---
title: Configuring OAuth assertion grant contract fulfillment
description: Map values from the SAML assertions or JSON web tokens (JWTs) to the attributes defined for the attribute contract. The access token manager instance requires these values to create an OAuth access token.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:help_oauthsaml2targetmappingtasklet_oauthsaml2targetmappingstate
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_oauthsaml2targetmappingtasklet_oauthsaml2targetmappingstate.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Configuring OAuth assertion grant contract fulfillment

Map values from the SAML assertions or JSON web tokens (JWTs) to the attributes defined for the attribute contract. The access token manager instance requires these values to create an OAuth access token.

## About this task

At runtime, a single sign-on (SSO) operation fails if PingFederate cannot fulfill the required attribute.

## Steps

1. On **OAuth Assertion Grant Attribute Mapping > OAuth Assertion Grant Attribute Mapping Configuration > Contract Fulfillment** , select a source from the **Source** list and then choose or enter a value for each attribute.

   * **Assertion**

     When selected, the **Value** list populates with attributes from the SAML assertion or the JWT.

     For example, to map the value of `SAML_SUBJECT` from a SAML assertion, or `sub` from a JWT, as the value of an attribute on the access-token contract, select **Assertion** from the **Source** list and **TOKEN\_SUBJECT** from the **Value** list.

   * **Context**

     When selected, the **Value** list populates with the available context of the transaction.

     |   |                                                                                                                                                                                          |
     | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
     |   | Because the **HTTP Request** context value is retrieved as a Java object rather than text, use OGNL expressions to evaluate and return values. For more information, see **Expression**. |

   * **Extended Client Metadata**

     Values are returned from the client record.

   * **LDAP**, **JDBC**, or **Other**

     When selected, the **Value** list is populated with attributes that you have selected from the datastore. Select the desired attribute from the list.

   * **Expression**

     When enabled, this option provides more complex mapping capabilities, such as transforming incoming values into different formats. Select **Expression** from the **Source** list, click **Edit** under **Actions**, and compose your OGNL expressions. All variables available for text entries are also available for expressions. For more information, see **Text**.

     Expressions are not enabled by default. For more information about enabling and editing OGNL expressions, see [Attribute mapping expressions](pf_attribute_mapping_expressions.html). **Expression**

     When enabled, this option provides more complex mapping capabilities, such as transforming incoming values into different formats. Select **Expression** from the **Source** list, click **Edit** under **Actions**, and compose your OGNL expressions. All variables available for text entries are also available for expressions. For more information, see **Text**.

     Expressions are not enabled by default. For more information about enabling and editing OGNL expressions, see [Attribute mapping expressions](pf_attribute_mapping_expressions.html).

   * **No Mapping**

     Select this option to ignore the **Value** field.

   * **Text**

     When selected, the text you enter is used at runtime. You can mix text with references to any of the values from the SSO token, using the `${attribute}` syntax.

     When applicable, you can enter values from your datastore using the `$\{ds.<attribute>}` syntax, where `<attribute>` is any attribute that you have selected from the datastore.

   |   |                                                                                                                                                                                                                                                 |
   | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | You can reference attribute values in the form of `${attributeName:-defaultValue}`. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use `${` and `}` in the default value. |

2. Click **Next**.