---
title: Configuring IdP connection grant mapping
description: Use this configuration to map values obtained from the single sign-on (SSO) tokens into the persistent grants. Persistent grants remain valid until the grant expires or is explicitly revoked.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:help_idpbrowserssotasklet_oauthattributemappingstate
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_idpbrowserssotasklet_oauthattributemappingstate.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
  related-links: Related links
---

# Configuring IdP connection grant mapping

Use this configuration to map values obtained from the single sign-on (SSO) tokens into the persistent grants. Persistent grants remain valid until the grant expires or is explicitly revoked.

## About this task

The `USER_KEY` attribute is the identifier of the persistent grants.

The `USER_NAME` attribute presents the name shown to the resource owner on OAuth user-facing pages.

If extended attributes are defined in **System > OAuth Settings > Authorization Server Settings**, configure a mapping for each attribute.

You can optionally set up datastore queries to supplement values returned from the source.

This mapping configuration is suitable for the Authorization Code and Implicit grant types.

## Steps

1. Go to **Authentication > Integration > IdP Connections** and select an existing identity provider (IdP) connection or click **Create Connection**.

2. On the **Connection Type** tab, select the **Browser SSO Profiles** checkbox and the applicable protocol.

3. On the **Connection Options** window, select the **Browser SSO** checkbox and then select the **OAuth Attribute Mapping** checkbox.

   |   |                                                                                                                                                                                                                                                                 |
   | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | You can also select other options on the **Connection Type** and **Connection Options** tabs. If you do, you will be prompted to complete the required configuration. For simplicity, this topic only focuses on the **OAuth Attribute Mapping** configuration. |

4. On the **General Info** tab, enter the required information.

5. On the **Browser SSO** tab, click **Configure Browser SSO** and follow the steps to complete the **User-Session Creation** tab.

6. On the **OAuth Attribute Mapping** tab, select the **Map directly into Persistent Grant** option, and then click **Configure OAuth Attribute Mapping** to continue.

   Alternatively, if you have mapped an authentication policy contract (APC) in **User-Session Creation > Target Session Mapping**, you can select the **Map to OAuth via Authentication Policy Contract** option, and then select the applicable APC from the list.

## Related links

* [Mapping OAuth attributes](../introduction_to_pingfederate/pf_mapp_oauth_attri.html)