--- title: Defining an attribute contract for IdP STS description: During token creation configuration, define an attribute contract that the server sends in the security tokens issued in response to a web service client at your site. component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:help_wstrustsptokencreationtasklet_wstrustattributecontractstate canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_wstrustsptokencreationtasklet_wstrustattributecontractstate.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: July 5, 2022 section_ids: about-this-task: About this task steps: Steps result: Result: result-2: Result --- # Defining an attribute contract for IdP STS During token creation configuration, define an attribute contract that the server sends in the security tokens issued in response to a web service client at your site. ## About this task An attribute contract is the set of user attributes that a web service client at your site expects to receive in security tokens issued for this connection. You identify these attributes on the **Attribute Contract** tab. For more information, see [Attribute contracts](../introduction_to_pingfederate/pf_attr_contract.html). ## Steps 1. Enter the attribute name in the **Extend the Contract** field. Attribute names are case-sensitive and must correspond to the attribute names, including claims, expected by the requesting web services client (WSC). ### Result: | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The Format attribute associated with the `NameID` element in outgoing SAML tokens can be set by adding an attribute called `SAML_NAME_FORMAT`. The value of that attribute can then be mapped later. For more information, see [Configuring contract fulfillment for token creation](help_wstrusttokenprocessormappingtasklet_wstrustattrcontractfulfillmentstate.html).Learn more about the `NameID` elements and applicable URI values in the SAML 2.0 specification at [SAML 2.0 specification](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html). | | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can add a special attribute, `SAML_AUTHN_CTX`, to indicate to the service provider (SP) the type of credentials used to authenticate to the identity provider (IdP) application-authentication context. Map a value for the authentication context on the attribute-mapping window later in the configuration, from any available attribute source, including the RST if a requested context is specified as a request parameter. For more information, see [Configuring contract fulfillment for token creation](help_wstrusttokenprocessormappingtasklet_wstrustattrcontractfulfillmentstate.html). | 2. (Optional) For SAML 1.1 tokens, select a attribute namespace from the list. This field appears only when the chosen default token type is **SAML 1.1** or **SAML 1.1 for Office 365** in the **WS-Trust STS > Protocol Settings** configuration. Change the default namespace selection if you and your SP partner have agreed to a specific namespace. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can customize name-format alternatives in the `custom-name-formats.xml` configuration file located in the `/pingfederate/server/default/data/config-store` directory. You must restart PingFederate to activate any changes made to this file. | For more information about attribute namespace, see [Attribute contracts](../introduction_to_pingfederate/pf_attr_contract.html). 3. Click **Add**. 4. Repeat until all applicable attributes are defined. 5. Click **Next**. ## Result Use the **Edit**, **Update**, and **Cancel** workflow to make or undo a change to an item. Use the **Delete** and **Undelete** workflow to remove an item or cancel the removal request.