---
title: Defining issuance criteria for IdP adapter contract
description: You can manage criteria that PingFederate evaluates to determine whether to issue an identity provider (IdP) adapter contract token for a user.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:help_configplugincontracttasklet_plugincontractissuancecriteriastate
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_configplugincontracttasklet_plugincontractissuancecriteriastate.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 14, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
  related-links: Related links
---

# Defining issuance criteria for IdP adapter contract

You can manage criteria that PingFederate evaluates to determine whether to issue an identity provider (IdP) adapter contract token for a user.

## About this task

On the **Issuance Criteria** tab, define the criteria to satisfy for PingFederate to further process a request. Use this token authorization feature to conditionally approve or reject requests based on individual attributes.

Begin this optional configuration by choosing the source that contains the attribute to verify. Some sources are common to almost all use cases, such as **Mapped Attributes**. Other sources depend on the type of configuration, such as **JDBC**. Irrelevant sources are automatically hidden. After you select a source, choose the attribute to verify. Depending on the selected source, the available attributes or properties vary. Specify the comparison condition and the desired value to compare to.

You can define multiple criteria, which must all be satisfied for PingFederate to move a request to the next phase. A criterion is satisfied when the runtime value of the selected attribute matches or does not match the specified value, depending on the chosen comparison method. The **multi-value contains …​** or **multi-value does not contain …​** comparison methods are intended for attributes that can contain multiple values. Such a criterion is considered satisfied if one of the multiple values matches or does not match the specified value. Values are compared verbatim. If you require complex evaluations, including conditional criteria or partial matching, define them using attribute mapping expressions.

> All criteria defined must be satisfied or evaluated as true for a request to move forward, regardless of how the criteria were defined. As soon as one criterion fails, PingFederate rejects the request and returns an error message.

## Steps

1. Go to **Authentication > Integration > IdP Adapters**.

2. Click the name of the existing instance you want to change in the **Instance Name** list.

3. Click **Adapter Contract Mapping > Configure Adapter Contract > Issuance Criteria**.

4. Select the source that contains the attribute to verify. Depending on the selection, the **Attribute Name** list populates with associated attributes. The following table provides more information.

   | Source                                                          | Description                                                                                                                                                                                                                                                                 |
   | --------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | **Adapter**                                                     | Select to evaluate attributes from the IdP adapter instance.                                                                                                                                                                                                                |
   | **Context** | Select to evaluate properties returned from the context of the transaction at runtime. Because the HTTP Request context value is retrieved as a Java object instead of text, attribute mapping expressions are more appropriate to evaluate and return values. |
   | **Extended Properties** | Select to evaluate extended properties as values for attributes fulfilled by your adapter. Learn more about defining extended properties in [Populating extended property values for IdP connections](help_idpconnectionconfigtasklet_extendedpropertymanagementstate.html). |
   | **JDBC**, **LDAP**, or other types of datastore (if configured) | Select to evaluate attributes returned from a data source.                                                                                                                                                                                                                  |
   | **Mapped Attributes**                                           | Select to evaluate the mapped attributes.                                                                                                                                                                                                                                   |

5. In the **Attribute Name** list, select the attribute to be evaluated.

6. In the **Condition** list, select the comparison method.

   Available methods:

   * **equal to**
   * **equal to (case insensitive)**
   * **equal to DN**
   * **not equal to**
   * **not equal to (case insensitive)**
   * **not equal to DN**
   * **multi-value contains**
   * **multi-value contains (case insensitive)**
   * **multi-value contains DN**
   * **multi-value does not contain**
   * **multi-value does not contain (case insensitive)**
   * **multi-value does not contain DN**

   > The first six conditions are intended for single-value attributes. Use one of the **multi-value …​** conditions for PingFederate to validate whether one of the attribute values matches the specified value. When an attribute has multiple values, using a single-value condition causes the criteria to fail.

   > Values are compared verbatim. If you require complex evaluations, including conditional criteria or partial matching, define them using attribute mapping expressions. For more information, see [Attribute mapping expressions](pf_attribute_mapping_expressions.html).

7. In the **Error Result** field, enter a custom error message. To use localized descriptions, enter a unique alias in the **Error Result** field, such as `someIssuanceCriterionFailed`. Insert the same alias with the desired localized text in the applicable language resource files, located in the `<pf_install>/pingfederate/server/default/conf/language-packs` directory.

   If not defined, PingFederate returns `ACCESS_DENIED` when the criterion fails at runtime.

8. Click **Add**.

9. (Optional) Repeat to add more criteria.

10. If you require complex evaluations, including conditional criteria or partial matching, define them using attribute mapping expressions.

    For more information, see [Attribute mapping expressions](pf_attribute_mapping_expressions.html).

    1. Click **Show Advanced Criteria**.

    2. In the **Expression** field, enter the required expressions.

    3. In the **Error Result** field, enter an error code or message.

       > If the expressions resolve to a string value instead of `true` or `false`, the returned value overrides the **Error Result** field value.

    4. Click **Add**.

    5. Click **Test**, enter values in the applicable fields, and verify the results.

    6. Repeat to add multiple criteria using attribute mapping expressions.
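The evaluation rules this procedure relies on, modelled in Python as an added example (this is not PingFederate code and does not come from Ping Identity). The attribute names, sample users and the `evaluate` and `criterion_satisfied` helpers are constructed for illustration; the DN and **multi-value does not contain** conditions are not modelled, and treating a missing attribute as a failure is an assumption of the model.

```python
# Added illustration: a small model of the evaluation rules on this page.
# Not PingFederate code; attribute names and sample users are constructed.
DEFAULT_ERROR = "ACCESS_DENIED"  # returned when no Error Result is defined
CI = " (case insensitive)"

def _values(raw):
    """Normalize a runtime attribute to a list (missing attribute -> [])."""
    if raw is None:
        return []
    return list(raw) if isinstance(raw, (list, tuple, set)) else [raw]

def criterion_satisfied(condition, runtime, expected):
    ci = condition.endswith(CI)
    base = condition[:-len(CI)] if ci else condition
    # Values are compared verbatim unless the condition is case insensitive.
    same = (lambda v: v.lower() == expected.lower()) if ci else (lambda v: v == expected)
    vals = _values(runtime)
    if base == "multi-value contains":
        return any(same(v) for v in vals)  # one matching value is enough
    if base not in ("equal to", "not equal to"):
        raise ValueError(f"condition not modelled: {condition}")
    # Single-value condition on a multi-valued attribute fails (per the page).
    # Assumption of this model: a missing attribute also fails (fail closed).
    if len(vals) != 1:
        return False
    return same(vals[0]) if base == "equal to" else not same(vals[0])

def evaluate(criteria, attributes):
    """All criteria must pass; the first failure rejects with its error."""
    for c in criteria:
        runtime = attributes.get(c["attribute"])
        if not criterion_satisfied(c["condition"], runtime, c["value"]):
            return False, c.get("error_result") or DEFAULT_ERROR
    return True, None

CRITERIA = [
    {"attribute": "department", "condition": "equal to (case insensitive)",
     "value": "finance", "error_result": "wrongDepartment"},
    {"attribute": "memberOf", "condition": "multi-value contains",
     "value": "payroll-admins"},  # no Error Result -> ACCESS_DENIED
]

if __name__ == "__main__":
    users = {  # constructed sample users
        "alice": {"department": "Finance", "memberOf": ["staff", "payroll-admins"]},
        "bob": {"department": "Finance", "memberOf": ["staff", "Payroll-Admins"]},
        "carol": {"department": ["finance", "it"], "memberOf": ["payroll-admins"]},
    }
    for name, attrs in users.items():
        print(name, evaluate(CRITERIA, attrs))
```

In this model, `bob` is rejected because the verbatim comparison does not match `Payroll-Admins`, and `carol` is rejected because a single-value condition is applied to a multi-valued `department`.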

## Related links
