--- title: Mapping attributes to a user account description: Map incoming attributes to the account attributes on an LDAP server, the columns in a database table on a Microsoft SQL Server, or the parameters of a Microsoft SQL Server stored procedure. component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:help_userprovisioningtasklet_userprovisioningadaptercontractmappingstate canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_userprovisioningtasklet_userprovisioningadaptercontractmappingstate.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: July 5, 2022 section_ids: about-this-task: About this task steps: Steps choose-from: Choose from: choose-from-2: Choose from: --- # Mapping attributes to a user account Map incoming attributes to the account attributes on an LDAP server, the columns in a database table on a Microsoft SQL Server, or the parameters of a Microsoft SQL Server stored procedure. ## About this task In addition to values obtained from the single sign-on (SSO) token, you can map attributes from the context of the SSO token text, with or without reference values from the SSO token, and expression if enabled. If you select a Microsoft SQL Server datastore on the **User Repository** tab, then on the **Attribute Fulfillment** tab you can test the insertion of attribute values into the database table or the stored procedure. When mapping to a database column of the `datetime` or `smalldatetime` data type, if you are not using a stored procedure to convert the incoming string value, you can use a PingFederate Java conversion method through OGNL expressions. ## Steps 1. On the **Attribute Fulfillment** tab, select a source from the list for each target attribute or parameter. ### Choose from: * `Assertion or Provider Claims` Values are contained in the SSO token from this identity provider (IdP). When you select this, the associated **Value** list is populated by the attribute contract. * `Context` Values are returned from the context of the transaction at runtime. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | As the HTTP Request is retrieved as a Java object rather than text, OGNL expressions are more appropriate to evaluate and return values. Choose **Expression**from the list and then click **Edit** to enter an expression. | * `Attribute Query` This choice appears only if you choose the **Attribute Query** profile for provisioning. To map an attribute-query value, use the syntax `${query_attribute}`. You can combine attribute-query values with references to attributes in the attribute contract; for example, `${query_attribute}+${attribute.` References to attributes not contained in the attribute contract result in an attribute query back to the IdP partner. * `Expression` | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | Enable OGNL expression by editing the `/pingfederate/server/default/data/config-store/org.sourceid.common.ExpressionManager.xml` file. Restart PingFederate after saving the change.For a clustered PingFederate environment, edit the `org.sourceid.common.ExpressionManager.xml` file on the console node, sign on to the administrative console to replicate this change to all engine nodes in the **System > Server > Cluster Management** window, and restart all nodes. | This option provides more complex mapping capabilities, such as transforming incoming values into different formats. All of the variables available for text entries are also available for expressions. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If you need to map multiple attribute values from one or multiple sources to one attribute value, use an OGNL expression to create it.For database mapping, if the data type of a target parameter is `datetime` or `smalldatetime`, you can use an expression to convert date-time strings from the SSO token. After selecting **Expression**, click **Datetime OGNL Examples** for syntax information and examples. | * `System Managed` This mapping option appears only when any automatically assigned attributes are among columns to be provisioned, such as an identity or a timestamp column on the Microsoft SQL Server. * `Text` The value is what you enter. This can be text only, or you can mix text with references to any of the values from the SSO token, using the `${attribute}` syntax. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can reference attribute values in the form of `${attributeName:-defaultValue}`. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use `${` and `}` in the default value. | | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | For LDAP mapping, choose **Text** as the **Source** for the `objectClass` attribute.For mapping into a database, if no entry is required for a column, you can leave the field blank. A blank entry results in an empty string in the database for string data types and null for all other data types. Alternatively, for string types, you can enter `null` in the field to explicitly set `null` in the column. | 2. Select or enter an attribute value. All values must be mapped. For optional table columns, you can leave the field blank or, for string data types, enter `null` to avoid empty strings. No value is required for **System Managed** attributes. | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------- | | | For **Active Directory**, enter `user` in the **objectClass** field. For Oracle Directory Server or Oracle Unified Directory, enter `inetOrgPerson`. | 3. (Optional) When mapping to a Microsoft SQL Server datastore, test the insertion. ### Choose from: * If testing from a table: 1. Click **Test insert into *\***. 2. Enter values for each applicable target parameter. 3. Click **Test Insert**. If the test succeeds, a confirmation displays along with the values inserted. | | | | - | ---------------------------------------------------------------------------------------------- | | | Unless you want to keep the test values in the database, click **Roll Back All Test Inserts**. | * If testing from a stored procedure: 1. Click **Test call to *\***. 2. Enter values for each applicable target parameter. 3. Click **Test Stored Procedure Call**. For stored procedures, only a confirmation displays if the test is successful, indicating that the procedure was populated with parameter values. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------- | | | No roll back feature is provided because PingFederate does not know the result of the procedure. Database rollback must be handled manually. | When finished, click **Return to Attribute Fulfillment**.