--- title: Configuring contract fulfillment for token generation description: Fulfill your token generator contract requirements with values from the incoming SAML token, dynamic text, expressions, or from a data store lookup. component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:help_wstrusttokengeneratormappingtasklet_wstrusttokengeneratorcontractfulfillmentstate canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_wstrusttokengeneratormappingtasklet_wstrusttokengeneratorcontractfulfillmentstate.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: July 5, 2022 section_ids: about-this-task: About this task steps: Steps result: Result: --- # Configuring contract fulfillment for token generation Fulfill your token generator contract requirements with values from the incoming SAML token, dynamic text, expressions, or from a data store lookup. ## About this task Map the values that the web services require to the attributes defined for the contract. ## Steps 1. On the **Token Generator Mapping & User Lookup** tab, click **Map New Token Generator Instance**. ### Result: The **Token Generator Mapping & User Lookup** configuration window opens. 2. On the **Token Generator Contract Fulfillment** tab, for each attribute, select a source from the**Source** list and then choose or enter a value. You must map all attributes. **Assertion** When selected, the **Value** list populates with attributes from the incoming SAML token (assertion). Select the desired attribute from the list. At runtime, the attribute value from the assertion is mapped to the value of the attribute in the local token. For example, to map the value of `TOKEN_SUBJECT` from a SAML assertion as the value of the `subject` user identifier on the token generator contract, select **Assertion** from the **Source** list and **TOKEN\_SUBJECT** from the **Value** list. **Context** When selected, the **Value** list populates with the available context of the transaction. Select the desired context from the list. At runtime, the context value is mapped to the value of the attribute in the local token. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Because the **HTTP Request** and **STS SSL Client Certificate Chain** context values are retrieved as Java objects rather than text, use OGNL expressions to evaluate and return values, sees **Expression**. | | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | When using the **STS Basic Authentication Username**, **STS SSL Client Certificate's Subject DN**, or **STS SSL Client Certificate Chain** contexts, ensure the associated authentication is enabled and configured on the **System > Server > Protocol Settings > WS-Trust STS Settings** tab. | **LDAP**, **JDBC**, or **Other** When selected, the **Value** list populates with attributes that you have selected from the data store. Select the desired attribute from the list. At runtime, the attribute value from the data store is mapped to the value of the attribute in the local token. **Expression** When enabled, this option provides more complex mapping capabilities, such as transforming incoming values into different formats. Select **Expression** from the **Source** list, click **Edit** under **Actions**, and compose your OGNL expressions. All variables available for text entries are also available for expressions. For more information, see **Text**. Expressions are not enabled by default. For more information about enabling and editing OGNL expressions, see [Attribute mapping expressions](pf_attribute_mapping_expressions.html). **No Mapping** Select this option to ignore the **Value** field. * **Text** When selected, the text you enter is used at runtime. You can mix text with references to any of the values from the SAML token, using the `${attribute}` syntax. You can also enter values from your datastore, when applicable, using this syntax: ``` [.codeph]``${ds.[.varname]__attribute__}`` ``` where `attribute` is any of the attributes that you have selected from the data store. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can reference attribute values in the form of `${attributeName:-defaultValue}`. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use `${` and `}` in the default value. | | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If you are editing a currently mapped token generator instance, you can update the mapping configuration, which might require additional configuration changes in subsequent tasks. | 3. Click **Next**.