--- title: Fulfilling processor policy grant mapping description: On the Contract Fulfillment tab, map authentication source values into persistent grants. component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:pf_fulfilling_processor_policy_grant_mapping canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_fulfilling_processor_policy_grant_mapping.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: February 3, 2025 section_ids: about-this-task: About this task steps: Steps --- # Fulfilling processor policy grant mapping On the **Contract Fulfillment** tab, map authentication source values into persistent grants. ## About this task The `USER_KEY` attribute is the identifier of the persistent grants. The `USER_NAME` attribute presents the name shown to the resource owner on OAuth user-facing pages. If extended attributes are defined in **System > OAuth Settings > Authorization Server Settings**, configure a mapping for each attribute. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | The `USER_KEY` attribute values must be unique across all end users because the `USER_KEY` attribute is the user identifier to store and retrieve persistent grants.For example, if you configure an OAuth attribute mapping on a SAML 2.0 identity provider (IdP) *(tooltip: \
\

A service that manages identity information and provides authentication services to relying clients or SPs within a federated or distributed network.\

\
)* connection and the `SAML_SUBJECT` attribute uniquely identifies all end users, you can map `SAML_SUBJECT` to the `USER_KEY` attribute. | ## Steps 1. On the **Contract Fulfillment** tab, select a source from the **Source** list. 2. Select or enter a value for each attribute in the contract. * **Processor Policy** Populates the associated **Value** list with attributes associated with the processor policy. * **Context** Values are returned from the context of the transaction at runtime. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If `PERSISTENT_GRANT_LIFETIME` is an extended attribute in the **System > OAuth Settings > Authorization Server Settings**, you can set the lifetime of persistent grants based on the outcome of attribute mapping expressions, or the per-client **Persistent Grants Max Lifetime** setting.- To set lifetime based on the per-client `PERSISTENT_GRANT_LIFETIME` setting, select **Context** from the **Source** list and **Default Persistent Grant Lifetime** from the **Value** list. - To set lifetime based on the outcome of attribute mapping expressions, select **Expression** as the source and enter an OGNL expression in the **Value** field. If the expression returns a positive integer, the value represents the lifetime of the persistent grant in minutes. If the expression returns a `0`, PingFederate doesn't store the grant and doesn't issue a refresh token. If the expression returns any other value, PingFederate sets the lifetime of the persistent grant based on the per-client **Persistent Grants Max Lifetime** setting. - To set a static lifetime, select **Text** from the **Source** list and enter a static value in the **Value** field. This option is suitable for testing purposes, or cases where the persistent grant lifetime must always be set to a specific value.As the **HTTP Request** context value is retrieved as a Java object rather than text, OGNL expressions are ideal to evaluate and return values. | * **Extended Properties** Values are returned from the client record. * **LDAP/JDBC**/Other (when a datastore is used) Values are returned from your datastore. When you select this option, the **Value** list populates with attributes from your datastore. * **Expression** (when enabled) Provides more complex mapping capabilities, such as transforming incoming values into different formats. All variables available for text entries are also available for expressions. * **No Mapping** Ignores the **Value** field. * **Text** You can enter a text value only, or you can mix text with references to the unique user ID returned from the credentials validator, using the `${attribute}` syntax. You can also enter values from your datastore, when applicable. Using the `${ds.attribute}` syntax, where `attribute` is any of the datastore attributes you have selected. 3. Click **Next**.