PingFederate Server

Defining an attribute contract for IdP STS

During token creation configuration, define an attribute contract that the server sends in the security tokens issued in response to a web service client at your site.

About this task

An attribute contract is the set of user attributes that a web service client at your site expects to receive in security tokens issued for this connection. You identify these attributes on the Attribute Contract tab. For more information, see Attribute contracts.

Steps

  1. Enter the attribute name in the Extend the Contract field. Attribute names are case-sensitive and must correspond to the attribute names, including claims, expected by the requesting web services client (WSC).

    Result:

    The Format attribute associated with the NameID element in outgoing SAML tokens can be set by adding an attribute called SAML_NAME_FORMAT. The value of that attribute can then be mapped later. For more information, see Configuring contract fulfillment for token creation.

    For information about the NameID elements and applicable URI values, locate the SAML 2.0 specification at www.oasis-open.org/standards.

    You can add a special attribute, SAML_AUTHN_CTX, to indicate the authentication context to the service provider (SP), that is, the type of credentials used to authenticate to the identity provider (IdP) application. Map a value for the authentication context on the attribute-mapping window later in the configuration, from any available attribute source, including the RST if a requested context is specified as a request parameter. For more information, see Configuring contract fulfillment for token creation.

  2. Optional: For SAML 1.1 tokens, select an attribute namespace from the list.

    This field appears only when the chosen default token type is SAML 1.1 or SAML 1.1 for Office 365 in the WS-Trust STS → Protocol Settings configuration.

    Change the default namespace selection if you and your SP partner have agreed to a specific namespace.

    You can customize name-format alternatives in the custom-name-formats.xml configuration file located in the <pf_install>/pingfederate/server/default/data/config-store directory. You must restart PingFederate to activate any changes made to this file.

    For more information about attribute namespace, see Attribute contracts.

  3. Click Add.

  4. Repeat until all applicable attributes are defined.

  5. Click Next.

Result

Use the Edit, Update, and Cancel workflow to make or undo a change to an item. Use the Delete and Undelete workflow to remove an item or cancel the removal request.
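As an added example (not part of the PingFederate documentation or product), the following Python script shows where the two special contract attributes land in an issued SAML 2.0 assertion and how a web service client at your site can check that a received token carries the agreed NameID Format, authentication context, and case-sensitive attribute names. The assertion is constructed for the example, and the expected values are assumptions standing in for what you and your partner agreed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real PingFederate token). The NameID Format
# is what a SAML_NAME_FORMAT contract attribute maps to; AuthnContextClassRef is
# what SAML_AUTHN_CTX maps to; "mail" and "Role" come from the extended contract.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Role"><saml:AttributeValue>reader</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_contract(assertion_xml, expected_name_format, allowed_authn_ctx, required_attrs):
    """Return a list of problems; empty when the token satisfies the agreed contract.

    Signature validation is assumed to have happened before this check runs.
    """
    root = ET.fromstring(assertion_xml)
    problems = []
    # NameID Format: the value a SAML_NAME_FORMAT contract attribute was mapped to.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt != expected_name_format:
        problems.append(f"NameID Format {fmt!r} != expected {expected_name_format!r}")
    # Authentication context: the value a SAML_AUTHN_CTX contract attribute was mapped to.
    ctx = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    if ctx not in allowed_authn_ctx:
        problems.append(f"authentication context {ctx!r} not in agreed set")
    # Attribute names are case-sensitive: "role" does not satisfy a contract that names "Role".
    present = {a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in required_attrs:
        if name not in present:
            problems.append(f"missing contract attribute {name!r} (names are case-sensitive)")
    return problems
```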