--- title: Configuring target session fulfillment description: Map values to the attributes defined for the contract. These are the values that the target application requires to create a local session for the user. component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:pf_configuring_target_session_fulfillment canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_configuring_target_session_fulfillment.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: July 10, 2024 section_ids: before-you-begin: Before you begin steps: Steps --- # Configuring target session fulfillment Map values to the attributes defined for the contract. These are the values that the target application requires to create a local session for the user. ## Before you begin If you are bridging an identity provider (IdP) to one or more service providers, the values mapped to the authentication policy contracts are used by the associated service provider (SP) connections to create assertions for the service providers. For more information, see [Federation hub use cases](../introduction_to_pingfederate/pf_fed_hub_use_case.html). At runtime, a single sign-on (SSO) operation fails if PingFederate cannot fulfill the required attribute. ## Steps 1. On the **Adapter Contract Fulfillment** tab, for each attribute, select a source in the **Source** list and then select or enter a value. | | | | - | ---------------------------- | | | You must map all attributes. | * **AccountLink** When selected, the **Value** list populates with **Local User ID**. Normally, you would map **Local User ID** to an adapter attribute that represents the user identifier at the target. This source is not applicable to authentication policy contracts. This source appears only if you have elected to use account linking for a target session on the **Identity Mapping** tab. * **Assertion** or **Provider Claims** When selected, the **Value** list populates with attributes from the SSO token. Select the desired attribute in the list. For example, to map the value of `SAML_SUBJECT` from a SAML assertion as the value of the `subject` user identifier on the contract, select **Assertion** in the **Source** list and **SAML\_SUBJECT** in the **Value** list. **Context** When selected, the **Value** list populates with the available context of the transaction. Select the desired context in the list. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------- | | | As the `HTTP Request` context value is retrieved as a Java object rather than text, use OGNL expressions to evaluate and return values. | | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If you are configuring an **OAuth Attribute Mapping** configuration and have added `PERSISTENT_GRANT_LIFETIME` as an extended attribute in the **Authorization Server Settings** window, you can set the lifetime of persistent grants based on the outcome of attribute mapping expressions or the per-client `Persistent Grants Max Lifetime` setting.- To set lifetime based on the per-client `Persistent Grants Max Lifetime` setting, select **Context** from the **Source** list and **Default Persistent Grant Lifetime** in the **Value** list. - To set lifetime based on the outcome of attribute mapping expressions, select **Expression** as the source and enter an OGNL expression in the **Value** field. If the expression returns a positive integer, the value represents the lifetime of the persistent grant in minutes. If the expression returns the integer 0, PingFederate does not store the grant and does not issue a refresh token. If the expression returns any other value, PingFederate sets the lifetime of the persistent grant based on the per-client **Persistent Grants Max Lifetime** setting. - To set a static lifetime, select **Text** in the **Source** list and enter a static value in the **Value** field. This is suitable for testing purposes or cases where the persistent grant lifetime must always be set to a specific value. - To set lifetime based on the per-client `Persistent Grants Max Lifetime` setting, select **Context** from the **Source** list and **Default Persistent Grant Lifetime** in the **Value** list. - To set lifetime based on the outcome of attribute mapping expressions, select **Expression** as the source and enter an OGNL expression in the **Value** field. If the expression returns a positive integer, the value represents the lifetime of the persistent grant in minutes. If the expression returns the integer 0, PingFederate does not store the grant and does not issue a refresh token. If the expression returns any other value, PingFederate sets the lifetime of the persistent grant based on the per-client **Persistent Grants Max Lifetime** setting. - To set a static lifetime, select **Text** in the **Source** list and enter a static value in the **Value** field. This is suitable for testing purposes or cases where the persistent grant lifetime must always be set to a specific value. | | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | For OpenID Connect (OIDC) *(tooltip: \
\

An authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management.\

\
)*-enabled IdP connections, the following context values are available:- **Access Token** - **ID Token** - **Scope** - **Authorization Details** - **Token Endpoint Response** - Useful for parsing specific parameters within the token endpoint response. | * **Extended Properties** When selected, the **Value** list populates with extended properties defined in the **Extended Properties** menu. Select the desired extended property. Learn more about defining extended properties in [Populating extended property values for IdP connections](help_idpconnectionconfigtasklet_extendedpropertymanagementstate.html). * **LDAP**, **JDBC**, or **Other** When selected, the **Value** list populates with attributes that you have selected from the datastore. Select the desired attribute in the list. * **Expression** When enabled, this option provides more complex mapping capabilities, such as transforming incoming values into different formats. Select **Expression** in the **Source** list, click **Edit** under **Actions**, and compose your OGNL expressions. All variables available for text entries are also available for expressions. For more information, refer to **Text**. Expressions are not enabled by default. Learn more about enabling and editing OGNL expressions in [Attribute mapping expressions](pf_attribute_mapping_expressions.html). * **No Mapping** Select this option to ignore the **Value** field. * **Text** When selected, the text you enter is used at runtime. You can mix text with references to any of the values from the SSO token, using the `${attribute}` syntax. You can also enter values from your datastore, when applicable, using this syntax: ``` [.codeph]``${ds.[.varname]__attribute__}`` ``` where `attribute` is any attribute that you have selected from the datastore. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | You can reference attribute values in the form of `${attributeName:-defaultValue}`. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use `${` and `}` in the default value.Two other text variables are available. `SAML_SUBJECT` is the initiating user or other entity. `TargetResource` is a reference to the protected application or other resource for which the user requested SSO access. The `${TargetResource}` text variable is available only if specified as a query parameter for the relevant endpoint, either as `TargetResource` for SAML 2.0 or `TARGET` for SAML 1.x. | You might hard-code a text value for a variety of reasons. For example, if your web application provides a consumer service, you might want to supply a particular promotion code for the partner. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If you are editing a currently mapped adapter instance or authentication policy contract (APC), you can update the mapping configuration, which might require additional configuration changes in subsequent tasks. | 2. Click **Next** to continue configuration.