PingFederate Server

Entering an LDAP filter

On the Unique User ID tab, create an LDAP filter to identify user accounts to be provisioned or updated during single sign-on (SSO) events.

About this task

PingFederate uses this expression in conjunction with the Base DN value defined on the Location tab to locate existing account records and to add new ones.

[Screen capture of the Unique User ID tab]

This tab appears only when an LDAP datastore is chosen on the User Repository tab.

Steps

  • Enter the statement in the Filter field.

    The filter is in the form: attribute=${value}.

    Unlike filters used to retrieve LDAP attributes for adapter mapping, do not enclose the statement in parentheses.

    The left-side variable is an attribute in your user datastore. Click the link near the lower-left corner of the tab to see a list of available attributes.

    The right side of the filter uses one or more attribute values passed in from the SSO token. Variables for these attributes, including the correct syntax, are listed under JIT Attributes.

    You can reference attribute values in the form of ${attributeName:-defaultValue}. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use ${ and } in the default value.

    If you are unfamiliar with writing LDAP queries, see the documentation accompanying your LDAP installation.
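
To check a filter expression offline before entering it, the following sketch resolves the ${attributeName:-defaultValue} syntax described above against a set of SSO-token attributes. It is an added example, not PingFederate code; the attribute names, the sample values and the RFC 4515 escaping step are assumptions of the example, included because token values end up inside a directory search filter.

```python
import re

# ${name} or ${name:-default}; per the page, a default may not contain "${" or "}".
_VAR = re.compile(r"\$\{([^}:]+)(?::-([^}]*))?\}")

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(expression: str, sso_attributes: dict) -> str:
    """Resolve every ${name[:-default]} reference in a filter expression."""
    if expression.startswith("("):
        # The Filter field expects attribute=${value} without parentheses.
        raise ValueError("enter the filter without enclosing parentheses")

    def resolve(match):
        name, default = match.group(1), match.group(2)
        value = sso_attributes.get(name)
        if value is None:
            if default is None:
                raise KeyError(f"no value and no default for ${{{name}}}")
            value = default  # default applies only when the attribute is absent
        return escape_filter_value(value)

    return _VAR.sub(resolve, expression)


if __name__ == "__main__":
    # Constructed sample input: attribute names and values are hypothetical.
    token = {"subject": "jdoe", "mail": "*)(uid=*"}
    print(expand_filter("uid=${subject}", token))
    print(expand_filter("mail=${mail}", token))
    print(expand_filter("ou=${dept:-unassigned}", token))
```

A value that still contains a raw `*`, `(` or `)` after expansion would widen or restructure the match, so the second sample line is the one to compare against what your directory actually receives.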