--- title: Fulfilling OAuth attribute mapping description: On the Contract Fulfillment tab, map authentication source values into persistent grants. component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:help_oauthidpconnection2targetmappingtasklet_oauthidpconnection2targetmappingstate canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_oauthidpconnection2targetmappingtasklet_oauthidpconnection2targetmappingstate.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: July 5, 2022 section_ids: about-this-task: About this task steps: Steps --- # Fulfilling OAuth attribute mapping On the **Contract Fulfillment** tab, map authentication source values into persistent grants. ## About this task The `USER_KEY` attribute is the identifier of the persistent grants. The `USER_NAME` attribute presents the name shown to the resource owner on OAuth user-facing pages. If extended attributes are defined in **System > OAuth Settings > Authorization Server Settings**, configure a mapping for each attribute. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The `USER_KEY` attribute values must be unique across all end users because the `USER_KEY` attribute is the user identifier to store and to retrieve persistent grants. For example, if you are configuring an **OAuth Attribute Mapping** configuration on a SAML 2.0 IdP connection and the `SAML_SUBJECT` attribute uniquely identifies all end users, you can map the `SAML_SUBJECT` attribute to the `USER_KEY` attribute. | ## Steps 1. For each attribute, select a source from the list and then choose or enter a value. **AccountLink** When selected, the **Value** list is populated with **Local User ID**. You can map **Local User ID** to an attribute that represents the user identifier, such as the `USER_KEY` attribute. This source appears only if you have elected to use account linking for a target session on the **Identity Mapping** window. **Assertion** or **Provider Claims** When selected, the **Value** list is populated with attributes from the SSO token. Select the desired attribute from the list. For example, to map the value of `SAML_SUBJECT` from a SAML assertion as the value of the `USER_KEY` user identifier on the contract, select **Assertion** from the **Source** list and **SAML\_SUBJECT** from the **Value** list. **Context** When selected, the **Value** list populates with the available context of the transaction. Select the desired context from the list. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------- | | | As the `HTTP Request` context value is retrieved as a Java object rather than text, use OGNL expressions to evaluate and return values. | | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If you are configuring an **OAuth Attribute Mapping** configuration and have added `PERSISTENT_GRANT_LIFETIME` as an extended attribute in the **Authorization Server Settings** window, you can set the lifetime of persistent grants based on the outcome of attribute mapping expressions or the per-client `Persistent Grants Max Lifetime` setting.- To set lifetime based on the per-client `Persistent Grants Max Lifetime` setting, select **Context** from the **Source** list and **Default Persistent Grant Lifetime** from the **Value** list. - To set lifetime based on the outcome of attribute mapping expressions, select **Expression** as the source and enter an OGNL expression in the **Value** field. If the expression returns a positive integer, the value represents the lifetime of the persistent grant in minutes. If the expression returns the integer 0, PingFederate does not store the grant and does not issue a refresh token. If the expression returns any other value, PingFederate sets the lifetime of the persistent grant based on the per-client **Persistent Grants Max Lifetime** setting. - To set a static lifetime, select **Text** from the **Source** list and enter a static value in the **Value** field. This is suitable for testing purposes, or cases where the persistent grant lifetime must always be set to a specific value. | **Extended Properties** Values are returned from the client record. **LDAP**, **JDBC**, or **Other** When selected, the **Value** list is populated with attributes selected from the datastore. Select the desired attribute from the list. **Expression** When enabled, this option provides more complex mapping capabilities, such as transforming incoming values into different formats. Select **Expression** from the **Source** list, click **Edit** under **Actions**, and compose your OGNL expressions. All variables available for text entries are also available for expressions. For more information, see **Text**. Expressions are not enabled by default. For more information about enabling and editing OGNL expressions, see [Attribute mapping expressions](pf_attribute_mapping_expressions.html). **No Mapping** When selected, no value selection is necessary. **Text** When selected, the text you enter is used at runtime. You can mix text with references to any of the values from the SSO token, using the `${attribute}` syntax. When applicable, you can also enter values from your datastore using the `${ds.attribute}` syntax, where `attribute `is any attribute that you have selected from the datastore. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can reference attribute values in the form of `${attributeName:-defaultValue}`. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use `${` and `}` in the default value. | 2. Click **Next**.