---
title: Managing attribute requester mappings
description: If you are using the SAML 2.0 X.509 attribute sharing profile (XASP), applications at your site must supply the subject distinguished name (DN) to identify a user's X.509 authentication certificate.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:help_manageattributerequestermappingtasklet_attributerequestermappingstate
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_manageattributerequestermappingtasklet_attributerequestermappingstate.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
  next-steps: Next steps
---

# Managing attribute requester mappings

If you are using the SAML 2.0 X.509 attribute sharing profile (XASP), applications at your site must supply the subject distinguished name (DN) to identify a user's X.509 authentication certificate.

## About this task

Optionally, an application can also supply an issuer DN, which can be used to determine the correct identity provider (IdP) attribute authority to use for a set of users associated with an IdP. For more information, see [Attribute Query and XASP](../introduction_to_pingfederate/pf_attrib_query_xasp.html).

You must set the `Format` query parameter to a specified value for XASP. For more information, see [SP services](../developers_reference_guide/pf_sp_services.html).

You can map X.509 identifying information to connections and specify a default connection on the **System > Protocol Metadata > Attribute Requester Mapping** window.

At runtime, the issuer DN, if supplied, is evaluated against the entries under **Issuer DN Pattern** in hierarchical order until a match is found. If a match is found, the corresponding IdP connection is selected to issue a response to the attribute query request. If the issuer DN matches no entry or if it is not provided, the subject DN from the request is compared against the entries under **Subject DN Pattern** in a similar manner. If the subject DN matches no entry, then the default IdP connection is used.

You can use a regular expression to match different DNs to the same connection. Only one expression can be used in any single entry. DN values must be entered in all lower-case characters.
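The evaluation order described above, as an added sketch for dry-running a planned mapping table; it is not PingFederate's code. The tables, connection names and DNs are constructed, and lower-casing the incoming DN and requiring a whole-string match are assumptions, because this page does not state how the product applies a pattern.

```python
import re

# Constructed sample tables: (DN pattern, IdP connection name), in evaluation order.
ISSUER_MAP = [
    (r"cn=example issuing ca 1,o=example corp,c=us", "idp-corp"),
    (r"cn=.*,o=partner inc,c=us", "idp-partner"),
]
SUBJECT_MAP = [
    (r"cn=.*,ou=contractors,o=example corp,c=us", "idp-contractors"),
    (r"cn=.*,o=example corp,c=us", "idp-corp"),
]
DEFAULT = "idp-default"


def select_connection(issuer_dn, subject_dn,
                      issuer_map=ISSUER_MAP, subject_map=SUBJECT_MAP,
                      default=DEFAULT):
    """Return (connection, rule) using the documented order:
    issuer DN entries, then subject DN entries, then the default."""
    for kind, dn, table in (("issuer", issuer_dn, issuer_map),
                            ("subject", subject_dn, subject_map)):
        if not dn:               # the issuer DN is optional in the request
            continue
        dn = dn.strip().lower()  # assumption: comparison is done in lower case
        for position, (pattern, connection) in enumerate(table, start=1):
            # assumption: a pattern has to match the whole DN, not a substring
            if re.fullmatch(pattern, dn):
                return connection, f"{kind}#{position}"  # first match wins
    return default, "default"


if __name__ == "__main__":
    contractor = "cn=alice,ou=contractors,o=example corp,c=us"
    print(select_connection(None, contractor))
    # Same DN with the two subject entries swapped: the broad entry shadows the narrow one.
    print(select_connection(None, contractor,
                            subject_map=list(reversed(SUBJECT_MAP))))
```

Because the first matching entry wins and `.*` also spans the `ou=contractors` component, list narrower patterns above broader ones and confirm which DNs fall through to the default connection.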

## Steps

1. Map one or more issuer DNs to SAML 2.0 IdP connections, as needed.

   1. Enter an issuer DN under **Issuer DN Pattern**.

   2. Select an IdP connection under **IdP Connection Name**.

   3. Click **Add**.

   4. Repeat these steps to add more entries.

2. Map one or more subject DNs to SAML 2.0 IdP connections, as needed.

   1. Enter a subject DN under **Subject DN Pattern**.

   2. Select an IdP connection under **IdP Connection Name**.

   3. Click **Add**.

   4. Repeat these steps to add more entries.

3. Select a default IdP connection from the list.

## Next steps

You can click **Edit**, **Update**, and **Cancel** to make or undo a change to an entry. Click **Delete** and **Undelete** to remove an entry or cancel the removal request.
