---
title: Configuring contract fulfillment for token creation
description: Map values to the attributes defined for the contract. These are the values that are included in the SAML security tokens sent to the service provider (SP).
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:help_wstrusttokenprocessormappingtasklet_wstrustattrcontractfulfillmentstate
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_wstrusttokenprocessormappingtasklet_wstrustattrcontractfulfillmentstate.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  steps: Steps
---

# Configuring contract fulfillment for token creation

Map values to the attributes defined for the contract. These are the values that are included in the SAML security tokens sent to the service provider (SP).

## Steps

1. In the **Token Creation | IdP Token Processor Mapping** window, on the **Attribute Contract Fulfillment** tab, for each attribute, select a source from the **Source** list and then choose or enter a value. You must map all target attributes.

   **Token**

   When selected, the **Value** list is populated with attributes from the token processor instance. Select the desired attribute from the list. At runtime, the attribute value from the token processor instance is mapped to the value of the attribute in the SAML security token.

   For example, to map the value of the Username Token Processor's `username` attribute as the value of the `TOKEN_SUBJECT` attribute on the contract, select **Token** from the **Source** list and **username** from the **Value** list.

   **Context**

   When selected, the **Value** list is populated with the available context of the transaction. Select the desired context from the list. At runtime, the context value is mapped to the value of the attribute in the SAML security token.

   The **HTTP Request** and **STS SSL Client Certificate Chain** context values are retrieved as Java objects rather than text. For this reason, OGNL expressions are more appropriate for evaluating these objects and returning values. For more information, see **Expression**.

   When using the **STS Basic Authentication Username**, **STS SSL Client Certificate's Subject DN**, or **STS SSL Client Certificate Chain** contexts, ensure the associated authentication is enabled and configured on the **System > Server > Protocol Settings > WS-Trust STS Settings** tab.

   **Request**

   When selected, the **Value** list populates with parameter values from the token request received from the web service client. This selection is available only if a request contract was selected earlier on the **Request Contract** tab. Select the desired context from the list. At runtime, the context value is mapped to the value of the attribute in the SAML security token.

   **LDAP**, **JDBC**, or **Other**

   When selected, the **Value** list populates with attributes that you have selected in the **Attribute Source & User Lookup** window configuration. Select the desired attribute from the list. At runtime, the attribute value from the attribute source is mapped to the value of the attribute in the SAML security token.

   **Expression**

   When enabled, this option provides more complex mapping capabilities, such as transforming incoming values into different formats. Select **Expression** from the **Source** list, click **Edit** under **Actions**, and compose your OGNL expressions. All variables available for text entries are also available for expressions. For more information, see **Text**.

   Expressions are not enabled by default. For more information about enabling and editing OGNL expressions, see [Attribute mapping expressions](pf_attribute_mapping_expressions.html).

   **No Mapping**

   Select this option to ignore the **Value** field.

   **Text**

   When selected, the text you enter is mapped to the value of the attribute in the single sign-on tokens at runtime. You can mix text with references to any of the values from the authentication source using the `${attribute}` syntax.

   You can also enter values from your data store, when applicable, using the following syntax.

   ```
   ${ds.attr-source-id.attribute}
   ```

   where `attr-source-id` is the attribute source ID value and `attribute` is any of the selected attributes in the attribute source configuration.

   You can reference attribute values in the form of `${attributeName:-defaultValue}`. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use `${` and `}` in the default value.

   If you are editing a currently mapped token processor instance, you can update the mapping configuration, which might require additional configuration changes in subsequent tasks.
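
A pre-deployment check for **Text** mapping values, added here as an example and not taken from the PingFederate documentation or product code: it parses the `${attribute}`, `${ds.attr-source-id.attribute}` and `${attributeName:-defaultValue}` references described above and reports problems. The function names, the `AVAILABLE` set and all sample values are constructed for illustration; the code models the syntax as this page describes it, not PingFederate's own parser.

```python
import re

# Matches one ${...} reference up to the first closing brace.
REF = re.compile(r"\$\{([^}]*)\}")

# Constructed sample: names a mapping may reference (token processor
# attributes plus ds.<attr-source-id>.<attribute> data store entries).
AVAILABLE = {"username", "ds.ldap1.mail", "ds.ldap1.memberOf"}


def parse_refs(template):
    """Return (name, default) pairs; default is None when ':-' is absent."""
    refs = []
    for body in REF.findall(template):
        name, sep, default = body.partition(":-")
        refs.append((name.strip(), default if sep else None))
    return refs


def lint_text_mapping(template, available):
    """Return a list of findings for one Text mapping value."""
    findings = []
    # A '${' left over after removing complete references was never closed.
    if "${" in REF.sub("", template):
        findings.append("unterminated '${' reference")
    for name, default in parse_refs(template):
        if not name:
            findings.append("empty attribute name")
            continue
        # The page forbids '${' and '}' inside a default value.
        if default is not None and "${" in default:
            findings.append(f"default for '{name}' contains '${{'")
        if name not in available:
            if default is None:
                findings.append(f"'{name}' is not available and has no default")
            else:
                findings.append(f"'{name}' is not available; always uses default '{default}'")
    return findings


if __name__ == "__main__":
    for value in ["${username}@example.com", "${ds.ldap1.mial:-guest}"]:
        print(value, "->", lint_text_mapping(value, AVAILABLE))
```

A misspelled attribute name that carries a default is worth reviewing closely, because every issued token then contains the default instead of the user's real value.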
