy contract (APC), you can update the mapping configuration, which might require additional configuration changes in subsequent tasks.
-
Click Next to continue configuration.
-