--- title: Configuring contract fulfillment for IdP Browser SSO description: On the Attribute Contract Fulfillment tab, you can map values to the attributes defined for the contract. These are the values that will be included in the single sign-on (SSO) tokens sent to the service provider (SP). component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:pf_configuring_contract_fulfillment_idp_browser_sso canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_configuring_contract_fulfillment_idp_browser_sso.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: July 8, 2024 section_ids: before-you-begin: Before you begin about-this-task: About this task steps: Steps --- # Configuring contract fulfillment for IdP Browser SSO On the **Attribute Contract Fulfillment** tab, you can map values to the attributes defined for the contract. These are the values that will be included in the single sign-on (SSO) tokens sent to the service provider (SP). ## Before you begin For initial steps to configure identity provider (IdP) adapter instances or authentication policy contracts (APC), see [Managing authentication source mappings](help_assertioncreationtasklet_idpadaptermappingstate.html). ## About this task If you are bridging one or more identity providers to a service provider, map values to an authentication policy contract. For more information, see [Federation hub use cases](../introduction_to_pingfederate/pf_fed_hub_use_case.html). At runtime, an SSO operation fails if PingFederate cannot fulfill the required attribute. On the **Attribute Contract Fulfillment** tab, you must complete the following steps for each attribute contract. ## Steps 1. Select a **Source** from the drop-down. 2. Select a **Value** from the drop-down or enter a **Value** in the text field. See the following for more information. * **Adapter** or **Authentication Policy Contract** (the authentication source) When selected, the **Value** list is populated with attributes from the authentication source. Select the desired attribute from the list. At runtime, the attribute value from the authentication source is mapped to the value of the attribute in the SSO token. For example, to map the value of the HTML Form Adapter's `{username}` attribute attribute as the value of the `{SAML_SUBJECT}` attribute on the contract, select **Adapter** from the **Source** list and **username** from the **Value** list. * **Context** When selected, the **Value** list populates with the available context of the transaction. Select the desired context from the list. At runtime, the context value is mapped to the value of the attribute in the SSO token. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If you are configuring an SP connection to bridge one or more identity providers to a service provider, consider mapping the original issuer of the assertions into an attribute by selecting **Context** as the source and **Authenticating Authority** as the value. This is important when bridging multiple identity providers to one service provider, where the service provider should take the information about the original issuer into consideration before granting access to protected resources.For more information, see [Bridging multiple IdPs to an SP](../introduction_to_pingfederate/pf_bridg_multi_idp_to_sp.html). | | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Because the **HTTP Request** context value is retrieved as a Java object rather than text, use OGNL expressions to evaluate and return values (see **Expression**). | * **LDAP**, **JDBC**, or **Other** When selected, the **Value** list populates with attributes that you have selected in the attribute source configuration. Select the desired attribute from the list. At runtime, the attribute value from the attribute source is mapped to the value of the attribute in the SSO token. * **Expression** When enabled, this option provides more complex mapping capabilities, such as transforming incoming values into different formats. Select **Expression** from the **Source** list, click **Edit** under **Actions**, and compose your OGNL expressions. All variables available for text entries are also available for expressions. For more information, see **Text**. Expressions are not enabled by default. For more information about enabling and editing OGNL expressions, see [Attribute mapping expressions](pf_attribute_mapping_expressions.html). * **No Mapping** Select this option to ignore the **Value** field. * **Text** When selected, the text you enter is mapped to the value of the attribute in the single sign-on tokens at runtime. You can mix text with references to any of the values from the authentication source using the `${attribute}` syntax. You can also enter values from your datastore, when applicable, using this syntax: ``` [.codeph]``${ds.[.varname]__attr-source-id.attribute__}`` ``` where `attr-source-id `is the attribute source ID value and `attribute `is one of the selected attributes in the attribute source configuration. Note that when using alternate data stores with a failsafe mapping, the attribute source ID value is not applicable. Use the following syntax instead: ``` [.codeph]``${ds.[.varname]__attribute__}`` ``` | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Two other text variables are also available: `${SAML_SUBJECT}` and `${TargetResource}`. `SAML_SUBJECT` is the initiating user (or other entity). `TargetResource` is a reference to the protected application or other resource for which the user requested SSO access; the `${TargetResource}` text variable is available only if specified as a query parameter for the relevant endpoint (either as `TargetResource` for SAML 2.0 or `TARGET` for SAML 1.x). | There are also a variety of reasons why you might hard code a text value. For example, if the SP web application provides a service based on the name of your organization, you might provide that attribute value as a constant. 3. After all attributes have been mapped, click **Next** to save changes. | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If you are editing a currently mapped adapter instance or APC, you can update the mapping configuration, which might require additional configuration changes in subsequent tasks. |