---
title: Configuring access token mapping
description: Map your policy contract context to the JWT access token manager.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_configure_access_token_mapping
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_configure_access_token_mapping.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: January 28, 2025
section_ids:
  steps: Steps
---

# Configuring access token mapping

Map your policy contract context to the JWT access token manager.

## Steps

1. Go to **Applications > OAuth > Access Token Mappings**.

2. On the **Access Token Mappings** page in the **Context** menu, select your policy contract.

3. In the **Access Token Manager** menu, select your JWT ATM.

4. Click **Add Mapping**.

5. On the **Attribute Sources & User Lookup** tab, click **Next**.

6. On the **Contract Fulfillment** tab, select a **Source** and a **Value** to map into the `admin_role`, `iss`, `memberOf`, and `sub` attributes in the **Contract** list.

   ![Screen capture of the Contract Fulfillment tab, on which you select a source and a value to map into the admin\_role, iss, memberOf, and sub attributes.](_images/pjo1657817842645.png)

   1. For the `admin_role` attribute, select **Expression** in the **Source** menu and, in the **Value** field, enter the following expression:

      ```
      #filter1 = "^pf_admins.*",
      #filter2 = "^pf_cryptoadmins.*",
      #filter3 = "^pf_useradmins.*",
      #filter4 = "^pf_datacollectionadmins.*",
      #role1 = "admin",
      #role2 = "cryptoadmin",
      #role3 = "useradmin",
      #role4 = "expressionadmin",
      #role5 = "datacollectionadmin",

      #outboundattribute = new java.util.ArrayList(),

      #groups = #this.get("apc.memberOf")!=null?#this.get("apc.memberOf").getValues():{},

      #i = 0,

      #groups.{
      #group = #this,
      #group = new javax.naming.ldap.LdapName(#groups[#i]),
      #cn = #group.getRdn(#group.size() - 1).getValue().toString(),

      #cn.matches(#filter1)?#outboundattribute.add(#role1):null,
      #cn.matches(#filter1)?#outboundattribute.add(#role4):null,
      #cn.matches(#filter2)?#outboundattribute.add(#role2):null,
      #cn.matches(#filter3)?#outboundattribute.add(#role3):null,
      #cn.matches(#filter4)?#outboundattribute.add(#role5):null,

      #i = #i + 1},

      #outboundattribute.size() > 0 ? new org.sourceid.saml20.adapter.attribute.AttributeValue(#outboundattribute):null
      ```

      |   |   |
      | - | - |
      |   | This example OGNL expression gets the `memberOf` value from the policy contract, looks for group distinguished names (DNs) that match the filters, and assigns a role when a filter is matched. A DN is a name that uniquely identifies an object within the hierarchy of a directory tree. In the expression, anyone in the Admins group is assigned both the Admin and Expression Admin roles, because the Expression Admin role requires the Admin role assignment. Using this expression to map roles lets you control access with groups from your identity provider's data source. Match the filter values in the expression to the group names created in your LDAP directory to assign those roles. |

   2. For the `iss` attribute, select **Text** in the **Source** menu, and enter a text string in the **Value** field.

      |   |                                                                                                                                      |
      | - | ------------------------------------------------------------------------------------------------------------------------------------ |
      |   | Make a note of the text string. The value entered here is the issuer claim value and should identify the organization as the issuer. |

   3. For the `memberOf` attribute, select **Authentication Policy Contract** in the **Source** menu, and **memberOf** in the **Value** menu.

   4. For the `sub` attribute, select **Persistent Grant** in the **Source** menu, and **USER\_KEY** in the **Value** menu.

   5. Click **Next**.

7. On the **Issuance Criteria** tab, click **Next**.

8. On the **Summary** tab, review your mappings. Click **Save**.
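The role derivation that the OGNL expression in step 6a performs, reproduced in Python as an added example (not PingFederate code) so you can check which group DNs produce which `admin_role` values before saving the mapping. The filter and role strings are copied from the expression; the sample DNs are constructed, and `leaf_rdn_value` is a minimal stand-in for the expression's `LdapName` leaf-RDN lookup.

```python
import re

# Filters and roles copied from the page's OGNL expression. Each filter is a
# full-match regex ending in ".*", so it acts as a prefix match on the CN:
# any group whose CN starts with "pf_admins" grants admin + expressionadmin.
ROLE_RULES = [
    (re.compile(r"^pf_admins.*"), ["admin", "expressionadmin"]),
    (re.compile(r"^pf_cryptoadmins.*"), ["cryptoadmin"]),
    (re.compile(r"^pf_useradmins.*"), ["useradmin"]),
    (re.compile(r"^pf_datacollectionadmins.*"), ["datacollectionadmin"]),
]

def leaf_rdn_value(dn):
    """Value of the leftmost RDN ('pf_admins' for 'cn=pf_admins,ou=groups,...').
    This is what LdapName.getRdn(size - 1).getValue() yields in the expression,
    since LdapName indexes RDNs right to left. Escaped commas are kept."""
    chars, i = [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            chars.append(dn[i + 1])  # escaped character, taken literally
            i += 2
            continue
        if ch == ",":
            break
        chars.append(ch)
        i += 1
    return "".join(chars).partition("=")[2].strip()

def admin_roles(member_of):
    """Mirror the expression: member_of is the group DN list from apc.memberOf,
    or None when the contract has no memberOf. Returns the admin_role values,
    or None when nothing matched (the OGNL returns null: no admin_role claim)."""
    roles = []
    for dn in member_of or []:
        cn = leaf_rdn_value(dn)
        for pattern, granted in ROLE_RULES:
            if pattern.fullmatch(cn):
                roles.extend(granted)
    return roles or None

# Constructed sample memberOf values; not taken from any real directory.
SAMPLE_MEMBER_OF = ["cn=pf_useradmins,ou=groups,dc=example,dc=com",
                    "cn=developers,ou=groups,dc=example,dc=com"]

if __name__ == "__main__":
    print(admin_roles(SAMPLE_MEMBER_OF))  # ['useradmin']
```

Run it against the group DNs your directory actually returns for a test account to confirm that only the intended groups, and no similarly prefixed ones, map to admin roles.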
