PingFederate Server

Configuring identity hint contract

You can configure the identity hint contract, which contains the set of attributes received in the client-initiated backchannel authentication (CIBA) request that identify the user.

About this task

IDENTITY_HINT_SUBJECT is a core attribute and is automatically populated by the sub attribute of an identity hint token, if found, or the attribute value of the login_hint request attribute.

A client can send an ID token (id_token_hint) or a login hint token (login_hint_token) as the identity hint token. If you extend the identity hint contract with attribute names from the identity token, PingFederate fulfills them with values found in the identity token.

If needed, you can fulfill any attribute differently on the Identity Hint Contract Fulfillment tab.

Steps

  1. Optional: Go to Applications → OAuth → CIBA Request Policies. On the Identity Hint Contract Fulfillment tab, enter an attribute name under Extend the Contract, and then click Add.

  2. Repeat the previous step to define additional attributes. Click Next.

    Use the Edit, Update, and Cancel workflow to make or undo a change to an existing entry. Click Delete to remove an entry.

Example


Suppose the following JSON Web Token (JWT) matches the expected structure of the login hint tokens.

{
  "sub": "asmith",
  "attrs": {
    "mail": "asmith@example.com",
    "phone": "555-555-5555"
  }
}

To add both the mail and phone attributes, extend the contract with login_hint_token.attrs.mail and login_hint_token.attrs.phone, respectively.
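The mapping described above can be illustrated with the following added sketch, which is not PingFederate code. The function names are hypothetical, the token is a constructed unsigned JWT, and two behaviours are assumptions: a missing claim resolves to None, and an id_token_hint prefix works the same way as the login_hint_token prefix shown on this page.

```python
import base64
import json

# Request parameters that can carry the identity hint token (from the page).
TOKEN_PARAMS = ("id_token_hint", "login_hint_token")

def make_unsigned_jwt(claims):
    """Build a constructed, unsigned JWT for this demo only."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

def decode_claims(jwt):
    """Return the JWT payload as a dict. Signature validation is out of scope."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def resolve(claims, path):
    """Walk a dotted path such as 'attrs.mail'; None if any step is missing."""
    node = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None  # assumption: absent claims yield no value
        node = node[key]
    return node

def fulfill_identity_hint(request, extended_attrs):
    """Map CIBA request parameters to identity hint contract attributes."""
    tokens = {p: decode_claims(request[p]) for p in TOKEN_PARAMS if p in request}
    # Core attribute: sub of the identity hint token if found, else login_hint.
    subject = next((c["sub"] for c in tokens.values() if "sub" in c), None)
    if subject is None:
        subject = request.get("login_hint")
    result = {"IDENTITY_HINT_SUBJECT": subject}
    for name in extended_attrs:
        # 'login_hint_token.attrs.mail' -> token parameter + path into its claims
        param, _, path = name.partition(".")
        result[name] = resolve(tokens.get(param, {}), path)
    return result

# Constructed sample request carrying the login hint token from the example.
SAMPLE_REQUEST = {"login_hint_token": make_unsigned_jwt({
    "sub": "asmith",
    "attrs": {"mail": "asmith@example.com", "phone": "555-555-5555"},
})}
EXTENDED = ["login_hint_token.attrs.mail", "login_hint_token.attrs.phone"]

if __name__ == "__main__":
    print(json.dumps(fulfill_identity_hint(SAMPLE_REQUEST, EXTENDED), indent=2))
```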