---
title: Defining an attribute contract for SP STS
description: An attribute contract is the set of user attributes expected in incoming SAML assertions. For more information, see Attribute contracts.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:help_wstrusttokengenerationtasklet_wstrusttokengenerationattrcontractstate
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_wstrusttokengenerationtasklet_wstrusttokengenerationattrcontractstate.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
  result: Result:
---

# Defining an attribute contract for SP STS

An attribute contract is the set of user attributes expected in incoming SAML assertions. For more information, see [Attribute contracts](../introduction_to_pingfederate/pf_attr_contract.html).

## About this task

On the **Attribute Contract** tab, identify the user attributes.

Optionally, you can mask the values of attributes, other than `SAML_SUBJECT`, in logs that PingFederate writes when it receives security tokens.

|   |                                                                                                                                                                                            |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | Use the **Edit**, **Update**, and **Cancel** workflows to make or undo a change to an item. Use the **Delete** and **Undelete** workflows to remove an item or cancel the removal request. |

## Steps

1. Go to **Authentication > Integration > IdP Connections**.

2. On the **WS-Trust STS** tab, click **Configure WS-Trust STS**.

3. On the **Token Generation** tab, click **Configure Token Generation**.

   ### Result:

   The **Token Generation** configuration window opens.

4. Click the **Attribute Contract** tab.

5. Enter the name in the **Extend the Contract** field.

   |   |                                                                                                          |
   | - | -------------------------------------------------------------------------------------------------------- |
   |   | Attribute names are case-sensitive and must correspond to the attribute names expected by the requester. |

6. (Optional) Select the **Mask Values in Log** checkbox .

7. Click **Add**.

8. Repeat until all applicable attributes are defined.

9. Click **Next**.